Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sync catalog acl refactor #1077

Merged
merged 4 commits into from
Mar 7, 2022
Merged

Sync catalog acl refactor #1077

merged 4 commits into from
Mar 7, 2022

Conversation

thisisnotashwin
Copy link
Contributor

@thisisnotashwin thisisnotashwin commented Mar 6, 2022
edited
Loading

Changes proposed in this PR:

  • Refactor sync-catalog to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.
  • Create a service account and rolebinding dedicated to the component authmethod so that it no longer piggybacks on the one used by the connect-inject authmethod.

How I've tested this PR:

  • Unit tests.
  • Acceptance tests.

How I expect reviewers to test this PR:

  • Code Review

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@thisisnotashwin thisisnotashwin changed the base branch from main to connect-inject-acl-refactor March 6, 2022 19:59
@thisisnotashwin thisisnotashwin force-pushed the connect-inject-acl-refactor branch 2 times, most recently from 61e651f to 5ba54b2 Compare March 6, 2022 20:09
@thisisnotashwin thisisnotashwin changed the title Sync token acl refactor Sync catalog acl refactor Mar 6, 2022
@thisisnotashwin thisisnotashwin requested review from ishustava and kschoche and removed request for ishustava March 6, 2022 20:15
@thisisnotashwin thisisnotashwin marked this pull request as ready for review March 6, 2022 20:15
@thisisnotashwin thisisnotashwin force-pushed the sync-token-acl-refactor branch 10 times, most recently from 6fdd05a to b082126 Compare March 7, 2022 18:07
@thisisnotashwin thisisnotashwin force-pushed the connect-inject-acl-refactor branch 5 times, most recently from e136832 to 58d6bf4 Compare March 7, 2022 21:23
ishustava
ishustava approved these changes Mar 7, 2022
View reviewed changes
charts/consul/templates/authmethod-clusterrole.yaml
- serviceaccounts
verbs:
- get
{{- end }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perfect!!

charts/consul/templates/authmethod-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-authmethod
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: should it be auth-method?

charts/consul/templates/connect-inject-clusterrole.yaml
Comment on lines -43 to 44
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we might need this for multiport

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed that those lines were duplicated 😅
but we definitely need it for the multiport workaround..i found out the acceptance tests failed on me way

charts/consul/test/unit/authmethod-serviceaccount.bats
Comment on lines +22 to +23
#--------------------------------------------------------------------
# global.imagePullSecrets
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking about it, I don't think we need imagePullSecrets for this SA because it's not used by any pod, but maybe worth keeping just in case?

control-plane/subcommand/server-acl-init/command.go
Comment on lines +129 to +130
c.flags.BoolVar(&c.flagEnableCatalogSync, "sync-catalog", false,
"Toggle for creating a catalog sync policy.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think it'd be nice for flag name and var name to match for readablity.

@thisisnotashwin thisisnotashwin merged commit a25a183 into connect-inject-acl-refactor Mar 7, 2022
@thisisnotashwin thisisnotashwin deleted the sync-token-acl-refactor branch March 7, 2022 23:40
@thisisnotashwin thisisnotashwin restored the sync-token-acl-refactor branch March 7, 2022 23:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ishustava ishustava ishustava approved these changes

@kschoche kschoche Awaiting requested review from kschoche

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thisisnotashwin @ishustava