diff --git a/charts/consul/templates/authmethod-clusterrole.yaml b/charts/consul/templates/auth-method-clusterrole.yaml similarity index 81% rename from charts/consul/templates/authmethod-clusterrole.yaml rename to charts/consul/templates/auth-method-clusterrole.yaml index 30385aa25f..6b8f2c5451 100644 --- a/charts/consul/templates/authmethod-clusterrole.yaml +++ b/charts/consul/templates/auth-method-clusterrole.yaml @@ -2,13 +2,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "consul.fullname" . }}-authmethod + name: {{ template "consul.fullname" . }}-auth-method labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} - component: authmethod + component: auth-method rules: - apiGroups: [ "" ] resources: diff --git a/charts/consul/templates/authmethod-clusterrolebinding.yaml b/charts/consul/templates/auth-method-clusterrolebinding.yaml similarity index 76% rename from charts/consul/templates/authmethod-clusterrolebinding.yaml rename to charts/consul/templates/auth-method-clusterrolebinding.yaml index 89bc44dea4..9bd6c64113 100644 --- a/charts/consul/templates/authmethod-clusterrolebinding.yaml +++ b/charts/consul/templates/auth-method-clusterrolebinding.yaml 
@@ -8,32 +8,32 @@ metadata: chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} - component: authmethod + component: auth-method roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: "system:auth-delegator" subjects: - kind: ServiceAccount - name: {{ template "consul.fullname" . }}-authmethod + name: {{ template "consul.fullname" . }}-auth-method namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "consul.fullname" . }}-authmethod + name: {{ template "consul.fullname" . }}-auth-method labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} - component: authmethod + component: auth-method roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "consul.fullname" . }}-authmethod + name: {{ template "consul.fullname" . }}-auth-method subjects: - kind: ServiceAccount - name: {{ template "consul.fullname" . }}-authmethod + name: {{ template "consul.fullname" . }}-auth-method namespace: {{ .Release.Namespace }} {{- end }} diff --git a/charts/consul/templates/authmethod-serviceaccount.yaml b/charts/consul/templates/auth-method-serviceaccount.yaml similarity index 83% rename from charts/consul/templates/authmethod-serviceaccount.yaml rename to charts/consul/templates/auth-method-serviceaccount.yaml index bfb50dc0dd..098339b8c8 100644 --- a/charts/consul/templates/authmethod-serviceaccount.yaml +++ b/charts/consul/templates/auth-method-serviceaccount.yaml 
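Review bot: Renaming the subject of the `system:auth-delegator` binding to `{{ template "consul.fullname" . }}-auth-method` makes `helm upgrade` delete the old `-authmethod` ServiceAccount and create a new one, which invalidates the old account's token. The server-acl-init code reads this ServiceAccount's secret when it builds the Consul auth method, so an auth method configured before the upgrade presumably still carries the old credential. Logins through it may fail until the job reruns and refreshes it, but whether the job updates an existing auth method is not visible in this diff. An upgrade note in the changelog would cover this, plus a template comment on the binding such as `# Grants TokenReview rights to the auth-method ServiceAccount; the name must match what server-acl-init looks up.`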
@@ -2,14 +2,14 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "consul.fullname" . }}-authmethod + name: {{ template "consul.fullname" . }}-auth-method namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} - component: authmethod + component: auth-method {{- with .Values.global.imagePullSecrets }} imagePullSecrets: {{- range . }} diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml index 48d38e6ac6..04f4e2de3e 100644 --- a/charts/consul/templates/server-acl-init-job.yaml +++ b/charts/consul/templates/server-acl-init-job.yaml @@ -169,7 +169,7 @@ spec: {{- end }} {{- if .Values.syncCatalog.enabled }} - -create-sync-policy=true \ + -sync-catalog=true \ {{- if .Values.syncCatalog.consulNodeName }} -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ {{- end }} diff --git a/charts/consul/templates/server-acl-init-role.yaml b/charts/consul/templates/server-acl-init-role.yaml index 9e38f55310..eb7b6a928e 100644 --- a/charts/consul/templates/server-acl-init-role.yaml +++ b/charts/consul/templates/server-acl-init-role.yaml @@ -23,7 +23,7 @@ rules: resources: - serviceaccounts resourceNames: - - {{ template "consul.fullname" . }}-authmethod + - {{ template "consul.fullname" . }}-auth-method verbs: - get {{- if .Values.global.enablePodSecurityPolicies }} diff --git a/charts/consul/test/unit/authmethod-clusterrole.bats b/charts/consul/test/unit/auth-method-clusterrole.bats similarity index 55% rename from charts/consul/test/unit/authmethod-clusterrole.bats rename to charts/consul/test/unit/auth-method-clusterrole.bats index 0888ea373b..935a448161 100644 --- a/charts/consul/test/unit/authmethod-clusterrole.bats +++ b/charts/consul/test/unit/auth-method-clusterrole.bats 
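Review bot: The `resourceNames` entry in server-acl-init-role.yaml is the only thing allowing the job to `get` the auth-method ServiceAccount, and it must match the hard-coded `c.withPrefix("auth-method")` in connect_inject.go character for character. If the chart and the binary ever disagree, the lookup is forbidden and `untilSucceeds` will presumably keep retrying rather than fail with a clear message. A comment above the entry would record the coupling, for example `# Must equal the name server-acl-init derives via withPrefix("auth-method"); a mismatch denies the get.` The same literal is repeated in the ServiceAccount, ClusterRole and ClusterRoleBinding templates and in the Go tests.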
@@ -2,17 +2,17 @@ load _helpers -@test "authmethod/ClusterRole: disabled by default" { +@test "auth-method/ClusterRole: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/authmethod-clusterrole.yaml \ + -s templates/auth-method-clusterrole.yaml \ . } -@test "authmethod/ClusterRole: enabled with global.acls.manageSystemACLs true" { +@test "auth-method/ClusterRole: enabled with global.acls.manageSystemACLs true" { cd `chart_dir` local actual=$(helm template \ - -s templates/authmethod-clusterrole.yaml \ + -s templates/auth-method-clusterrole.yaml \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | yq -s 'length > 0' | tee /dev/stderr) diff --git a/charts/consul/test/unit/authmethod-clusterrolebinding.bats b/charts/consul/test/unit/auth-method-clusterrolebinding.bats similarity index 52% rename from charts/consul/test/unit/authmethod-clusterrolebinding.bats rename to charts/consul/test/unit/auth-method-clusterrolebinding.bats index 21b96d0bbb..dcb293ba14 100644 --- a/charts/consul/test/unit/authmethod-clusterrolebinding.bats +++ b/charts/consul/test/unit/auth-method-clusterrolebinding.bats @@ -2,17 +2,17 @@ load _helpers -@test "authmethod/ClusterRoleBinding: disabled by default" { +@test "auth-method/ClusterRoleBinding: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/authmethod-clusterrolebinding.yaml \ + -s templates/auth-method-clusterrolebinding.yaml \ . } -@test "authmethod/ClusterRoleBinding: enabled with global.acls.manageSystemACLs true" { +@test "auth-method/ClusterRoleBinding: enabled with global.acls.manageSystemACLs true" { cd `chart_dir` local actual=$(helm template \ - -s templates/authmethod-clusterrolebinding.yaml \ + -s templates/auth-method-clusterrolebinding.yaml \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | yq -s 'length > 0' | tee /dev/stderr) 
diff --git a/charts/consul/test/unit/authmethod-serviceaccount.bats b/charts/consul/test/unit/auth-method-serviceaccount.bats similarity index 70% rename from charts/consul/test/unit/authmethod-serviceaccount.bats rename to charts/consul/test/unit/auth-method-serviceaccount.bats index 8cf9633cae..9413a03291 100644 --- a/charts/consul/test/unit/authmethod-serviceaccount.bats +++ b/charts/consul/test/unit/auth-method-serviceaccount.bats @@ -2,17 +2,17 @@ load _helpers -@test "authMethod/ServiceAccount: disabled by default" { +@test "auth-method/ServiceAccount: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/authmethod-serviceaccount.yaml \ + -s templates/auth-method-serviceaccount.yaml \ . } -@test "authMethod/ServiceAccount: enabled with global.acls.manageSystemACLs.enabled true" { +@test "auth-method/ServiceAccount: enabled with global.acls.manageSystemACLs.enabled true" { cd `chart_dir` local actual=$(helm template \ - -s templates/authmethod-serviceaccount.yaml \ + -s templates/auth-method-serviceaccount.yaml \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | yq -s 'length > 0' | tee /dev/stderr) @@ -22,10 +22,10 @@ load _helpers #-------------------------------------------------------------------- # global.imagePullSecrets -@test "authMethod/ServiceAccount: can set image pull secrets" { +@test "auth-method/ServiceAccount: can set image pull secrets" { cd `chart_dir` local object=$(helm template \ - -s templates/authmethod-serviceaccount.yaml \ + -s templates/auth-method-serviceaccount.yaml \ --set 'global.acls.manageSystemACLs=true' \ --set 'global.imagePullSecrets[0].name=my-secret' \ --set 'global.imagePullSecrets[1].name=my-secret2' \ diff --git a/charts/consul/test/unit/server-acl-init-job.bats b/charts/consul/test/unit/server-acl-init-job.bats index 93b4e8429e..5cbd5a7b8f 100644 --- a/charts/consul/test/unit/server-acl-init-job.bats +++ b/charts/consul/test/unit/server-acl-init-job.bats 
@@ -249,7 +249,7 @@ load _helpers -s templates/server-acl-init-job.yaml \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-policy"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].command | any(contains("-sync-catalog"))' | tee /dev/stderr) [ "${actual}" = "false" ] } @@ -260,7 +260,7 @@ load _helpers --set 'global.acls.manageSystemACLs=true' \ --set 'syncCatalog.enabled=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-policy"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].command | any(contains("-sync-catalog"))' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/control-plane/subcommand/server-acl-init/command.go b/control-plane/subcommand/server-acl-init/command.go index c6abed92cf..82d35193d3 100644 --- a/control-plane/subcommand/server-acl-init/command.go +++ b/control-plane/subcommand/server-acl-init/command.go @@ -42,7 +42,7 @@ type Command struct { flagCreateClientToken bool - flagCreateSyncPolicy bool + flagSyncCatalog bool flagSyncConsulNodeName string flagConnectInject bool @@ -126,7 +126,7 @@ func (c *Command) init() { c.flags.BoolVar(&c.flagCreateClientToken, "create-client-token", true, "Toggle for creating a client agent token. Default is true.") - c.flags.BoolVar(&c.flagCreateSyncPolicy, "create-sync-policy", false, + c.flags.BoolVar(&c.flagSyncCatalog, "sync-catalog", false, "Toggle for creating a catalog sync policy.") c.flags.StringVar(&c.flagSyncConsulNodeName, "sync-consul-node-name", "k8s-sync", "The Consul node name to register for catalog sync. Defaults to k8s-sync. To be discoverable "+ @@ -481,7 +481,7 @@ func (c *Command) Run(args []string) int { } } - if c.flagCreateSyncPolicy { + if c.flagSyncCatalog { syncRules, err := c.syncRules() if err != nil { c.log.Error("Error templating sync rules", "err", err) 
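Review bot: In `init()` the flag `create-sync-policy` is replaced outright by `sync-catalog` with no alias, so a chart and a control-plane image from opposite sides of this commit pass a flag the binary does not define. That would be rejected at flag parsing, and the ACL bootstrap job would fail before any policy is created. If the image can be pinned independently of the chart, keep the old name for a release by registering it on the same field: `c.flags.BoolVar(&c.flagSyncCatalog, "create-sync-policy", false, "Deprecated: use -sync-catalog.")`. The help text "Toggle for creating a catalog sync policy." could also say that the flag now mirrors `syncCatalog.enabled`. The matching template change is the `-sync-catalog=true \` line in server-acl-init-job.yaml.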
@@ -499,9 +499,9 @@ func (c *Command) Run(args []string) int { if !primary { componentAuthMethodName = globalComponentAuthMethodName } - err = c.createACLPolicyRoleAndBindingRule("sync-catalog", syncRules, consulDC, primaryDC, globalToken, primary, componentAuthMethodName, serviceAccountName, consulClient) + err = c.createACLPolicyRoleAndBindingRule("sync-catalog", syncRules, consulDC, primaryDC, globalPolicy, primary, componentAuthMethodName, serviceAccountName, consulClient) } else { - err = c.createACLPolicyRoleAndBindingRule("sync-catalog", syncRules, consulDC, primaryDC, localToken, primary, componentAuthMethodName, serviceAccountName, consulClient) + err = c.createACLPolicyRoleAndBindingRule("sync-catalog", syncRules, consulDC, primaryDC, localPolicy, primary, componentAuthMethodName, serviceAccountName, consulClient) } if err != nil { c.log.Error(err.Error()) diff --git a/control-plane/subcommand/server-acl-init/command_ent_test.go b/control-plane/subcommand/server-acl-init/command_ent_test.go index 270893e765..a7e3f71e51 100644 --- a/control-plane/subcommand/server-acl-init/command_ent_test.go +++ b/control-plane/subcommand/server-acl-init/command_ent_test.go @@ -287,7 +287,7 @@ func TestRun_ACLPolicyUpdates(t *testing.T) { "-create-client-token", "-allow-dns", "-create-mesh-gateway-token", - "-create-sync-policy", + "-sync-catalog", "-connect-inject", "-create-snapshot-agent-token", "-create-enterprise-license-token", @@ -1073,7 +1073,7 @@ func TestRun_NamespaceEnabled_ValidateLoginToken_PrimaryDatacenter(t *testing.T) }, { ComponentName: "sync-catalog", - TokenFlags: []string{"-create-sync-policy"}, + TokenFlags: []string{"-sync-catalog"}, Roles: []string{resourcePrefix + "-sync-catalog-acl-role"}, Namespace: ns, GlobalToken: false, 
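Review bot: The two `createACLPolicyRoleAndBindingRule("sync-catalog", ...)` calls differ only in the fifth positional argument, `globalPolicy` versus `localPolicy`, which sits next to `primary` in a nine-argument call. If both are booleans (their declarations are not in any visible hunk), a swapped or wrong value compiles silently. That argument presumably decides whether the sync-catalog policy is limited to the local datacenter, so it is worth making the choice explicit: set `policyScope := localPolicy` before the branch, assign `policyScope = globalPolicy` where the global auth method is selected, and make a single call. A one-line comment should say why the secondary-datacenter case needs the wider scope. Please also confirm that the constants themselves are renamed in this commit; the enclosing `if` begins outside the hunk.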
@@ -1164,7 +1164,7 @@ func TestRun_NamespaceEnabled_ValidateLoginToken_SecondaryDatacenter(t *testing. }, { ComponentName: "sync-catalog", - TokenFlags: []string{"-create-sync-policy"}, + TokenFlags: []string{"-sync-catalog"}, Roles: []string{resourcePrefix + "-sync-catalog-acl-role-dc2"}, Namespace: ns, GlobalToken: true, diff --git a/control-plane/subcommand/server-acl-init/command_test.go b/control-plane/subcommand/server-acl-init/command_test.go index 3f1408581e..50dd929fe9 100644 --- a/control-plane/subcommand/server-acl-init/command_test.go +++ b/control-plane/subcommand/server-acl-init/command_test.go @@ -1013,7 +1013,7 @@ func TestRun_SyncPolicyUpdates(t *testing.T) { "-k8s-namespace=" + ns, "-server-address", strings.Split(testSvr.HTTPAddr, ":")[0], "-server-port", strings.Split(testSvr.HTTPAddr, ":")[1], - "-create-sync-policy", + "-sync-catalog", } firstRunArgs := append(commonArgs, "-sync-consul-node-name=k8s-sync", @@ -1122,7 +1122,7 @@ func TestRun_ErrorsOnDuplicateACLPolicy(t *testing.T) { "-k8s-namespace=" + ns, "-server-address", strings.Split(testAgent.HTTPAddr, ":")[0], "-server-port", strings.Split(testAgent.HTTPAddr, ":")[1], - "-create-sync-policy", + "-sync-catalog", } responseCode := cmd.Run(cmdArgs) @@ -2159,7 +2159,7 @@ func TestRun_PoliciesAndBindingRulesForACLLogin_PrimaryDatacenter(t *testing.T) }, { TestName: "Sync Catalog", - TokenFlags: []string{"-create-sync-policy"}, + TokenFlags: []string{"-sync-catalog"}, PolicyNames: []string{"sync-catalog-policy"}, Roles: []string{resourcePrefix + "-sync-catalog-acl-role"}, }, @@ -2269,7 +2269,7 @@ func TestRun_PoliciesAndBindingRulesACLLogin_SecondaryDatacenter(t *testing.T) { }, { TestName: "Sync Catalog", - TokenFlags: []string{"-create-sync-policy"}, + TokenFlags: []string{"-sync-catalog"}, PolicyNames: []string{"sync-catalog-policy-" + secondaryDatacenter}, Roles: []string{resourcePrefix + "-sync-catalog-acl-role-" + secondaryDatacenter}, GlobalAuthMethod: false, 
@@ -2377,7 +2377,7 @@ func TestRun_ValidateLoginToken_PrimaryDatacenter(t *testing.T) { }, { ComponentName: "sync-catalog", - TokenFlags: []string{"-create-sync-policy"}, + TokenFlags: []string{"-sync-catalog"}, Roles: []string{resourcePrefix + "-sync-catalog-acl-role"}, }, } @@ -2470,7 +2470,7 @@ func TestRun_ValidateLoginToken_SecondaryDatacenter(t *testing.T) { }, { ComponentName: "sync-catalog", - TokenFlags: []string{"-create-sync-policy"}, + TokenFlags: []string{"-sync-catalog"}, Roles: []string{resourcePrefix + "-sync-catalog-acl-role-dc2"}, GlobalAuthMethod: false, }, @@ -2803,7 +2803,7 @@ func getBootToken(t *testing.T, k8s *fake.Clientset, prefix string, k8sNamespace func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) (string, string) { // Create ServiceAccount for the kubernetes auth method if it doesn't exist, // otherwise, do nothing. - serviceAccountName := resourcePrefix + "-authmethod" + serviceAccountName := resourcePrefix + "-auth-method" sa, _ := k8s.CoreV1().ServiceAccounts(namespace).Get(context.Background(), serviceAccountName, metav1.GetOptions{}) if sa == nil { // Create a service account that references two secrets. @@ -2820,7 +2820,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) Name: resourcePrefix + "-some-other-secret", }, { - Name: resourcePrefix + "-authmethod", + Name: resourcePrefix + "-auth-method", }, }, }, @@ -2835,7 +2835,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) require.NoError(t, err) // Create a Kubernetes secret if it doesn't exist, otherwise update it - secretName := resourcePrefix + "-authmethod" + secretName := resourcePrefix + "-auth-method" secret := &v1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: secretName, diff --git a/control-plane/subcommand/server-acl-init/connect_inject.go b/control-plane/subcommand/server-acl-init/connect_inject.go index 5f7d9a4c47..64666b01d2 100644 
--- a/control-plane/subcommand/server-acl-init/connect_inject.go +++ b/control-plane/subcommand/server-acl-init/connect_inject.go @@ -83,7 +83,7 @@ func (c *Command) configureConnectInjectAuthMethod(consulClient *api.Client, aut func (c *Command) createAuthMethodTmpl(authMethodName string, useNS bool) (api.ACLAuthMethod, error) { // Get the Secret name for the auth method ServiceAccount. var authMethodServiceAccount *apiv1.ServiceAccount - serviceAccountName := c.withPrefix("authmethod") + serviceAccountName := c.withPrefix("auth-method") err := c.untilSucceeds(fmt.Sprintf("getting %s ServiceAccount", serviceAccountName), func() error { var err error diff --git a/control-plane/subcommand/server-acl-init/connect_inject_test.go b/control-plane/subcommand/server-acl-init/connect_inject_test.go index 8a9793610b..959f02e178 100644 --- a/control-plane/subcommand/server-acl-init/connect_inject_test.go +++ b/control-plane/subcommand/server-acl-init/connect_inject_test.go @@ -30,7 +30,7 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { ctx: ctx, } - serviceAccountName := resourcePrefix + "-authmethod" + serviceAccountName := resourcePrefix + "-auth-method" secretName := resourcePrefix + "-connect-injector" // Create a service account referencing secretName @@ -65,5 +65,5 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { require.NoError(t, err) _, err = cmd.createAuthMethodTmpl("test", true) - require.EqualError(t, err, "found no secret of type 'kubernetes.io/service-account-token' associated with the release-name-consul-authmethod service account") + require.EqualError(t, err, "found no secret of type 'kubernetes.io/service-account-token' associated with the release-name-consul-auth-method service account") } diff --git a/control-plane/subcommand/server-acl-init/create_or_update.go b/control-plane/subcommand/server-acl-init/create_or_update.go index 1c869b11bf..291eead327 100644 
--- a/control-plane/subcommand/server-acl-init/create_or_update.go +++ b/control-plane/subcommand/server-acl-init/create_or_update.go @@ -313,7 +313,7 @@ func (c *Command) createOrUpdateACLPolicy(policy api.ACLPolicy, consulClient *ap // Allowing the Consul node name to be configurable also requires any sync // policy to be updated in case the node name has changed. if isPolicyExistsErr(err, policy.Name) { - if c.flagEnableNamespaces || c.flagCreateSyncPolicy { + if c.flagEnableNamespaces || c.flagSyncCatalog { c.log.Info(fmt.Sprintf("Policy %q already exists, updating", policy.Name)) // The policy ID is required in any PolicyUpdate call, so first we need to diff --git a/control-plane/subcommand/server-acl-init/create_or_update_test.go b/control-plane/subcommand/server-acl-init/create_or_update_test.go index a9e8f0704a..5cd01fac25 100644 --- a/control-plane/subcommand/server-acl-init/create_or_update_test.go +++ b/control-plane/subcommand/server-acl-init/create_or_update_test.go @@ -20,10 +20,10 @@ func TestCreateOrUpdateACLPolicy_ErrorsIfDescriptionDoesNotMatch(t *testing.T) { ui := cli.NewMockUi() k8s := fake.NewSimpleClientset() cmd := Command{ - UI: ui, - clientset: k8s, - log: hclog.NewNullLogger(), - flagCreateSyncPolicy: true, + UI: ui, + clientset: k8s, + log: hclog.NewNullLogger(), + flagSyncCatalog: true, } // Start Consul.
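Review bot: In `createOrUpdateACLPolicy`, the condition `c.flagEnableNamespaces || c.flagSyncCatalog` gates the update path for whatever `policy` was passed in, not just the sync-catalog policy that the comment above it describes. With `-sync-catalog` set, any policy that already exists under the same name therefore takes the "already exists, updating" branch; the rest of the function is outside the hunk, so any later guard is not visible. Now that the field reads like a feature toggle rather than "create sync policy", the reason it appears here is harder to see. Either narrow the check to the sync policy's name, or add a comment such as `// flagSyncCatalog: the sync policy embeds the configurable node name, so existing policies are rewritten on rerun.`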