Deprecate connectInject.centralConfig

.circleci/config.yml

@@ -154,7 +154,7 @@ jobs:
                     -kubecontext="kind-dc1" \
                     -secondary-kubecontext="kind-dc2" \
                     -debug-directory="$TEST_RESULTS/debug" \
-                    -consul-k8s-image=hashicorpdev/consul-k8s:latest
+                    -consul-k8s-image=ghcr.io/lkysow/consul-k8s-dev:jan11
               then
                 echo "Tests in ${pkg} failed, aborting early"
                 exit_code=1

CHANGELOG.md

@@ -4,6 +4,83 @@ IMPROVEMENTS:
 * Use `consul-k8s` subcommand to perform `tls-init` job. This allows for server certificates to get rotated on subsequent runs.
   Consul servers have to be restarted in order for them to update their server certificates [[GH-749](https://github.com/hashicorp/consul-helm/pull/721)]
 
+BREAKING CHANGES:
+* `connectInject.centralConfig.defaultProtocol` is no longer supported. Instead,
+   [`controller.enabled`](https://www.consul.io/docs/k8s/helm#v-controller-enabled) must be set to true and
+   a [`ServiceDefaults`](https://www.consul.io/docs/agent/config-entries/service-defaults) resource
+   must be created to set *each* service's protocol, e.g.:
+
+   ```yaml
+   apiVersion: consul.hashicorp.com/v1alpha1
+   kind: ServiceDefaults
+   metadata:
+     name: my-service-name
+   spec:
+     protocol: "http"
+   ```
+  
+  This setting is being removed because it didn't support changing the
+  protocol after a service was first run and because it didn't work in secondary
+  datacenters.
+  
+  See [Upgrade to CRDs](https://www.consul.io/docs/k8s/crds/upgrade-to-crds)
+  for more information on how to migrate to using custom resources to manage
+  service protocols. [[GH-763](https://github.com/hashicorp/consul-helm/pull/763)] 
+* `connectInject.centralConfig.proxyDefaults` is no longer supported. Instead,
+   [`controller.enabled`](https://www.consul.io/docs/k8s/helm#v-controller-enabled) must be set to true and
+   a [`ProxyDefaults`](https://www.consul.io/docs/agent/config-entries/proxy-defaults) resource
+   must be created.
+
+  This setting is being removed because it didn't support any modifications to the
+  config after the cluster was first installed.
+
+  If you were previously setting this, see [Upgrade to CRDs](https://www.consul.io/docs/k8s/crds/upgrade-to-crds)
+  for more information on how to upgrade. [[GH-763](https://github.com/hashicorp/consul-helm/pull/763)] 
+* `connectInject.centralConfig.enabled` is no longer supported. Instead,
+   central config will always be set to `true`. If you were previously setting
+   this to `true` then this change has no effect. If you were previously setting
+   this to `false`, then you must instead, override this setting in
+   `client.extraConfig` and `server.extraConfig`:
+
+   ```yaml
+   client:
+     extraConfig: |
+       {"enable_central_service_config": false}
+   server:
+     extraConfig: |
+       {"enable_central_service_config": false}
+   ``` 
+  [[GH-763](https://github.com/hashicorp/consul-helm/pull/763)] 
+* The `consul.hashicorp.com/connect-service-protocol` annotation on Connect pods is
+  no longer supported with the latest version of `consul-k8s`.
+
+  Current deployments that have the annotation should remove it, otherwise they
+  will get an error if a pod from that deployment is rescheduled.
+
+  This annotation is being removed because it didn't support changing the
+  protocol after a service was first run and because it didn't work in secondary
+  datacenters.
+
+  Removing the annotation will not change their protocol
+  since the config entry was already written to Consul. If you wish to change
+  the protocol you must migrate the config entry to be managed by a
+  [`ServiceDefaults`](https://www.consul.io/docs/agent/config-entries/service-defaults) resource.
+  See [Upgrade to CRDs](https://www.consul.io/docs/k8s/crds/upgrade-to-crds) for more
+  information.
+
+  To set the protocol for __new__ services, you must use the
+  [`ServiceDefaults`](https://www.consul.io/docs/agent/config-entries/service-defaults) resource,
+  e.g.
+
+  ```yaml
+  apiVersion: consul.hashicorp.com/v1alpha1
+  kind: ServiceDefaults
+  metadata:
+    name: my-service-name
+  spec:
+    protocol: "http"
+  ```
+
 ## 0.28.0 (Dec 21, 2020)
 
 BREAKING CHANGES:

templates/client-config-configmap.yaml

@@ -14,12 +14,10 @@ metadata:
 data:
   extra-from-values.json: |-
 {{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }}
-  {{- if (and .Values.connectInject.enabled .Values.connectInject.centralConfig.enabled) }}
   central-config.json: |-
     {
       "enable_central_service_config": true
     }
-  {{- end }}
 
   {{- if (and .Values.connectInject.enabled .Values.connectInject.healthChecks.enabled) }}
   {{/* We set check_update_interval to 0s so that check output is immediately viewable

templates/connect-inject-deployment.yaml

@@ -2,6 +2,9 @@
 {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}{{ fail "clients must be enabled for connect injection" }}{{ end }}
 {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for connect injection" }}{{ end }}
 {{- if and .Values.connectInject.consulNamespaces.mirroringK8S (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if mirroringK8S=true" }}{{ end }}
+{{- if .Values.connectInject.centralConfig }}{{- if eq (toString .Values.connectInject.centralConfig.enabled) "false" }}{{ fail "connectInject.centralConfig.enabled cannot be set to false; to disable, set enable_central_service_config to false in server.extraConfig and client.extraConfig" }}{{ end -}}{{ end -}}
+{{- if .Values.connectInject.centralConfig }}{{- if .Values.connectInject.centralConfig.defaultProtocol }}{{ fail "connectInject.centralConfig.defaultProtocol is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end -}}
+{{- if .Values.connectInject.centralConfig }}{{- if ne (trim .Values.connectInject.centralConfig.proxyDefaults) `{}` }}{{ fail "connectInject.centralConfig.proxyDefaults is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end -}}
 {{- if .Values.connectInject.imageEnvoy }}{{ fail "connectInject.imageEnvoy must be specified in global.imageEnvoy" }}{{ end }}
 # The deployment for running the Connect sidecar injector
 apiVersion: apps/v1
@@ -101,12 +104,6 @@ spec:
                 {{- else if .Values.global.acls.manageSystemACLs }}
                 -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \
                 {{- end }}
-                {{- if .Values.connectInject.centralConfig.enabled }}
-                -enable-central-config=true \
-                {{- end }}
-                {{- if (and .Values.connectInject.centralConfig.enabled .Values.connectInject.centralConfig.defaultProtocol) }}
-                -default-protocol="{{ .Values.connectInject.centralConfig.defaultProtocol }}" \
-                {{- end }}
                 {{- range $value := .Values.connectInject.k8sAllowNamespaces }}
                 -allow-k8s-namespace="{{ $value }}" \
                 {{- end }}

templates/server-config-configmap.yaml

@@ -27,45 +27,8 @@ data:
       }
     }
   {{- end }}
-  {{- if and .Values.connectInject.enabled .Values.connectInject.centralConfig.enabled }}
   central-config.json: |-
     {
       "enable_central_service_config": true
     }
-  {{- if gt (len .Values.connectInject.centralConfig.proxyDefaults) 3 }}
-  proxy-defaults-config.json: |-
-    {
-      "config_entries": {
-        "bootstrap": [
-          {
-            "kind": "proxy-defaults",
-            "name": "global",
-            {{- if and .Values.meshGateway.enabled .Values.meshGateway.globalMode }}
-            "mesh_gateway": {
-              "mode": {{ .Values.meshGateway.globalMode | quote }}
-            },
-            {{- end }}
-            "config":
-{{ tpl .Values.connectInject.centralConfig.proxyDefaults . | trimAll "\"" | indent 14 }}
-          }
-        ]
-      }
-    }
-  {{- else if and .Values.meshGateway.enabled .Values.meshGateway.globalMode }}
-  proxy-defaults-config.json: |-
-    {
-      "config_entries": {
-        "bootstrap": [
-          {
-            "kind": "proxy-defaults",
-            "name": "global",
-            "mesh_gateway": {
-              "mode": {{ .Values.meshGateway.globalMode | quote }}
-            }
-          }
-        ]
-      }
-    }
-  {{- end }}
-  {{- end }}
 {{- end }}

test/acceptance/tests/fixtures/bases/mesh-gateway/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - proxydefaults.yaml

test/acceptance/tests/fixtures/bases/mesh-gateway/proxydefaults.yaml

@@ -0,0 +1,7 @@
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ProxyDefaults
+metadata:
+  name: global
+spec:
+  meshGateway:
+    mode: local

test/acceptance/tests/mesh-gateway/mesh_gateway_test.go

@@ -36,6 +36,7 @@ func TestMeshGatewayDefault(t *testing.T) {
 		"global.federation.createFederationSecret": "true",
 
 		"connectInject.enabled": "true",
+		"controller.enabled":    "true",
 
 		"meshGateway.enabled":  "true",
 		"meshGateway.replicas": "1",
@@ -107,6 +108,15 @@ func TestMeshGatewayDefault(t *testing.T) {
 	logger.Log(t, "verifying federation was successful")
 	verifyFederation(t, primaryClient, secondaryClient, releaseName, false)
 
+	// Create a ProxyDefaults resource to configure services to use the mesh
+	// gateways.
+	logger.Log(t, "creating proxy-defaults config")
+	kustomizeDir := "../fixtures/bases/mesh-gateway"
+	k8s.KubectlApplyK(t, primaryContext.KubectlOptions(t), kustomizeDir)
+	helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
+		k8s.KubectlDeleteK(t, primaryContext.KubectlOptions(t), kustomizeDir)
+	})
+
 	// Log services in DC2 that DC1 is aware of before exiting this test
 	// TODO: remove this code once issue has been debugged
 	defer func() {
@@ -166,6 +176,7 @@ func TestMeshGatewaySecure(t *testing.T) {
 				"global.federation.createFederationSecret": "true",
 
 				"connectInject.enabled": "true",
+				"controller.enabled":    "true",
 
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",
@@ -242,6 +253,15 @@ func TestMeshGatewaySecure(t *testing.T) {
 			logger.Log(t, "verifying federation was successful")
 			verifyFederation(t, primaryClient, secondaryClient, releaseName, true)
 
+			// Create a ProxyDefaults resource to configure services to use the mesh
+			// gateways.
+			logger.Log(t, "creating proxy-defaults config")
+			kustomizeDir := "../fixtures/bases/mesh-gateway"
+			k8s.KubectlApplyK(t, primaryContext.KubectlOptions(t), kustomizeDir)
+			helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
+				k8s.KubectlDeleteK(t, primaryContext.KubectlOptions(t), kustomizeDir)
+			})
+
 			// Check that we can connect services over the mesh gateways
 			logger.Log(t, "creating static-server in dc2")
 			k8s.DeployKustomize(t, secondaryContext.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-server-inject")

test/unit/client-config-configmap.bats

@@ -49,9 +49,9 @@ load _helpers
 }
 
 #--------------------------------------------------------------------
-# connectInject.centralConfig
+# connectInject.centralConfig [DEPRECATED]
 
-@test "client/ConfigMap: centralConfig is enabled by default" {
+@test "client/ConfigMap: centralConfig is enabled" {
   cd `chart_dir`
   local actual=$(helm template \
       -s templates/client-config-configmap.yaml  \
@@ -61,17 +61,6 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
-@test "client/ConfigMap: centralConfig can be disabled" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -s templates/client-config-configmap.yaml  \
-      --set 'connectInject.enabled=true' \
-      --set 'connectInject.centralConfig.enabled=false' \
-      . | tee /dev/stderr |
-      yq '.data["central-config.json"] | length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
-}
-
 #--------------------------------------------------------------------
 # connectInject.healthChecks