Revert "Merge branch 'main' into curtbushko/agentless-metrics-merging"

This reverts commit 6727942, reversing changes made to 419bcc2.
hashicorp · Oct 19, 2022 · f3863bb · f3863bb
1 parent 062fc11
commit f3863bb
Show file tree

Hide file tree

Showing 13 changed files with 466 additions and 108 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1084,6 +1084,67 @@ jobs:
           fail_only: true
           failure_message: "OpenShift acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}"
 
+  acceptance-kind-1-23-consul-nightly-1-11:
+    environment:
+      - TEST_RESULTS: /tmp/test-results
+      - CONSUL_IMAGE: "docker.mirror.hashicorp.services/hashicorppreview/consul-enterprise:1.11-dev"
+      - ENVOY_IMAGE: "envoyproxy/envoy:v1.20.2"
+      - CONSUL_K8S_IMAGE: "docker.mirror.hashicorp.services/hashicorp/consul-k8s-control-plane:0.49.0"
+      - HELM_CHART_VERSION: "0.49.0"
+    machine:
+      image: ubuntu-2004:202010-01
+    resource_class: xlarge
+    steps:
+      - run: 
+          name: checkout code
+          command: |
+            if [ -e '/home/circleci/project/.git' ] ; then
+              echo 'Fetching into existing repository'
+              existing_repo='true'
+              cd '/home/circleci/project'
+              git remote set-url origin "$CIRCLE_REPOSITORY_URL" || true
+            else
+              echo 'Cloning git repository'
+              existing_repo='false'
+              mkdir -p '/home/circleci/project'
+              cd '/home/circleci/project'
+              git clone --no-checkout "$CIRCLE_REPOSITORY_URL" .
+            fi
+
+            if [ "$existing_repo" = 'true' ] || [ 'false' = 'true' ]; then
+              echo 'Fetching from remote repository'
+                git fetch --force --tags origin
+            fi
+
+            echo 'Checking out tag'
+            git checkout --force "v$HELM_CHART_VERSION"
+      - install-prereqs
+      - create-kind-clusters:
+          version: "v1.23.0"
+      - restore_cache:
+          keys:
+            - consul-helm-modcache-v2-{{ checksum "acceptance/go.mod" }}
+      - run:
+          name: go mod download
+          working_directory: *acceptance-mod-path
+          command: go mod download
+      - save_cache:
+          key: consul-helm-modcache-v2-{{ checksum "acceptance/go.mod" }}
+          paths:
+            - ~/.go_workspace/pkg/mod
+      - run: mkdir -p $TEST_RESULTS
+      - run-acceptance-tests:
+          consul-k8s-image: $CONSUL_K8S_IMAGE
+          additional-flags: -use-kind -kubecontext="kind-dc1" -secondary-kubecontext="kind-dc2" -consul-image=$CONSUL_IMAGE -consul-version="1.11" -envoy-image=$ENVOY_IMAGE -helm-chart-version=$HELM_CHART_VERSION
+      - store_test_results:
+          path: /tmp/test-results
+      - store_artifacts:
+          path: /tmp/test-results
+      - slack/status:
+          channel: *slack-channel
+          fail_only: true
+          failure_message: "Acceptance tests against Kind with Kubernetes v1.23 with Consul 1.11 nightly failed. Check the logs at: ${CIRCLE_BUILD_URL}"
+
   acceptance-kind-1-23-consul-nightly-1-12:
     environment:
       - TEST_RESULTS: /tmp/test-results
@@ -1292,5 +1353,6 @@ workflows:
               only:
                 - main
     jobs:
+      - acceptance-kind-1-23-consul-nightly-1-11
       - acceptance-kind-1-23-consul-nightly-1-12
       - acceptance-kind-1-23-consul-nightly-1-13
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/LICENSE → LICENSE.md b/LICENSE → LICENSE.md
@@ -1,5 +1,3 @@
-Copyright (c) 2018 HashiCorp, Inc.
-
 Mozilla Public License, version 2.0
 
 1. Definitions

diff --git a/acceptance/tests/partitions/partitions_connect_test.go b/acceptance/tests/partitions/partitions_connect_test.go
@@ -118,6 +118,7 @@ func TestPartitions_Connect(t *testing.T) {
 			// share the same node network (docker bridge), we can use
 			// a NodePort service so that we can access node(s) in a different Kind cluster.
 			if cfg.UseKind {
+				defaultPartitionHelmValues["global.adminPartitions.service.type"] = "NodePort"
 				defaultPartitionHelmValues["meshGateway.service.type"] = "NodePort"
 				defaultPartitionHelmValues["meshGateway.service.nodePort"] = "30200" // todo: do we need to set this port?
 				defaultPartitionHelmValues["server.exposeService.type"] = "NodePort"

diff --git a/acceptance/tests/partitions/partitions_sync_test.go b/acceptance/tests/partitions/partitions_sync_test.go
@@ -114,8 +114,8 @@ func TestPartitions_Sync(t *testing.T) {
 			// share the same node network (docker bridge), we can use
 			// a NodePort service so that we can access node(s) in a different Kind cluster.
 			if cfg.UseKind {
-				serverHelmValues["server.exposeService.type"] = "NodePort"
-				serverHelmValues["server.exposeService.nodePort.https"] = "30000"
+				serverHelmValues["global.adminPartitions.service.type"] = "NodePort"
+				serverHelmValues["global.adminPartitions.service.nodePort.https"] = "30000"
 			}
 
 			releaseName := helpers.RandomName()

diff --git a/acceptance/tests/vault/vault_partitions_test.go b/acceptance/tests/vault/vault_partitions_test.go
@@ -346,10 +346,11 @@ func TestVault_Partitions(t *testing.T) {
 	// share the same node network (docker bridge), we can use
 	// a NodePort service so that we can access node(s) in a different Kind cluster.
 	if cfg.UseKind {
+		serverHelmValues["global.adminPartitions.service.type"] = "NodePort"
+		serverHelmValues["global.adminPartitions.service.nodePort.https"] = "30000"
 		serverHelmValues["meshGateway.service.type"] = "NodePort"
 		serverHelmValues["meshGateway.service.nodePort"] = "30100"
 		serverHelmValues["server.exposeService.type"] = "NodePort"
-		serverHelmValues["server.exposeService.nodePort.https"] = "30000"
 	}
 
 	helpers.MergeMaps(serverHelmValues, commonHelmValues)

diff --git a/charts/consul/templates/connect-injector-disruptionbudget.yaml b/charts/consul/templates/connect-injector-disruptionbudget.yaml
@@ -17,11 +17,7 @@ metadata:
     release: {{ .Release.Name }}
     component: connect-injector
 spec:
-  {{- if .Values.connectInject.disruptionBudget.minAvailable }}
-  minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }}
-  {{- else }}
   maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }}
-  {{- end }}
   selector:
     matchLabels:
       app: {{ template "consul.name" . }}

diff --git a/charts/consul/templates/partition-service.yaml b/charts/consul/templates/partition-service.yaml
@@ -0,0 +1,45 @@
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (and .Values.global.adminPartitions.enabled $serverEnabled) }}
+# Service with an external IP for clients in non-default Admin Partitions
+# to discover Consul servers. This service should only point to Consul servers.
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "consul.fullname" . }}-partition
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: server
+  annotations:
+    {{- if .Values.global.adminPartitions.service.annotations }}
+    {{ tpl .Values.global.adminPartitions.service.annotations . | nindent 4 | trim }}
+    {{- end }}
+spec:
+  type: "{{ .Values.global.adminPartitions.service.type }}"
+  ports:
+    - name: https
+      port: 8501
+      targetPort: 8501
+      {{ if (and (eq .Values.global.adminPartitions.service.type "NodePort") .Values.global.adminPartitions.service.nodePort.https) }}
+      nodePort: {{ .Values.global.adminPartitions.service.nodePort.https }}
+      {{- end }}
+    - name: serflan
+      port: 8301
+      targetPort: 8301
+      {{ if (and (eq .Values.global.adminPartitions.service.type "NodePort") .Values.global.adminPartitions.service.nodePort.serf) }}
+      nodePort: {{ .Values.global.adminPartitions.service.nodePort.serf }}
+      {{- end }}
+    - name: server
+      port: 8300
+      targetPort: 8300
+      {{ if (and (eq .Values.global.adminPartitions.service.type "NodePort") .Values.global.adminPartitions.service.nodePort.rpc) }}
+      nodePort: {{ .Values.global.adminPartitions.service.nodePort.rpc }}
+      {{- end }}
+  selector:
+    app: {{ template "consul.name" . }}
+    release: "{{ .Release.Name }}"
+    component: server
+{{- end }}
diff --git a/charts/consul/templates/server-service.yaml b/charts/consul/templates/server-service.yaml
@@ -19,6 +19,10 @@ metadata:
     {{- if .Values.server.service.annotations }}
     {{ tpl .Values.server.service.annotations . | nindent 4 | trim }}
     {{- end }}
+    # This must be set in addition to publishNotReadyAddresses due
+    # to an open issue where it may not work:
+    # https://github.com/kubernetes/kubernetes/issues/58662
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
   clusterIP: None
   # We want the servers to become available even if they're not ready

diff --git a/charts/consul/test/unit/connect-injector-disruptionbudget.bats b/charts/consul/test/unit/connect-injector-disruptionbudget.bats
@@ -163,35 +163,3 @@ load _helpers
 # no flag to *remove* an API version so some Helm versions will always have
 # policy/v1 support and will always use that API version.
 
-
-#--------------------------------------------------------------------
-# minAvailable
-
-@test "connect-injector/DisruptionBudget: correct minAvailable when set" {
-  cd `chart_dir`
-  local tpl=$(helm template \
-      -s templates/connect-injector-disruptionbudget.yaml  \
-      --set 'connectInject.replicas=1' \
-      --set 'global.enabled=true' \
-      --set 'connectInject.enabled=true' \
-      --set 'connectInject.disruptionBudget.enabled=true' \
-      --set 'connectInject.disruptionBudget.minAvailable=1' \
-      . | tee /dev/stderr)
-  [ $(echo "$tpl" | yq '.spec.minAvailable') = "1" ]
-  [ $(echo "$tpl" | yq '.spec.maxUnavailable') = "null" ]
-}
-
-@test "connect-injector/DisruptionBudget: correct minAvailable when set with maxUnavailable" {
-  cd `chart_dir`
-  local tpl=$(helm template \
-      -s templates/connect-injector-disruptionbudget.yaml  \
-      --set 'connectInject.replicas=1' \
-      --set 'global.enabled=true' \
-      --set 'connectInject.enabled=true' \
-      --set 'connectInject.disruptionBudget.enabled=true' \
-      --set 'connectInject.disruptionBudget.minAvailable=1' \
-      --set 'connectInject.disruptionBudget.maxUnavailable=2' \
-      . | tee /dev/stderr)
-  [ $(echo "$tpl" | yq '.spec.minAvailable') = "1" ]
-  [ $(echo "$tpl" | yq '.spec.maxUnavailable') = "null" ]
-}
diff --git a/charts/consul/test/unit/partition-service.bats b/charts/consul/test/unit/partition-service.bats
@@ -0,0 +1,141 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "partition/Service: disabled by default" {
+  cd `chart_dir`
+  assert_empty helm template \
+      -s templates/partition-service.yaml  \
+      .
+}
+
+@test "partition/Service: enable with global.enabled false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/partition-service.yaml  \
+      --set 'global.enabled=false' \
+      --set 'server.enabled=true' \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.enableConsulNamespaces=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "partition/Service: disable with adminPartitions.enabled" {
+  cd `chart_dir`
+  assert_empty helm template \
+      -s templates/partition-service.yaml  \
+      --set 'global.adminPartitions.enabled=false' \
+      .
+}
+
+@test "partition/Service: disable with server.enabled" {
+  cd `chart_dir`
+  assert_empty helm template \
+      -s templates/partition-service.yaml  \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.enableConsulNamespaces=true' \
+      --set 'server.enabled=false' \
+      .
+}
+
+@test "partition/Service: disable with global.enabled" {
+  cd `chart_dir`
+  assert_empty helm template \
+      -s templates/partition-service.yaml  \
+      --set 'global.enabled=false' \
+      .
+}
+
+#--------------------------------------------------------------------
+# annotations
+
+@test "partition/Service: no annotations by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/partition-service.yaml  \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.enableConsulNamespaces=true' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations | length' | tee /dev/stderr)
+  [ "${actual}" = "0" ]
+}
+
+@test "partition/Service: can set annotations" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/partition-service.yaml  \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.adminPartitions.service.annotations=key: value' \
+      --set 'global.enableConsulNamespaces=true' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations.key' | tee /dev/stderr)
+  [ "${actual}" = "value" ]
+}
+
+#--------------------------------------------------------------------
+# nodePort
+
+@test "partition/Service: RPC node port can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/partition-service.yaml  \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.adminPartitions.service.type=NodePort' \
+      --set 'global.adminPartitions.service.nodePort.rpc=4443' \
+      --set 'global.enableConsulNamespaces=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[] | select(.name == "server") | .nodePort' | tee /dev/stderr)
+  [ "${actual}" == "4443" ]
+}
+
+@test "partition/Service: Serf node port can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/partition-service.yaml  \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.adminPartitions.service.type=NodePort' \
+      --set 'global.adminPartitions.service.nodePort.serf=4444' \
+      --set 'global.enableConsulNamespaces=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[] | select(.name == "serflan") | .nodePort' | tee /dev/stderr)
+  [ "${actual}" == "4444" ]
+}
+
+@test "partition/Service: HTTPS node port can be set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/partition-service.yaml  \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.adminPartitions.service.type=NodePort' \
+      --set 'global.adminPartitions.service.nodePort.https=4444' \
+      --set 'global.enableConsulNamespaces=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[] | select(.name == "https") | .nodePort' | tee /dev/stderr)
+  [ "${actual}" == "4444" ]
+}
+
+@test "partition/Service: RPC, Serf and HTTPS node ports can be set" {
+  cd `chart_dir`
+  local ports=$(helm template \
+      -s templates/partition-service.yaml  \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.adminPartitions.service.type=NodePort' \
+      --set 'global.adminPartitions.service.nodePort.rpc=4443' \
+      --set 'global.adminPartitions.service.nodePort.https=4444' \
+      --set 'global.adminPartitions.service.nodePort.serf=4445' \
+      --set 'global.enableConsulNamespaces=true' \
+      . | tee /dev/stderr |
+      yq -r '.spec.ports[]' | tee /dev/stderr)
+
+  local actual
+  actual=$(echo $ports | jq -r 'select(.name == "server") | .nodePort' | tee /dev/stderr)
+  [ "${actual}" == "4443" ]
+
+  actual=$(echo $ports | jq -r 'select(.name == "https") | .nodePort' | tee /dev/stderr)
+  [ "${actual}" == "4444" ]
+
+  actual=$(echo $ports | jq -r 'select(.name == "serflan") | .nodePort' | tee /dev/stderr)
+  [ "${actual}" == "4445" ]
+}
diff --git a/charts/consul/test/unit/server-service.bats b/charts/consul/test/unit/server-service.bats
@@ -42,6 +42,11 @@ load _helpers
 # this is such an important part of making everything work we verify it here.
 @test "server/Service: tolerates unready endpoints" {
   cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/server-service.yaml  \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
 
   local actual=$(helm template \
       -s templates/server-service.yaml  \
@@ -98,13 +103,13 @@ load _helpers
 #--------------------------------------------------------------------
 # annotations
 
-@test "server/Service: no annotation by default" {
+@test "server/Service: one annotation by default" {
   cd `chart_dir`
   local actual=$(helm template \
       -s templates/server-service.yaml  \
       . | tee /dev/stderr |
       yq -r '.metadata.annotations | length' | tee /dev/stderr)
-  [ "${actual}" = "0" ]
+  [ "${actual}" = "1" ]
 }
 
 @test "server/Service: can set annotations" {