Support Consul Ent NS's for CRDs

hashicorp · Sep 10, 2020 · c4246a8 · c4246a8
1 parent 3a61dfe
commit c4246a8
Show file tree

Hide file tree

Showing 19 changed files with 706 additions and 218 deletions.
diff --git a/api/v1alpha1/servicedefaults_types.go b/api/v1alpha1/servicedefaults_types.go
@@ -54,9 +54,8 @@ func init() {
 // ToConsul converts the entry into it's Consul equivalent struct.
 func (s *ServiceDefaults) ToConsul() *capi.ServiceConfigEntry {
 	return &capi.ServiceConfigEntry{
-		Kind: capi.ServiceDefaults,
-		Name: s.Name,
-		//Namespace: s.Namespace, // todo: don't set this unless enterprise
+		Kind:        capi.ServiceDefaults,
+		Name:        s.Name,
 		Protocol:    s.Spec.Protocol,
 		MeshGateway: s.Spec.MeshGateway.toConsul(),
 		Expose:      s.Spec.Expose.toConsul(),

diff --git a/api/v1alpha1/servicedefaults_webhook_test.go b/api/v1alpha1/servicedefaults_webhook_test.go
@@ -45,7 +45,7 @@ func TestRun_HandleErrorsIfServiceDefaultsWithSameNameExists(t *testing.T) {
 	validator := &serviceDefaultsValidator{
 		Client:       client,
 		ConsulClient: consulClient,
-		Logger:       logrtest.NullLogger{},
+		Logger:       logrtest.TestLogger{T: t},
 	}
 
 	decoder, err := admission.NewDecoder(scheme.Scheme)

diff --git a/catalog/to-consul/syncer.go b/catalog/to-consul/syncer.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/cenkalti/backoff"
 	"github.com/deckarep/golang-set"
+	"github.com/hashicorp/consul-k8s/namespaces"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/go-hclog"
 )
@@ -417,9 +418,7 @@ func (s *ConsulSyncer) syncFull(ctx context.Context) {
 	for _, services := range s.namespaces {
 		for _, r := range services {
 			if s.EnableNamespaces {
-				// Check and potentially create the service's namespace if
-				// it doesn't already exist
-				err := s.checkAndCreateNamespace(r.Service.Namespace)
+				err := namespaces.EnsureExists(s.Client, r.Service.Namespace, s.CrossNamespaceACLPolicy)
 				if err != nil {
 					s.Log.Warn("error checking and creating Consul namespace",
 						"node-name", r.Node,
@@ -475,40 +474,3 @@ func (s *ConsulSyncer) init() {
 		s.initialSync = make(chan bool)
 	}
 }
-
-func (s *ConsulSyncer) checkAndCreateNamespace(ns string) error {
-	// Check if the Consul namespace exists
-	namespaceInfo, _, err := s.Client.Namespaces().Read(ns, nil)
-	if err != nil {
-		return err
-	}
-
-	// If not, create it
-	if namespaceInfo == nil {
-		var aclConfig api.NamespaceACLConfig
-		if s.CrossNamespaceACLPolicy != "" {
-			// Create the ACLs config for the cross-Consul-namespace
-			// default policy that needs to be attached
-			aclConfig = api.NamespaceACLConfig{
-				PolicyDefaults: []api.ACLLink{
-					{Name: s.CrossNamespaceACLPolicy},
-				},
-			}
-		}
-
-		consulNamespace := api.Namespace{
-			Name:        ns,
-			Description: "Auto-generated by a Catalog Sync Process",
-			ACLs:        &aclConfig,
-			Meta:        map[string]string{"external-source": "kubernetes"},
-		}
-
-		_, _, err = s.Client.Namespaces().Create(&consulNamespace, nil)
-		if err != nil {
-			return err
-		}
-		s.Log.Info("creating consul namespace", "name", consulNamespace.Name)
-	}
-
-	return nil
-}
diff --git a/connect-inject/handler.go b/connect-inject/handler.go
@@ -9,6 +9,7 @@ import (
 	"strconv"
 
 	"github.com/deckarep/golang-set"
+	"github.com/hashicorp/consul-k8s/namespaces"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/go-hclog"
 	"github.com/mattbaird/jsonpatch"
@@ -370,8 +371,7 @@ func (h *Handler) Mutate(req *v1beta1.AdmissionRequest) *v1beta1.AdmissionRespon
 	// all patches are created to guarantee no errors were encountered in
 	// that process before modifying the Consul cluster.
 	if h.EnableNamespaces {
-		// Check if the namespace exists. If not, create it.
-		if err := h.checkAndCreateNamespace(h.consulNamespace(req.Namespace)); err != nil {
+		if err := namespaces.EnsureExists(h.ConsulClient, h.consulNamespace(req.Namespace), h.CrossNamespaceACLPolicy); err != nil {
 			h.Log.Error("Error checking or creating namespace", "err", err,
 				"Namespace", h.consulNamespace(req.Namespace), "Request Name", req.Name)
 			return &v1beta1.AdmissionResponse{
@@ -503,42 +503,6 @@ func (h *Handler) consulNamespace(ns string) string {
 	}
 }
 
-func (h *Handler) checkAndCreateNamespace(ns string) error {
-	// Check if the Consul namespace exists
-	namespaceInfo, _, err := h.ConsulClient.Namespaces().Read(ns, nil)
-	if err != nil {
-		return err
-	}
-
-	// If not, create it
-	if namespaceInfo == nil {
-		var aclConfig api.NamespaceACLConfig
-		if h.CrossNamespaceACLPolicy != "" {
-			// Create the ACLs config for the cross-Consul-namespace
-			// default policy that needs to be attached
-			aclConfig = api.NamespaceACLConfig{
-				PolicyDefaults: []api.ACLLink{
-					{Name: h.CrossNamespaceACLPolicy},
-				},
-			}
-		}
-
-		consulNamespace := api.Namespace{
-			Name:        ns,
-			Description: "Auto-generated by a Connect Injector",
-			ACLs:        &aclConfig,
-			Meta:        map[string]string{"external-source": "kubernetes"},
-		}
-
-		_, _, err = h.ConsulClient.Namespaces().Create(&consulNamespace, nil)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
 func portValue(pod *corev1.Pod, value string) (int32, error) {
 	// First search for the named port
 	for _, c := range pod.Spec.Containers {

diff --git a/connect-inject/handler_ent_test.go b/connect-inject/handler_ent_test.go
@@ -225,7 +225,7 @@ func TestHandler_MutateWithNamespaces(t *testing.T) {
 
 				// Check created namespace properties
 				if ns != "default" {
-					require.Equalf("Auto-generated by a Connect Injector", actNamespace.Description,
+					require.Equalf("Auto-generated by consul-k8s", actNamespace.Description,
 						"wrong namespace description for namespace %s", ns)
 					require.Containsf(actNamespace.Meta, "external-source",
 						"namespace %s does not contain external-source metadata key", ns)
@@ -420,7 +420,6 @@ func TestHandler_MutateWithNamespaces_ACLs(t *testing.T) {
 			a, err := testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) {
 				c.ACL.Enabled = true
 			})
-			require.NoError(t, err)
 			defer a.Stop()
 
 			// Set up a client for bootstrapping
@@ -489,7 +488,7 @@ func TestHandler_MutateWithNamespaces_ACLs(t *testing.T) {
 
 				// Check created namespace properties
 				if ns != "default" {
-					require.Equalf(t, "Auto-generated by a Connect Injector", actNamespace.Description,
+					require.Equalf(t, "Auto-generated by consul-k8s", actNamespace.Description,
 						"wrong namespace description for namespace %s", ns)
 					require.Containsf(t, actNamespace.Meta, "external-source",
 						"namespace %s does not contain external-source metadata key", ns)