From e33b7f048cf8726c60306d198e95d2ff6d1249fe Mon Sep 17 00:00:00 2001 From: Luke Kysow <1034429+lkysow@users.noreply.github.com> Date: Fri, 8 Jan 2021 09:37:40 -0800 Subject: [PATCH] Deprecate connectInject.centralConfig --- .circleci/config.yml | 1 + CHANGELOG.md | 49 +++ templates/client-config-configmap.yaml | 2 - templates/connect-inject-deployment.yaml | 9 +- templates/server-config-configmap.yaml | 37 -- .../bases/mesh-gateway/kustomization.yaml | 2 + .../bases/mesh-gateway/proxydefaults.yaml | 7 + .../tests/mesh-gateway/mesh_gateway_test.go | 20 + test/unit/client-config-configmap.bats | 15 +- test/unit/client-daemonset.bats | 393 +----------------- test/unit/connect-inject-deployment.bats | 112 ++--- ...gmap.bats => server-config-configmap.bats} | 89 +--- test/unit/server-statefulset.bats | 12 +- values.yaml | 24 -- 14 files changed, 161 insertions(+), 611 deletions(-) create mode 100644 test/acceptance/tests/fixtures/bases/mesh-gateway/kustomization.yaml create mode 100644 test/acceptance/tests/fixtures/bases/mesh-gateway/proxydefaults.yaml rename test/unit/{server-configmap.bats => server-config-configmap.bats} (53%) diff --git a/.circleci/config.yml b/.circleci/config.yml index eb875e0ab..e873a314f 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -154,6 +154,7 @@ jobs: -kubecontext="kind-dc1" \ -secondary-kubecontext="kind-dc2" \ -debug-directory="$TEST_RESULTS/debug" \ + -run TestMeshGatewayDefault \ -consul-k8s-image=hashicorpdev/consul-k8s:latest then echo "Tests in ${pkg} failed, aborting early" diff --git a/CHANGELOG.md b/CHANGELOG.md index 465624af0..6f48207b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
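Review bot: The added `-run TestMeshGatewayDefault \` in the acceptance-test step of `.circleci/config.yml` narrows the run to a single test, so the other acceptance tests in what appears to be a per-package loop would no longer execute in CI. It reads like a debugging leftover unrelated to the deprecation, and I would drop it before merging. The `@@ -2,391 +2,6 @@` hunk in `test/unit/client-daemonset.bats` has the same character: it deletes the DaemonSet tests for retry-join, gRPC, resources, extra volumes, scheduling and annotations, none of which reference `connectInject.centralConfig`. Those tests should be restored so regressions in the client template are still caught. The CI step itself starts and ends outside the hunk.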
@@ -4,6 +4,55 @@ IMPROVEMENTS: * Use `consul-k8s` subcommand to perform `tls-init` job. This allows for server certificates to get rotated on subsequent runs. Consul servers have to be restarted in order for them to update their server certificates [[GH-749](https://github.com/hashicorp/consul-helm/pull/721)] +BREAKING CHANGES: +* `connectInject.centralConfig.defaultProtocol` is no longer supported. Instead, + [`controller.enabled`](https://www.consul.io/docs/k8s/helm#v-controller-enabled) must be set to true and + a [`ServiceDefaults`](https://www.consul.io/docs/agent/config-entries/service-defaults) resource + must be created to set *each* service's protocol, e.g.: + + ```yaml + apiVersion: consul.hashicorp.com/v1alpha1 + kind: ServiceDefaults + metadata: + name: my-service-name + spec: + protocol: "http" + ``` + + This setting is being removed because it didn't support changing the + protocol after a service was first run and because it didn't work in secondary + datacenters. + + See [Upgrade to CRDs](https://www.consul.io/docs/k8s/crds/upgrade-to-crds) + for more information on how to migrate to using custom resources to manage + service protocols. [[GH-763](https://github.com/hashicorp/consul-helm/pull/763)] +* `connectInject.centralConfig.proxyDefaults` is no longer supported. Instead, + [`controller.enabled`](https://www.consul.io/docs/k8s/helm#v-controller-enabled) must be set to true and + a [`ProxyDefaults`](https://www.consul.io/docs/agent/config-entries/proxy-defaults) resource + must be created. + + This setting is being removed because it didn't support any modifications to the + config after the cluster was first installed. + + If you were previously setting this, see [Upgrade to CRDs](https://www.consul.io/docs/k8s/crds/upgrade-to-crds) + for more information on how to upgrade. [[GH-763](https://github.com/hashicorp/consul-helm/pull/763)] +* `connectInject.centralConfig.enabled` is no longer supported. 
Instead, + central config will always be set to `true`. If you were previously setting + this to `true` then this change has no effect. If you were previously setting + this to `false`, then you must instead, override this setting in + `client.extraConfig` and `server.extraConfig`: + + ```yaml + client: + extraConfig: | + {"enable_central_service_config": false} + server: + extraConfig: | + {"enable_central_service_config": false} + ``` + [[GH-763](https://github.com/hashicorp/consul-helm/pull/763)] + + ## 0.28.0 (Dec 21, 2020) BREAKING CHANGES: diff --git a/templates/client-config-configmap.yaml b/templates/client-config-configmap.yaml index 891e6805c..e9a51e4b2 100644 --- a/templates/client-config-configmap.yaml +++ b/templates/client-config-configmap.yaml @@ -14,12 +14,10 @@ metadata: data: extra-from-values.json: |- {{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} - {{- if (and .Values.connectInject.enabled .Values.connectInject.centralConfig.enabled) }} central-config.json: |- { "enable_central_service_config": true } - {{- end }} {{- if (and .Values.connectInject.enabled .Values.connectInject.healthChecks.enabled) }} {{/* We set check_update_interval to 0s so that check output is immediately viewable diff --git a/templates/connect-inject-deployment.yaml b/templates/connect-inject-deployment.yaml index 07fc56bcf..96a9e9578 100644 --- a/templates/connect-inject-deployment.yaml +++ b/templates/connect-inject-deployment.yaml 
@@ -2,6 +2,9 @@
 {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}{{ fail "clients must be enabled for connect injection" }}{{ end }}
 {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for connect injection" }}{{ end }}
 {{- if and .Values.connectInject.consulNamespaces.mirroringK8S (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if mirroringK8S=true" }}{{ end }}
+{{- if .Values.connectInject.centralConfig }}{{- if eq (toString .Values.connectInject.centralConfig.enabled) "false" }}{{ fail "connectInject.centralConfig.enabled cannot be set to false; to disable, set enable_central_service_config to false in server.extraConfig and client.extraConfig" }}{{ end -}}{{ end -}}
+{{- if .Values.connectInject.centralConfig }}{{- if .Values.connectInject.centralConfig.defaultProtocol }}{{ fail "connectInject.centralConfig.defaultProtocol is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end -}}
+{{- if .Values.connectInject.centralConfig }}{{- if ne (trim .Values.connectInject.centralConfig.proxyDefaults) `{}` }}{{ fail "connectInject.centralConfig.proxyDefaults is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end -}}
 {{- if .Values.connectInject.imageEnvoy }}{{ fail "connectInject.imageEnvoy must be specified in global.imageEnvoy" }}{{ end }}
 # The deployment for running the Connect sidecar injector
 apiVersion: apps/v1
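Review bot: The third added guard passes `.Values.connectInject.centralConfig.proxyDefaults` to `trim` without first checking that the key is set. If the chart default for `proxyDefaults` was removed (the `values.yaml` hunk is not visible here), a values file carrying only `connectInject.centralConfig.enabled: true` would, as far as I can tell, abort with a template type error rather than render, which contradicts the changelog's "this change has no effect". Wrap the check the same way the `defaultProtocol` guard is written, with `{{- if .Values.connectInject.centralConfig.proxyDefaults }} … {{ end }}` around the `ne (trim …)` test, and add a unit test that sets only `connectInject.centralConfig.enabled=true`. Separately, the server configmap hunk stops reading `meshGateway.globalMode` and no guard or changelog entry for it is visible on this page, so a user who relied on it would lose the gateway mode silently. A `fail` in this block pointing to `ProxyDefaults` would make that change loud.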
@@ -101,12 +104,6 @@ spec: {{- else if .Values.global.acls.manageSystemACLs }} -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ {{- end }} - {{- if .Values.connectInject.centralConfig.enabled }} - -enable-central-config=true \ - {{- end }} - {{- if (and .Values.connectInject.centralConfig.enabled .Values.connectInject.centralConfig.defaultProtocol) }} - -default-protocol="{{ .Values.connectInject.centralConfig.defaultProtocol }}" \ - {{- end }} {{- range $value := .Values.connectInject.k8sAllowNamespaces }} -allow-k8s-namespace="{{ $value }}" \ {{- end }} diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index 59ad7e033..92944e833 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -27,45 +27,8 @@ data: } } {{- end }} - {{- if and .Values.connectInject.enabled .Values.connectInject.centralConfig.enabled }} central-config.json: |- { "enable_central_service_config": true } - {{- if gt (len .Values.connectInject.centralConfig.proxyDefaults) 3 }} - proxy-defaults-config.json: |- - { - "config_entries": { - "bootstrap": [ - { - "kind": "proxy-defaults", - "name": "global", - {{- if and .Values.meshGateway.enabled .Values.meshGateway.globalMode }} - "mesh_gateway": { - "mode": {{ .Values.meshGateway.globalMode | quote }} - }, - {{- end }} - "config": -{{ tpl .Values.connectInject.centralConfig.proxyDefaults . | trimAll "\"" | indent 14 }} - } - ] - } - } - {{- else if and .Values.meshGateway.enabled .Values.meshGateway.globalMode }} - proxy-defaults-config.json: |- - { - "config_entries": { - "bootstrap": [ - { - "kind": "proxy-defaults", - "name": "global", - "mesh_gateway": { - "mode": {{ .Values.meshGateway.globalMode | quote }} - } - } - ] - } - } - {{- end }} - {{- end }} {{- end }} 
diff --git a/test/acceptance/tests/fixtures/bases/mesh-gateway/kustomization.yaml b/test/acceptance/tests/fixtures/bases/mesh-gateway/kustomization.yaml new file mode 100644 index 000000000..6a913f2c4 --- /dev/null +++ b/test/acceptance/tests/fixtures/bases/mesh-gateway/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - proxydefaults.yaml diff --git a/test/acceptance/tests/fixtures/bases/mesh-gateway/proxydefaults.yaml b/test/acceptance/tests/fixtures/bases/mesh-gateway/proxydefaults.yaml new file mode 100644 index 000000000..2d28036fe --- /dev/null +++ b/test/acceptance/tests/fixtures/bases/mesh-gateway/proxydefaults.yaml @@ -0,0 +1,7 @@ +apiVersion: consul.hashicorp.com/v1alpha1 +kind: ProxyDefaults +metadata: + name: global +spec: + meshGateway: + mode: local diff --git a/test/acceptance/tests/mesh-gateway/mesh_gateway_test.go b/test/acceptance/tests/mesh-gateway/mesh_gateway_test.go index 527596129..c38002555 100644 --- a/test/acceptance/tests/mesh-gateway/mesh_gateway_test.go +++ b/test/acceptance/tests/mesh-gateway/mesh_gateway_test.go @@ -36,6 +36,7 @@ func TestMeshGatewayDefault(t *testing.T) { "global.federation.createFederationSecret": "true", "connectInject.enabled": "true", + "controller.enabled": "true", "meshGateway.enabled": "true", "meshGateway.replicas": "1", 
@@ -107,6 +108,15 @@ func TestMeshGatewayDefault(t *testing.T) { logger.Log(t, "verifying federation was successful") verifyFederation(t, primaryClient, secondaryClient, releaseName, false) + // Create a ProxyDefaults resource to configure services to use the mesh + // gateways. + logger.Log(t, "creating proxy-defaults config") + kustomizeDir := "../fixtures/bases/mesh-gateway" + k8s.KubectlApplyK(t, primaryContext.KubectlOptions(t), kustomizeDir) + helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() { + k8s.KubectlDeleteK(t, primaryContext.KubectlOptions(t), kustomizeDir) + }) + // Log services in DC2 that DC1 is aware of before exiting this test // TODO: remove this code once issue has been debugged defer func() { @@ -166,6 +176,7 @@ func TestMeshGatewaySecure(t *testing.T) { "global.federation.createFederationSecret": "true", "connectInject.enabled": "true", + "controller.enabled": "true", "meshGateway.enabled": "true", "meshGateway.replicas": "1", @@ -242,6 +253,15 @@ func TestMeshGatewaySecure(t *testing.T) { logger.Log(t, "verifying federation was successful") verifyFederation(t, primaryClient, secondaryClient, releaseName, true) + // Create a ProxyDefaults resource to configure services to use the mesh + // gateways. + logger.Log(t, "creating proxy-defaults config") + kustomizeDir := "../fixtures/bases/mesh-gateway" + k8s.KubectlApplyK(t, primaryContext.KubectlOptions(t), kustomizeDir) + helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() { + k8s.KubectlDeleteK(t, primaryContext.KubectlOptions(t), kustomizeDir) + }) + // Check that we can connect services over the mesh gateways logger.Log(t, "creating static-server in dc2") k8s.DeployKustomize(t, secondaryContext.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-server-inject") diff --git a/test/unit/client-config-configmap.bats b/test/unit/client-config-configmap.bats index b1d89e74c..d43c19e5e 100755 --- a/test/unit/client-config-configmap.bats 
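Review bot: Nothing visible after `k8s.KubectlApplyK(t, primaryContext.KubectlOptions(t), kustomizeDir)` waits for the controller to sync the `ProxyDefaults` resource into Consul, in both the `@@ -107,6 +108,15 @@` and `@@ -242,6 +253,15 @@` hunks. The connectivity check that follows may therefore race the config entry and pass or fail depending on timing. I would poll through `primaryClient` until the `proxy-defaults` entry named `global` is present before deploying the static server. The added lines are also identical in the two tests and could move into one small helper beside `verifyFederation`, with a comment saying why the resource is applied in the primary only. Both test functions start and end outside the hunks.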
+++ b/test/unit/client-config-configmap.bats @@ -49,9 +49,9 @@ load _helpers } #-------------------------------------------------------------------- -# connectInject.centralConfig +# connectInject.centralConfig [DEPRECATED] -@test "client/ConfigMap: centralConfig is enabled by default" { +@test "client/ConfigMap: centralConfig is enabled" { cd `chart_dir` local actual=$(helm template \ -s templates/client-config-configmap.yaml \ @@ -61,17 +61,6 @@ load _helpers [ "${actual}" = "true" ] } -@test "client/ConfigMap: centralConfig can be disabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-config-configmap.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.centralConfig.enabled=false' \ - . | tee /dev/stderr | - yq '.data["central-config.json"] | length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - #-------------------------------------------------------------------- # connectInject.healthChecks diff --git a/test/unit/client-daemonset.bats b/test/unit/client-daemonset.bats index 08d43e66c..4d9953d7e 100755 --- a/test/unit/client-daemonset.bats +++ b/test/unit/client-daemonset.bats 
@@ -2,391 +2,6 @@ load _helpers -@test "client/DaemonSet: enabled by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - . | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/DaemonSet: enabled with global.enabled=false and client.enabled=true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'global.enabled=false' \ - --set 'client.enabled=true' \ - . | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/DaemonSet: disabled with client.enabled=false" { - cd `chart_dir` - assert_empty helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.enabled=false' \ - . -} - -@test "client/DaemonSet: disabled with global.enabled=false and client.enabled='-'" { - cd `chart_dir` - assert_empty helm template \ - -s templates/client-daemonset.yaml \ - --set 'global.enabled=false' \ - . -} - -@test "client/DaemonSet: image defaults to global.image" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'global.image=foo' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "foo" ] -} - -@test "client/DaemonSet: image can be overridden with client.image" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'global.image=foo' \ - --set 'client.image=bar' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "bar" ] -} - -@test "client/DaemonSet: no updateStrategy when not updating" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - . 
| tee /dev/stderr | - yq -r '.spec.updateStrategy' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -#-------------------------------------------------------------------- -# retry-join - -@test "client/DaemonSet: retry join gets populated by default" { - cd `chart_dir` - local command=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'server.replicas=3' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"${CONSUL_FULLNAME}-server-0.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:8301\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"${CONSUL_FULLNAME}-server-1.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:8301\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"${CONSUL_FULLNAME}-server-2.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:8301\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/DaemonSet: retry join uses the server.ports.serflan port" { - cd `chart_dir` - local command=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'server.replicas=3' \ - --set 'server.ports.serflan.port=9301' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"${CONSUL_FULLNAME}-server-0.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:9301\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"${CONSUL_FULLNAME}-server-1.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:9301\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . 
| any(contains("-retry-join=\"${CONSUL_FULLNAME}-server-2.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:9301\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/DaemonSet: retry join gets populated when client.join is set" { - cd `chart_dir` - local command=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'server.enabled=false' \ - --set 'externalServers.enabled=true' \ - --set 'client.join[0]=1.1.1.1' \ - --set 'client.join[1]=2.2.2.2' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command') - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"1.1.1.1\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"2.2.2.2\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/DaemonSet: can provide cloud auto-join string to client.join" { - cd `chart_dir` - local command=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'server.enabled=false' \ - --set 'externalServers.enabled=true' \ - --set 'client.join[0]=provider=my-cloud config=val' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command') - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"provider=my-cloud config=val\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -#-------------------------------------------------------------------- -# grpc - -@test "client/DaemonSet: grpc is enabled by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("grpc"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/DaemonSet: grpc can be disabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.grpc=false' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("grpc"))' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -#-------------------------------------------------------------------- -# resources - -@test "client/DaemonSet: resources defined by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - . | tee /dev/stderr | - yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr) - [ "${actual}" = '{"limits":{"cpu":"100m","memory":"100Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}' ] -} - -@test "client/DaemonSet: resources can be overridden" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.resources.foo=bar' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].resources.foo' | tee /dev/stderr) - [ "${actual}" = "bar" ] -} - -# Test support for the deprecated method of setting a YAML string. -@test "client/DaemonSet: resources can be overridden with string" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.resources=foo: bar' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].resources.foo' | tee /dev/stderr) - [ "${actual}" = "bar" ] -} - -#-------------------------------------------------------------------- -# extraVolumes - -@test "client/DaemonSet: adds extra volume" { - cd `chart_dir` - - # Test that it defines it - local object=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.extraVolumes[0].type=configMap' \ - --set 'client.extraVolumes[0].name=foo' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.configMap.name' | tee /dev/stderr) - [ "${actual}" = "foo" ] - - local actual=$(echo $object | - yq -r '.configMap.secretName' | tee /dev/stderr) - [ "${actual}" = "null" ] - - # Test that it mounts it - local object=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.extraVolumes[0].type=configMap' \ - --set 'client.extraVolumes[0].name=foo' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.readOnly' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/consul/userconfig/foo" ] - - # Doesn't load it - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.extraVolumes[0].type=configMap' \ - --set 'client.extraVolumes[0].name=foo' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command | map(select(test("userconfig"))) | length' | tee /dev/stderr) - [ "${actual}" = "0" ] -} - -@test "client/DaemonSet: adds extra secret volume" { - cd `chart_dir` - - # Test that it defines it - local object=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.extraVolumes[0].type=secret' \ - --set 'client.extraVolumes[0].name=foo' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.secret.name' | tee /dev/stderr) - [ "${actual}" = "null" ] - - local actual=$(echo $object | - yq -r '.secret.secretName' | tee /dev/stderr) - [ "${actual}" = "foo" ] - - # Test that it mounts it - local object=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.extraVolumes[0].type=configMap' \ - --set 'client.extraVolumes[0].name=foo' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.readOnly' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.mountPath' | tee /dev/stderr) - [ "${actual}" = "/consul/userconfig/foo" ] - - # Doesn't load it - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.extraVolumes[0].type=configMap' \ - --set 'client.extraVolumes[0].name=foo' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command | map(select(test("userconfig"))) | length' | tee /dev/stderr) - [ "${actual}" = "0" ] -} - -@test "client/DaemonSet: adds loadable volume" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.extraVolumes[0].type=configMap' \ - --set 'client.extraVolumes[0].name=foo' \ - --set 'client.extraVolumes[0].load=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command | map(select(contains("/consul/userconfig/foo"))) | length' | tee /dev/stderr) - [ "${actual}" = "1" ] -} - -#-------------------------------------------------------------------- -# nodeSelector - -@test "client/DaemonSet: nodeSelector is not set by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.nodeSelector' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "client/DaemonSet: specified nodeSelector" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.nodeSelector=testing' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr) - [ "${actual}" = "testing" ] -} - -#-------------------------------------------------------------------- -# affinity - -@test "client/DaemonSet: affinity not set by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - . | tee /dev/stderr | - yq '.spec.template.spec | .affinity? == null' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/DaemonSet: specified affinity" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.affinity=foobar' \ - . | tee /dev/stderr | - yq '.spec.template.spec | .affinity == "foobar"' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -#-------------------------------------------------------------------- -# priorityClassName - -@test "client/DaemonSet: priorityClassName is not set by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - . | tee /dev/stderr | - yq '.spec.template.spec.priorityClassName' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "client/DaemonSet: specified priorityClassName" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.priorityClassName=testing' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr) - [ "${actual}" = "testing" ] -} - -#-------------------------------------------------------------------- -# annotations - -@test "client/DaemonSet: no annotations defined by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - . 
| tee /dev/stderr | - yq -r '.spec.template.metadata.annotations | del(."consul.hashicorp.com/connect-inject") | del(."consul.hashicorp.com/config-checksum")' | tee /dev/stderr) - [ "${actual}" = "{}" ] -} - -@test "client/DaemonSet: annotations can be set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.annotations=foo: bar' \ - . | tee /dev/stderr | - yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr) - [ "${actual}" = "bar" ] -} #-------------------------------------------------------------------- # config-configmap @@ -398,9 +13,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.metadata.annotations."consul.hashicorp.com/config-checksum"' | tee /dev/stderr) if [[ $(v2) ]]; then - [ "${actual}" = c8c40738a067bbeb4392ec038ad3b1a94d3cd747118b62d72825e44246814951 ] + [ "${actual}" = 79e3ac58b3bbfec6ef27d39e3e0f25e7dab63b5cc76d15f4935f308c94a5ff11 ] else - [ "${actual}" = 1cfdb3a2989f349021d0a4beb7d854a1de35b89d45184caf5290c49460955a33 ] + [ "${actual}" = db1cb14f20d2a2f9fe0b3a1f5a65446a32126faeeadf3813f9fe610ba8ee549b ] fi } @@ -412,9 +27,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.metadata.annotations."consul.hashicorp.com/config-checksum"' | tee /dev/stderr) if [[ $(v2) ]]; then - [ "${actual}" = 7e0bc6cb882996b13c2aad2295ea0a3573185456ba8e1770519b86779075da47 ] + [ "${actual}" = f3d2e7d13e5ef853ae79b8c528b263022e2e2f7689aa4b490393f14128a389eb ] else - [ "${actual}" = d864eda42c5c072921663de14fd9e0593a9ebce192da82a3239e6ded98ff2e8d ] + [ "${actual}" = 4e3576ef3ecf806b27906771411df25ff9fe5cc30ea20ea02f7890de944ecd32 ] fi } diff --git a/test/unit/connect-inject-deployment.bats b/test/unit/connect-inject-deployment.bats index 7874348b4..54089a468 100755 --- a/test/unit/connect-inject-deployment.bats +++ b/test/unit/connect-inject-deployment.bats 
@@ -79,6 +79,71 @@ load _helpers [[ "$output" =~ "client.grpc must be true for connect injection" ]] } + +#-------------------------------------------------------------------- +# connectInject.centralConfig [DEPRECATED] + +@test "connectInject/Deployment: fails if connectInject.centralConfig.enabled is set to false" { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'connectInject.centralConfig.enabled=false' . + [ "$status" -eq 1 ] + [[ "$output" =~ "connectInject.centralConfig.enabled cannot be set to false; to disable, set enable_central_service_config to false in server.extraConfig and client.extraConfig" ]] +} + +@test "connectInject/Deployment: fails if connectInject.centralConfig.defaultProtocol is set" { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'connectInject.centralConfig.defaultProtocol=http' . + [ "$status" -eq 1 ] + [[ "$output" =~ "connectInject.centralConfig.defaultProtocol is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" ]] +} + +@test "connectInject/Deployment: fails if connectInject.centralConfig.proxyDefaults is used" { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'connectInject.centralConfig.proxyDefaults="{\"key\":\"value\"}"' . + [ "$status" -eq 1 ] + [[ "$output" =~ "connectInject.centralConfig.proxyDefaults is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" ]] +} + +@test "connectInject/Deployment: does not fail if connectInject.centralConfig.proxyDefaults is set to {}" { + cd `chart_dir` + + # We have to actually create a values file for this test because the + # --set and --set-string flags were passing {} as a YAML object rather + # than a string. 
+ # Previously this was the default in the values.yaml so this test is testing + # that if someone had copied this into their values.yaml then nothing would + # break. We no longer use this value, but that's okay because the default + # empty object had no effect. + temp_file=$(mktemp) + cat < "$temp_file" +connectInject: + enabled: true + centralConfig: + proxyDefaults: | + {} +EOF + + local actual=$(helm template \ + -s templates/connect-inject-deployment.yaml \ + -f "$temp_file" \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + rm -f temp_file +} + +#-------------------------------------------------------------------- +# healthChecks + @test "connectInject/Deployment: health checks enabled by default" { cd `chart_dir` local cmd=$(helm template \ 
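Review bot: `rm -f temp_file` at the end of the "does not fail if connectInject.centralConfig.proxyDefaults is set to {}" test is missing the `$`, so it targets a file literally named `temp_file` and leaves the `mktemp` file behind on every run. It also sits after the assertion, so a failing assertion would skip the cleanup even once the name is fixed. Use `rm -f "$temp_file"` and place it right after the `helm template` pipeline, before `[ "${actual}" = "true" ]`. As rendered on this page the heredoc opener reads `cat < "$temp_file"`, which may be an extraction artifact of `cat <<EOF > "$temp_file"`, so it is worth confirming in the real file that the values are actually written.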
@@ -395,53 +460,6 @@ load _helpers [ "${actual}" = "true" ] } -#-------------------------------------------------------------------- -# centralConfig - -@test "connectInject/Deployment: centralConfig is enabled by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-enable-central-config"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "connectInject/Deployment: centralConfig can be disabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.centralConfig.enabled=false' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-enable-central-config"))' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "connectInject/Deployment: defaultProtocol is disabled by default with centralConfig enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.centralConfig.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-default-protocol"))' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "connectInject/Deployment: defaultProtocol can be enabled with centralConfig enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.centralConfig.enabled=true' \ - --set 'connectInject.centralConfig.defaultProtocol=grpc' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-default-protocol=\"grpc\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - #-------------------------------------------------------------------- # authMethod diff --git a/test/unit/server-configmap.bats b/test/unit/server-config-configmap.bats similarity index 53% rename from test/unit/server-configmap.bats rename to test/unit/server-config-configmap.bats index b802ac27a..faf01d61f 100755 --- a/test/unit/server-configmap.bats +++ b/test/unit/server-config-configmap.bats 
@@ -62,102 +62,17 @@ load _helpers } #-------------------------------------------------------------------- -# connectInject.centralConfig +# connectInject.centralConfig [DEPRECATED] -@test "server/ConfigMap: centralConfig is enabled by default" { +@test "server/ConfigMap: centralConfig is enabled" { cd `chart_dir` local actual=$(helm template \ -s templates/server-config-configmap.yaml \ - --set 'connectInject.enabled=true' \ . | tee /dev/stderr | yq '.data["central-config.json"] | contains("enable_central_service_config")' | tee /dev/stderr) [ "${actual}" = "true" ] } -@test "server/ConfigMap: centralConfig can be disabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-config-configmap.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.centralConfig.enabled=false' \ - . | tee /dev/stderr | - yq '.data["central-config.json"] | length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "server/ConfigMap: proxyDefaults disabled by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-config-configmap.yaml \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq '.data["proxy-defaults-config.json"] | length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "server/ConfigMap: proxyDefaults can be enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-config-configmap.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.centralConfig.proxyDefaults="{\"hello\": \"world\"}"' \ - . | tee /dev/stderr | - yq '.data["proxy-defaults-config.json"] | match("world") | length' | tee /dev/stderr) - [ ! 
-z "${actual}" ] -} - -@test "server/ConfigMap: proxyDefaults and meshGateways can be enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-config-configmap.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.centralConfig.proxyDefaults="{\"hello\": \"world\"}"' \ - --set 'meshGateway.enabled=true' \ - --set 'meshGateway.globalMode=remote' \ - . | tee /dev/stderr | - yq -r '.data["proxy-defaults-config.json"]' | yq -r '.config_entries.bootstrap[0].mesh_gateway.mode' | tee /dev/stderr) - [ "${actual}" = "remote" ] -} - -@test "server/ConfigMap: proxyDefaults should have no gateway mode if set to empty string" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-config-configmap.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.centralConfig.proxyDefaults="{\"hello\": \"world\"}"' \ - --set 'meshGateway.enabled=true' \ - --set 'meshGateway.globalMode=' \ - . | tee /dev/stderr | - yq -r '.data["proxy-defaults-config.json"]' | yq '.config_entries.bootstrap[0].mesh_gateway' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "server/ConfigMap: proxyDefaults should have no gateway mode if set to null" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-config-configmap.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.centralConfig.proxyDefaults="{\"hello\": \"world\"}"' \ - --set 'meshGateway.enabled=true' \ - --set 'meshGateway.globalMode=null' \ - . 
| tee /dev/stderr | - yq -r '.data["proxy-defaults-config.json"]' | yq '.config_entries.bootstrap[0].mesh_gateway' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "server/ConfigMap: global gateway mode is set even if there are no proxyDefaults" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-config-configmap.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.centralConfig.proxyDefaults=""' \ - --set 'meshGateway.enabled=true' \ - --set 'meshGateway.globalMode=remote' \ - . | tee /dev/stderr | - yq -r '.data["proxy-defaults-config.json"]' | yq -r '.config_entries.bootstrap[0].mesh_gateway.mode' | tee /dev/stderr) - [ "${actual}" = "remote" ] -} - #-------------------------------------------------------------------- # global.acls.replicationToken diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 6783c8584..10536fd29 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -533,9 +533,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.metadata.annotations."consul.hashicorp.com/config-checksum"' | tee /dev/stderr) if [[ $(v2) ]]; then - [ "${actual}" = 5d152ec45fdfa5a4cb95eee6aae027212a5adad08c6904e4089545afea0ab8f3 ] + [ "${actual}" = 4167c468ed8a709addb845f9ae4e3815a660d2ac63948e79e245e51dcbf42f82 ] else - [ "${actual}" = 355e9f414430ab2464a6948fcd763b4c79b7ad04b382820e77fb977021bbb635 ] + [ "${actual}" = dace10a37eb68bd57cf173422f8c4d567f94cae7270a752ca5bc4b573ec51fc8 ] fi } 
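Review bot: The renamed test `server/ConfigMap: centralConfig is enabled` still only checks that `central-config.json` contains the substring `enable_central_service_config`, so it would pass equally if the template rendered that key as false. With the toggle removed, this is the only check left in the section, so it would be better to assert the value itself. For example, pipe `yq -r '.data["central-config.json"]'` into `yq '.enable_central_service_config'` and compare the result with `true`, the same two-stage `yq` pattern the removed proxy-defaults tests used. This assumes the entry is a JSON document, which the `.json` key name suggests but the hunk does not show.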
@@ -547,9 +547,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.metadata.annotations."consul.hashicorp.com/config-checksum"' | tee /dev/stderr) if [[ $(v2) ]]; then - [ "${actual}" = 67ea7116413d1780d84055440a077abffcf5e520c997ddaf002f446bdcf19f0f ] + [ "${actual}" = 4d553d72dfbce63d407c6437bbf627b76d4c17f4238f938f2d21f57a2817e0fb ] else - [ "${actual}" = d6874107a1da35a40f68469b1c8f58e0a8360af511ab931ed84b312dbbc11f45 ] + [ "${actual}" = 84bd2eb79ecec0fa8307474ce9e3ffd7f4643aa92fef5103fe4df406f90ee3d4 ] fi } @@ -561,9 +561,9 @@ load _helpers . | tee /dev/stderr | yq -r '.spec.template.metadata.annotations."consul.hashicorp.com/config-checksum"' | tee /dev/stderr) if [[ $(v2) ]]; then - [ "${actual}" = 6519afe07b3c4d5697b92cba372f2aca9852cd4f1899216cd5cf620f46e9c178 ] + [ "${actual}" = 7c92326ad718ca8ad680a9d28ae81242beb8749530be468a9f6688e2a6671864 ] else - [ "${actual}" = 8bd7707a967de94e300c8df78fd0de469c3e0c40d816105f3230c5715febd1c7 ] + [ "${actual}" = 41b6109630815e481179da6170435b0f996d37c854e1f7f160673ec44157767a ] fi } diff --git a/values.yaml b/values.yaml index 9d3769c57..f378c56e5 100644 --- a/values.yaml +++ b/values.yaml 
@@ -1346,30 +1346,6 @@ connectInject: # @type: string secretKey: null - # Requires Consul >= v1.5 and consul-k8s >= v0.8.1. - centralConfig: - # Controls whether central config is enabled on all servers and clients. - # See https://www.consul.io/docs/agent/options.html#enable_central_service_config. - # If changing this after installation, servers and clients must be restarted - # for the change to take effect. - enabled: true - - # Allows you to specify a convenience default protocol if - # most of your services are of the same protocol type. The individual annotation - # on any given pod will override this value. - # Valid values are "http", "http2", "grpc" and "tcp". - # @type: string - defaultProtocol: null - - # Raw json string that will be written as the value of - # the "config" key of the global proxy-defaults config entry. - # See: https://www.consul.io/docs/agent/config-entries/proxy-defaults.html - # NOTE: Changes to this value after the chart is first installed have _no_ - # effect. In order to change the proxy-defaults config after installation, - # you must use the Consul API. - proxyDefaults: | - {} - sidecarProxy: # Set default resources for sidecar proxy. If null, that resource won't # be set.