From 79d97c8103a43e174eeebdd00f50d2de2fb21a34 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Wed, 11 May 2022 20:07:30 -0600
Subject: [PATCH 01/80] refactored TestVault
---
 acceptance/framework/vault/helpers.go | 178 ++++++++++++++++++++++++++
 1 file changed, 178 insertions(+)
diff --git a/acceptance/framework/vault/helpers.go b/acceptance/framework/vault/helpers.go
index 850f8efbed..5e740d6002 100644
--- a/acceptance/framework/vault/helpers.go
+++ b/acceptance/framework/vault/helpers.go
@@ -210,3 +210,181 @@ path "/%s/*" { rootPath, intermediatePath, rootPath, intermediatePath)) require.NoError(t, err) } + +// ConfigurePKICerts configures roles in Vault so +// that controller webhook TLS certificates can be issued by Vault. +func ConfigurePKICerts(t *testing.T, + vaultClient *vapi.Client, baseUrl, allowedSubdomain, roleName, ns, datacenter, + maxTTL string) string { + allowedDomains := fmt.Sprintf("%s.consul,%s,%s.%s,%s.%s.svc", datacenter, + allowedSubdomain, allowedSubdomain, ns, allowedSubdomain, ns) + params := map[string]interface{}{ + "allowed_domains": allowedDomains, + "allow_bare_domains": "true", + "allow_localhost": "true", + "allow_subdomains": "true", + "generate_lease": "true", + "max_ttl": maxTTL, + } + + _, err := vaultClient.Logical().Write( + fmt.Sprintf("%s/roles/%s", baseUrl, roleName), params) + require.NoError(t, err) + + certificateIssuePath := fmt.Sprintf("%s/issue/%s", baseUrl, roleName) + policy := fmt.Sprintf(` + path %q { + capabilities = ["create", "update"] + }`, certificateIssuePath) + + // Create the server policy. + err = vaultClient.Sys().PutPolicy(roleName, policy) + require.NoError(t, err) + + return certificateIssuePath +} + +// ConfigurePKI generates a CA in Vault at a given path with a given policyName. +func ConfigurePKI(t *testing.T, vaultClient *vapi.Client, baseUrl, policyName, commonName string) { + // Mount the PKI Secrets engine at the baseUrl. + err := vaultClient.Sys().Mount(baseUrl, &vapi.MountInput{ + Type: "pki", + Config: vapi.MountConfigInput{}, + }) + require.NoError(t, err) + // Create root CA to issue Consul server certificates and the `consul-server` PKI role. + // See https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls. + // Generate the root CA. 
+ params := map[string]interface{}{ + "common_name": commonName, + "ttl": "24h", + } + _, err = vaultClient.Logical().Write(fmt.Sprintf("%s/root/generate/internal", baseUrl), params) + require.NoError(t, err) + + policy := fmt.Sprintf(`path "%s/cert/ca" { + capabilities = ["read"] + }`, baseUrl) + err = vaultClient.Sys().PutPolicy(policyName, policy) + require.NoError(t, err) +} + +type KubernetesAuthRoleConfiguration struct { + ServiceAccountName string + KubernetesNamespace string + PolicyNames string + AuthMethodPath string + RoleName string +} + +// ConfigureKubernetesAuthRole configures a role in Vault for the component for the Kubernetes auth method +// that will be used by the test Helm chart installation. +func ConfigureK8SAuthRole(t *testing.T, vaultClient *vapi.Client, config *KubernetesAuthRoleConfiguration) { + // Create the Auth Roles for the component. + // Auth roles bind policies to Kubernetes service accounts, which + // then enables the Vault agent init container to call 'vault login' + // with the Kubernetes auth method to obtain a Vault token. + // Please see https://www.vaultproject.io/docs/auth/kubernetes#configuration + // for more details. 
+ logger.Logf(t, "Creating the %q", config.ServiceAccountName) + params := map[string]interface{}{ + "bound_service_account_names": config.ServiceAccountName, + "bound_service_account_namespaces": config.KubernetesNamespace, + "policies": config.PolicyNames, + "ttl": "24h", + } + _, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/%s", config.AuthMethodPath, config.RoleName), params) + require.NoError(t, err) +} + +type PKIAndAuthRoleConfiguration struct { + ServiceAccountName string + BaseURL string + PolicyName string + RoleName string + CommonName string + CAPath string + CertPath string + KubernetesNamespace string + DataCenter string + MaxTTL string + AuthMethodPath string + AllowedSubdomain string +} + +func ConfigurePKIAndAuthRole(t *testing.T, vaultClient *vapi.Client, config *PKIAndAuthRoleConfiguration) { + config.CAPath = fmt.Sprintf("%s/cert/ca", config.BaseURL) + // Configure role with read access to /cert/ca + ConfigurePKI(t, vaultClient, config.BaseURL, config.PolicyName, + config.CommonName) + // Configure role with create and update access to issue certs at + // /issue/ + config.CertPath = ConfigurePKICerts(t, vaultClient, config.BaseURL, + config.AllowedSubdomain, config.PolicyName, config.KubernetesNamespace, + config.DataCenter, config.MaxTTL) + // Configure AuthMethodRole that will map the service account name + // to the Vault role + authMethodRoleConfig := &KubernetesAuthRoleConfiguration{ + ServiceAccountName: config.ServiceAccountName, + KubernetesNamespace: config.KubernetesNamespace, + AuthMethodPath: config.AuthMethodPath, + RoleName: config.RoleName, + PolicyNames: config.PolicyName, + } + ConfigureK8SAuthRole(t, vaultClient, authMethodRoleConfig) +} + +type SaveVaultSecretConfiguration struct { + Path string + Key string + PolicyName string + Value string +} + +func SaveSecret(t *testing.T, vaultClient *vapi.Client, config *SaveVaultSecretConfiguration) { + policy := fmt.Sprintf(` + path "%s" { + capabilities = ["read"] + 
}`, config.Path) + // Create the Vault Policy for the gossip key. + logger.Log(t, "Creating policy") + err := vaultClient.Sys().PutPolicy(config.PolicyName, policy) + require.NoError(t, err) + + // Create the gossip secret. + logger.Log(t, "Creating the gossip secret") + params := map[string]interface{}{ + "data": map[string]interface{}{ + config.Key: config.Value, + }, + } + _, err = vaultClient.Logical().Write(config.Path, params) + require.NoError(t, err) +} + +// CreateConnectCAPolicyForDatacenter creates the Vault Policy for the connect-ca in a given datacenter. +func CreateConnectCARootAndIntermediatePIKPolicy(t *testing.T, vaultClient *vapi.Client, policyName, rootPath, intermediatePath string) { + // connectCAPolicy allows Consul to bootstrap all certificates for the service mesh in Vault. + // Adapted from https://www.consul.io/docs/connect/ca/vault#consul-managed-pki-paths. + connectCAPolicyTemplate := ` +path "/sys/mounts" { + capabilities = [ "read" ] +} +path "/sys/mounts/%s" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} +path "/sys/mounts/%s" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} +path "/%s/*" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} +path "/%s/*" { + capabilities = [ "create", "read", "update", "delete", "list" ] +} +` + err := vaultClient.Sys().PutPolicy( + policyName, + fmt.Sprintf(connectCAPolicyTemplate, rootPath, intermediatePath, rootPath, intermediatePath)) + require.NoError(t, err) +} From 10b507c6c1791c4a4664c66a97b25419589272f2 Mon Sep 17 00:00:00 2001 From: John Murret Date: Wed, 11 May 2022 20:25:19 -0600 Subject: [PATCH 02/80] Fixing name of CreateConnectCARootAndIntermediatePIKPolicy to CreateConnectCARootAndIntermediatePKIPolicy --- acceptance/framework/vault/helpers.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acceptance/framework/vault/helpers.go b/acceptance/framework/vault/helpers.go index 5e740d6002..e457defe33 100644 
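Review bot: `ConfigurePKIAndAuthRole` hands `config.PolicyName` to `ConfigurePKICerts` as its `roleName`, and `ConfigurePKICerts` then does `PutPolicy(roleName, policy)` with a document that only grants `create`/`update` on the issue path; `PutPolicy` replaces the named policy, so this overwrites the `read` grant on `<baseUrl>/cert/ca` that `ConfigurePKI` wrote under the same `config.PolicyName` a few lines earlier, and the auth role bound in `ConfigureK8SAuthRole` ends up without the CA read access the comment "Configure role with read access to /cert/ca" promises. Either give the issue policy its own name (for example `config.RoleName`) and list both names in `PolicyNames`, or have one policy document grant both paths. Separately, the doc comments on `ConfigureK8SAuthRole` and `CreateConnectCARootAndIntermediatePIKPolicy` open with a different identifier than the function they sit on (`ConfigureKubernetesAuthRole`, `CreateConnectCAPolicyForDatacenter`); Go doc comments should start with the exported name. `SaveSecret` is generic now, but its comments and `logger.Log` lines still talk about "the gossip key" and "the gossip secret".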
--- a/acceptance/framework/vault/helpers.go
+++ b/acceptance/framework/vault/helpers.go
@@ -363,7 +363,7 @@ func SaveSecret(t *testing.T, vaultClient *vapi.Client, config *SaveVaultSecretC
 }
 
 // CreateConnectCAPolicyForDatacenter creates the Vault Policy for the connect-ca in a given datacenter.
-func CreateConnectCARootAndIntermediatePIKPolicy(t *testing.T, vaultClient *vapi.Client, policyName, rootPath, intermediatePath string) {
+func CreateConnectCARootAndIntermediatePKIPolicy(t *testing.T, vaultClient *vapi.Client, policyName, rootPath, intermediatePath string) {
 // connectCAPolicy allows Consul to bootstrap all certificates for the service mesh in Vault.
 // Adapted from https://www.consul.io/docs/connect/ca/vault#consul-managed-pki-paths.
 connectCAPolicyTemplate := `
From a34ebb71d5d2946ee2b6e1929c3627e8024b0827 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Wed, 11 May 2022 22:51:34 -0600
Subject: [PATCH 03/80] refactored all except WAN Fed has error
---
 acceptance/framework/vault/helpers.go | 178 -------------------
 acceptance/tests/vault/vault_wan_fed_test.go | 81 ++++++++-
 2 files changed, 79 insertions(+), 180 deletions(-)
diff --git a/acceptance/framework/vault/helpers.go b/acceptance/framework/vault/helpers.go
index e457defe33..850f8efbed 100644
--- a/acceptance/framework/vault/helpers.go
+++ b/acceptance/framework/vault/helpers.go
@@ -210,181 +210,3 @@ path "/%s/*" { rootPath, intermediatePath, rootPath, intermediatePath)) require.NoError(t, err) } - -// ConfigurePKICerts configures roles in Vault so -// that controller webhook TLS certificates can be issued by Vault. -func ConfigurePKICerts(t *testing.T, - vaultClient *vapi.Client, baseUrl, allowedSubdomain, roleName, ns, datacenter, - maxTTL string) string { - allowedDomains := fmt.Sprintf("%s.consul,%s,%s.%s,%s.%s.svc", datacenter, - allowedSubdomain, allowedSubdomain, ns, allowedSubdomain, ns) - params := map[string]interface{}{ - "allowed_domains": allowedDomains, - "allow_bare_domains": "true", - "allow_localhost": "true", - "allow_subdomains": "true", - "generate_lease": "true", - "max_ttl": maxTTL, - } - - _, err := vaultClient.Logical().Write( - fmt.Sprintf("%s/roles/%s", baseUrl, roleName), params) - require.NoError(t, err) - - certificateIssuePath := fmt.Sprintf("%s/issue/%s", baseUrl, roleName) - policy := fmt.Sprintf(` - path %q { - capabilities = ["create", "update"] - }`, certificateIssuePath) - - // Create the server policy. - err = vaultClient.Sys().PutPolicy(roleName, policy) - require.NoError(t, err) - - return certificateIssuePath -} - -// ConfigurePKI generates a CA in Vault at a given path with a given policyName. -func ConfigurePKI(t *testing.T, vaultClient *vapi.Client, baseUrl, policyName, commonName string) { - // Mount the PKI Secrets engine at the baseUrl. - err := vaultClient.Sys().Mount(baseUrl, &vapi.MountInput{ - Type: "pki", - Config: vapi.MountConfigInput{}, - }) - require.NoError(t, err) - // Create root CA to issue Consul server certificates and the `consul-server` PKI role. - // See https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls. - // Generate the root CA. 
- params := map[string]interface{}{ - "common_name": commonName, - "ttl": "24h", - } - _, err = vaultClient.Logical().Write(fmt.Sprintf("%s/root/generate/internal", baseUrl), params) - require.NoError(t, err) - - policy := fmt.Sprintf(`path "%s/cert/ca" { - capabilities = ["read"] - }`, baseUrl) - err = vaultClient.Sys().PutPolicy(policyName, policy) - require.NoError(t, err) -} - -type KubernetesAuthRoleConfiguration struct { - ServiceAccountName string - KubernetesNamespace string - PolicyNames string - AuthMethodPath string - RoleName string -} - -// ConfigureKubernetesAuthRole configures a role in Vault for the component for the Kubernetes auth method -// that will be used by the test Helm chart installation. -func ConfigureK8SAuthRole(t *testing.T, vaultClient *vapi.Client, config *KubernetesAuthRoleConfiguration) { - // Create the Auth Roles for the component. - // Auth roles bind policies to Kubernetes service accounts, which - // then enables the Vault agent init container to call 'vault login' - // with the Kubernetes auth method to obtain a Vault token. - // Please see https://www.vaultproject.io/docs/auth/kubernetes#configuration - // for more details. 
- logger.Logf(t, "Creating the %q", config.ServiceAccountName) - params := map[string]interface{}{ - "bound_service_account_names": config.ServiceAccountName, - "bound_service_account_namespaces": config.KubernetesNamespace, - "policies": config.PolicyNames, - "ttl": "24h", - } - _, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/%s", config.AuthMethodPath, config.RoleName), params) - require.NoError(t, err) -} - -type PKIAndAuthRoleConfiguration struct { - ServiceAccountName string - BaseURL string - PolicyName string - RoleName string - CommonName string - CAPath string - CertPath string - KubernetesNamespace string - DataCenter string - MaxTTL string - AuthMethodPath string - AllowedSubdomain string -} - -func ConfigurePKIAndAuthRole(t *testing.T, vaultClient *vapi.Client, config *PKIAndAuthRoleConfiguration) { - config.CAPath = fmt.Sprintf("%s/cert/ca", config.BaseURL) - // Configure role with read access to /cert/ca - ConfigurePKI(t, vaultClient, config.BaseURL, config.PolicyName, - config.CommonName) - // Configure role with create and update access to issue certs at - // /issue/ - config.CertPath = ConfigurePKICerts(t, vaultClient, config.BaseURL, - config.AllowedSubdomain, config.PolicyName, config.KubernetesNamespace, - config.DataCenter, config.MaxTTL) - // Configure AuthMethodRole that will map the service account name - // to the Vault role - authMethodRoleConfig := &KubernetesAuthRoleConfiguration{ - ServiceAccountName: config.ServiceAccountName, - KubernetesNamespace: config.KubernetesNamespace, - AuthMethodPath: config.AuthMethodPath, - RoleName: config.RoleName, - PolicyNames: config.PolicyName, - } - ConfigureK8SAuthRole(t, vaultClient, authMethodRoleConfig) -} - -type SaveVaultSecretConfiguration struct { - Path string - Key string - PolicyName string - Value string -} - -func SaveSecret(t *testing.T, vaultClient *vapi.Client, config *SaveVaultSecretConfiguration) { - policy := fmt.Sprintf(` - path "%s" { - capabilities = ["read"] - 
}`, config.Path) - // Create the Vault Policy for the gossip key. - logger.Log(t, "Creating policy") - err := vaultClient.Sys().PutPolicy(config.PolicyName, policy) - require.NoError(t, err) - - // Create the gossip secret. - logger.Log(t, "Creating the gossip secret") - params := map[string]interface{}{ - "data": map[string]interface{}{ - config.Key: config.Value, - }, - } - _, err = vaultClient.Logical().Write(config.Path, params) - require.NoError(t, err) -} - -// CreateConnectCAPolicyForDatacenter creates the Vault Policy for the connect-ca in a given datacenter. -func CreateConnectCARootAndIntermediatePKIPolicy(t *testing.T, vaultClient *vapi.Client, policyName, rootPath, intermediatePath string) { - // connectCAPolicy allows Consul to bootstrap all certificates for the service mesh in Vault. - // Adapted from https://www.consul.io/docs/connect/ca/vault#consul-managed-pki-paths. - connectCAPolicyTemplate := ` -path "/sys/mounts" { - capabilities = [ "read" ] -} -path "/sys/mounts/%s" { - capabilities = [ "create", "read", "update", "delete", "list" ] -} -path "/sys/mounts/%s" { - capabilities = [ "create", "read", "update", "delete", "list" ] -} -path "/%s/*" { - capabilities = [ "create", "read", "update", "delete", "list" ] -} -path "/%s/*" { - capabilities = [ "create", "read", "update", "delete", "list" ] -} -` - err := vaultClient.Sys().PutPolicy( - policyName, - fmt.Sprintf(connectCAPolicyTemplate, rootPath, intermediatePath, rootPath, intermediatePath)) - require.NoError(t, err) -} diff --git a/acceptance/tests/vault/vault_wan_fed_test.go b/acceptance/tests/vault/vault_wan_fed_test.go index 1d24614907..3f7f5b57a9 100644 --- a/acceptance/tests/vault/vault_wan_fed_test.go +++ b/acceptance/tests/vault/vault_wan_fed_test.go 
@@ -209,9 +209,86 @@ func TestVault_WANFederationViaGateways(t *testing.T) { } replicationTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient) - commonServerPolicies := "gossip" + // ------------------------- + // PKI + // ------------------------- + // Configure Service Mesh CA + // dc1 + connectCAPolicy := "connect-ca-dc1" + connectCARootPath := "connect_root" + connectCAIntermediatePath := "dc1/connect_inter" + // Configure Policy for Connect CA + vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicy, connectCARootPath, connectCAIntermediatePath) + + // dc2 + connectCAPolicySecondary := "connect-ca-dc2" + connectCARootPathSecondary := "connect_root" + connectCAIntermediatePathSecondary := "dc2/connect_inter" + // Configure Policy for Connect CA + vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicySecondary, connectCARootPathSecondary, connectCAIntermediatePathSecondary) + + // Configure Server PKI + // dc1 + serverPKIConfig := &vault.PKIAndAuthRoleConfiguration{ + BaseURL: "pki", + PolicyName: "consul-ca-policy", + RoleName: "consul-ca-role", + KubernetesNamespace: ns, + DataCenter: "dc1", + ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), + AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), + MaxTTL: "1h", + AuthMethodPath: "kubernetes", + } + vault.ConfigurePKIAndAuthRole(t, vaultClient, serverPKIConfig) + // dc2 + serverPKIConfigSecondary := &vault.PKIAndAuthRoleConfiguration{ + BaseURL: "pki", + PolicyName: "consul-ca-policy-dc2", + RoleName: "consul-ca-role-dc2", + KubernetesNamespace: ns, + DataCenter: "dc2", + ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), + AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), + MaxTTL: "1h", + AuthMethodPath: secondaryDatacenterAuthMethod, + SkipMountPKIEngine: true, + } + vault.ConfigurePKIAndAuthRole(t, vaultClient, serverPKIConfigSecondary) + + // 
------------------------- + // KV2 secrets + // ------------------------- + // Gossip key + gossipKey, err := vault.GenerateGossipSecret() + require.NoError(t, err) + gossipSecret := &vault.SaveVaultSecretConfiguration{ + Path: "consul/data/secret/gossip", + Key: "gossip", + Value: gossipKey, + PolicyName: "gossip", + } + vault.SaveSecret(t, vaultClient, gossipSecret) + + // License + licenseSecret := &vault.SaveVaultSecretConfiguration{ + Path: "consul/data/secret/license", + Key: "license", + Value: cfg.EnterpriseLicense, + PolicyName: "license", + } if cfg.EnableEnterprise { - commonServerPolicies += ",license" + vault.SaveSecret(t, vaultClient, licenseSecret) + } + + // Bootstrap Token + bootstrapToken, err := uuid.GenerateUUID() + require.NoError(t, err) + bootstrapTokenSecret := &vault.SaveVaultSecretConfiguration{ + Path: "consul/data/secret/bootstrap", + Key: "token", + Value: bootstrapToken, + PolicyName: "bootstrap", } // -------------------------------------------- From 460125db31db138d08c93ba9dc9a389777a79002 Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 12 May 2022 15:26:23 -0600 Subject: [PATCH 04/80] fixing vault wan fed test --- acceptance/tests/vault/vault_wan_fed_test.go | 31 ++++++++++---------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/acceptance/tests/vault/vault_wan_fed_test.go b/acceptance/tests/vault/vault_wan_fed_test.go index 3f7f5b57a9..d8b46f8e7a 100644 --- a/acceptance/tests/vault/vault_wan_fed_test.go +++ b/acceptance/tests/vault/vault_wan_fed_test.go 
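Review bot: Both `PKIAndAuthRoleConfiguration` literals use `BaseURL: "pki"`, so the second `vault.ConfigurePKIAndAuthRole` call would try to mount the PKI engine at a path that is already in use unless the helper honors `SkipMountPKIEngine`; the `ConfigurePKIAndAuthRole` added in patch 01 of this series calls `Sys().Mount` unconditionally and its struct has no such field, so this hunk appears to depend on a helper revision that is not part of the series as shown. `bootstrapTokenSecret` is built at the end of the hunk but, unlike `gossipSecret` and `licenseSecret`, no `vault.SaveSecret(t, vaultClient, bootstrapTokenSecret)` is visible; if the save is below the hunk this is fine, otherwise the bootstrap token is never written to Vault. The removed `commonServerPolicies` variable may still be referenced further down the test, which would no longer compile. The enclosing `TestVault_WANFederationViaGateways` starts and ends outside the hunk.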
@@ -212,23 +212,15 @@ func TestVault_WANFederationViaGateways(t *testing.T) { // ------------------------- // PKI // ------------------------- - // Configure Service Mesh CA // dc1 + // Configure Service Mesh CA connectCAPolicy := "connect-ca-dc1" connectCARootPath := "connect_root" connectCAIntermediatePath := "dc1/connect_inter" // Configure Policy for Connect CA vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicy, connectCARootPath, connectCAIntermediatePath) - // dc2 - connectCAPolicySecondary := "connect-ca-dc2" - connectCARootPathSecondary := "connect_root" - connectCAIntermediatePathSecondary := "dc2/connect_inter" - // Configure Policy for Connect CA - vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicySecondary, connectCARootPathSecondary, connectCAIntermediatePathSecondary) - - // Configure Server PKI - // dc1 + //Configure Server PKI serverPKIConfig := &vault.PKIAndAuthRoleConfiguration{ BaseURL: "pki", PolicyName: "consul-ca-policy", @@ -241,7 +233,16 @@ func TestVault_WANFederationViaGateways(t *testing.T) { AuthMethodPath: "kubernetes", } vault.ConfigurePKIAndAuthRole(t, vaultClient, serverPKIConfig) + // dc2 + // Configure Service Mesh CA + connectCAPolicySecondary := "connect-ca-dc2" + connectCARootPathSecondary := "connect_root" + connectCAIntermediatePathSecondary := "dc2/connect_inter" + // Configure Policy for Connect CA + vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicySecondary, connectCARootPathSecondary, connectCAIntermediatePathSecondary) + + //Configure Server PKI serverPKIConfigSecondary := &vault.PKIAndAuthRoleConfiguration{ BaseURL: "pki", PolicyName: "consul-ca-policy-dc2", 
@@ -251,15 +252,15 @@ func TestVault_WANFederationViaGateways(t *testing.T) { ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), MaxTTL: "1h", - AuthMethodPath: secondaryDatacenterAuthMethod, - SkipMountPKIEngine: true, + AuthMethodPath: secondaryAuthMethodName, + SkipPKIMount: true, } vault.ConfigurePKIAndAuthRole(t, vaultClient, serverPKIConfigSecondary) // ------------------------- // KV2 secrets // ------------------------- - // Gossip key + //Gossip key gossipKey, err := vault.GenerateGossipSecret() require.NoError(t, err) gossipSecret := &vault.SaveVaultSecretConfiguration{ @@ -270,7 +271,7 @@ func TestVault_WANFederationViaGateways(t *testing.T) { } vault.SaveSecret(t, vaultClient, gossipSecret) - // License + //License licenseSecret := &vault.SaveVaultSecretConfiguration{ Path: "consul/data/secret/license", Key: "license", @@ -281,7 +282,7 @@ func TestVault_WANFederationViaGateways(t *testing.T) { vault.SaveSecret(t, vaultClient, licenseSecret) } - // Bootstrap Token + //Bootstrap Token bootstrapToken, err := uuid.GenerateUUID() require.NoError(t, err) bootstrapTokenSecret := &vault.SaveVaultSecretConfiguration{ From cf613179d44cd38c1e8e9b7febd2049e5b2f9a8d Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 12 May 2022 16:19:13 -0600 Subject: [PATCH 05/80] comment formatting --- acceptance/tests/vault/vault_wan_fed_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/acceptance/tests/vault/vault_wan_fed_test.go b/acceptance/tests/vault/vault_wan_fed_test.go index d8b46f8e7a..586b540ab9 100644 --- a/acceptance/tests/vault/vault_wan_fed_test.go +++ b/acceptance/tests/vault/vault_wan_fed_test.go 
@@ -242,7 +242,7 @@ func TestVault_WANFederationViaGateways(t *testing.T) {
 // Configure Policy for Connect CA
 vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicySecondary, connectCARootPathSecondary, connectCAIntermediatePathSecondary)
 
- //Configure Server PKI
+ // Configure Server PKI
 serverPKIConfigSecondary := &vault.PKIAndAuthRoleConfiguration{
 BaseURL: "pki",
 PolicyName: "consul-ca-policy-dc2",
@@ -260,7 +260,7 @@ func TestVault_WANFederationViaGateways(t *testing.T) {
 // -------------------------
 // KV2 secrets
 // -------------------------
-//Gossip key
+ // Gossip key
 gossipKey, err := vault.GenerateGossipSecret()
 require.NoError(t, err)
 gossipSecret := &vault.SaveVaultSecretConfiguration{
@@ -271,7 +271,7 @@ func TestVault_WANFederationViaGateways(t *testing.T) {
 }
 vault.SaveSecret(t, vaultClient, gossipSecret)
 
- //License
+ // License
 licenseSecret := &vault.SaveVaultSecretConfiguration{
 Path: "consul/data/secret/license",
 Key: "license",
@@ -282,7 +282,7 @@ func TestVault_WANFederationViaGateways(t *testing.T) {
 vault.SaveSecret(t, vaultClient, licenseSecret)
 }
 
- //Bootstrap Token
+ // Bootstrap Token
 bootstrapToken, err := uuid.GenerateUUID()
 require.NoError(t, err)
 bootstrapTokenSecret := &vault.SaveVaultSecretConfiguration{
From 4ecfd7a43ed1b11dbc7e0c99b7359d534992f313 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Wed, 18 May 2022 14:29:56 -0600
Subject: [PATCH 06/80] PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.
---
 .../tests/vault/vault_namespaces_test.go | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/acceptance/tests/vault/vault_namespaces_test.go b/acceptance/tests/vault/vault_namespaces_test.go
index 82ed605a48..503db4052c 100644
--- a/acceptance/tests/vault/vault_namespaces_test.go
+++ b/acceptance/tests/vault/vault_namespaces_test.go
@@ -93,7 +93,11 @@ func TestVault_VaultNamespace(t *testing.T) {
 Value: gossipKey,
 PolicyName: "gossip",
 }
+<<<<<<< HEAD
 gossipSecret.SaveSecretAndAddReadPolicy(t, vaultClient)
+=======
+ gossipSecret.Save(t, vaultClient)
+>>>>>>> 32f54f5e (PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.)
 
 // License
 licenseSecret := &vault.KV2Secret{
@@ -103,7 +107,11 @@ func TestVault_VaultNamespace(t *testing.T) {
 PolicyName: "license",
 }
 if cfg.EnableEnterprise {
+<<<<<<< HEAD
 licenseSecret.SaveSecretAndAddReadPolicy(t, vaultClient)
+=======
+ licenseSecret.Save(t, vaultClient)
+>>>>>>> 32f54f5e (PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.)
 }
 
 //Bootstrap Token
@@ -115,7 +123,11 @@ func TestVault_VaultNamespace(t *testing.T) {
 Value: bootstrapToken,
 PolicyName: "bootstrap",
 }
+<<<<<<< HEAD
 bootstrapTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient)
+=======
+ bootstrapTokenSecret.Save(t, vaultClient)
+>>>>>>> 32f54f5e (PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.)
 
 // -------------------------
 // Additional Auth Roles
@@ -137,8 +149,13 @@ func TestVault_VaultNamespace(t *testing.T) {
 srvAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
 
 // client
+<<<<<<< HEAD
 consulClientRole := ClientRole
 consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, ClientRole)
+=======
+ consulClientRole := "client"
+ consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "client")
+>>>>>>> 32f54f5e (PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.)
 clientAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
 ServiceAccountName: consulClientServiceAccountName,
 KubernetesNamespace: ns,
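Review bot: The added lines in the `@@ -93`, `@@ -103`, `@@ -115`, `@@ -137` and `@@ -149` hunks commit unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 32f54f5e …`) into `vault_namespaces_test.go`, so the file does not compile at this commit even though the following patch strips them again. Resolving the conflict before committing, or squashing this with the follow-up, keeps every commit in the series buildable, which is what makes bisecting and reverting usable later. On the content, the HEAD side keeps `SaveSecretAndAddReadPolicy` and the `ClientRole`/`ManageSystemACLsRole` constants while the other side falls back to the string literals `"client"` and `"server-acl-init"`; keeping the HEAD side leaves the role names defined in one place.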
@@ -149,8 +166,13 @@ func TestVault_VaultNamespace(t *testing.T) {
 clientAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
 
 // manageSystemACLs
+<<<<<<< HEAD
 manageSystemACLsRole := ManageSystemACLsRole
 manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, ManageSystemACLsRole)
+=======
+ manageSystemACLsRole := "server-acl-init"
+ manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "server-acl-init")
+>>>>>>> 32f54f5e (PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.)
 aclAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
 ServiceAccountName: manageSystemACLsServiceAccountName,
 KubernetesNamespace: ns,
From 898bf115e48c15c33d426ee1e052f893715400a9 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Fri, 20 May 2022 18:39:57 -0600
Subject: [PATCH 07/80] PR Feedback. changing name of Save() onkv2secret to something moredescriptive. adding comment string.
---
 .../tests/vault/vault_namespaces_test.go | 24 ++----------------
 1 file changed, 2 insertions(+), 22 deletions(-)
diff --git a/acceptance/tests/vault/vault_namespaces_test.go b/acceptance/tests/vault/vault_namespaces_test.go
index 503db4052c..a7ddec906c 100644
--- a/acceptance/tests/vault/vault_namespaces_test.go
+++ b/acceptance/tests/vault/vault_namespaces_test.go
@@ -93,11 +93,8 @@ func TestVault_VaultNamespace(t *testing.T) {
 Value: gossipKey,
 PolicyName: "gossip",
 }
-<<<<<<< HEAD
+
 gossipSecret.SaveSecretAndAddReadPolicy(t, vaultClient)
-=======
- gossipSecret.Save(t, vaultClient)
->>>>>>> 32f54f5e (PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.)
 
 // License
 licenseSecret := &vault.KV2Secret{
@@ -107,11 +104,7 @@ func TestVault_VaultNamespace(t *testing.T) {
 PolicyName: "license",
 }
 if cfg.EnableEnterprise {
-<<<<<<< HEAD
 licenseSecret.SaveSecretAndAddReadPolicy(t, vaultClient)
-=======
- licenseSecret.Save(t, vaultClient)
->>>>>>> 32f54f5e (PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.)
 }
 
 //Bootstrap Token
@@ -123,11 +116,8 @@ func TestVault_VaultNamespace(t *testing.T) {
 Value: bootstrapToken,
 PolicyName: "bootstrap",
 }
-<<<<<<< HEAD
+
 bootstrapTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient)
-=======
- bootstrapTokenSecret.Save(t, vaultClient)
->>>>>>> 32f54f5e (PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.)
 
 // -------------------------
 // Additional Auth Roles
@@ -149,13 +139,8 @@ func TestVault_VaultNamespace(t *testing.T) {
 srvAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
 
 // client
-<<<<<<< HEAD
 consulClientRole := ClientRole
 consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, ClientRole)
-=======
- consulClientRole := "client"
- consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "client")
->>>>>>> 32f54f5e (PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.)
 clientAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
 ServiceAccountName: consulClientServiceAccountName,
 KubernetesNamespace: ns,
@@ -166,13 +151,8 @@ func TestVault_VaultNamespace(t *testing.T) {
 clientAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
 
 // manageSystemACLs
-<<<<<<< HEAD
 manageSystemACLsRole := ManageSystemACLsRole
 manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, ManageSystemACLsRole)
-=======
- manageSystemACLsRole := "server-acl-init"
- manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "server-acl-init")
->>>>>>> 32f54f5e (PR Feedback. Moving vault helper functions to be on the structs they were taking as arguments.)
 aclAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
 ServiceAccountName: manageSystemACLsServiceAccountName,
 KubernetesNamespace: ns,
From d192a46b782e4c8d3dc87d4f4ed5d3e779d55b44 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Mon, 25 Apr 2022 10:11:59 -0600
Subject: [PATCH 08/80] Do not load webhook cert manager when vault is enabled.
---
 .../webhook-cert-manager-clusterrole.yaml | 2 +-
 ...bhook-cert-manager-clusterrolebinding.yaml | 2 +-
 .../webhook-cert-manager-configmap.yaml | 4 ++--
 .../webhook-cert-manager-deployment.yaml | 2 +-
 ...ebhook-cert-manager-podsecuritypolicy.yaml | 2 +-
 .../webhook-cert-manager-serviceaccount.yaml | 2 +-
 .../webhook-cert-manager-clusterrole.bats | 15 ++++++++++++++
 ...bhook-cert-manager-clusterrolebinding.bats | 15 ++++++++++++++
 .../unit/webhook-cert-manager-configmap.bats | 17 +++++++++++++++-
 .../unit/webhook-cert-manager-deployment.bats | 15 ++++++++++++++
 ...ebhook-cert-manager-podsecuritypolicy.bats | 20 +++++++++++++++++--
 .../webhook-cert-manager-serviceaccount.bats | 15 ++++++++++++++
 12 files changed, 101 insertions(+), 10 deletions(-)
diff --git a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml
index eb812035f3..75a8682e8a 100644
--- a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml
+++ b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.connectInject.enabled .Values.controller.enabled}}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not .Values.global.secretsBackend.vault.enabled)) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml
index 910c4bf84d..9880c88a07 100644
--- a/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml
+++ b/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.connectInject.enabled .Values.controller.enabled}}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not .Values.global.secretsBackend.vault.enabled)) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-configmap.yaml b/charts/consul/templates/webhook-cert-manager-configmap.yaml
index e13d14a7ab..5843bb7c18 100644
--- a/charts/consul/templates/webhook-cert-manager-configmap.yaml
+++ b/charts/consul/templates/webhook-cert-manager-configmap.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.connectInject.enabled .Values.controller.enabled}}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not .Values.global.secretsBackend.vault.enabled)) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -39,4 +39,4 @@ data:
 }
 {{- end }}
 ]
- {{- end }}
\ No newline at end of file
+ {{- end }}
diff --git a/charts/consul/templates/webhook-cert-manager-deployment.yaml b/charts/consul/templates/webhook-cert-manager-deployment.yaml
index 9974c4c1cd..317cb298bc 100644
--- a/charts/consul/templates/webhook-cert-manager-deployment.yaml
+++ b/charts/consul/templates/webhook-cert-manager-deployment.yaml
@@ -1,4 +1,4 @@ -{{- if or .Values.connectInject.enabled .Values.controller.enabled}} +{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not .Values.global.secretsBackend.vault.enabled)) }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml index 1cc626d6e0..a88bdca8b4 100644 --- a/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml +++ b/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -1,4 +1,4 @@ -{{- if and (or .Values.controller.enabled .Values.connectInject.enabled) .Values.global.enablePodSecurityPolicies }} +{{- if and (or .Values.controller.enabled .Values.connectInject.enabled) .Values.global.enablePodSecurityPolicies (not .Values.global.secretsBackend.vault.enabled)}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml b/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml index 3e880434dd..b191c0c988 100644 --- a/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml +++ b/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if or .Values.connectInject.enabled .Values.controller.enabled}} +{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not .Values.global.secretsBackend.vault.enabled)) }} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats index 90b7a3e59e..95eae1f0cf 100644 --- a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats +++ b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats 
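Review bot: The new PodSecurityPolicy condition drops the space before the closing delimiter, `(not .Values.global.secretsBackend.vault.enabled)}}`, while every sibling template in this patch writes `) }}`; it renders the same but reads as a paste artifact. Writing it as `{{- if and (or .Values.controller.enabled .Values.connectInject.enabled) .Values.global.enablePodSecurityPolicies (not .Values.global.secretsBackend.vault.enabled) }}` keeps the gates uniform across the six files.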
@@ -58,3 +58,18 @@ load _helpers local actual=$(echo $object | yq -r '.resourceNames[0]' | tee /dev/stderr) [ "${actual}" = "release-name-consul-webhook-cert-manager" ] } + +#-------------------------------------------------------------------- +# Vault + +@test "webhookCertManager/ClusterRole: disabled when global.secretsBackend.vault.enabled=true" { + cd `chart_dir` + assert_empty helm template \ + -s templates/webhook-cert-manager-clusterrole.yaml \ + --set 'controller.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + . +} diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats index 628b672062..4289afb71f 100644 --- a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats +++ b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats @@ -39,3 +39,18 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +#-------------------------------------------------------------------- +# Vault + +@test "webhookCertManager/ClusterRoleBinding: disabled when global.secretsBackend.vault.enabled=true" { + cd `chart_dir` + assert_empty helm template \ + -s templates/webhook-cert-manager-clusterrolebinding.yaml \ + --set 'controller.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + . +} diff --git a/charts/consul/test/unit/webhook-cert-manager-configmap.bats b/charts/consul/test/unit/webhook-cert-manager-configmap.bats index 31ec074f8a..14fd1fd66a 100644 --- a/charts/consul/test/unit/webhook-cert-manager-configmap.bats 
+++ b/charts/consul/test/unit/webhook-cert-manager-configmap.bats @@ -90,4 +90,19 @@ load _helpers local actual=$(echo $cfg | jq '.[1].name | contains("controller")') [ "${actual}" = "true" ] -} \ No newline at end of file +} + +#-------------------------------------------------------------------- +# Vault + +@test "webhookCertManager/Configmap: disabled when global.secretsBackend.vault.enabled=true" { + cd `chart_dir` + assert_empty helm template \ + -s templates/webhook-cert-manager-configmap.yaml \ + --set 'controller.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + . +} diff --git a/charts/consul/test/unit/webhook-cert-manager-deployment.bats b/charts/consul/test/unit/webhook-cert-manager-deployment.bats index f3118206bd..f05022b6f0 100644 --- a/charts/consul/test/unit/webhook-cert-manager-deployment.bats +++ b/charts/consul/test/unit/webhook-cert-manager-deployment.bats @@ -62,3 +62,18 @@ load _helpers yq -r '.spec.template.spec.tolerations[0].key' | tee /dev/stderr) [ "${actual}" = "value" ] } + +#-------------------------------------------------------------------- +# Vault + +@test "webhookCertManager/Deployment: disabled when global.secretsBackend.vault.enabled=true" { + cd `chart_dir` + assert_empty helm template \ + -s templates/webhook-cert-manager-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + . +} diff --git a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats index f4e8a2a22b..eb04f096a6 100644 
--- a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats +++ b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats @@ -28,7 +28,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "webhookCertManager/Configmap: enabled with connectInject.enabled=true, controller.enabled=false and global.enablePodSecurityPolicies=true" { +@test "webhookCertManager/PodSecurityPolicy: enabled with connectInject.enabled=true, controller.enabled=false and global.enablePodSecurityPolicies=true" { cd `chart_dir` local actual=$(helm template \ -s templates/webhook-cert-manager-podsecuritypolicy.yaml \ @@ -39,7 +39,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "webhookCertManager/Configmap: enabled with connectInject.enabled=true, controller.enabled=true and global.enablePodSecurityPolicies=true" { +@test "webhookCertManager/PodSecurityPolicy: enabled with connectInject.enabled=true, controller.enabled=true and global.enablePodSecurityPolicies=true" { cd `chart_dir` local actual=$(helm template \ -s templates/webhook-cert-manager-podsecuritypolicy.yaml \ @@ -50,3 +50,19 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +#-------------------------------------------------------------------- +# Vault + +@test "webhookCertManager/PodSecurityPolicy: disabled when global.secretsBackend.vault.enabled=true" { + cd `chart_dir` + assert_empty helm template \ + -s templates/webhook-cert-manager-podsecuritypolicy.yaml \ + --set 'controller.enabled=true' \ + --set 'global.enablePodSecurityPolicies=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + . +} diff --git a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats index 3cdd1e3d0e..87eb57334d 100644 
--- a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats +++ b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats @@ -60,3 +60,18 @@ load _helpers yq -r '.imagePullSecrets[1].name' | tee /dev/stderr) [ "${actual}" = "my-secret2" ] } + +#-------------------------------------------------------------------- +# Vault + +@test "webhookCertManager/ServiceAccount: disabled when global.secretsBackend.vault.enabled=true" { + cd `chart_dir` + assert_empty helm template \ + -s templates/webhook-cert-manager-serviceaccount.yaml \ + --set 'controller.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + . +} From 27ca52900563e2f5b96f416fdc5beca231dbd250 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 25 Apr 2022 14:17:19 -0600 Subject: [PATCH 09/80] do not mount volumes when using vault --- acceptance/tests/vault/vault_test.go | 11 ++++-- .../templates/connect-inject-deployment.yaml | 8 +++-- .../templates/controller-deployment.yaml | 8 +++-- .../test/unit/connect-inject-deployment.bats | 29 ++++++++++++++++ .../test/unit/controller-deployment.bats | 34 +++++++++++++++++++ charts/consul/values.yaml | 12 +++++++ 6 files changed, 95 insertions(+), 7 deletions(-) diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go index f746f73ed1..f1677a4312 100644 --- a/acceptance/tests/vault/vault_test.go +++ b/acceptance/tests/vault/vault_test.go @@ -159,6 +159,10 @@ func TestVault(t *testing.T) { } srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) + pathForConnectInjectWebookCerts := + vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient, + consulReleaseName, ns, "dc1", "1h") + vaultCASecret := vault.CASecretName(vaultReleaseName) consulHelmValues := map[string]string{ 
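Review bot: The new local is misspelled, `pathForConnectInjectWebookCerts`; `pathForConnectInjectWebhookCerts` matches the helper it is assigned from and the `connectInject` values it feeds. The name should also say what the value is, since the helper name alone does not tell whether it returns a Vault path or a directory; the `ConfigurePKICerts` helper earlier in this series returns a Vault issue path (`<baseUrl>/issue/<role>`). TestVault's body continues outside the hunk.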
@@ -166,9 +170,10 @@ func TestVault(t *testing.T) { "server.extraVolumes[0].name": vaultCASecret, "server.extraVolumes[0].load": "false", - "connectInject.enabled": "true", - "connectInject.replicas": "1", - "controller.enabled": "true", + "connectInject.enabled": "true", + "connectInject.replicas": "1", + "connectInject.tlsCertDir": pathForConnectInjectWebookCerts, + "controller.enabled": "true", "global.secretsBackend.vault.enabled": "true", "global.secretsBackend.vault.consulServerRole": consulServerRole, diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 9865ff0b01..17605085c4 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml @@ -168,7 +168,7 @@ spec: -consul-cross-namespace-acl-policy=cross-namespace-policy \ {{- end }} {{- end }} - -tls-cert-dir=/etc/connect-injector/certs \ + -tls-cert-dir={{ .Values.connectInject.tlsCertDir }} \ {{- $resources := .Values.connectInject.sidecarProxy.resources }} {{- /* kindIs is used here to differentiate between null and 0 */}} {{- if not (kindIs "invalid" $resources.limits.memory) }} @@ -252,9 +252,11 @@ spec: successThreshold: 1 timeoutSeconds: 5 volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} - name: certs - mountPath: /etc/connect-injector/certs + mountPath: {{ .Values.connectInject.tlsCertDir }} readOnly: true + {{- end}} - mountPath: /consul/login name: consul-data readOnly: true @@ -272,10 +274,12 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumes: + {{- if not .Values.global.secretsBackend.vault.enabled }} - name: certs secret: defaultMode: 420 secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} - name: consul-data emptyDir: medium: "Memory" diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index de0b0107d7..843abc5ca3 100644 
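Review bot: `"connectInject.tlsCertDir": pathForConnectInjectWebookCerts` passes the PKI helper's return value as the injector's `-tls-cert-dir`, but the chart treats `tlsCertDir` as a filesystem path inside the pod (it becomes the `mountPath` in the connect-inject deployment hunk in this same patch). If that helper returns a Vault issue path like `ConfigurePKICerts` does, the injector is pointed at a directory that does not exist; the Vault path belongs in a separate value and the directory default should be left untouched. TestVault's body continues outside the hunk.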
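Review bot: When `global.secretsBackend.vault.enabled` is true the `certs` volume and its mount are now omitted, but nothing in this commit places `tls.crt`/`tls.key` under `{{ .Values.connectInject.tlsCertDir }}`, which `-tls-cert-dir` still points at, so in Vault mode the injector starts with an empty certificate directory until Vault-agent injection of the webhook certificate is wired up (presumably a follow-up). The controller-deployment hunks that follow have the same gap around `-webhook-tls-cert-dir`. Minor: the closing tag after the volumeMounts block is written `{{- end}}` while the volumes block uses `{{- end }}`.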
--- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml @@ -117,7 +117,7 @@ spec: -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \ -log-json={{ .Values.global.logJSON }} \ - -webhook-tls-cert-dir=/tmp/controller-webhook/certs \ + -webhook-tls-cert-dir={{ .Values.controller.tlsCertDir }} \ -datacenter={{ .Values.global.datacenter }} \ {{- if .Values.global.adminPartitions.enabled }} -partition={{ .Values.global.adminPartitions.name }} \ @@ -188,9 +188,11 @@ spec: - mountPath: /consul/login name: consul-data readOnly: true - - mountPath: /tmp/controller-webhook/certs + {{- if not .Values.global.secretsBackend.vault.enabled }} + - mountPath: {{ .Values.controller.tlsCertDir }} name: cert readOnly: true + {{- end }} {{- if .Values.global.tls.enabled }} {{- if .Values.global.tls.enableAutoEncrypt }} - name: consul-auto-encrypt-ca-cert @@ -202,10 +204,12 @@ spec: {{- end }} terminationGracePeriodSeconds: 10 volumes: + {{- if not .Values.global.secretsBackend.vault.enabled }} - name: cert secret: defaultMode: 420 secretName: {{ template "consul.fullname" . }}-controller-webhook-cert + {{- end }} {{- if .Values.global.tls.enabled }} {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} - name: consul-ca-cert diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 5dfa8d6d89..5e4fd45e41 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats 
@@ -1942,6 +1942,35 @@ EOF [ "${actual}" = "test" ] } +@test "connectInject/Deployment: vault does not add tls-ca-cert volume when global.tls.enabled is true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test' \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) + [ "${actual}" == "" ] +} + +@test "connectInject/Deployment: vault does not add tls-ca-cert volumeMounts when global.tls.enabled is true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test' \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) + [ "${actual}" == "" ] +} #-------------------------------------------------------------------- # Vault agent annotations diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 28e9e46ca5..bfa1dd9bb1 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats 
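Review bot: Both new tests select `.name == "consul-ca-cert"`, a volume this commit does not touch; the volume and mount now gated on `global.secretsBackend.vault.enabled` are named `certs`, so the assertions pass without exercising the change. Selecting `.name == "certs"` and naming the tests after the certs volume and the Vault gate (rather than `tls-ca-cert` and `global.tls.enabled`) would make them fail if the `{{- if not ... }}` guard were dropped. The controller tests in the next file do select the right `cert` volume, but their names likewise describe `global.tls.enabled` instead of the Vault gate. A blank line is also missing between the second test's closing brace and the `# Vault agent annotations` separator.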
@@ -934,6 +934,40 @@ load _helpers [ "${actual}" = "test" ] } +@test "controller/Deployment: vault does not add cert volume when global.tls.enabled is true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/controller-deployment.yaml \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test' \ + --set 'controller.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.caCert.secretName=foo' \ + . | tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "cert")' | tee /dev/stderr) + [ "${actual}" == "" ] +} + +@test "controller/Deployment: vault does not add cert volumeMounts when global.tls.enabled is true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/controller-deployment.yaml \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test' \ + --set 'controller.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.caCert.secretName=foo' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "cert")' | tee /dev/stderr) + [ "${actual}" == "" ] +} + #-------------------------------------------------------------------- # Vault agent annotations diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 81de83386a..a9c5ad8e6c 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml 
@@ -2050,6 +2050,12 @@ connectInject: memory: "150Mi" cpu: "50m" + # The directory that Kubernetes will use on Kubernetes service creation, + # deletion, and update, to get TLS certificates used to send webhooks to + # ConnectInject + # @type: string + tlsCertDir: /etc/connect-injector/certs + # Controller handles config entry custom resources. # Requires consul >= 1.8.4. # ServiceIntentions require consul 1.9+. @@ -2064,6 +2070,12 @@ controller: # @type: string logLevel: "" + # The directory that Kubernetes will use on Kubernetes CRD creation, + # deletion, and update, to get TLS certificates used to send webhooks to + # the controller. + # @type: string + tlsCertDir: /tmp/controller-webhook/certs + serviceAccount: # This value defines additional annotations for the controller service account. This should be formatted as a # multi-line string. From 14c8b0c143cec4f36b969791e5207a671202334e Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 25 Apr 2022 16:47:31 -0600 Subject: [PATCH 10/80] configuring vault injector --- charts/consul/templates/_helpers.tpl | 16 ++++++++++++++++ .../templates/connect-inject-deployment.yaml | 8 ++++++-- .../consul/templates/controller-deployment.yaml | 4 ++-- charts/consul/values.yaml | 15 ++++++++++----- control-plane/subcommand/controller/command.go | 6 +++--- 5 files changed, 37 insertions(+), 12 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index b95975ab91..d47f0040ef 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
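Review bot: The comment on `tlsCertDir` describes it as a directory Kubernetes uses to get certificates, but Kubernetes never reads it; per the deployment templates it is the path inside the connect-inject container where the webhook serving certificate is mounted and handed to the injector as `-tls-cert-dir`. Suggest `# Directory inside the connect-inject pod where the webhook server's TLS certificate and key are mounted; passed to the injector as -tls-cert-dir.` The `controller.tlsCertDir` comment in the second hunk has the same problem and should name `-webhook-tls-cert-dir`.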
@@ -53,6 +53,22 @@ as well as the global.name setting. {{ "{{" }}- end -{{ "}}" }} {{- end -}} +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.connectInject.tlsCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.connectInject.tlsCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + {{- define "consul.serverTLSAltNames" -}} {{- $name := include "consul.fullname" . -}} {{- $ns := .Release.Namespace -}} diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 17605085c4..f745102259 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
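Review bot: Both new templates request the certificate with `common_name=server.<datacenter>.<domain>` plus `consul.serverTLSAltNames` and `ip_sans=127.0.0.1`, which is the Consul server's identity, not the connect-inject webhook's; the API server reaches the webhook at its Service DNS name (`<release>-consul-connect-injector.<namespace>.svc`, or whatever the chart names that Service), and a certificate carrying only the server names will not verify against it whatever CA bundle is installed. The common_name and alt_names should be the injector Service name, and the PKI role's allowed_domains must permit it. The two defines are also identical except for `.Data.certificate` versus `.Data.private_key`; a shared inner template taking the field as an argument would keep the two `with secret` calls from drifting apart.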
@@ -44,6 +44,10 @@ spec: "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + "vault.hashicorp.com/agent-inject-secret-injectwebhookcert.crt": {{ .Values.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-injectwebhookcert.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-injectwebhookcert.key": {{ .Values.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-injectwebhookcert.key": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" @@ -168,7 +172,7 @@ spec: -consul-cross-namespace-acl-policy=cross-namespace-policy \ {{- end }} {{- end }} - -tls-cert-dir={{ .Values.connectInject.tlsCertDir }} \ + -tls-cert-dir={{ .Values.connectInject.tlsCert.dir }} \ {{- $resources := .Values.connectInject.sidecarProxy.resources }} {{- /* kindIs is used here to differentiate between null and 0 */}} {{- if not (kindIs "invalid" $resources.limits.memory) }} @@ -254,7 +258,7 @@ spec: volumeMounts: {{- if not .Values.global.secretsBackend.vault.enabled }} - name: certs - mountPath: {{ .Values.connectInject.tlsCertDir }} + mountPath: {{ .Values.connectInject.tlsCert.dir }} readOnly: true {{- end}} - mountPath: /consul/login diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 843abc5ca3..9e73238095 100644 
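Review bot: The `agent-inject-template-injectwebhookcert.key` annotation renders `consul.connectInjectWebhookTLSCertTemplate`, so the file named `.key` receives the certificate rather than the private key; it should be `{{ include "consul.connectInjectWebhookTLSKeyTemplate" . }}`. Separately, since the cert and key templates each call the PKI issue endpoint on their own, the two files only form a matching pair if the agent dedupes identical `secret` calls across templates — worth confirming, or writing both from one template. The injected file names (`injectwebhookcert.crt`/`.key` under /vault/secrets) also do not match what the injector reads: `-tls-cert-dir` still points at `tlsCert.dir`, and the controller flag help in this series says the files must be named `tls.crt`/`tls.key`, so the injector likely expects the same.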
--- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml @@ -117,7 +117,7 @@ spec: -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \ -log-json={{ .Values.global.logJSON }} \ - -webhook-tls-cert-dir={{ .Values.controller.tlsCertDir }} \ + -webhook-tls-cert-dir={{ .Values.controller.tlsCert.dir }} \ -datacenter={{ .Values.global.datacenter }} \ {{- if .Values.global.adminPartitions.enabled }} -partition={{ .Values.global.adminPartitions.name }} \ @@ -189,7 +189,7 @@ spec: name: consul-data readOnly: true {{- if not .Values.global.secretsBackend.vault.enabled }} - - mountPath: {{ .Values.controller.tlsCertDir }} + - mountPath: {{ .Values.controller.tlsCert.dir }} name: cert readOnly: true {{- end }} diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index a9c5ad8e6c..94bae8a27b 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -2053,9 +2053,11 @@ connectInject: # The directory that Kubernetes will use on Kubernetes service creation, # deletion, and update, to get TLS certificates used to send webhooks to # ConnectInject - # @type: string - tlsCertDir: /etc/connect-injector/certs - + tlsCert: + # @type: string + dir: /etc/connect-injector/certs + # @type: string + secretName: nil # Controller handles config entry custom resources. # Requires consul >= 1.8.4. # ServiceIntentions require consul 1.9+. @@ -2073,8 +2075,11 @@ controller: # The directory that Kubernetes will use on Kubernetes CRD creation, # deletion, and update, to get TLS certificates used to send webhooks to # the controller. - # @type: string - tlsCertDir: /tmp/controller-webhook/certs + tlsCert: + # @type: string + dir: /tmp/controller-webhook/certs + # @type: string + secretName: nil serviceAccount: # This value defines additional annotations for the controller service account. This should be formatted as a 
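Review bot: `secretName: nil` is a plain YAML string, not a null; with the default left in place the Vault annotations would render the literal path `nil` in `with secret "nil" ...`. Use `secretName: null` (or `""`) so templates can test for it, and document the value — from how the helpers use it, it is a Vault PKI issue path rather than a Kubernetes Secret name, e.g. `# Vault path used to issue the webhook TLS certificate (e.g. <pki-mount>/issue/<role>); only used when global.secretsBackend.vault.enabled is true.` The header comment above `tlsCert` still describes only the directory. The same applies to `controller.tlsCert.secretName` in the second hunk.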
diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go index eb7121b928..838e87aebc 100644 --- a/control-plane/subcommand/controller/command.go +++ b/control-plane/subcommand/controller/command.go @@ -29,7 +29,7 @@ type Command struct { flagSet *flag.FlagSet httpFlags *flags.HTTPFlags - flagWebhookTLSCertDir string + flagWebhooktlsCert.dir string flagEnableLeaderElection bool flagEnableWebhooks bool flagDatacenter string @@ -77,7 +77,7 @@ func (c *Command) init() { c.flagSet.StringVar(&c.flagCrossNSACLPolicy, "consul-cross-namespace-acl-policy", "", "[Enterprise Only] Name of the ACL policy to attach to all created Consul namespaces to allow service "+ "discovery across Consul namespaces. Only necessary if ACLs are enabled.") - c.flagSet.StringVar(&c.flagWebhookTLSCertDir, "webhook-tls-cert-dir", "", + c.flagSet.StringVar(&c.flagWebhooktlsCert.dir, "webhook-tls-cert-dir", "", "Directory that contains the TLS cert and key required for the webhook. The cert and key files must be named 'tls.crt' and 'tls.key' respectively.") c.flagSet.BoolVar(&c.flagEnableWebhooks, "enable-webhooks", true, "Enable webhooks. Disable when running locally since Kube API server won't be able to route to local server.") @@ -245,7 +245,7 @@ func (c *Command) Run(args []string) int { if c.flagEnableWebhooks { // This webhook server sets up a Cert Watcher on the CertDir. This watches for file changes and updates the webhook certificates // automatically when new certificates are available. - mgr.GetWebhookServer().CertDir = c.flagWebhookTLSCertDir + mgr.GetWebhookServer().CertDir = c.flagWebhooktlsCert.dir // Note: The path here should be identical to the one on the kubebuilder // annotation in each webhook file. From c0166f3b73c4dba19517acdfde836b721c17f519 Mon Sep 17 00:00:00 2001 
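Review bot: `flagWebhooktlsCert.dir` is not a valid Go identifier (the dot makes it a selector on a field named `flagWebhooktlsCert`), so the struct field, the `StringVar` registration in the second hunk and the assignment in the third hunk all fail to compile; the lines should stay `flagWebhookTLSCertDir string`, `&c.flagWebhookTLSCertDir` and `= c.flagWebhookTLSCertDir`. It looks like a search-and-replace of `TLSCertDir` → `tlsCert.dir` intended for the chart values spilled into Go code.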
From: John Murret Date: Mon, 25 Apr 2022 22:34:45 -0600 Subject: [PATCH 11/80] Fixing linting --- acceptance/tests/vault/vault_test.go | 8 ++++---- control-plane/subcommand/controller/command.go | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go index f1677a4312..cd80ee0c67 100644 --- a/acceptance/tests/vault/vault_test.go +++ b/acceptance/tests/vault/vault_test.go @@ -170,10 +170,10 @@ func TestVault(t *testing.T) { "server.extraVolumes[0].name": vaultCASecret, "server.extraVolumes[0].load": "false", - "connectInject.enabled": "true", - "connectInject.replicas": "1", - "connectInject.tlsCertDir": pathForConnectInjectWebookCerts, - "controller.enabled": "true", + "connectInject.enabled": "true", + "connectInject.replicas": "1", + "connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, + "controller.enabled": "true", "global.secretsBackend.vault.enabled": "true", "global.secretsBackend.vault.consulServerRole": consulServerRole, diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go index 838e87aebc..eb7121b928 100644 --- a/control-plane/subcommand/controller/command.go +++ b/control-plane/subcommand/controller/command.go @@ -29,7 +29,7 @@ type Command struct { flagSet *flag.FlagSet httpFlags *flags.HTTPFlags - flagWebhooktlsCert.dir string + flagWebhookTLSCertDir string flagEnableLeaderElection bool flagEnableWebhooks bool flagDatacenter string 
@@ -77,7 +77,7 @@ func (c *Command) init() { c.flagSet.StringVar(&c.flagCrossNSACLPolicy, "consul-cross-namespace-acl-policy", "", "[Enterprise Only] Name of the ACL policy to attach to all created Consul namespaces to allow service "+ "discovery across Consul namespaces. Only necessary if ACLs are enabled.") - c.flagSet.StringVar(&c.flagWebhooktlsCert.dir, "webhook-tls-cert-dir", "", + c.flagSet.StringVar(&c.flagWebhookTLSCertDir, "webhook-tls-cert-dir", "", "Directory that contains the TLS cert and key required for the webhook. The cert and key files must be named 'tls.crt' and 'tls.key' respectively.") c.flagSet.BoolVar(&c.flagEnableWebhooks, "enable-webhooks", true, "Enable webhooks. Disable when running locally since Kube API server won't be able to route to local server.") @@ -245,7 +245,7 @@ func (c *Command) Run(args []string) int { if c.flagEnableWebhooks { // This webhook server sets up a Cert Watcher on the CertDir. This watches for file changes and updates the webhook certificates // automatically when new certificates are available. - mgr.GetWebhookServer().CertDir = c.flagWebhooktlsCert.dir + mgr.GetWebhookServer().CertDir = c.flagWebhookTLSCertDir // Note: The path here should be identical to the one on the kubebuilder // annotation in each webhook file. From b37191ae17b6fc177f4112631fa4ecb420a80714 Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 26 Apr 2022 09:10:05 -0600 Subject: [PATCH 12/80] Pods are all running --- charts/consul/templates/connect-inject-deployment.yaml | 10 +++++----- charts/consul/templates/controller-deployment.yaml | 6 +++++- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index f745102259..b916e0337e 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
@@ -44,10 +44,10 @@ spec: "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} - "vault.hashicorp.com/agent-inject-secret-injectwebhookcert.crt": {{ .Values.connectInject.tlsCert.secretName }} - "vault.hashicorp.com/agent-inject-template-injectwebhookcert.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} - "vault.hashicorp.com/agent-inject-secret-injectwebhookcert.key": {{ .Values.connectInject.tlsCert.secretName }} - "vault.hashicorp.com/agent-inject-template-injectwebhookcert.key": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" @@ -172,7 +172,7 @@ spec: -consul-cross-namespace-acl-policy=cross-namespace-policy \ {{- end }} {{- end }} - -tls-cert-dir={{ .Values.connectInject.tlsCert.dir }} \ + -tls-cert-dir=/vault/secrets \ {{- $resources := .Values.connectInject.sidecarProxy.resources }} {{- /* kindIs is used here to differentiate between null and 0 */}} {{- if not (kindIs "invalid" $resources.limits.memory) }} 
diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 9e73238095..5501280f96 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml @@ -36,6 +36,10 @@ spec: "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" @@ -117,7 +121,7 @@ spec: -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \ -log-json={{ .Values.global.logJSON }} \ - -webhook-tls-cert-dir={{ .Values.controller.tlsCert.dir }} \ + -webhook-tls-cert-dir=/vault/secrets \ -datacenter={{ .Values.global.datacenter }} \ {{- if .Values.global.adminPartitions.enabled }} -partition={{ .Values.global.adminPartitions.name }} \ From 9a2d56a50ad1d910b12edc0a93a487ca8984cd18 Mon Sep 17 00:00:00 2001 
From: John Murret Date: Tue, 26 Apr 2022 09:16:17 -0600 Subject: [PATCH 13/80] Fixing cert-dir paths for vault and non-vault use --- charts/consul/templates/connect-inject-deployment.yaml | 4 ++++ charts/consul/templates/controller-deployment.yaml | 4 ++++ charts/consul/values.yaml | 4 ---- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index b916e0337e..38b98f3393 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml @@ -172,7 +172,11 @@ spec: -consul-cross-namespace-acl-policy=cross-namespace-policy \ {{- end }} {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} -tls-cert-dir=/vault/secrets \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} {{- $resources := .Values.connectInject.sidecarProxy.resources }} {{- /* kindIs is used here to differentiate between null and 0 */}} {{- if not (kindIs "invalid" $resources.limits.memory) }} diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 5501280f96..10a9f20569 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml @@ -121,7 +121,11 @@ spec: -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \ -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} -webhook-tls-cert-dir=/vault/secrets \ + {{- else }} + -webhook-tls-cert-dir=/tmp/controller-webhook/certs \ + {{- end }} -datacenter={{ .Values.global.datacenter }} \ {{- if .Values.global.adminPartitions.enabled }} -partition={{ .Values.global.adminPartitions.name }} \ diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 94bae8a27b..2590965776 100644 
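Review bot: The non-Vault certificate directory now appears as a literal in two places of each template — `-tls-cert-dir=/etc/connect-injector/certs` in this hunk of connect-inject-deployment.yaml, and the container's volumeMount further down the same file (outside this hunk), which at this commit still reads the `.Values.connectInject.tlsCert.dir` key that the values.yaml hunk of the same commit removes, so it presumably renders empty; the same applies to `-webhook-tls-cert-dir=/tmp/controller-webhook/certs` in controller-deployment.yaml. Binding the directory once at the top of the template, e.g. `{{- $certDir := ternary "/vault/secrets" "/etc/connect-injector/certs" .Values.global.secretsBackend.vault.enabled }}`, and using `$certDir` for both the command argument and the mount keeps the flag and the mount from drifting apart. A short comment next to the binding should say why the Vault path is fixed (`# Vault Agent injects tls.crt/tls.key under /vault/secrets`).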
--- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -2054,8 +2054,6 @@ connectInject: # deletion, and update, to get TLS certificates used to send webhooks to # ConnectInject tlsCert: - # @type: string - dir: /etc/connect-injector/certs # @type: string secretName: nil # Controller handles config entry custom resources. @@ -2076,8 +2074,6 @@ controller: # deletion, and update, to get TLS certificates used to send webhooks to # the controller. tlsCert: - # @type: string - dir: /tmp/controller-webhook/certs # @type: string secretName: nil From 318cca41bc469025a8ff7da6b539802b1da67689 Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 26 Apr 2022 11:11:46 -0600 Subject: [PATCH 14/80] fixing volume mount --- charts/consul/templates/connect-inject-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 38b98f3393..3c0a4f172f 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml @@ -262,7 +262,7 @@ spec: volumeMounts: {{- if not .Values.global.secretsBackend.vault.enabled }} - name: certs - mountPath: {{ .Values.connectInject.tlsCert.dir }} + mountPath: /etc/connect-injector/certs readOnly: true {{- end}} - mountPath: /consul/login From 768190e835bcd9c03d803e473ad2f325d883aa99 Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 26 Apr 2022 12:51:00 -0600 Subject: [PATCH 15/80] fixing volume mount again --- charts/consul/templates/controller-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 10a9f20569..f4263a780b 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml 
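Review bot: Removing `tlsCert.dir` from both `connectInject` and `controller` is a user-visible breaking change that Helm will not surface: an existing install that sets `connectInject.tlsCert.dir` gets no error, the value is simply ignored, and the directory the operator intended is no longer honoured. A CHANGELOG entry for the removal and, if the chart ships a values.schema.json, marking the key as no longer accepted would make this visible at upgrade time. The `# @type: string` comment that remains above `secretName` is still correct.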
@@ -197,7 +197,7 @@ spec: name: consul-data readOnly: true {{- if not .Values.global.secretsBackend.vault.enabled }} - - mountPath: {{ .Values.controller.tlsCert.dir }} + - mountPath: /tmp/controller-webhook/certs name: cert readOnly: true {{- end }} From e9c885d2c6a77990f93fe89ae4570d24cd8cc517 Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 26 Apr 2022 14:21:40 -0600 Subject: [PATCH 16/80] adding bats tests for tls cert directory --- .../test/unit/connect-inject-deployment.bats | 36 +++++++++++++++++++ .../test/unit/controller-deployment.bats | 34 ++++++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 5e4fd45e41..577b128ea7 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats @@ -1914,6 +1914,7 @@ EOF --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test' \ --set 'global.tls.enabled=true' \ + --set 'connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ 
@@ -1940,6 +1941,25 @@ EOF local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr)" [ "${actual}" = "test" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-tls.crt"]' | tee /dev/stderr)" + [ "${actual}" = "pki/issue/connect-webhook-cert-dc1" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=server.dc1.consul\"\n\"alt_names=localhost,release-name-consul-server,*.release-name-consul-server,*.release-name-consul-server.default,release-name-consul-server.default,*.release-name-consul-server.default.svc,release-name-consul-server.default.svc,*.server.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + [ "${actual}" = "${expected}" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-tls.key"]' | tee /dev/stderr)" + [ "${actual}" = "pki/issue/connect-webhook-cert-dc1" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=server.dc1.consul\"\n\"alt_names=localhost,release-name-consul-server,*.release-name-consul-server,*.release-name-consul-server.default,release-name-consul-server.default,*.release-name-consul-server.default.svc,release-name-consul-server.default.svc,*.server.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + [ "${actual}" = "${expected}" ] + } @test "connectInject/Deployment: vault does not add tls-ca-cert volume when global.tls.enabled is true" { 
@@ -1971,6 +1991,22 @@ EOF yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) [ "${actual}" == "" ] } + +@test "connectInject/Deployment: vault tls-cert-dir flag is set to /vault/secrets" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("-tls-cert-dir=/vault/secrets"))' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # Vault agent annotations diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index bfa1dd9bb1..0548de24f7 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats @@ -906,6 +906,7 @@ load _helpers --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test' \ --set 'global.tls.enabled=true' \ + --set 'connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ 
@@ -932,6 +933,24 @@ load _helpers local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr)" [ "${actual}" = "test" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-tls.crt"]' | tee /dev/stderr)" + [ "${actual}" = "pki/issue/connect-webhook-cert-dc1" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=server.dc1.consul\"\n\"alt_names=localhost,release-name-consul-server,*.release-name-consul-server,*.release-name-consul-server.default,release-name-consul-server.default,*.release-name-consul-server.default.svc,release-name-consul-server.default.svc,*.server.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + [ "${actual}" = "${expected}" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-tls.key"]' | tee /dev/stderr)" + [ "${actual}" = "pki/issue/connect-webhook-cert-dc1" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=server.dc1.consul\"\n\"alt_names=localhost,release-name-consul-server,*.release-name-consul-server,*.release-name-consul-server.default,release-name-consul-server.default,*.release-name-consul-server.default.svc,release-name-consul-server.default.svc,*.server.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + [ "${actual}" = "${expected}" ] } @test "controller/Deployment: vault does not add cert volume when global.tls.enabled is true" { 
@@ -968,6 +987,21 @@ load _helpers [ "${actual}" == "" ] } +@test "controller/Deployment: vault webhook-tls-cert-dir flag is set to /vault/secrets" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("-webhook-tls-cert-dir=/vault/secrets"))' | tee /dev/stderr) + + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # Vault agent annotations From 26619432b3610a61e600a5fe8e801708f666782e Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 26 Apr 2022 16:03:55 -0600 Subject: [PATCH 17/80] fixing cert for tls-cert dir --- charts/consul/templates/_helpers.tpl | 14 ++++++++++---- .../test/unit/connect-inject-deployment.bats | 4 ++-- charts/consul/test/unit/controller-deployment.bats | 4 ++-- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index d47f0040ef..57d51aaa6f 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -55,16 +55,16 @@ as well as the global.name setting. {{- define "consul.connectInjectWebhookTLSCertTemplate" -}} | - {{ "{{" }}- with secret "{{ .Values.connectInject.tlsCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" - "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- with secret "{{ .Values.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} {{ "{{" }}- .Data.certificate -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} {{- end -}} {{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} | - {{ "{{" }}- with secret "{{ .Values.connectInject.tlsCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" - "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- with secret "{{ .Values.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} {{ "{{" }}- .Data.private_key -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} {{- end -}} 
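Review bot: `consul.connectInjectWebhookTLSCertTemplate` and `consul.connectInjectWebhookTLSKeyTemplate` repeat the same `with secret ... "common_name=..." "alt_names=..." "ip_sans=127.0.0.1"` request line, and the pairing of the injected `tls.crt` with `tls.key` presumably relies on Vault Agent folding two byte-identical requests into a single PKI issuance. If the two lines ever diverge (a different `common_name`, alt_names or ip_sans in one of them), the agent would request two separate certificates and the injected key would no longer match the injected certificate, which shows up as failed TLS handshakes rather than as a render-time error. Defining the request once, e.g. `{{- define "consul.connectInjectWebhookTLSSecretRequest" -}}`, and including it from both templates removes that failure mode; the controller templates added later in the series repeat the same pattern.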
@@ -83,6 +83,12 @@ as well as the global.name setting. {{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $ipsan := .Values.global.tls.serverAdditionalIPSANs }},{{ $ipsan }} {{- end -}}{{- end -}}{{- end -}} {{- end -}} +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-connect-injector,*.%s-connect-injector,*.%s-connect-injector.%s,%s-connect-injector.%s,*.%s-connect-injector.%s.svc,%s-connect-injector.%s.svc,*.connect-injector.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }} +{{- end -}} + {{- define "consul.vaultReplicationTokenTemplate" -}} | {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 577b128ea7..a82afed4d7 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats 
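Review bot: The SAN list produced by `consul.connectInjectorTLSAltNames` is broader than the webhook needs: the API server reaches the webhook at `<fullname>-connect-injector.<namespace>.svc`, while the template also adds `localhost`, wildcard forms such as `*.<fullname>-connect-injector` and `*.<fullname>-connect-injector.<namespace>.svc`, and `*.connect-injector.<datacenter>.<domain>`, and the issuing Vault role has to permit subdomain and bare-domain issuance to satisfy them. A wildcard SAN makes the injected key valid for any name under that label, so consider trimming the list to the service DNS name and its `.svc.cluster.local` form and mirroring the narrower list in the Vault role's `allowed_domains`. A one-line comment above the `printf` naming which consumer needs each entry would make later trimming safe.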
@@ -1948,7 +1948,7 @@ EOF local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=server.dc1.consul\"\n\"alt_names=localhost,release-name-consul-server,*.release-name-consul-server,*.release-name-consul-server.default,release-name-consul-server.default,*.release-name-consul-server.default.svc,release-name-consul-server.default.svc,*.server.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=localhost,release-name-consul-connect-injector,*.release-name-consul-connect-injector,*.release-name-consul-connect-injector.default,release-name-consul-connect-injector.default,*.release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc,*.connect-injector.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | 
@@ -1957,7 +1957,7 @@ EOF local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=server.dc1.consul\"\n\"alt_names=localhost,release-name-consul-server,*.release-name-consul-server,*.release-name-consul-server.default,release-name-consul-server.default,*.release-name-consul-server.default.svc,release-name-consul-server.default.svc,*.server.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=localhost,release-name-consul-connect-injector,*.release-name-consul-connect-injector,*.release-name-consul-connect-injector.default,release-name-consul-connect-injector.default,*.release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc,*.connect-injector.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] } diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 0548de24f7..9cfd66a241 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats 
@@ -940,7 +940,7 @@ load _helpers local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=server.dc1.consul\"\n\"alt_names=localhost,release-name-consul-server,*.release-name-consul-server,*.release-name-consul-server.default,release-name-consul-server.default,*.release-name-consul-server.default.svc,release-name-consul-server.default.svc,*.server.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=localhost,release-name-consul-connect-injector,*.release-name-consul-connect-injector,*.release-name-consul-connect-injector.default,release-name-consul-connect-injector.default,*.release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc,*.connect-injector.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | 
@@ -949,7 +949,7 @@ load _helpers local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=server.dc1.consul\"\n\"alt_names=localhost,release-name-consul-server,*.release-name-consul-server,*.release-name-consul-server.default,release-name-consul-server.default,*.release-name-consul-server.default.svc,release-name-consul-server.default.svc,*.server.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=localhost,release-name-consul-connect-injector,*.release-name-consul-connect-injector,*.release-name-consul-connect-injector.default,release-name-consul-connect-injector.default,*.release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc,*.connect-injector.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] } From a6ea7546e06ee755eec52e42fa6cccd21ff41322 Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 26 Apr 2022 22:45:32 -0600 Subject: [PATCH 18/80] Adding logic to tests for controller tls cert. also adding snapshot agent and vault namespaces tests --- .../snapshot-agent/snapshot_agent_vault_test.go | 15 ++++++++++++--- acceptance/tests/vault/vault_namespaces_test.go | 15 ++++++++++++--- acceptance/tests/vault/vault_test.go | 8 ++++++++ 3 files changed, 32 insertions(+), 6 deletions(-) diff --git a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go index bde2d88ab0..99dff5ca7e 100644 --- a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go +++ b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go 
@@ -177,6 +177,13 @@ func TestSnapshotAgent_Vault(t *testing.T) { } saAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) + pathForConnectInjectWebookCerts := + vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient, + consulReleaseName, ns, "dc1", "1h") + pathForControllerWebookCerts := + vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient, + consulReleaseName, ns, "dc1", "1h") + vaultCASecret := vault.CASecretName(vaultReleaseName) consulHelmValues := map[string]string{ @@ -184,9 +191,11 @@ func TestSnapshotAgent_Vault(t *testing.T) { "server.extraVolumes[0].name": vaultCASecret, "server.extraVolumes[0].load": "false", - "connectInject.enabled": "true", - "connectInject.replicas": "1", - "controller.enabled": "true", + "connectInject.enabled": "true", + "connectInject.replicas": "1", + "connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, + "controller.enabled": "true", + "controller.tlsCert.secretName": pathForControllerWebookCerts, "global.secretsBackend.vault.enabled": "true", "global.secretsBackend.vault.consulServerRole": consulServerRole, diff --git a/acceptance/tests/vault/vault_namespaces_test.go b/acceptance/tests/vault/vault_namespaces_test.go index a7ddec906c..ffa83605f1 100644 --- a/acceptance/tests/vault/vault_namespaces_test.go +++ b/acceptance/tests/vault/vault_namespaces_test.go @@ -172,6 +172,13 @@ func TestVault_VaultNamespace(t *testing.T) { } srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) + pathForConnectInjectWebookCerts := + vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient, + consulReleaseName, ns, "dc1", "1h") + pathForControllerWebookCerts := + vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient, + consulReleaseName, ns, "dc1", "1h") + vaultCASecret := vault.CASecretName(vaultReleaseName) consulHelmValues := map[string]string{ 
@@ -179,9 +186,11 @@ func TestVault_VaultNamespace(t *testing.T) { "server.extraVolumes[0].name": vaultCASecret, "server.extraVolumes[0].load": "false", - "connectInject.enabled": "true", - "connectInject.replicas": "1", - "controller.enabled": "true", + "connectInject.enabled": "true", + "connectInject.replicas": "1", + "connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, + "controller.enabled": "true", + "controller.tlsCert.secretName": pathForControllerWebookCerts, "global.secretsBackend.vault.enabled": "true", "global.secretsBackend.vault.consulServerRole": consulServerRole, diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go index cd80ee0c67..7c5c373507 100644 --- a/acceptance/tests/vault/vault_test.go +++ b/acceptance/tests/vault/vault_test.go @@ -106,10 +106,14 @@ func TestVault(t *testing.T) { } bootstrapTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient) +<<<<<<< HEAD // ------------------------- // Additional Auth Roles // ------------------------- serverPolicies := fmt.Sprintf("%s,%s,%s,%s", gossipSecret.PolicyName, connectCAPolicy, serverPKIConfig.PolicyName, bootstrapTokenSecret.PolicyName) +======= + serverPolicies := "gossip,connect-ca-dc1,server-cert-dc1,bootstrap-token" +>>>>>>> 9b5a11d1 (Adding logic to tests for controller tls cert. also adding snapshot agent and vault namespaces tests) if cfg.EnableEnterprise { serverPolicies += fmt.Sprintf(",%s", licenseSecret.PolicyName) } @@ -162,6 +166,9 @@ func TestVault(t *testing.T) { pathForConnectInjectWebookCerts := vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient, consulReleaseName, ns, "dc1", "1h") + pathForControllerWebookCerts := + vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient, + consulReleaseName, ns, "dc1", "1h") vaultCASecret := vault.CASecretName(vaultReleaseName) 
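Review bot: The `@@ -106` hunk of acceptance/tests/vault/vault_test.go adds unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 9b5a11d1 (...)`), so the file no longer compiles; the `HEAD` side that builds `serverPolicies` from the `PolicyName` fields is the one consistent with the surrounding test, and the hard-coded `serverPolicies := "gossip,connect-ca-dc1,server-cert-dc1,bootstrap-token"` alternative should be dropped. The enclosing `TestVault` function starts and ends outside the hunk. Separately, the new identifiers carry the `Webook` misspelling (`pathForControllerWebookCerts`, and the earlier `pathForConnectInjectWebookCerts`); `pathForControllerWebhookCerts` would match the helper name `ConfigurePKICertificatesForControllerWebhook`.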
@@ -174,6 +181,7 @@ func TestVault(t *testing.T) { "connectInject.replicas": "1", "connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, "controller.enabled": "true", + "controller.tlsCert.secretName": pathForControllerWebookCerts, "global.secretsBackend.vault.enabled": "true", "global.secretsBackend.vault.consulServerRole": consulServerRole, From 517f5732fcdcdb883b50262ec4619fba469f6fc2 Mon Sep 17 00:00:00 2001 From: John Murret Date: Wed, 4 May 2022 20:39:36 -0600 Subject: [PATCH 19/80] it works...with hardocded stuff...need to refactor from here --- charts/consul/templates/_helpers.tpl | 22 ++++++ .../templates/connect-inject-clusterrole.yaml | 9 +++ .../templates/controller-clusterrole.yaml | 9 +++ .../templates/controller-deployment.yaml | 9 +-- .../test/unit/controller-deployment.bats | 10 +-- .../subcommand/controller/command.go | 67 +++++++++++++++++++ .../subcommand/inject-connect/command.go | 44 +++++++++++- 7 files changed, 160 insertions(+), 10 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 57d51aaa6f..19a11c429f 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -69,6 +69,22 @@ as well as the global.name setting. {{ "{{" }}- end -{{ "}}" }} {{- end -}} +{{- define "consul.controllerWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.controllerWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + {{- define "consul.serverTLSAltNames" -}} {{- $name := include "consul.fullname" . -}} {{- $ns := .Release.Namespace -}} 
@@ -89,6 +105,12 @@ as well as the global.name setting. {{ printf "localhost,%s-connect-injector,*.%s-connect-injector,*.%s-connect-injector.%s,%s-connect-injector.%s,*.%s-connect-injector.%s.svc,%s-connect-injector.%s.svc,*.connect-injector.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }} {{- end -}} +{{- define "consul.controllerWebhookTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-controller-webhook,*.%s-controller-webhook,*.%s-controller-webhook.%s,%s-controller-webhook.%s,*.%s-controller-webhook.%s.svc,%s-controller-webhook.%s.svc,*.controller-webhook.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }} +{{- end -}} + {{- define "consul.vaultReplicationTokenTemplate" -}} | {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml index 683a9c6bf7..12beb949b9 100644 --- a/charts/consul/templates/connect-inject-clusterrole.yaml +++ b/charts/consul/templates/connect-inject-clusterrole.yaml @@ -33,6 +33,15 @@ rules: - get - list - update +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch {{- if .Values.global.enablePodSecurityPolicies }} - apiGroups: [ "policy" ] resources: [ "podsecuritypolicies" ] diff --git a/charts/consul/templates/controller-clusterrole.yaml b/charts/consul/templates/controller-clusterrole.yaml index e2522a2eae..aa7a09c414 100644 --- a/charts/consul/templates/controller-clusterrole.yaml +++ b/charts/consul/templates/controller-clusterrole.yaml 
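Review bot: The new rule in connect-inject-clusterrole.yaml grants `patch` on every `mutatingwebhookconfigurations` object in the cluster, and the identical rule in controller-clusterrole.yaml does the same for the controller, so a compromise of either service account would allow rewriting any admission webhook in the cluster rather than only this chart's. If the intent is to update the chart's own webhook configuration (presumably what the new `-resource-prefix` flag is for), scoping `get` and `patch` with `resourceNames: ["<name of the chart's MutatingWebhookConfiguration>"]` keeps the grant to that one object; `list` and `watch` cannot be restricted by `resourceNames`, so either keep them in a separate rule or drop them if the code does not need them. A comment above the rule stating which controller code path uses it would make the grant reviewable.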
@@ -57,6 +57,15 @@ rules: - get - list - update +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch {{- if .Values.global.enablePodSecurityPolicies }} - apiGroups: ["policy"] resources: ["podsecuritypolicies"] diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index f4263a780b..908e78235e 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml 
@@ -36,10 +36,10 @@ spec: "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} - "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.connectInject.tlsCert.secretName }} - "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} - "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.connectInject.tlsCert.secretName }} - "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.controller.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.controllerWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.controller.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.controllerWebhookTLSKeyTemplate" . }} {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" @@ -121,6 +121,7 @@ spec: -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \ -log-json={{ .Values.global.logJSON }} \ + -resource-prefix={{ template "consul.fullname" . }} \ {{- if .Values.global.secretsBackend.vault.enabled }} -webhook-tls-cert-dir=/vault/secrets \ {{- else }} diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 9cfd66a241..68cd63f054 100644 
--- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats @@ -906,7 +906,7 @@ load _helpers --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test' \ --set 'global.tls.enabled=true' \ - --set 'connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'controller.tlsCert.secretName=pki/issue/controller-webhook-cert-dc1' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ 
@@ -936,20 +936,20 @@ load _helpers local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-tls.crt"]' | tee /dev/stderr)" - [ "${actual}" = "pki/issue/connect-webhook-cert-dc1" ] + [ "${actual}" = "pki/issue/controller-webhook-cert-dc1" ] local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=localhost,release-name-consul-connect-injector,*.release-name-consul-connect-injector,*.release-name-consul-connect-injector.default,release-name-consul-connect-injector.default,*.release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc,*.connect-injector.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=localhost,release-name-consul-controller-webhook,*.release-name-consul-controller-webhook,*.release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default,*.release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc,*.controller-webhook.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-tls.key"]' | tee /dev/stderr)" - [ "${actual}" = "pki/issue/connect-webhook-cert-dc1" ] + [ "${actual}" = "pki/issue/controller-webhook-cert-dc1" ] local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" 
\"common_name=connect-injector.dc1.consul\"\n\"alt_names=localhost,release-name-consul-connect-injector,*.release-name-consul-connect-injector,*.release-name-consul-connect-injector.default,release-name-consul-connect-injector.default,*.release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc,*.connect-injector.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=localhost,release-name-consul-controller-webhook,*.release-name-consul-controller-webhook,*.release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default,*.release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc,*.controller-webhook.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] } diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go index eb7121b928..f74dca95ae 100644 --- a/control-plane/subcommand/controller/command.go +++ b/control-plane/subcommand/controller/command.go @@ -1,9 +1,13 @@ package controller import ( + "context" + "encoding/base64" + "encoding/json" "errors" "flag" "fmt" + "io/ioutil" "sync" "github.com/hashicorp/consul-k8s/control-plane/api/common" @@ -15,9 +19,13 @@ import ( "github.com/hashicorp/consul/api" "github.com/mitchellh/cli" "go.uber.org/zap/zapcore" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" utilruntime "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/client-go/kubernetes" clientgoscheme "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" "k8s.io/klog/v2" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/webhook" 
@@ -35,6 +43,7 @@ type Command struct { flagDatacenter string flagLogLevel string flagLogJSON bool + flagResourcePrefix string // Flags to support Consul Enterprise namespaces. flagEnableNamespaces bool @@ -81,6 +90,8 @@ func (c *Command) init() { "Directory that contains the TLS cert and key required for the webhook. The cert and key files must be named 'tls.crt' and 'tls.key' respectively.") c.flagSet.BoolVar(&c.flagEnableWebhooks, "enable-webhooks", true, "Enable webhooks. Disable when running locally since Kube API server won't be able to route to local server.") + c.flagSet.StringVar(&c.flagResourcePrefix, "resource-prefix", "", + "Release prefix of the Consul installation used to determine Consul DNS Service name.") c.flagSet.StringVar(&c.flagLogLevel, "log-level", zapcore.InfoLevel.String(), fmt.Sprintf("Log verbosity level. Supported values (in order of detail) are "+ "%q, %q, %q, and %q.", zapcore.DebugLevel.String(), zapcore.InfoLevel.String(), zapcore.WarnLevel.String(), zapcore.ErrorLevel.String())) 
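Review bot: The help text for `-resource-prefix` says the value is used to determine the Consul DNS service name, but the only use added in this commit builds the MutatingWebhookConfiguration name via `fmt.Sprintf("%s-%s", c.flagResourcePrefix, "controller")`, so the description will mislead operators reading `--help`. Suggest `"Release prefix of the Consul installation, used to derive the name of the MutatingWebhookConfiguration whose caBundle this command updates."`. The flag is also never validated: with the default `""` the computed name is `-controller`, so the Run hunk should reject an empty prefix before it attempts the Get/Patch.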
@@ -321,6 +332,62 @@ func (c *Command) Run(args []string) int { } // +kubebuilder:scaffold:builder + // Create a context to be used by the processes started in this command. + ctx, cancelFunc := context.WithCancel(context.Background()) + defer cancelFunc() + config, err := rest.InClusterConfig() + if err != nil { + c.UI.Error(fmt.Sprintf("error loading in-cluster K8S config: %s", err)) + return 1 + } + clientset, err := kubernetes.NewForConfig(config) + if err != nil { + c.UI.Error(fmt.Sprintf("error creating K8S client: %s", err)) + return 1 + } + + consulCACert, err := ioutil.ReadFile("/vault/secrets/serverca.crt") + if err != nil { + c.UI.Error(fmt.Sprintf("error reading Consul's CA cert file %q: %s", cfg.TLSConfig.CAFile, err)) + return 1 + } + if len(consulCACert) == 0 { + setupLog.Error(err, "no CA certificate in the bundle") + } + value := base64.StdEncoding.EncodeToString(consulCACert) + webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "controller") + webhookCfg, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigName, metav1.GetOptions{}) + setupLog.Info(fmt.Sprintf("Webhook Config: %+v\n", webhookCfg)) + + if err != nil { + setupLog.Error(err, "problem getting mutating webhook configurations") + } + type patch struct { + Op string `json:"op,omitempty"` + Path string `json:"path,omitempty"` + Value string `json:"value,omitempty"` + } + + var patches []patch + for i := range webhookCfg.Webhooks { + patches = append(patches, patch{ + Op: "add", + Path: fmt.Sprintf("/webhooks/%d/clientConfig/caBundle", i), + Value: value, + }) + } + patchesJson, err := json.Marshal(patches) + if err != nil { + setupLog.Error(err, "problem mashalling webhook patch") + } + + if _, err = clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Patch(ctx, webhookConfigName, types.JSONPatchType, patchesJson, metav1.PatchOptions{}); err != nil { + setupLog.Error(err, "problem patching webhook") + } + + if err 
:= mgr.Start(ctx); err != nil { + setupLog.Error(err, "problem running manager") + } setupLog.Info("starting manager") if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { setupLog.Error(err, "problem running manager") diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go index 1554d0cb40..4b2f37b2e6 100644 --- a/control-plane/subcommand/inject-connect/command.go +++ b/control-plane/subcommand/inject-connect/command.go @@ -2,6 +2,8 @@ package connectinject import ( "context" + "encoding/base64" + "encoding/json" "errors" "flag" "fmt" @@ -21,7 +23,9 @@ import ( batchv1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/kubernetes" clientgoscheme "k8s.io/client-go/kubernetes/scheme" 
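Review bot: `ioutil.ReadFile("/vault/secrets/serverca.crt")` runs unconditionally and returns 1 on failure, so every controller deployment that does not have the Vault agent injecting that file will now fail to start; the read (and the whole Get/Patch sequence) needs to be gated on the Vault configuration rather than a hard-coded path, and the error message should print the path actually read instead of `cfg.TLSConfig.CAFile`. A failed `Get` is only logged, after which `webhookCfg.Webhooks` is ranged over a nil pointer, and the `len(consulCACert) == 0` branch logs a nil `err` and continues, so the two error paths should `return 1` and the `setupLog.Info("Webhook Config: %+v")` line, which dumps the whole object, is best removed. The added `mgr.Start(ctx)` sits in front of the existing `mgr.Start(ctrl.SetupSignalHandler())`: the first call blocks on a context that is only cancelled when Run returns, so the signal-handled start appears unreachable and SIGTERM would no longer stop the manager cleanly. The inject-connect/command.go hunk on the next line repeats the read, the nil dereference and the CAFile message; Run's body begins outside this hunk.

```go
// … unchanged: context and clientset creation …
caCert, err := ioutil.ReadFile(caPath) // caPath: the Vault-injected CA, only when Vault is enabled
if err != nil {
	c.UI.Error(fmt.Sprintf("error reading Consul's CA cert file %q: %s", caPath, err))
	return 1
}
if len(caCert) == 0 {
	c.UI.Error(fmt.Sprintf("no CA certificate found in %q", caPath))
	return 1
}
webhookCfg, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigName, metav1.GetOptions{})
if err != nil {
	setupLog.Error(err, "problem getting mutating webhook configuration", "name", webhookConfigName)
	return 1
}
// … unchanged: build patches …
if _, err = clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Patch(ctx, webhookConfigName, types.JSONPatchType, patchesJson, metav1.PatchOptions{}); err != nil {
	setupLog.Error(err, "problem patching webhook", "name", webhookConfigName)
	return 1
}
setupLog.Info("starting manager")
if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
```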
@@ -464,9 +468,47 @@ func (c *Command) Run(args []string) int { ConsulAPITimeout: c.http.ConsulAPITimeout(), }}) + consulCACert, err = ioutil.ReadFile("/vault/secrets/serverca.crt") + if err != nil { + c.UI.Error(fmt.Sprintf("error reading Consul's CA cert file %q: %s", cfg.TLSConfig.CAFile, err)) + return 1 + } + if len(consulCACert) == 0 { + setupLog.Error(err, "no CA certificate in the bundle") + } + value := base64.StdEncoding.EncodeToString(consulCACert) + webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "connect-injector") + webhookCfg, err := c.clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigName, metav1.GetOptions{}) + setupLog.Info(fmt.Sprintf("Webhook Config: %+v\n", webhookCfg)) + + if err != nil { + setupLog.Error(err, "problem getting mutating webhook configurations") + } + type patch struct { + Op string `json:"op,omitempty"` + Path string `json:"path,omitempty"` + Value string `json:"value,omitempty"` + } + + var patches []patch + for i := range webhookCfg.Webhooks { + patches = append(patches, patch{ + Op: "add", + Path: fmt.Sprintf("/webhooks/%d/clientConfig/caBundle", i), + Value: value, + }) + } + patchesJson, err := json.Marshal(patches) + if err != nil { + setupLog.Error(err, "problem mashalling webhook patch") + } + + if _, err = c.clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Patch(ctx, webhookConfigName, types.JSONPatchType, patchesJson, metav1.PatchOptions{}); err != nil { + setupLog.Error(err, "problem patching webhook") + } + if err := mgr.Start(ctx); err != nil { setupLog.Error(err, "problem running manager") - return 1 } c.UI.Info("shutting down") return 0 From d867059bdc5f03080f0d32e6b0f6131415123b8c Mon Sep 17 00:00:00 2001 
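Review bot: The hunk deletes the `return 1` after `setupLog.Error(err, "problem running manager")`, so a manager that fails to start now falls through to `c.UI.Info("shutting down")` and exits 0; Kubernetes will treat that as a clean exit and nothing will restart or alert on the failure, so the `return 1` should be restored. `consulCACert, err = ioutil.ReadFile(...)` assigns with `=` to a variable declared earlier in Run, overwriting whatever it held (presumably the CA used for the Consul client); whether that earlier value is still needed after this point is outside the hunk and worth checking. The unconditional read of `/vault/secrets/serverca.crt`, the nil dereference of `webhookCfg` after a failed Get and the `cfg.TLSConfig.CAFile` error message are the same issues raised on the controller hunk above.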
From: John Murret Date: Thu, 5 May 2022 11:13:10 -0600 Subject: [PATCH 20/80] refactoring out the updating of the webhook config --- .../subcommand/controller/command.go | 45 +++--------------- .../subcommand/inject-connect/command.go | 45 +++--------------- .../webhook-cert-manager/command.go | 46 ++----------------- 3 files changed, 17 insertions(+), 119 deletions(-) diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go index f74dca95ae..e10c165b6f 100644 --- a/control-plane/subcommand/controller/command.go +++ b/control-plane/subcommand/controller/command.go @@ -2,8 +2,6 @@ package controller import ( "context" - "encoding/base64" - "encoding/json" "errors" "flag" "fmt" @@ -14,14 +12,13 @@ import ( "github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1" "github.com/hashicorp/consul-k8s/control-plane/consul" "github.com/hashicorp/consul-k8s/control-plane/controller" + mutatingwebhookconfiguration "github.com/hashicorp/consul-k8s/control-plane/helper/mutating-webhook-configuration" cmdCommon "github.com/hashicorp/consul-k8s/control-plane/subcommand/common" "github.com/hashicorp/consul-k8s/control-plane/subcommand/flags" "github.com/hashicorp/consul/api" "github.com/mitchellh/cli" "go.uber.org/zap/zapcore" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/kubernetes" clientgoscheme "k8s.io/client-go/kubernetes/scheme" 
@@ -346,44 +343,14 @@ func (c *Command) Run(args []string) int { return 1 } - consulCACert, err := ioutil.ReadFile("/vault/secrets/serverca.crt") - if err != nil { - c.UI.Error(fmt.Sprintf("error reading Consul's CA cert file %q: %s", cfg.TLSConfig.CAFile, err)) - return 1 - } - if len(consulCACert) == 0 { - setupLog.Error(err, "no CA certificate in the bundle") - } - value := base64.StdEncoding.EncodeToString(consulCACert) webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "controller") - webhookCfg, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigName, metav1.GetOptions{}) - setupLog.Info(fmt.Sprintf("Webhook Config: %+v\n", webhookCfg)) - + caPath := "/vault/secrets/serverca.crt" + caCert, err := ioutil.ReadFile(caPath) if err != nil { - setupLog.Error(err, "problem getting mutating webhook configurations") - } - type patch struct { - Op string `json:"op,omitempty"` - Path string `json:"path,omitempty"` - Value string `json:"value,omitempty"` - } - - var patches []patch - for i := range webhookCfg.Webhooks { - patches = append(patches, patch{ - Op: "add", - Path: fmt.Sprintf("/webhooks/%d/clientConfig/caBundle", i), - Value: value, - }) - } - patchesJson, err := json.Marshal(patches) - if err != nil { - setupLog.Error(err, "problem mashalling webhook patch") - } - - if _, err = clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Patch(ctx, webhookConfigName, types.JSONPatchType, patchesJson, metav1.PatchOptions{}); err != nil { - setupLog.Error(err, "problem patching webhook") + setupLog.Error(err, "problem getting CA Cert") + return 1 } + err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, clientset, webhookConfigName, caCert) if err := mgr.Start(ctx); err != nil { setupLog.Error(err, "problem running manager") diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go index 4b2f37b2e6..4af96aad5a 100644 
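Review bot: The result of `err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, clientset, webhookConfigName, caCert)` is never examined: the very next statement is `if err := mgr.Start(ctx); err != nil`, whose `:=` declares a new `err`, so a failed Get or Patch of the webhook configuration is silently discarded and the manager starts with a webhook the API server cannot trust (`staticcheck`/`ineffassign` will flag this). Write it as `if err := mutatingwebhookconfiguration.UpdateWithCABundle(ctx, clientset, webhookConfigName, caCert); err != nil {` followed by `setupLog.Error(err, "problem updating webhook configuration with CA bundle", "name", webhookConfigName)` and `return 1`. The same ignored assignment appears in the inject-connect/command.go hunk two lines below. The read of `caPath` is still hard-coded to `/vault/secrets/serverca.crt` and still unconditional, so non-Vault installs keep failing here; Run's body begins outside this hunk.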
--- a/control-plane/subcommand/inject-connect/command.go +++ b/control-plane/subcommand/inject-connect/command.go @@ -2,8 +2,6 @@ package connectinject import ( "context" - "encoding/base64" - "encoding/json" "errors" "flag" "fmt" @@ -15,6 +13,7 @@ import ( connectinject "github.com/hashicorp/consul-k8s/control-plane/connect-inject" "github.com/hashicorp/consul-k8s/control-plane/consul" + mutatingwebhookconfiguration "github.com/hashicorp/consul-k8s/control-plane/helper/mutating-webhook-configuration" "github.com/hashicorp/consul-k8s/control-plane/subcommand/common" "github.com/hashicorp/consul-k8s/control-plane/subcommand/flags" "github.com/hashicorp/consul/api" @@ -23,9 +22,7 @@ import ( batchv1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/kubernetes" clientgoscheme "k8s.io/client-go/kubernetes/scheme" 
@@ -468,44 +465,14 @@ func (c *Command) Run(args []string) int { ConsulAPITimeout: c.http.ConsulAPITimeout(), }}) - consulCACert, err = ioutil.ReadFile("/vault/secrets/serverca.crt") - if err != nil { - c.UI.Error(fmt.Sprintf("error reading Consul's CA cert file %q: %s", cfg.TLSConfig.CAFile, err)) - return 1 - } - if len(consulCACert) == 0 { - setupLog.Error(err, "no CA certificate in the bundle") - } - value := base64.StdEncoding.EncodeToString(consulCACert) webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "connect-injector") - webhookCfg, err := c.clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigName, metav1.GetOptions{}) - setupLog.Info(fmt.Sprintf("Webhook Config: %+v\n", webhookCfg)) - + caPath := "/vault/secrets/serverca.crt" + caCert, err := ioutil.ReadFile(caPath) if err != nil { - setupLog.Error(err, "problem getting mutating webhook configurations") - } - type patch struct { - Op string `json:"op,omitempty"` - Path string `json:"path,omitempty"` - Value string `json:"value,omitempty"` - } - - var patches []patch - for i := range webhookCfg.Webhooks { - patches = append(patches, patch{ - Op: "add", - Path: fmt.Sprintf("/webhooks/%d/clientConfig/caBundle", i), - Value: value, - }) - } - patchesJson, err := json.Marshal(patches) - if err != nil { - setupLog.Error(err, "problem mashalling webhook patch") - } - - if _, err = c.clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Patch(ctx, webhookConfigName, types.JSONPatchType, patchesJson, metav1.PatchOptions{}); err != nil { - setupLog.Error(err, "problem patching webhook") + setupLog.Error(err, "problem getting CA Cert") + return 1 } + err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, c.clientset, webhookConfigName, caCert) if err := mgr.Start(ctx); err != nil { setupLog.Error(err, "problem running manager") 
diff --git a/control-plane/subcommand/webhook-cert-manager/command.go b/control-plane/subcommand/webhook-cert-manager/command.go index 570a432ad9..0c35073dfd 100644 --- a/control-plane/subcommand/webhook-cert-manager/command.go +++ b/control-plane/subcommand/webhook-cert-manager/command.go @@ -3,7 +3,6 @@ package webhookcertmanager import ( "bytes" "context" - "encoding/base64" "encoding/json" "errors" "flag" @@ -17,6 +16,7 @@ import ( "time" "github.com/hashicorp/consul-k8s/control-plane/helper/cert" + mutatingwebhookconfiguration "github.com/hashicorp/consul-k8s/control-plane/helper/mutating-webhook-configuration" "github.com/hashicorp/consul-k8s/control-plane/subcommand" "github.com/hashicorp/consul-k8s/control-plane/subcommand/common" "github.com/hashicorp/consul-k8s/control-plane/subcommand/flags" @@ -26,7 +26,6 @@ import ( corev1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/kubernetes" ) @@ -265,7 +264,8 @@ func (c *Command) reconcileCertificates(ctx context.Context, clientset kubernete } iterLog.Info("Updating webhook configuration") - if err = c.updateWebhookConfig(ctx, bundle, clientset); err != nil { + err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, c.clientset, bundle.WebhookConfigName, bundle.CACert) + if err != nil { iterLog.Error("Error updating webhook configuration") return err } 
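Review bot: The first call site passes `c.clientset` to `UpdateWithCABundle` although `reconcileCertificates` receives `clientset kubernetes.Interface` as a parameter, the removed line used that parameter, and the second call site in the next hunk also uses `clientset`; if a caller (for instance a test) injects a different client through the parameter, the patch silently goes to the other one. Change it to `err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, clientset, bundle.WebhookConfigName, bundle.CACert)`. The error log on that path also drops the error value, unlike the second site: `iterLog.Error("Error updating webhook configuration", "err", err)`.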
@@ -307,39 +307,9 @@ func (c *Command) reconcileCertificates(ctx context.Context, clientset kubernete } iterLog.Info("Updating webhook configuration with new CA") - if err = c.updateWebhookConfig(ctx, bundle, clientset); err != nil { - iterLog.Error("Error updating webhook configuration", "err", err) - return err - } - return nil -} - -// updateWebhookConfig iterates over every webhook on the specified webhook configuration and updates -// their caBundle with the CA from the MetaBundle. -func (c *Command) updateWebhookConfig(ctx context.Context, metaBundle cert.MetaBundle, clientset kubernetes.Interface) error { - if len(metaBundle.CACert) == 0 { - return errors.New("no CA certificate in the bundle") - } - value := base64.StdEncoding.EncodeToString(metaBundle.CACert) - - webhookCfg, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, metaBundle.WebhookConfigName, metav1.GetOptions{}) + err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, clientset, bundle.WebhookConfigName, bundle.CACert) if err != nil { - return err - } - var patches []patch - for i := range webhookCfg.Webhooks { - patches = append(patches, patch{ - Op: "add", - Path: fmt.Sprintf("/webhooks/%d/clientConfig/caBundle", i), - Value: value, - }) - } - patchesJson, err := json.Marshal(patches) - if err != nil { - return err - } - - if _, err = clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Patch(ctx, metaBundle.WebhookConfigName, types.JSONPatchType, patchesJson, metav1.PatchOptions{}); err != nil { + iterLog.Error("Error updating webhook configuration", "err", err) return err } return nil @@ -396,12 +366,6 @@ func (c webhookConfig) validate(ctx context.Context, client kubernetes.Interface return nil } -type patch struct { - Op string `json:"op,omitempty"` - Path string `json:"path,omitempty"` - Value string `json:"value,omitempty"` -} - func (c *Command) Help() string { c.once.Do(c.init) return c.help 
From cf4bec7fdc53fa120084f21770339d7a63aec328 Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 5 May 2022 11:29:59 -0600 Subject: [PATCH 21/80] adding missing file --- .../mutating_webhook_configuration.go | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration.go diff --git a/control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration.go b/control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration.go new file mode 100644 index 0000000000..c3c93b5204 --- /dev/null +++ b/control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration.go 
@@ -0,0 +1,51 @@
+package mutatingwebhookconfiguration
+
+import (
+ "context"
+ "encoding/base64"
+ "encoding/json"
+ "errors"
+ "fmt"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/client-go/kubernetes"
+)
+
+// UpdateWithCABundle iterates over every webhook on the specified webhook configuration and updates
+// their caBundle with the the specified CA.
+func UpdateWithCABundle(ctx context.Context, clientset kubernetes.Interface, webhookConfigName string, caCert []byte) error {
+ if len(caCert) == 0 {
+ return errors.New("no CA certificate in the bundle")
+ }
+ value := base64.StdEncoding.EncodeToString(caCert)
+ webhookCfg, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, webhookConfigName, metav1.GetOptions{})
+
+ if err != nil {
+ return err
+ }
+ type patch struct {
+ Op string `json:"op,omitempty"`
+ Path string `json:"path,omitempty"`
+ Value string `json:"value,omitempty"`
+ }
+
+ var patches []patch
+ for i := range webhookCfg.Webhooks {
+ patches = append(patches, patch{
+ Op: "add",
+ Path: fmt.Sprintf("/webhooks/%d/clientConfig/caBundle", i),
+ Value: value,
+ })
+ }
+ patchesJson, err := json.Marshal(patches)
+ if err != nil {
+ return err
+ }
+
+ if _, err = clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Patch(ctx, webhookConfigName, types.JSONPatchType, patchesJson, metav1.PatchOptions{}); err != nil {
+ return err
+ }
+
+ return nil
+}
From bbf9616037d3e605f07f891f7e85b4fc64b5301d Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 9 May 2022 10:45:03 -0600 Subject: [PATCH 22/80] adding tests for webhook-cert-manager --- .../webhook-cert-manager-clusterrole.bats | 90 +++++++++++++++++++ 1 file changed, 90 insertions(+)
diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
index 95eae1f0cf..7160853ffc 100644
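Review bot: The patch is built from webhook indices read in a separate `Get`, and a JSON patch carries no resourceVersion, so if the configuration is modified between the `Get` and the `Patch` (the webhook-cert-manager and the controller/injector commands now all write the same objects) an `add` can land on the wrong webhook or fail on a missing index; prefix the patch with `{Op: "test", Path: "/metadata/resourceVersion", Value: webhookCfg.ResourceVersion}` so a stale write is rejected, or set `Webhooks[i].ClientConfig.CABundle` on the fetched object and call `Update`, which gets the optimistic-concurrency check for free. The doc comment has a doubled word ("the the") and should state the contract callers depend on: every webhook in the configuration has its caBundle replaced, and the caller's service account needs `get` and `patch` on mutatingwebhookconfigurations for that name. The blank line between the `Get` call and its `err` check is unusual for this codebase's Go and is worth removing.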
--- a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats +++ b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats 
@@ -40,6 +40,96 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# rules + +@test "webhookCertManager/ClusterRole: sets full access to secrets" { + cd `chart_dir` + local object=$(helm template \ + -s templates/webhook-cert-manager-clusterrole.yaml \ + --set 'controller.enabled=true' \ + --set 'global.enablePodSecurityPolicies=true' \ + . | tee /dev/stderr | + yq -r '.rules[0]' | tee /dev/stderr) + + local actual=$(echo $object | yq -r '.resources[0]' | tee /dev/stderr) + [ "${actual}" = "secrets" ] + + local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr) + [ "${actual}" = "" ] + + local actual=$(echo $object | yq -r '.verbs | index("create")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("delete")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("patch")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("update")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("watch")' | tee /dev/stderr) + [ "${actual}" != null ] +} + +@test "webhookCertManager/ClusterRole: sets get, list, watch, and patch access to mutatingwebhookconfigurations" { + cd `chart_dir` + local object=$(helm template \ + -s templates/webhook-cert-manager-clusterrole.yaml \ + --set 'controller.enabled=true' \ + --set 'global.enablePodSecurityPolicies=true' \ + . 
| tee /dev/stderr | + yq -r '.rules[1]' | tee /dev/stderr) + + local actual=$(echo $object | yq -r '.resources[0]' | tee /dev/stderr) + [ "${actual}" = "mutatingwebhookconfigurations" ] + + local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr) + [ "${actual}" = "admissionregistration.k8s.io" ] + + local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("patch")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("watch")' | tee /dev/stderr) + [ "${actual}" != null ] +} + +@test "webhookCertManager/ClusterRole: sets get access to deployments" { + cd `chart_dir` + local object=$(helm template \ + -s templates/webhook-cert-manager-clusterrole.yaml \ + --set 'controller.enabled=true' \ + --set 'global.enablePodSecurityPolicies=true' \ + . | tee /dev/stderr | + yq -r '.rules[2]' | tee /dev/stderr) + + local actual=$(echo $object | yq -r '.resources[0]' | tee /dev/stderr) + [ "${actual}" = "deployments" ] + + local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr) + [ "${actual}" = "apps" ] + + local actual=$(echo $object | yq -r '.resourceNames[0]' | tee /dev/stderr) + [ "${actual}" = "release-name-consul-webhook-cert-manager" ] + + local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr) + [ "${actual}" != null ] +} + #-------------------------------------------------------------------- # global.enablePodSecurityPolicies From 68a7e1abc5669a8b9479fcea8b8bf01431b4cc39 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 9 May 2022 10:48:19 -0600 Subject: [PATCH 23/80] refining webhook cert manager to remove setting of global.enablePodSecurityPolicies --- charts/consul/test/unit/webhook-cert-manager-clusterrole.bats | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats index 7160853ffc..c37067a342 100644 --- a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats +++ b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats @@ -48,7 +48,6 @@ load _helpers local object=$(helm template \ -s templates/webhook-cert-manager-clusterrole.yaml \ --set 'controller.enabled=true' \ - --set 'global.enablePodSecurityPolicies=true' \ . | tee /dev/stderr | yq -r '.rules[0]' | tee /dev/stderr) @@ -85,7 +84,6 @@ load _helpers local object=$(helm template \ -s templates/webhook-cert-manager-clusterrole.yaml \ --set 'controller.enabled=true' \ - --set 'global.enablePodSecurityPolicies=true' \ . | tee /dev/stderr | yq -r '.rules[1]' | tee /dev/stderr) @@ -113,7 +111,6 @@ load _helpers local object=$(helm template \ -s templates/webhook-cert-manager-clusterrole.yaml \ --set 'controller.enabled=true' \ - --set 'global.enablePodSecurityPolicies=true' \ . | tee /dev/stderr | yq -r '.rules[2]' | tee /dev/stderr) From 219366d5227229be369664f3a64311c76b64ddf3 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 9 May 2022 11:08:08 -0600 Subject: [PATCH 24/80] adding connect-inject bats tests --- .../test/unit/connect-inject-clusterrole.bats | 117 ++++++++++++++++++ 1 file changed, 117 insertions(+) diff --git a/charts/consul/test/unit/connect-inject-clusterrole.bats b/charts/consul/test/unit/connect-inject-clusterrole.bats index e954b8908a..44bfab62a2 100644 --- a/charts/consul/test/unit/connect-inject-clusterrole.bats +++ b/charts/consul/test/unit/connect-inject-clusterrole.bats 
@@ -29,6 +29,123 @@ load _helpers . } +#-------------------------------------------------------------------- +# rules + +@test "connectInject/ClusterRole: sets get, list, and watch access to pods, endpoints, services, and namespaces in all api groups" { + cd `chart_dir` + local object=$(helm template \ + -s templates/connect-inject-clusterrole.yaml \ + --set 'global.enabled=false' \ + --set 'client.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r '.rules[0]' | tee /dev/stderr) + + local actual=$(echo $object | yq -r '.resources[| index("pods")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.resources[| index("endpoints")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.resources[| index("services")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.resources[| index("namespaces")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr) + [ "${actual}" = "" ] + + local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("watch")' | tee /dev/stderr) + [ "${actual}" != null ] +} + +@test "connectInject/ClusterRole: sets create, get, list, and update access to leases in the coordination.k8s.io api group" { + cd `chart_dir` + local object=$(helm template \ + -s templates/connect-inject-clusterrole.yaml \ + --set 'global.enabled=false' \ + --set 'client.enabled=true' \ + --set 'connectInject.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.rules[1]' | tee /dev/stderr) + + local actual=$(echo $object | yq -r '.resources[| index("leases")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr) + [ "${actual}" = "coordination.k8s.io" ] + + local actual=$(echo $object | yq -r '.verbs | index("create")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("update")' | tee /dev/stderr) + [ "${actual}" != null ] +} + +@test "connectInject/ClusterRole: sets get, list, watch, and patch access to mutatingwebhookconfigurations" { + cd `chart_dir` + local object=$(helm template \ + -s templates/connect-inject-clusterrole.yaml \ + --set 'global.enabled=false' \ + --set 'client.enabled=true' \ + --set 'connectInject.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.rules[2]' | tee /dev/stderr) + + local actual=$(echo $object | yq -r '.resources[0]' | tee /dev/stderr) + [ "${actual}" = "mutatingwebhookconfigurations" ] + + local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr) + [ "${actual}" = "admissionregistration.k8s.io" ] + + local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("patch")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.verbs | index("watch")' | tee /dev/stderr) + [ "${actual}" != null ] +} + +@test "connectInject/ClusterRole: sets get access to serviceaccounts when manageSystemACLSis true" { + cd `chart_dir` + local object=$(helm template \ + -s templates/connect-inject-clusterrole.yaml \ + --set 'global.enabled=false' \ + --set 'client.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq -r '.rules[0]' | tee /dev/stderr) + + local actual=$(echo $object | yq -r '.resources[| index("serviceaccounts")' | tee /dev/stderr) + [ "${actual}" != null ] + + local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr) + [ "${actual}" = "" ] + + local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr) + [ "${actual}" != null ] +} + #-------------------------------------------------------------------- # global.enablePodSecurityPolicies From 401ba179c4597c2a23870c2cf170a2053dfd2644 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 9 May 2022 11:17:10 -0600 Subject: [PATCH 25/80] adding test for controller and use of resource-prefix --- charts/consul/test/unit/controller-deployment.bats | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
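Review bot: The filters `yq -r '.resources[| index("pods")'` (and the matching ones for endpoints, services, namespaces, leases and serviceaccounts) look malformed — `[|` where `|` was presumably intended; if yq rejects the expression, `actual` is empty and `[ "" != null ]` still passes, so those assertions can never fail. Write them as `.resources | index("pods")` and check one of them fails when the rule is removed. The fourth test's title also needs a space: `when manageSystemACLs is true`. The `load _helpers` line and the earlier tests in this file are outside the hunk.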
diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 68cd63f054..044739102a 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats @@ -36,6 +36,20 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# resourcePrefix + +@test "controller/Deployment: resource-prefix flag is set on command" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.enableConsulNamespaces=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("-resource-prefix=release-name-consul"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # replicas From 8ef4d2b249c34497d3e393168cf073384d2f732a Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 9 May 2022 14:05:34 -0600 Subject: [PATCH 26/80] adding tests for mwc update code --- .../mutating_webhook_configuration_test.go | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration_test.go diff --git a/control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration_test.go b/control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration_test.go new file mode 100644 index 0000000000..a6c1ce6221 --- /dev/null +++ b/control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration_test.go 
@@ -0,0 +1,43 @@
+package mutatingwebhookconfiguration
+
+import (
+ "context"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ admissionv1 "k8s.io/api/admissionregistration/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/kubernetes/fake"
+)
+
+func TestUpdateWithCABundle_emptyCertReturnsError(t *testing.T) {
+ var bytes []byte
+ ctx := context.Background()
+ clientset := fake.NewSimpleClientset()
+
+ err := UpdateWithCABundle(ctx, clientset, "foo", bytes)
+ require.Error(t, err, "no CA certificate in the bundle")
+}
+
+func TestUpdateWithCABundle_patchesExistingConfiguration(t *testing.T) {
+ caBundleOne := []byte("ca-bundle-for-mwc")
+ ctx := context.Background()
+ clientset := fake.NewSimpleClientset()
+
+ mwc := &admissionv1.MutatingWebhookConfiguration{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "mwc-one",
+ },
+ Webhooks: []admissionv1.MutatingWebhook{
+ {
+ Name: "webhook-under-test",
+ },
+ },
+ }
+ mwcCreated, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Create(ctx, mwc, metav1.CreateOptions{})
+ require.NoError(t, err)
+ err = UpdateWithCABundle(ctx, clientset, mwcCreated.Name, caBundleOne)
+ mwcFetched, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, mwc.Name, metav1.GetOptions{})
+ require.NoError(t, err)
+ require.Equal(t, caBundleOne, mwcFetched.Webhooks[0].ClientConfig.CABundle)
+}
From 6f8deaf199f4053050a30308ba198f4a58607942 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 9 May 2022 14:28:49 -0600 Subject: [PATCH 27/80] configure controller to only update mwc with ca bundle when using vault as a secrets backend. --- .../templates/controller-deployment.yaml | 1 + .../test/unit/controller-deployment.bats | 30 ++++++++++ .../subcommand/controller/command.go | 55 +++++++++++-------- 3 files changed, 63 insertions(+), 23 deletions(-) 
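Review bot: In `TestUpdateWithCABundle_patchesExistingConfiguration` the error from `err = UpdateWithCABundle(ctx, clientset, mwcCreated.Name, caBundleOne)` is never checked — it is overwritten on the next line by `mwcFetched, err := ...Get(...)`, so a failed patch is only detected indirectly by the final `require.Equal`; add `require.NoError(t, err)` directly after the update call. In `TestUpdateWithCABundle_emptyCertReturnsError`, the third argument to `require.Error` is a failure message, not an expected error text, so the string is never compared; if that is the message the function returns, `require.EqualError(t, err, "no CA certificate in the bundle")` (or `require.ErrorContains`) would actually assert it.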
diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 908e78235e..2fd002e3f6 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml @@ -123,6 +123,7 @@ spec: -log-json={{ .Values.global.logJSON }} \ -resource-prefix={{ template "consul.fullname" . }} \ {{- if .Values.global.secretsBackend.vault.enabled }} + -enable-webhook-ca-update \ -webhook-tls-cert-dir=/vault/secrets \ {{- else }} -webhook-tls-cert-dir=/tmp/controller-webhook/certs \ diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 044739102a..c84a47adaa 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats 
@@ -50,6 +50,36 @@ load _helpers [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# enable-webhook-ca-update + +@test "controller/Deployment: enable-webhook-ca-update flag is not set on command by default" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.enableConsulNamespaces=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("-enable-webhook-ca-update"))' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "controller/Deployment: enable-webhook-ca-update flag is not set on command when using vault" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.enableConsulNamespaces=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=test' \ + --set 'global.secretsBackend.vault.consulCARole=test' \ + --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("-enable-webhook-ca-update"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # replicas diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go index e10c165b6f..a53af37597 100644 --- a/control-plane/subcommand/controller/command.go +++ b/control-plane/subcommand/controller/command.go 
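Review bot: The second new test is titled `enable-webhook-ca-update flag is not set on command when using vault` but asserts `[ "${actual}" = "true" ]`, i.e. that the flag is present; the title should read `enable-webhook-ca-update flag is set on command when using vault`. The same title/assertion mismatch appears in the two tests added to connect-inject-deployment.bats in the following commit.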
@@ -34,13 +34,14 @@ type Command struct { flagSet *flag.FlagSet httpFlags *flags.HTTPFlags - flagWebhookTLSCertDir string - flagEnableLeaderElection bool - flagEnableWebhooks bool - flagDatacenter string - flagLogLevel string - flagLogJSON bool - flagResourcePrefix string + flagWebhookTLSCertDir string + flagEnableLeaderElection bool + flagEnableWebhooks bool + flagDatacenter string + flagLogLevel string + flagLogJSON bool + flagResourcePrefix string + flagEnableWebhookCAUpdate bool // Flags to support Consul Enterprise namespaces. flagEnableNamespaces bool @@ -89,6 +90,8 @@ func (c *Command) init() { "Enable webhooks. Disable when running locally since Kube API server won't be able to route to local server.") c.flagSet.StringVar(&c.flagResourcePrefix, "resource-prefix", "", "Release prefix of the Consul installation used to determine Consul DNS Service name.") + c.flagSet.BoolVar(&c.flagEnableWebhookCAUpdate, "enable-webhook-ca-update", false, + "Enables updating the CABundle on the webhook within this controller rather than using the web cert manager.") c.flagSet.StringVar(&c.flagLogLevel, "log-level", zapcore.InfoLevel.String(), fmt.Sprintf("Log verbosity level. Supported values (in order of detail) are "+ "%q, %q, %q, and %q.", zapcore.DebugLevel.String(), zapcore.InfoLevel.String(), zapcore.WarnLevel.String(), zapcore.ErrorLevel.String())) 
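Review bot: The new `flagEnableWebhookCAUpdate` field carries no comment saying what it enables or which file it reads, so a reader has to find the `configureCABundleUpdate` helper to learn that; suggest `flagEnableWebhookCAUpdate bool // Patch the webhook's CABundle from serverca.crt under flagWebhookTLSCertDir instead of relying on webhook-cert-manager`. The same field is added uncommented to the inject-connect Command struct in the following commit, where every neighbouring field does carry a comment.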
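Review bot: The flag help text says "rather than using the web cert manager"; the component the bats files in this series test is webhook-cert-manager, so the description should read `"Enables updating the CABundle on the webhook within this controller rather than using the webhook cert manager."`. The identical text is added to inject-connect/command.go in the following commit.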
@@ -329,38 +332,44 @@ func (c *Command) Run(args []string) int { } // +kubebuilder:scaffold:builder + if c.flagEnableWebhookCAUpdate { + err := c.configureCABundleUpdate() + if err != nil { + setupLog.Error(err, "problem getting CA Cert") + return 1 + } + } + + setupLog.Info("starting manager") + if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { + setupLog.Error(err, "problem running manager") + return 1 + } + return 0 +} + +func (c *Command) configureCABundleUpdate() error { // Create a context to be used by the processes started in this command. ctx, cancelFunc := context.WithCancel(context.Background()) defer cancelFunc() config, err := rest.InClusterConfig() if err != nil { - c.UI.Error(fmt.Sprintf("error loading in-cluster K8S config: %s", err)) - return 1 + return err } clientset, err := kubernetes.NewForConfig(config) if err != nil { - c.UI.Error(fmt.Sprintf("error creating K8S client: %s", err)) - return 1 + return err } webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "controller") - caPath := "/vault/secrets/serverca.crt" + caPath := fmt.Sprintf("%s/%s", c.flagWebhookTLSCertDir, "serverca.crt") caCert, err := ioutil.ReadFile(caPath) if err != nil { - setupLog.Error(err, "problem getting CA Cert") - return 1 + return err } err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, clientset, webhookConfigName, caCert) - if err := mgr.Start(ctx); err != nil { - setupLog.Error(err, "problem running manager") - } - setupLog.Info("starting manager") - if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { - setupLog.Error(err, "problem running manager") - return 1 - } - return 0 + return nil } func (c *Command) validateFlags() error { From f2ddbf19d48430220d1145d39a5be2b9a71e6de5 Mon Sep 17 00:00:00 2001 
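Review bot: `configureCABundleUpdate` returns every failure as a bare `return err`, and its caller in `Run` logs all of them as `"problem getting CA Cert"`, so an in-cluster config or clientset construction failure is now reported as a certificate problem — the removed `c.UI.Error` messages used to make that distinction. Wrap each step so the log is diagnosable: `return fmt.Errorf("loading in-cluster K8S config: %w", err)`, `return fmt.Errorf("creating K8S client: %w", err)`, `return fmt.Errorf("reading CA cert %q: %w", caPath, err)`. `caPath := fmt.Sprintf("%s/%s", c.flagWebhookTLSCertDir, "serverca.crt")` is better expressed as `filepath.Join(c.flagWebhookTLSCertDir, "serverca.crt")` (needs `path/filepath`), which also tolerates a trailing slash in the flag value. Both points apply equally to `configureCABundleUpdate` in inject-connect/command.go in the following commit. `Run` starts outside the hunk.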
From: John Murret Date: Mon, 9 May 2022 14:37:30 -0600 Subject: [PATCH 28/80] configure connect inject to only update mwc with ca bundle when using vault as a secrets backend. --- .../templates/connect-inject-deployment.yaml | 1 + .../test/unit/connect-inject-deployment.bats | 34 ++++++++++++ .../subcommand/inject-connect/command.go | 53 ++++++++++++------- 3 files changed, 68 insertions(+), 20 deletions(-) diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 3c0a4f172f..ddbab73b18 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml @@ -174,6 +174,7 @@ spec: {{- end }} {{- if .Values.global.secretsBackend.vault.enabled }} -tls-cert-dir=/vault/secrets \ + -enable-webhook-ca-update \ {{- else }} -tls-cert-dir=/etc/connect-injector/certs \ {{- end }} diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index a82afed4d7..6bfaf27c57 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats 
@@ -1813,6 +1813,40 @@ EOF [ "${actual}" = "true" ] } +#-------------------------------------------------------------------- +# enable-webhook-ca-update + +@test "controller/Deployment: enable-webhook-ca-update flag is not set on command by default" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.tls.caCert.secretName=foo' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("-enable-webhook-ca-update"))' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "connectInject/Deployment: enable-webhook-ca-update flag is not set on command when using vault" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=test' \ + --set 'global.secretsBackend.vault.consulCARole=test' \ + --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("-enable-webhook-ca-update"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # Vault diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go index 4af96aad5a..81dff23dee 100644 --- a/control-plane/subcommand/inject-connect/command.go +++ b/control-plane/subcommand/inject-connect/command.go 
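Review bot: The first new test in connect-inject-deployment.bats is titled `controller/Deployment: ...` although it renders `templates/connect-inject-deployment.yaml`; rename it `connectInject/Deployment: enable-webhook-ca-update flag is not set on command by default` so failures are attributed to the right component.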
@@ -35,19 +35,20 @@ import ( type Command struct { UI cli.Ui - flagListen string - flagCertDir string // Directory with TLS certs for listening (PEM) - flagDefaultInject bool // True to inject by default - flagConsulImage string // Docker image for Consul - flagEnvoyImage string // Docker image for Envoy - flagConsulK8sImage string // Docker image for consul-k8s - flagACLAuthMethod string // Auth Method to use for ACLs, if enabled - flagWriteServiceDefaults bool // True to enable central config injection - flagDefaultProtocol string // Default protocol for use with central config - flagConsulCACert string // [Deprecated] Path to CA Certificate to use when communicating with Consul clients - flagEnvoyExtraArgs string // Extra envoy args when starting envoy - flagLogLevel string - flagLogJSON bool + flagListen string + flagCertDir string // Directory with TLS certs for listening (PEM) + flagDefaultInject bool // True to inject by default + flagConsulImage string // Docker image for Consul + flagEnvoyImage string // Docker image for Envoy + flagConsulK8sImage string // Docker image for consul-k8s + flagACLAuthMethod string // Auth Method to use for ACLs, if enabled + flagWriteServiceDefaults bool // True to enable central config injection + flagDefaultProtocol string // Default protocol for use with central config + flagConsulCACert string // [Deprecated] Path to CA Certificate to use when communicating with Consul clients + flagEnvoyExtraArgs string // Extra envoy args when starting envoy + flagEnableWebhookCAUpdate bool + flagLogLevel string + flagLogJSON bool flagAllowK8sNamespacesList []string // K8s namespaces to explicitly inject flagDenyK8sNamespacesList []string // K8s namespaces to deny injection (has precedence) 
@@ -173,6 +174,8 @@ func (c *Command) init() { "Release prefix of the Consul installation used to determine Consul DNS Service name.") c.flagSet.BoolVar(&c.flagEnableOpenShift, "enable-openshift", false, "Indicates that the command runs in an OpenShift cluster.") + c.flagSet.BoolVar(&c.flagEnableWebhookCAUpdate, "enable-webhook-ca-update", false, + "Enables updating the CABundle on the webhook within this controller rather than using the web cert manager.") c.flagSet.StringVar(&c.flagLogLevel, "log-level", zapcore.InfoLevel.String(), fmt.Sprintf("Log verbosity level. Supported values (in order of detail) are "+ "%q, %q, %q, and %q.", zapcore.DebugLevel.String(), zapcore.InfoLevel.String(), zapcore.WarnLevel.String(), zapcore.ErrorLevel.String())) @@ -465,14 +468,13 @@ func (c *Command) Run(args []string) int { ConsulAPITimeout: c.http.ConsulAPITimeout(), }}) - webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "connect-injector") - caPath := "/vault/secrets/serverca.crt" - caCert, err := ioutil.ReadFile(caPath) - if err != nil { - setupLog.Error(err, "problem getting CA Cert") - return 1 + if c.flagEnableWebhookCAUpdate { + err := c.configureCABundleUpdate(ctx) + if err != nil { + setupLog.Error(err, "problem getting CA Cert") + return 1 + } } - err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, c.clientset, webhookConfigName, caCert) if err := mgr.Start(ctx); err != nil { setupLog.Error(err, "problem running manager") 
@@ -481,6 +483,17 @@ func (c *Command) Run(args []string) int { return 0 } +func (c *Command) configureCABundleUpdate(ctx context.Context) error { + webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "connect-injector") + caPath := fmt.Sprintf("%s/%s", c.flagCertDir, "serverca.crt") + caCert, err := ioutil.ReadFile(caPath) + if err != nil { + return err + } + err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, c.clientset, webhookConfigName, caCert) + + return nil +} func (c *Command) validateFlags() error { if c.flagConsulK8sImage == "" { return errors.New("-consul-k8s-image must be set") From b0d6452009013d76c1d464e75179e28b9cc33dd2 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 9 May 2022 14:41:25 -0600 Subject: [PATCH 29/80] fixing lint errors for unnahdled errors --- control-plane/subcommand/controller/command.go | 4 +++- control-plane/subcommand/inject-connect/command.go | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go index a53af37597..09cf69342a 100644 --- a/control-plane/subcommand/controller/command.go +++ b/control-plane/subcommand/controller/command.go @@ -368,7 +368,9 @@ func (c *Command) configureCABundleUpdate() error { return err } err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, clientset, webhookConfigName, caCert) - + if err != nil { + return err + } return nil } diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go index 81dff23dee..cdf2d91f1e 100644 --- a/control-plane/subcommand/inject-connect/command.go +++ b/control-plane/subcommand/inject-connect/command.go 
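Review bot: The new `configureCABundleUpdate` is placed directly against `func (c *Command) validateFlags() error {` with no blank line after its closing brace (the next commit's hunk at the same spot shows none was added either); gofmt preserves that, so insert the blank line by hand. A doc comment would also help, e.g. `// configureCABundleUpdate reads serverca.crt from flagCertDir and patches it into the CABundle of the <resource-prefix>-connect-injector MutatingWebhookConfiguration.`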
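Review bot: The three added lines plus the trailing `return nil` reduce to a single `return mutatingwebhookconfiguration.UpdateWithCABundle(ctx, clientset, webhookConfigName, caCert)`; if the explicit check is kept, it should at least add context, `return fmt.Errorf("updating CABundle on %s: %w", webhookConfigName, err)`, since the caller logs every error from this helper under one generic message. The same pattern is added to inject-connect/command.go in the next hunk.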
@@ -491,7 +491,9 @@ func (c *Command) configureCABundleUpdate(ctx context.Context) error {
 return err
 }
 err = mutatingwebhookconfiguration.UpdateWithCABundle(ctx, c.clientset, webhookConfigName, caCert)
-
+ if err != nil {
+ return err
+ }
 return nil
 }
 func (c *Command) validateFlags() error {
From fb16cf18d44101f51baae08617d913093de25199 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 9 May 2022 14:57:40 -0600 Subject: [PATCH 30/80] embedding tlsCertDir for controller and connectInject under vault in values.yaml --- .../snapshot_agent_vault_test.go | 10 +++---- .../tests/vault/vault_namespaces_test.go | 10 +++---- acceptance/tests/vault/vault_test.go | 10 +++---- charts/consul/templates/_helpers.tpl | 8 ++--- .../templates/connect-inject-deployment.yaml | 4 +-- .../templates/controller-deployment.yaml | 4 +-- .../test/unit/connect-inject-deployment.bats | 2 +- .../test/unit/controller-deployment.bats | 2 +- charts/consul/values.yaml | 29 ++++++++++--------- 9 files changed, 41 insertions(+), 38 deletions(-)
diff --git a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go
index 99dff5ca7e..6c0a5a9223 100644
--- a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go
+++ b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go
@@ -191,11 +191,11 @@ func TestSnapshotAgent_Vault(t *testing.T) { "server.extraVolumes[0].name": vaultCASecret, "server.extraVolumes[0].load": "false", - "connectInject.enabled": "true", - "connectInject.replicas": "1", - "connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, - "controller.enabled": "true", - "controller.tlsCert.secretName": pathForControllerWebookCerts, + "connectInject.enabled": "true", + "connectInject.replicas": "1", + "secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, + "controller.enabled": "true", + "secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts, "global.secretsBackend.vault.enabled": "true", "global.secretsBackend.vault.consulServerRole": consulServerRole, diff --git a/acceptance/tests/vault/vault_namespaces_test.go b/acceptance/tests/vault/vault_namespaces_test.go index ffa83605f1..26edf811e4 100644 --- a/acceptance/tests/vault/vault_namespaces_test.go +++ b/acceptance/tests/vault/vault_namespaces_test.go @@ -186,11 +186,11 @@ func TestVault_VaultNamespace(t *testing.T) { "server.extraVolumes[0].name": vaultCASecret, "server.extraVolumes[0].load": "false", - "connectInject.enabled": "true", - "connectInject.replicas": "1", - "connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, - "controller.enabled": "true", - "controller.tlsCert.secretName": pathForControllerWebookCerts, + "connectInject.enabled": "true", + "connectInject.replicas": "1", + "secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, + "controller.enabled": "true", + "secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts, "global.secretsBackend.vault.enabled": "true", "global.secretsBackend.vault.consulServerRole": consulServerRole, diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go index 7c5c373507..8a833aaf23 100644 --- a/acceptance/tests/vault/vault_test.go 
+++ b/acceptance/tests/vault/vault_test.go @@ -177,11 +177,11 @@ func TestVault(t *testing.T) { "server.extraVolumes[0].name": vaultCASecret, "server.extraVolumes[0].load": "false", - "connectInject.enabled": "true", - "connectInject.replicas": "1", - "connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, - "controller.enabled": "true", - "controller.tlsCert.secretName": pathForControllerWebookCerts, + "connectInject.enabled": "true", + "connectInject.replicas": "1", + "secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, + "controller.enabled": "true", + "secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts, "global.secretsBackend.vault.enabled": "true", "global.secretsBackend.vault.consulServerRole": consulServerRole, diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 19a11c429f..582885104f 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl @@ -55,7 +55,7 @@ as well as the global.name setting. {{- define "consul.connectInjectWebhookTLSCertTemplate" -}} | - {{ "{{" }}- with secret "{{ .Values.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}" + {{ "{{" }}- with secret "{{ .Values.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}" "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} {{ "{{" }}- .Data.certificate -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} 
@@ -63,7 +63,7 @@ as well as the global.name setting. {{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} | - {{ "{{" }}- with secret "{{ .Values.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}" + {{ "{{" }}- with secret "{{ .Values.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}" "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} {{ "{{" }}- .Data.private_key -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} @@ -71,7 +71,7 @@ as well as the global.name setting. {{- define "consul.controllerWebhookTLSCertTemplate" -}} | - {{ "{{" }}- with secret "{{ .Values.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}" + {{ "{{" }}- with secret "{{ .Values.secretsBackend.vault.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}" "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} {{ "{{" }}- .Data.certificate -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} @@ -79,7 +79,7 @@ as well as the global.name setting. {{- define "consul.controllerWebhookTLSKeyTemplate" -}} | - {{ "{{" }}- with secret "{{ .Values.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}" + {{ "{{" }}- with secret "{{ .Values.secretsBackend.vault.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}" "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} {{ "{{" }}- .Data.private_key -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} 
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index ddbab73b18..8cab44e6e8 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml @@ -44,9 +44,9 @@ spec: "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} - "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} - "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 2fd002e3f6..9eb649630b 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml 
@@ -36,9 +36,9 @@ spec:
         "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
         "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
         "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
-        "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.controller.tlsCert.secretName }}
+        "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.secretsBackend.vault.controller.tlsCert.secretName }}
         "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.controllerWebhookTLSCertTemplate" . }}
-        "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.controller.tlsCert.secretName }}
+        "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.secretsBackend.vault.controller.tlsCert.secretName }}
         "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.controllerWebhookTLSKeyTemplate" . }}
         {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
         "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats
index 6bfaf27c57..2fda68863d 100755
--- a/charts/consul/test/unit/connect-inject-deployment.bats
+++ b/charts/consul/test/unit/connect-inject-deployment.bats
@@ -1948,7 +1948,7 @@ EOF
       --set 'global.secretsBackend.vault.consulServerRole=bar' \
       --set 'global.secretsBackend.vault.consulCARole=test' \
       --set 'global.tls.enabled=true' \
-      --set 'connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+      --set 'secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
       --set 'global.tls.enableAutoEncrypt=true' \
       --set 'server.serverCert.secretName=pki_int/issue/test' \
       --set 'global.tls.caCert.secretName=pki_int/cert/ca' \
diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats
index c84a47adaa..d47fea235e 100644
--- a/charts/consul/test/unit/controller-deployment.bats
+++ b/charts/consul/test/unit/controller-deployment.bats
@@ -950,7 +950,7 @@ load _helpers
       --set 'global.secretsBackend.vault.consulServerRole=bar' \
       --set 'global.secretsBackend.vault.consulCARole=test' \
       --set 'global.tls.enabled=true' \
-      --set 'controller.tlsCert.secretName=pki/issue/controller-webhook-cert-dc1' \
+      --set 'secretsBackend.vault.controller.tlsCert.secretName=pki/issue/controller-webhook-cert-dc1' \
       --set 'global.tls.enableAutoEncrypt=true' \
       --set 'server.serverCert.secretName=pki_int/issue/test' \
       --set 'global.tls.caCert.secretName=pki_int/cert/ca' \
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index 2590965776..1cc0fc7767 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -263,6 +263,22 @@ global:
       additionalConfig: |
         {}
 
+    controller:
+      # The directory that Kubernetes will use on Kubernetes CRD creation,
+      # deletion, and update, to get TLS certificates used issued from vault
+      # to send webhooks to the controller.
+      tlsCert:
+        # @type: string
+        secretName: nil
+
+    connectInject:
+      # The directory that Kubernetes will use on Kubernetes CRD creation,
+      # deletion, and update, to get TLS certificates used issued from vault
+      # to send webhooks to ConnectInject
+      tlsCert:
+        # @type: string
+        secretName: nil
+
   # Configures Consul's gossip encryption key.
   # (see `-encrypt` (https://www.consul.io/docs/agent/config/cli-flags#_encrypt)).
   # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
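Review bot: The comment on both new `tlsCert` blocks describes `secretName` as "The directory that Kubernetes will use … to get TLS certificates used issued from vault", but the value is a Vault secret path, not a directory: the `_helpers.tpl` templates hand it to `with secret`, and the unit tests set it to `pki/issue/connect-webhook-cert-dc1`; the directory is the fixed `/vault/secrets` passed to the binary as `-tls-cert-dir`. Suggest replacing the three comment lines of the controller block with `# The Vault PKI path (such as the pki/issue/<role> endpoint set up for the webhook) from which the Vault agent issues the TLS certificate the controller webhook serves to the Kubernetes API server.` and the connectInject block likewise, which also removes the "used issued" wording. The connectInject comment additionally lacks the terminating period its controller twin has.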
@@ -2050,12 +2066,6 @@ connectInject:
       memory: "150Mi"
       cpu: "50m"
 
-  # The directory that Kubernetes will use on Kubernetes service creation,
-  # deletion, and update, to get TLS certificates used to send webhooks to
-  # ConnectInject
-  tlsCert:
-    # @type: string
-    secretName: nil
 # Controller handles config entry custom resources.
 # Requires consul >= 1.8.4.
 # ServiceIntentions require consul 1.9+.
@@ -2070,13 +2080,6 @@ controller:
   # @type: string
   logLevel: ""
 
-  # The directory that Kubernetes will use on Kubernetes CRD creation,
-  # deletion, and update, to get TLS certificates used to send webhooks to
-  # the controller.
-  tlsCert:
-    # @type: string
-    secretName: nil
-
   serviceAccount:
     # This value defines additional annotations for the controller service account. This should be formatted as a
     # multi-line string.
From d9423d6ce51b7f6eca2664b917bd55599bc4e524 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Mon, 9 May 2022 15:36:05 -0600
Subject: [PATCH 31/80] embedding tlsCertDir for controller and connectInject under vault in values.yaml - fixing tests

---
 charts/consul/templates/_helpers.tpl | 8 ++---
 .../templates/connect-inject-deployment.yaml | 10 +++---
 .../templates/controller-deployment.yaml | 8 +++--
 .../test/unit/connect-inject-deployment.bats | 33 ++++++++++++-------
 .../test/unit/controller-deployment.bats | 2 +-
 charts/consul/values.yaml | 10 ++++++
 .../mutating_webhook_configuration_test.go | 1 +
 7 files changed, 49 insertions(+), 23 deletions(-)

diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
index 582885104f..7565ab8a89 100644
--- a/charts/consul/templates/_helpers.tpl
+++ b/charts/consul/templates/_helpers.tpl
@@ -55,7 +55,7 @@ as well as the global.name setting.
 
 {{- define "consul.connectInjectWebhookTLSCertTemplate" -}}
  |
-  {{ "{{" }}- with secret "{{ .Values.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}"
+  {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}"
   "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }}
   {{ "{{" }}- .Data.certificate -{{ "}}" }}
   {{ "{{" }}- end -{{ "}}" }}
@@ -63,7 +63,7 @@ as well as the global.name setting.
 
 {{- define "consul.connectInjectWebhookTLSKeyTemplate" -}}
  |
-  {{ "{{" }}- with secret "{{ .Values.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}"
+  {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}"
   "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }}
   {{ "{{" }}- .Data.private_key -{{ "}}" }}
   {{ "{{" }}- end -{{ "}}" }}
@@ -71,7 +71,7 @@ as well as the global.name setting.
 
 {{- define "consul.controllerWebhookTLSCertTemplate" -}}
  |
-  {{ "{{" }}- with secret "{{ .Values.secretsBackend.vault.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}"
+  {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}"
   "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }}
   {{ "{{" }}- .Data.certificate -{{ "}}" }}
   {{ "{{" }}- end -{{ "}}" }}
@@ -79,7 +79,7 @@ as well as the global.name setting.
 
 {{- define "consul.controllerWebhookTLSKeyTemplate" -}}
  |
-  {{ "{{" }}- with secret "{{ .Values.secretsBackend.vault.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}"
+  {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}"
   "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }}
   {{ "{{" }}- .Data.private_key -{{ "}}" }}
   {{ "{{" }}- end -{{ "}}" }}
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
index 8cab44e6e8..a1e89fc073 100644
--- a/charts/consul/templates/connect-inject-deployment.yaml
+++ b/charts/consul/templates/connect-inject-deployment.yaml
@@ -41,13 +41,15 @@ spec:
         {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
         "vault.hashicorp.com/agent-init-first": "true"
         "vault.hashicorp.com/agent-inject": "true"
-        "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
+        "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulConnectInjectCARole }}
         "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
         "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
-        "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.secretsBackend.vault.connectInject.tlsCert.secretName }}
+        {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
+        "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
         "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }}
-        "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.secretsBackend.vault.connectInject.tlsCert.secretName }}
+        "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
         "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }}
+        {{- end }}
         {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
         "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
         "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
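Review bot: The `vault.hashicorp.com/role` annotation now renders `consulConnectInjectCARole`, which this series adds to values.yaml with a default of `""`, so a release that enables Vault and TLS without setting the new key renders an empty role and the Vault agent init container presumably cannot authenticate, failing the pod at runtime rather than at render time — the existing unit tests only passed `consulCARole` and all had to be changed to set the new key. Consider failing fast: `"vault.hashicorp.com/role": {{ required "global.secretsBackend.vault.consulConnectInjectCARole must be set when global.secretsBackend.vault.enabled and global.tls.enabled are true" .Values.global.secretsBackend.vault.consulConnectInjectCARole }}`. The same applies to `consulControllerCARole` in the `@@ -33,7 +33,7 @@` hunk of controller-deployment.yaml in PATCH 32/80. Note that the unconditional `serverca.crt` injection two lines below still requires whatever policy backs this role to grant read on `global.tls.caCert.secretName`, which is worth stating wherever the role is documented.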
@@ -172,7 +174,7 @@ spec:
             -consul-cross-namespace-acl-policy=cross-namespace-policy \
             {{- end }}
             {{- end }}
-            {{- if .Values.global.secretsBackend.vault.enabled }}
+            {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
             -tls-cert-dir=/vault/secrets \
             -enable-webhook-ca-update \
             {{- else }}
diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml
index 9eb649630b..4a32ad9376 100644
--- a/charts/consul/templates/controller-deployment.yaml
+++ b/charts/consul/templates/controller-deployment.yaml
@@ -36,10 +36,12 @@ spec:
         "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
         "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
         "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
-        "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.secretsBackend.vault.controller.tlsCert.secretName }}
+        {{- if .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}
+        "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}
         "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.controllerWebhookTLSCertTemplate" . }}
-        "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.secretsBackend.vault.controller.tlsCert.secretName }}
+        "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}
         "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.controllerWebhookTLSKeyTemplate" . }}
+        {{- end }}
         {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
         "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
         "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
@@ -122,7 +124,7 @@ spec:
             -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
             -log-json={{ .Values.global.logJSON }} \
             -resource-prefix={{ template "consul.fullname" . }} \
-            {{- if .Values.global.secretsBackend.vault.enabled }}
+            {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}
             -enable-webhook-ca-update \
             -webhook-tls-cert-dir=/vault/secrets \
             {{- else }}
diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats
index 2fda68863d..0c1d3325b0 100755
--- a/charts/consul/test/unit/connect-inject-deployment.bats
+++ b/charts/consul/test/unit/connect-inject-deployment.bats
@@ -1840,7 +1840,8 @@ EOF
       --set 'global.secretsBackend.vault.enabled=true' \
       --set 'global.secretsBackend.vault.consulClientRole=foo' \
       --set 'global.secretsBackend.vault.consulServerRole=test' \
-      --set 'global.secretsBackend.vault.consulCARole=test' \
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
+      --set 'global.secretsBackend.vault.consulCARole=test2' \
       --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \
       . | tee /dev/stderr |
       yq '.spec.template.spec.containers[0].command | any(contains("-enable-webhook-ca-update"))' | tee /dev/stderr)
@@ -1861,7 +1862,8 @@ EOF
       --set 'global.secretsBackend.vault.enabled=true' \
       --set 'global.secretsBackend.vault.consulClientRole=foo' \
       --set 'global.secretsBackend.vault.consulServerRole=test' \
-      --set 'global.secretsBackend.vault.consulCARole=test' \
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
+      --set 'global.secretsBackend.vault.consulCARole=test2' \
       . | tee /dev/stderr |
       yq -r '.spec.template' | tee /dev/stderr)
@@ -1882,7 +1884,8 @@ EOF
       --set 'global.secretsBackend.vault.enabled=true' \
       --set 'global.secretsBackend.vault.consulClientRole=foo' \
       --set 'global.secretsBackend.vault.consulServerRole=test' \
-      --set 'global.secretsBackend.vault.consulCARole=test' \
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
+      --set 'global.secretsBackend.vault.consulCARole=test2' \
       --set 'global.secretsBackend.vault.ca.secretName=ca' \
       . | tee /dev/stderr |
       yq -r '.spec.template' | tee /dev/stderr)
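Review bot: The updated tests now set `consulConnectInjectCARole=test` and `consulCARole=test2`, but nothing in these hunks asserts which of the two values reaches the rendered `vault.hashicorp.com/role` annotation; the only assertion visible here (`@@ -1840`) checks for `-enable-webhook-ca-update`, and the assertions belonging to the other hunks in this file (`@@ -1861`, `@@ -1882` and the `@@ -1904` through `@@ -2034` hunks that follow) sit outside the hunks, so I cannot confirm one exists. A single test pinning `.spec.template.metadata.annotations."vault.hashicorp.com/role"` to `test` would make the `test`/`test2` split meaningful and catch a regression back to `consulCARole`.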
@@ -1904,7 +1907,8 @@ EOF
       --set 'global.secretsBackend.vault.enabled=true' \
       --set 'global.secretsBackend.vault.consulClientRole=foo' \
       --set 'global.secretsBackend.vault.consulServerRole=test' \
-      --set 'global.secretsBackend.vault.consulCARole=test' \
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
+      --set 'global.secretsBackend.vault.consulCARole=test2' \
       --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \
       . | tee /dev/stderr |
       yq -r '.spec.template' | tee /dev/stderr)
@@ -1926,7 +1930,8 @@ EOF
       --set 'global.secretsBackend.vault.enabled=true' \
       --set 'global.secretsBackend.vault.consulClientRole=foo' \
       --set 'global.secretsBackend.vault.consulServerRole=test' \
-      --set 'global.secretsBackend.vault.consulCARole=test' \
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
+      --set 'global.secretsBackend.vault.consulCARole=test2' \
       --set 'global.secretsBackend.vault.ca.secretName=ca' \
       --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \
       . | tee /dev/stderr |
@@ -1946,9 +1951,10 @@ EOF
       --set 'global.secretsBackend.vault.enabled=true' \
       --set 'global.secretsBackend.vault.consulClientRole=foo' \
       --set 'global.secretsBackend.vault.consulServerRole=bar' \
-      --set 'global.secretsBackend.vault.consulCARole=test' \
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
+      --set 'global.secretsBackend.vault.consulCARole=test2' \
       --set 'global.tls.enabled=true' \
-      --set 'secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+      --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
       --set 'global.tls.enableAutoEncrypt=true' \
       --set 'server.serverCert.secretName=pki_int/issue/test' \
       --set 'global.tls.caCert.secretName=pki_int/cert/ca' \
@@ -2003,7 +2009,8 @@ EOF
       --set 'global.secretsBackend.vault.enabled=true' \
       --set 'global.secretsBackend.vault.consulClientRole=foo' \
       --set 'global.secretsBackend.vault.consulServerRole=bar' \
-      --set 'global.secretsBackend.vault.consulCARole=test' \
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
+      --set 'global.secretsBackend.vault.consulCARole=test2' \
       --set 'connectInject.enabled=true' \
       --set 'global.tls.enabled=true' \
       . | tee /dev/stderr |
@@ -2018,7 +2025,8 @@ EOF
       --set 'global.secretsBackend.vault.enabled=true' \
       --set 'global.secretsBackend.vault.consulClientRole=foo' \
       --set 'global.secretsBackend.vault.consulServerRole=bar' \
-      --set 'global.secretsBackend.vault.consulCARole=test' \
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
+      --set 'global.secretsBackend.vault.consulCARole=test2' \
       --set 'connectInject.enabled=true' \
       --set 'global.tls.enabled=true' \
       . | tee /dev/stderr |
@@ -2034,8 +2042,9 @@ EOF
       --set 'global.secretsBackend.vault.enabled=true' \
       --set 'global.secretsBackend.vault.consulClientRole=foo' \
       --set 'global.secretsBackend.vault.consulServerRole=bar' \
-      --set 'global.secretsBackend.vault.consulCARole=test' \
-      . | tee /dev/stderr |
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
+      --set 'global.secretsBackend.vault.consulCARole=test2' \
+      . | tee /dev/stderr |
       yq '.spec.template.spec.containers[0].command | any(contains("-tls-cert-dir=/vault/secrets"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
@@ -2054,6 +2063,7 @@ EOF
       --set 'global.secretsBackend.vault.consulServerRole=foo' \
       --set 'global.tls.caCert.secretName=foo' \
       --set 'global.secretsBackend.vault.consulCARole=carole' \
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=connectinjectcarole' \
       . | tee /dev/stderr |
       yq -r '.spec.template.metadata.annotations | del(."consul.hashicorp.com/connect-inject") | del(."vault.hashicorp.com/agent-inject") | del(."vault.hashicorp.com/role")' | tee /dev/stderr)
   [ "${actual}" = "{}" ]
@@ -2071,6 +2081,7 @@ EOF
       --set 'global.secretsBackend.vault.consulServerRole=foo' \
       --set 'global.tls.caCert.secretName=foo' \
       --set 'global.secretsBackend.vault.consulCARole=carole' \
+      --set 'global.secretsBackend.vault.consulConnectInjectCARole=connectinjectcarole' \
       --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' \
       . | tee /dev/stderr |
       yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats
index d47fea235e..f359b82c74 100644
--- a/charts/consul/test/unit/controller-deployment.bats
+++ b/charts/consul/test/unit/controller-deployment.bats
@@ -950,7 +950,7 @@ load _helpers
       --set 'global.secretsBackend.vault.consulServerRole=bar' \
       --set 'global.secretsBackend.vault.consulCARole=test' \
       --set 'global.tls.enabled=true' \
-      --set 'secretsBackend.vault.controller.tlsCert.secretName=pki/issue/controller-webhook-cert-dc1' \
+      --set 'global.secretsBackend.vault.controller.tlsCert.secretName=pki/issue/controller-webhook-cert-dc1' \
       --set 'global.tls.enableAutoEncrypt=true' \
       --set 'server.serverCert.secretName=pki_int/issue/test' \
       --set 'global.tls.caCert.secretName=pki_int/cert/ca' \
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index 1cc0fc7767..b99dc65833 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -271,6 +271,11 @@ global:
         # @type: string
         secretName: nil
 
+      # The Vault role for consul controller to read the Consul's controllers's CA Certificate (unauthenticated).
+      # A Vault policy must be created which grants read capabilities to
+      # `global.secretsBackend.vault.controller.tlsCert.secretName`.
+      consulControllerCARole: ""
+
     connectInject:
       # The directory that Kubernetes will use on Kubernetes CRD creation,
       # deletion, and update, to get TLS certificates used issued from vault
@@ -279,6 +284,11 @@ global:
         # @type: string
         secretName: nil
 
+      # The Vault role for consul connect inject to read the Consul's controllers's CA Certificate (unauthenticated).
+      # A Vault policy must be created which grants read capabilities to
+      # `global.secretsBackend.vault.connectInject.tlsCert.secretName`.
+      consulConnectInjectCARole: ""
+
   # Configures Consul's gossip encryption key.
   # (see `-encrypt` (https://www.consul.io/docs/agent/config/cli-flags#_encrypt)).
   # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
diff --git a/control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration_test.go b/control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration_test.go
index a6c1ce6221..e247c71d14 100644
--- a/control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration_test.go
+++ b/control-plane/helper/mutating-webhook-configuration/mutating_webhook_configuration_test.go
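Review bot: The comments on `consulControllerCARole` and `consulConnectInjectCARole` say the role's policy must grant `read` on `…tlsCert.secretName`, but that value is a PKI `issue/` endpoint (the unit tests use `pki/issue/controller-webhook-cert-dc1`), which Vault only serves with `create`/`update` capabilities, and the same pod's Vault agent also injects `serverca.crt` from `global.tls.caCert.secretName`, which does need `read`; an operator following the comment as written would build a policy that cannot issue the webhook certificate. The phrase "to read the Consul's controllers's CA Certificate (unauthenticated)" is also copy-pasted unchanged into the connectInject entry, where it describes the wrong component. Suggest for the controller entry `# The Vault role used by the controller pod's Vault agent. Its policy must grant create and update on global.secretsBackend.vault.controller.tlsCert.secretName (a PKI issue path) and read on global.tls.caCert.secretName.`, with the connectInject counterpart worded for connect-inject. Both new keys also lack the `# @type: string` marker their sibling `secretName` entries carry.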
@@ -37,6 +37,7 @@ func TestUpdateWithCABundle_patchesExistingConfiguration(t *testing.T) {
 	mwcCreated, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Create(ctx, mwc, metav1.CreateOptions{})
 	require.NoError(t, err)
 	err = UpdateWithCABundle(ctx, clientset, mwcCreated.Name, caBundleOne)
+	require.NoError(t, err)
 	mwcFetched, err := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(ctx, mwc.Name, metav1.GetOptions{})
 	require.NoError(t, err)
 	require.Equal(t, caBundleOne, mwcFetched.Webhooks[0].ClientConfig.CABundle)
From c22fe6f214e9c1ea3c5d4b1a1f1a360cdaa31a56 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Mon, 9 May 2022 22:31:16 -0600
Subject: [PATCH 32/80] change vault role for controller to come from global.secretsBackend.vault.consulControllerCARole

---
 acceptance/tests/vault/vault_test.go | 26 ++++++++-----------
 .../templates/controller-deployment.yaml | 2 +-
 .../test/unit/controller-deployment.bats | 3 ++-
 3 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go
index 8a833aaf23..a24962db5a 100644
--- a/acceptance/tests/vault/vault_test.go
+++ b/acceptance/tests/vault/vault_test.go
@@ -106,14 +106,10 @@ func TestVault(t *testing.T) {
 	}
 	bootstrapTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient)
 
-<<<<<<< HEAD
 	// -------------------------
 	// Additional Auth Roles
 	// -------------------------
 	serverPolicies := fmt.Sprintf("%s,%s,%s,%s", gossipSecret.PolicyName, connectCAPolicy, serverPKIConfig.PolicyName, bootstrapTokenSecret.PolicyName)
-=======
-	serverPolicies := "gossip,connect-ca-dc1,server-cert-dc1,bootstrap-token"
->>>>>>> 9b5a11d1 (Adding logic to tests for controller tls cert. also adding snapshot agent and vault namespaces tests)
 	if cfg.EnableEnterprise {
 		serverPolicies += fmt.Sprintf(",%s", licenseSecret.PolicyName)
 	}
@@ -163,12 +159,12 @@ func TestVault(t *testing.T) {
 	}
 	srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
 
-	pathForConnectInjectWebookCerts :=
-		vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient,
-			consulReleaseName, ns, "dc1", "1h")
-	pathForControllerWebookCerts :=
-		vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient,
-			consulReleaseName, ns, "dc1", "1h")
+	// pathForConnectInjectWebookCerts :=
+	// 	vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient,
+	// 		consulReleaseName, ns, "dc1", "1h")
+	// pathForControllerWebookCerts :=
+	// 	vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient,
+	// 		consulReleaseName, ns, "dc1", "1h")
 
 	vaultCASecret := vault.CASecretName(vaultReleaseName)
 
@@ -177,11 +173,11 @@ func TestVault(t *testing.T) {
 		"server.extraVolumes[0].name": vaultCASecret,
 		"server.extraVolumes[0].load": "false",
 
-		"connectInject.enabled": "true",
-		"connectInject.replicas": "1",
-		"secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts,
-		"controller.enabled": "true",
-		"secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts,
+		"connectInject.enabled": "true",
+		"connectInject.replicas": "1",
+		// "secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts,
+		"controller.enabled": "true",
+		// "secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts,
 
 		"global.secretsBackend.vault.enabled": "true",
 		"global.secretsBackend.vault.consulServerRole": consulServerRole,
diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml
index 4a32ad9376..0f3b4f94f8 100644
--- a/charts/consul/templates/controller-deployment.yaml
+++ b/charts/consul/templates/controller-deployment.yaml
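Review bot: Both hunks comment out the `ConfigurePKICertificatesFor*Webhook` calls and the two `secretsBackend.vault.*.tlsCert.secretName` Helm values instead of deleting them, leaving dead code that also carries the pre-rename key path (the chart now reads `global.secretsBackend.vault.*`), so anyone re-enabling it by uncommenting would silently set a key the chart ignores. The same commented-out blocks are added to snapshot_agent_vault_test.go (`@@ -177` and `@@ -191`), vault_namespaces_test.go (`@@ -172` and `@@ -186`) and vault_tls_auto_reload_test.go (`@@ -162`); deleting them and relying on history is cleaner, and PATCH 35/80 later in this series replaces them in TestVault anyway. TestVault continues outside both hunks.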
@@ -33,7 +33,7 @@ spec:
         {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
         "vault.hashicorp.com/agent-init-first": "true"
         "vault.hashicorp.com/agent-inject": "true"
-        "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
+        "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulControllerCARole }}
         "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
         "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
         {{- if .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}
diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats
index f359b82c74..2f7c90adfb 100644
--- a/charts/consul/test/unit/controller-deployment.bats
+++ b/charts/consul/test/unit/controller-deployment.bats
@@ -948,7 +948,8 @@ load _helpers
       --set 'global.secretsBackend.vault.enabled=true' \
       --set 'global.secretsBackend.vault.consulClientRole=foo' \
       --set 'global.secretsBackend.vault.consulServerRole=bar' \
-      --set 'global.secretsBackend.vault.consulCARole=test' \
+      --set 'global.secretsBackend.vault.consulCARole=test2' \
+      --set 'global.secretsBackend.vault.consulControllerCARole=test' \
       --set 'global.tls.enabled=true' \
       --set 'global.secretsBackend.vault.controller.tlsCert.secretName=pki/issue/controller-webhook-cert-dc1' \
       --set 'global.tls.enableAutoEncrypt=true' \
From 69688cbb93b4d6bc56b1d60343ebc081473b49c4 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Tue, 10 May 2022 10:37:27 -0600
Subject: [PATCH 33/80] fixing vault namespaces and snapshot agent on vault acceptance tests

---
 .../snapshot_agent_vault_test.go | 22 +++++++++----------
 .../tests/vault/vault_namespaces_test.go | 22 +++++++++----------
 2 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go
index 6c0a5a9223..cbcafb7f71 100644
--- a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go
+++ b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go
@@ -177,12 +177,12 @@ func TestSnapshotAgent_Vault(t *testing.T) {
 	}
 	saAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
 
-	pathForConnectInjectWebookCerts :=
-		vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient,
-			consulReleaseName, ns, "dc1", "1h")
-	pathForControllerWebookCerts :=
-		vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient,
-			consulReleaseName, ns, "dc1", "1h")
+	// pathForConnectInjectWebookCerts :=
+	// 	vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient,
+	// 		consulReleaseName, ns, "dc1", "1h")
+	// pathForControllerWebookCerts :=
+	// 	vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient,
+	// 		consulReleaseName, ns, "dc1", "1h")
 
 	vaultCASecret := vault.CASecretName(vaultReleaseName)
 
@@ -191,11 +191,11 @@ func TestSnapshotAgent_Vault(t *testing.T) {
 		"server.extraVolumes[0].name": vaultCASecret,
 		"server.extraVolumes[0].load": "false",
 
-		"connectInject.enabled": "true",
-		"connectInject.replicas": "1",
-		"secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts,
-		"controller.enabled": "true",
-		"secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts,
+		"connectInject.enabled": "true",
+		"connectInject.replicas": "1",
+		// "secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts,
+		"controller.enab﻿led": "true",
+		// "secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts,
 
 		"global.secretsBackend.vault.enabled": "true",
 		"global.secretsBackend.vault.consulServerRole": consulServerRole,
diff --git a/acceptance/tests/vault/vault_namespaces_test.go b/acceptance/tests/vault/vault_namespaces_test.go
index 26edf811e4..4750fa77ad 100644
--- a/acceptance/tests/vault/vault_namespaces_test.go
+++ b/acceptance/tests/vault/vault_namespaces_test.go
@@ -172,12 +172,12 @@ func TestVault_VaultNamespace(t *testing.T) {
 	}
 	srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
 
-	pathForConnectInjectWebookCerts :=
-		vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient,
-			consulReleaseName, ns, "dc1", "1h")
-	pathForControllerWebookCerts :=
-		vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient,
-			consulReleaseName, ns, "dc1", "1h")
+	// pathForConnectInjectWebookCerts :=
+	// 	vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient,
+	// 		consulReleaseName, ns, "dc1", "1h")
+	// pathForControllerWebookCerts :=
+	// 	vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient,
+	// 		consulReleaseName, ns, "dc1", "1h")
 
 	vaultCASecret := vault.CASecretName(vaultReleaseName)
 
@@ -186,11 +186,11 @@ func TestVault_VaultNamespace(t *testing.T) {
 		"server.extraVolumes[0].name": vaultCASecret,
 		"server.extraVolumes[0].load": "false",
 
-		"connectInject.enabled": "true",
-		"connectInject.replicas": "1",
-		"secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts,
-		"controller.enabled": "true",
-		"secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts,
+		"connectInject.enabled": "true",
+		"connectInject.replicas": "1",
+		// "secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts,
+		"controller.enabled": "true",
+		// "secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts,
 
 		"global.secretsBackend.vault.enabled": "true",
 		"global.secretsBackend.vault.consulServerRole": consulServerRole,
From 4123629c41783f9f7c4efa65eb2fae9f0baa3f93 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Tue, 10 May 2022 14:18:29 -0600
Subject: [PATCH 34/80] fixing VAULT_TLSAUtoReload test

---
 acceptance/tests/vault/vault_tls_auto_reload_test.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/acceptance/tests/vault/vault_tls_auto_reload_test.go b/acceptance/tests/vault/vault_tls_auto_reload_test.go
index 371e0428d5..84cefb63d4 100644
--- a/acceptance/tests/vault/vault_tls_auto_reload_test.go
+++ b/acceptance/tests/vault/vault_tls_auto_reload_test.go
@@ -21,7 +21,7 @@ import (
 // TestVault_TlsAutoReload installs Vault, bootstraps it with secrets, policies, and Kube Auth Method.
 // It then gets certs for https and rpc on the server. It then waits for the certs to rotate and checks
 // that certs have different expirations.
-func TestVault_TlsAutoReload(t *testing.T) {
+func TestVault_TLSAutoReload(t *testing.T) {
 	cfg := suite.Config()
 	ctx := suite.Environment().DefaultContext(t)
 	ns := ctx.KubectlOptions(t).Namespace
@@ -162,6 +162,13 @@ func TestVault_TlsAutoReload(t *testing.T) {
 	}
 	srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
 
+	// pathForConnectInjectWebookCerts :=
+	// 	vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient,
+	// 		consulReleaseName, ns, "dc1", "1h")
+	// pathForControllerWebookCerts :=
+	// 	vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient,
+	// 		consulReleaseName, ns, "dc1", "1h")
+
 	vaultCASecret := vault.CASecretName(vaultReleaseName)
 
 	consulHelmValues := map[string]string{
From 369b265f9f970f92ba517cd280e154b1bdbfdf32 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Thu, 12 May 2022 17:44:06 -0600
Subject: [PATCH 35/80] rebased fromvault refactor. static server replicaset has error about unknown authority.

---
 acceptance/tests/vault/vault_test.go | 50 +++++++++++++++++++++++-----
 1 file changed, 41 insertions(+), 9 deletions(-)

diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go
index a24962db5a..7664347a02 100644
--- a/acceptance/tests/vault/vault_test.go
+++ b/acceptance/tests/vault/vault_test.go
@@ -70,6 +70,34 @@ func TestVault(t *testing.T) {
 	}
 	serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient)
 
+	// Configure controller webhook PKI
+	controllerWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{
+		BaseURL:             "controller",
+		PolicyName:          "controller-ca-policy",
+		RoleName:            "controller-ca-role",
+		KubernetesNamespace: ns,
+		DataCenter:          "dc1",
+		ServiceAccountName:  fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller"),
+		AllowedSubdomain:    fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"),
+		MaxTTL:              "1h",
+		AuthMethodPath:      "kubernetes",
+	}
+	vault.ConfigurePKIAndAuthRole(t, vaultClient, controllerWebhookPKIConfig)
+
+	// Configure controller webhook PKI
+	connectInjectorWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{
+		BaseURL:             "connect",
+		PolicyName:          "connect-ca-policy",
+		RoleName:            "connect-ca-role",
+		KubernetesNamespace: ns,
+		DataCenter:          "dc1",
+		ServiceAccountName:  fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"),
+		AllowedSubdomain:    fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"),
+		MaxTTL:              "1h",
+		AuthMethodPath:      "kubernetes",
+	}
+	vault.ConfigurePKIAndAuthRole(t, vaultClient, connectInjectorWebhookPKIConfig)
+
 	// -------------------------
 	// KV2 secrets
 	// -------------------------
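Review bot: The comment above `connectInjectorWebhookPKIConfig` reads `// Configure controller webhook PKI`, copy-pasted from the block above it; it should read `// Configure connect-injector webhook PKI`. Separately, the new policy is named `"connect-ca-policy"` while the server policy list earlier in this test is built from a `connectCAPolicy` whose value is not visible in this hunk — if the two resolve to the same name, the second `ConfigurePKIAndAuthRole` would overwrite the policy the servers rely on for the Connect CA, so it is worth confirming they differ. TestVault continues outside the hunk.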
@@ -175,15 +203,19 @@ func TestVault(t *testing.T) { "connectInject.enabled": "true", "connectInject.replicas": "1", - // "secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, - "controller.enabled": "true", - // "secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts, - - "global.secretsBackend.vault.enabled": "true", - "global.secretsBackend.vault.consulServerRole": consulServerRole, - "global.secretsBackend.vault.consulClientRole": consulClientRole, - "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, - "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, + "controller.enabled": "true", + "global.secretsBackend.vault.connectInject.tlsCert.secretName": connectInjectorWebhookPKIConfig.CertPath, + "global.secretsBackend.vault.connectInject.caCert.secretName": connectInjectorWebhookPKIConfig.CAPath, + "global.secretsBackend.vault.controller.tlsCert.secretName": controllerWebhookPKIConfig.CertPath, + "global.secretsBackend.vault.controller.caCert.secretName": controllerWebhookPKIConfig.CAPath, + + "global.secretsBackend.vault.enabled": "true", + "global.secretsBackend.vault.consulServerRole": consulServerRole, + "global.secretsBackend.vault.consulClientRole": consulClientRole, + "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, + "global.secretsBackend.vault.consulConnectInjectCARole": connectInjectorWebhookPKIConfig.RoleName, + "global.secretsBackend.vault.consulControllerCARole": controllerWebhookPKIConfig.RoleName, + "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, "global.secretsBackend.vault.ca.secretName": vaultCASecret, "global.secretsBackend.vault.ca.secretKey": "tls.crt", From e7664eca515f4814d2dece6ed1e167d738d9de9e Mon Sep 17 00:00:00 2001 
From: John Murret Date: Fri, 13 May 2022 10:09:57 -0600 Subject: [PATCH 36/80] Working using separate CAs for connect-injector and controller. only vault test is configured. --- charts/consul/templates/_helpers.tpl | 7 +++++++ charts/consul/templates/connect-inject-deployment.yaml | 6 ++++++ charts/consul/templates/controller-deployment.yaml | 6 ++++++ control-plane/subcommand/controller/command.go | 2 +- control-plane/subcommand/inject-connect/command.go | 2 +- 5 files changed, 21 insertions(+), 2 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 7565ab8a89..d9c0c2f8f8 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl @@ -22,6 +22,13 @@ as well as the global.name setting. {{ "{{" }}- end -{{ "}}" }} {{- end -}} +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + {{- define "consul.serverTLSCATemplate" -}} | {{ "{{" }}- with secret "{{ .Values.global.tls.caCert.secretName }}" -{{ "}}" }} diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index a1e89fc073..6c2a5f0f7a 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
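Review bot: `consul.vaultCATemplate` is the only helper in this hunk that reads its context as a bare map (`.secretName`) rather than through `.Values…`, so it only renders correctly when invoked from inside a `with` over a map that carries `secretName`; that contract is not written down anywhere. A template comment above the define, such as `{{/* consul.vaultCATemplate renders a Vault Agent template that reads .Data.certificate from the secret named by .secretName; invoke it with a map containing secretName as the context. */}}`, would spare the next caller a nil-context render error.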
@@ -44,6 +44,12 @@ spec: "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulConnectInjectCARole }} "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + {{- end }} + {{- end }} {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 0f3b4f94f8..552601ef0d 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml 
@@ -36,6 +36,12 @@ spec:
 "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulControllerCARole }}
 "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
+ {{- if .Values.global.secretsBackend.vault.controller.caCert.secretName }}
+ {{- with .Values.global.secretsBackend.vault.controller.caCert }}
+ "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }}
+ "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}
 "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.controllerWebhookTLSCertTemplate" . }}
diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go
index 09cf69342a..2da74e6b93 100644
--- a/control-plane/subcommand/controller/command.go
+++ b/control-plane/subcommand/controller/command.go
@@ -362,7 +362,7 @@ func (c *Command) configureCABundleUpdate() error {
 }
 webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "controller")
- caPath := fmt.Sprintf("%s/%s", c.flagWebhookTLSCertDir, "serverca.crt")
+ caPath := fmt.Sprintf("%s/%s", c.flagWebhookTLSCertDir, "ca.crt")
 caCert, err := ioutil.ReadFile(caPath)
 if err != nil {
 return err
diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go
index cdf2d91f1e..d446b43ce1 100644
--- a/control-plane/subcommand/inject-connect/command.go
+++ b/control-plane/subcommand/inject-connect/command.go
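Review bot: `caPath := fmt.Sprintf("%s/%s", c.flagWebhookTLSCertDir, "ca.crt")` builds a filesystem path by string formatting; `caPath := filepath.Join(c.flagWebhookTLSCertDir, "ca.crt")` is the idiomatic form and also tolerates a trailing slash in the flag value, and the same applies to the inject-connect/command.go hunk that follows (`c.flagCertDir`). `ioutil.ReadFile` is deprecated in favour of `os.ReadFile` if the module targets Go 1.16 or later, which I cannot confirm from here. Since this line now feeds the webhook CA bundle from `ca.crt` instead of `serverca.crt`, a why-comment at the `caPath` line such as `// ca.crt is the CA that issued the webhook serving certificate, injected by the agent-inject-secret-ca.crt annotation; the API server rejects webhook calls if it does not match` would record the new contract. configureCABundleUpdate continues outside the hunk.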
@@ -485,7 +485,7 @@ func (c *Command) Run(args []string) int { func (c *Command) configureCABundleUpdate(ctx context.Context) error { webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "connect-injector") - caPath := fmt.Sprintf("%s/%s", c.flagCertDir, "serverca.crt") + caPath := fmt.Sprintf("%s/%s", c.flagCertDir, "ca.crt") caCert, err := ioutil.ReadFile(caPath) if err != nil { return err From 228d2f8eafbff33ee6ce337b891254da4912b228 Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 17 May 2022 10:11:52 -0600 Subject: [PATCH 37/80] adding failure if .Values.global.secretsBackend.vault.consulConnectInjectCARole, .Values.global.secretsBackend.vault.connectInject.tlsCert, .Values.global.secretsBackend.vault.connectInject.caCert are either all not set or all set. --- .../templates/connect-inject-deployment.yaml | 5 + .../templates/controller-deployment.yaml | 4 + .../test/unit/connect-inject-deployment.bats | 103 ++++++++++++++++-- 3 files changed, 103 insertions(+), 9 deletions(-) diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 6c2a5f0f7a..87f1f08bca 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
@@ -8,6 +8,7 @@ {{- if .Values.connectInject.centralConfig }}{{ if .Values.connectInject.centralConfig.proxyDefaults }}{{- if ne (trim .Values.connectInject.centralConfig.proxyDefaults) `{}` }}{{ fail "connectInject.centralConfig.proxyDefaults is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end }}{{ end -}} {{- if .Values.connectInject.imageEnvoy }}{{ fail "connectInject.imageEnvoy must be specified in global.imageEnvoy" }}{{ end }} {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{- if and .Values.global.secretsBackend.vault.consulConnectInjectCARole (or (not .Values.global.secretsBackend.vault.connectInject.tlsCert) (not .Values.global.secretsBackend.vault.connectInject.caCert)) }}{{ fail "global.secretsBackend.vault.consulConnectInjectCARole is set. global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName must also be set."}}{{ end }} {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} # The deployment for running the Connect sidecar injector apiVersion: apps/v1 
@@ -44,18 +45,22 @@ spec: "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulConnectInjectCARole }} "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert }} {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} {{- end }} {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert }} {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} {{- end }} + {{- end }} {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 552601ef0d..248efab930 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml 
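Review bot: The added outer `{{- if .Values.global.secretsBackend.vault.connectInject.caCert }}` around the existing `{{- if …caCert.secretName }}` (and the same pair for `tlsCert`) could be one scope, `{{- with .Values.global.secretsBackend.vault.connectInject.caCert }}{{- if .secretName }}`, which guards both the missing map and the empty name and drops one `{{- end }}` per block. The controller-deployment hunk below has the identical shape. The outer guard appears to exist only because `caCert` is not yet declared in values.yaml at this point in the series, so a one-line template comment saying so would stop someone treating it as load-bearing later.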
@@ -36,18 +36,22 @@ spec: "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulControllerCARole }} "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.controller.caCert }} {{- if .Values.global.secretsBackend.vault.controller.caCert.secretName }} {{- with .Values.global.secretsBackend.vault.controller.caCert }} "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} {{- end }} {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.controller.tlsCert }} {{- if .Values.global.secretsBackend.vault.controller.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.controllerWebhookTLSCertTemplate" . }} "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.controllerWebhookTLSKeyTemplate" . }} {{- end }} + {{- end }} {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 0c1d3325b0..857c6559a9 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats 
@@ -1843,6 +1843,8 @@ EOF --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-enable-webhook-ca-update"))' | tee /dev/stderr) [ "${actual}" = "true" ] @@ -1862,7 +1864,6 @@ EOF --set 'global.secretsBackend.vault.enabled=true' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ . | tee /dev/stderr | yq -r '.spec.template' | tee /dev/stderr) @@ -1884,7 +1885,6 @@ EOF --set 'global.secretsBackend.vault.enabled=true' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.secretsBackend.vault.ca.secretName=ca' \ . | tee /dev/stderr | @@ -1907,7 +1907,6 @@ EOF --set 'global.secretsBackend.vault.enabled=true' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ . | tee /dev/stderr | 
@@ -1930,7 +1929,6 @@ EOF --set 'global.secretsBackend.vault.enabled=true' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.secretsBackend.vault.ca.secretName=ca' \ --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ 
@@ -1943,6 +1941,60 @@ EOF [ "${actual}" = "/vault/custom/tls.crt" ] } +@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.consulConnectInjectCARole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not" { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=connectinjectcarole' \ + --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . + [ "$status" -eq 1 ] + [[ "$output" =~ "global.secretsBackend.vault.consulConnectInjectCARole is set. global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName must also be set." 
]] +} + +@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.caCert.secretName are not" { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \ + --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . + [ "$status" -eq 1 ] + [[ "$output" =~ "global.secretsBackend.vault.connectInject.tlsCert.secretName is set. global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.caCert.secretName must also be set." 
]] +} + +@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \ + --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . + [ "$status" -eq 1 ] + [[ "$output" =~ "global.secretsBackend.vault.connectInject.caCert.secretName is set. global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.tlsCert.secretName must also be set." ]] +} + @test "connectInject/Deployment: vault tls annotations are set when tls is enabled" { cd `chart_dir` local cmd=$(helm template \ @@ -1958,6 +2010,7 @@ EOF --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \ . | tee /dev/stderr | yq -r '.spec.template.metadata' | tee /dev/stderr) 
@@ -1970,6 +2023,15 @@ EOF yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-serverca.crt"]' | tee /dev/stderr)" [ "${actual}" = "pki_int/cert/ca" ] + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-template-ca.crt"]' | tee /dev/stderr)" + local expected=$'{{- with secret \"foo/ca\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + [ "${actual}" = "${expected}" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-ca.crt"]' | tee /dev/stderr)" + [ "${actual}" = "foo/ca" ] + local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-init-first"]' | tee /dev/stderr)" [ "${actual}" = "true" ] @@ -2009,7 +2071,6 @@ EOF --set 'global.secretsBackend.vault.enabled=true' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=bar' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ @@ -2025,7 +2086,6 @@ EOF --set 'global.secretsBackend.vault.enabled=true' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=bar' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ @@ -2042,7 +2102,6 @@ EOF --set 'global.secretsBackend.vault.enabled=true' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=bar' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-tls-cert-dir=/vault/secrets"))' | tee /dev/stderr) 
@@ -2050,6 +2109,34 @@ EOF [ "${actual}" = "true" ] } +@test "connectInject/Deployment: vault ca annotations are set when tls is enabled" { + cd `chart_dir` + local cmd=$(helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test2' \ + --set 'global.tls.enabled=true' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'server.serverCert.secretName=pki_int/issue/test' \ + --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata' | tee /dev/stderr) + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-template-serverca.crt"]' | tee /dev/stderr)" + local expected=$'{{- with secret \"pki_int/cert/ca\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + [ "${actual}" = "${expected}" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-serverca.crt"]' | tee /dev/stderr)" + [ "${actual}" = "pki_int/cert/ca" ] +} + #-------------------------------------------------------------------- # Vault agent annotations 
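Review bot: The new test `vault ca annotations are set when tls is enabled` asserts only the `serverca.crt` annotations, which the earlier `vault tls annotations` test already covers, and never checks the `ca.crt` annotations it is named for. It should assert that `yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-ca.crt"]'` equals the configured `caCert.secretName` and that `agent-inject-template-ca.crt` renders the `consul.vaultCATemplate` output, as the earlier hunk in this file does for `foo/ca`. The fixture also sets `connectInject.caCert.secretName` to the same `pki/issue/connect-webhook-cert-dc1` path as `tlsCert`; the CA template performs a plain secret read of `.Data.certificate`, so a CA-style path (for example `pki/cert/ca`, a constructed value) would make the fixture match how the value is consumed.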
@@ -2063,7 +2150,6 @@ EOF --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.tls.caCert.secretName=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=connectinjectcarole' \ . | tee /dev/stderr | yq -r '.spec.template.metadata.annotations | del(."consul.hashicorp.com/connect-inject") | del(."vault.hashicorp.com/agent-inject") | del(."vault.hashicorp.com/role")' | tee /dev/stderr) [ "${actual}" = "{}" ] @@ -2081,7 +2167,6 @@ EOF --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.tls.caCert.secretName=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=connectinjectcarole' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' \ . | tee /dev/stderr | yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr) From 1fe928ff780a750e8e0a87f34968d73e76cdc3e9 Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 19 May 2022 14:59:35 -0600 Subject: [PATCH 38/80] updating chart with caCert configs --- charts/consul/values.yaml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index b99dc65833..66002bcc3a 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -269,7 +269,13 @@ global: # to send webhooks to the controller. tlsCert: # @type: string - secretName: nil + secretName: null + # The directory that Kubernetes will use on Kubernetes CRD creation, + # deletion, and update, to get CA certificates used issued from vault + # to send webhooks to the controller. + caCert: + # @type: string + secretName: null # The Vault role for consul controller to read the Consul's controllers's CA Certificate (unauthenticated). # A Vault policy must be created which grants read capabilities to 
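Review bot: The comment added above the new `caCert:` block in the controller section (`The directory that Kubernetes will use on Kubernetes CRD creation, deletion, and update, to get CA certificates used issued from vault`) is copied from the `tlsCert` comment and is wrong for this value: `secretName` is a Vault secret path read by the Vault Agent sidecar, not a directory, and `used issued` is garbled. Suggested wording: `# The Vault secret path from which the Vault Agent sidecar reads the CA certificate that issued the controller webhook TLS certificate; it is injected as ca.crt and read by configureCABundleUpdate.` The connectInject hunk below carries the same copied comment for its `caCert` block and needs the same correction.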
@@ -277,12 +283,19 @@ global: consulControllerCARole: "" connectInject: + # The directory that Kubernetes will use on Kubernetes CRD creation, + # deletion, and update, to get CA certificates used issued from vault + # to send webhooks to ConnectInject + caCert: + # @type: string + secretName: null + # The directory that Kubernetes will use on Kubernetes CRD creation, # deletion, and update, to get TLS certificates used issued from vault # to send webhooks to ConnectInject tlsCert: # @type: string - secretName: nil + secretName: null # The Vault role for consul connect inject to read the Consul's controllers's CA Certificate (unauthenticated). # A Vault policy must be created which grants read capabilities to From 85eb377c33ecc797d2d689af4cf0d37f1c3cda0c Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 19 May 2022 15:23:22 -0600 Subject: [PATCH 39/80] enforcing setting both controller and connectInject CA and tls vault settings all at once. --- .../templates/connect-inject-deployment.yaml | 6 +++- .../test/unit/connect-inject-deployment.bats | 32 ++++++++++++++----- charts/consul/values.yaml | 1 + 3 files changed, 30 insertions(+), 9 deletions(-) diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 87f1f08bca..3f5ac374d9 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
@@ -8,7 +8,11 @@ {{- if .Values.connectInject.centralConfig }}{{ if .Values.connectInject.centralConfig.proxyDefaults }}{{- if ne (trim .Values.connectInject.centralConfig.proxyDefaults) `{}` }}{{ fail "connectInject.centralConfig.proxyDefaults is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end }}{{ end -}} {{- if .Values.connectInject.imageEnvoy }}{{ fail "connectInject.imageEnvoy must be specified in global.imageEnvoy" }}{{ end }} {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} -{{- if and .Values.global.secretsBackend.vault.consulConnectInjectCARole (or (not .Values.global.secretsBackend.vault.connectInject.tlsCert) (not .Values.global.secretsBackend.vault.connectInject.caCert)) }}{{ fail "global.secretsBackend.vault.consulConnectInjectCARole is set. 
global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName must also be set."}}{{ end }} +{{- if or .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName}} + {{- if or (not .Values.global.secretsBackend.vault.consulConnectInjectCARole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) (not .Values.global.secretsBackend.vault.consulControllerCARole) (not .Values.global.secretsBackend.vault.controller.tlsCert.secretName) (not .Values.global.secretsBackend.vault.controller.caCert.secretName) }} + {{fail "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}} + {{ end }} +{{ end }} {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} # The deployment for running the Connect sidecar injector apiVersion: apps/v1 diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 857c6559a9..6f3092e3dd 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats 
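Review bot: The new `fail` message says `all three must be set` but then lists six values, and the six-way `or`/`not` condition is what the template actually enforces, so the message should read `One of the following has been set, so all six must be set: …`; the bats expectations in the hunks below copy the same wording and would need the same change. The `{{fail …}}` and both `{{ end }}` lines omit the `-` whitespace trimming used on every other directive in the hunk, so the rendered manifest gains leading blank lines whenever the check passes — harmless for YAML but inconsistent with the file. The check also validates the controller values yet lives only in connect-inject-deployment.yaml; if this template is skipped when connectInject is disabled (its top is outside the hunk), a controller-only deployment with a partial set of these values would pass unchecked, so mirroring the check in controller-deployment.yaml looks worthwhile.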
@@ -1840,11 +1840,14 @@ EOF --set 'global.secretsBackend.vault.enabled=true' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-enable-webhook-ca-update"))' | tee /dev/stderr) [ "${actual}" = "true" ] 
@@ -1956,7 +1959,7 @@ EOF --set 'global.secretsBackend.vault.consulConnectInjectCARole=connectinjectcarole' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "global.secretsBackend.vault.consulConnectInjectCARole is set. global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName must also be set." ]] + [[ "$output" =~ "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } @test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.caCert.secretName are not" { 
@@ -1967,14 +1970,14 @@ EOF --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulClientRole=connectInject/Deployment: enable-webhook-ca-update flag is not set on command when using vaulttest' \ --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.tls.caCert.secretName=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "global.secretsBackend.vault.connectInject.tlsCert.secretName is set. global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.caCert.secretName must also be set." ]] + [[ "$output" =~ "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } @test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" { 
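Review bot: The `consulClientRole` value in this failure test has been replaced with `connectInject/Deployment: enable-webhook-ca-update flag is not set on command when using vaulttest`, which looks like an accidental paste of a test name into the `--set` argument; it should remain `--set 'global.secretsBackend.vault.consulClientRole=test' \`. The test probably still passes because the six-value check trips before the role is used, which is why a green run would not catch it.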
@@ -1989,10 +1992,10 @@ EOF
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.tls.caCert.secretName=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
- --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \
+ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' .
 [ "$status" -eq 1 ]
- [[ "$output" =~ "global.secretsBackend.vault.connectInject.caCert.secretName is set. global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.tlsCert.secretName must also be set." ]]
+ [[ "$output" =~ "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
 }
 
 @test "connectInject/Deployment: vault tls annotations are set when tls is enabled" {
@@ -2003,14 +2006,17 @@ EOF --set 'global.secretsBackend.vault.enabled=true' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=bar' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.tls.enabled=true' \ - --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ . | tee /dev/stderr | yq -r '.spec.template.metadata' | tee /dev/stderr) 
@@ -2100,6 +2106,12 @@ EOF -s templates/connect-inject-deployment.yaml \ --set 'connectInject.enabled=true' \ --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ @@ -2119,8 +2131,12 @@ EOF --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.tls.enabled=true' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 66002bcc3a..1778290b16 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml 
@@ -270,6 +270,7 @@ global: tlsCert: # @type: string secretName: null + # The directory that Kubernetes will use on Kubernetes CRD creation, # deletion, and update, to get CA certificates used issued from vault # to send webhooks to the controller. From a982ec9d0089f2b4c78482aa64c5802298e736fd Mon Sep 17 00:00:00 2001 From: John Murret Date: Fri, 20 May 2022 15:51:49 -0600 Subject: [PATCH 40/80] correcting connect inject tests --- .../templates/connect-inject-deployment.yaml | 4 +- .../test/unit/connect-inject-deployment.bats | 76 +++++++++++-------- 2 files changed, 48 insertions(+), 32 deletions(-) diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 3f5ac374d9..64a15573ce 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml @@ -278,7 +278,7 @@ spec: successThreshold: 1 timeoutSeconds: 5 volumeMounts: - {{- if not .Values.global.secretsBackend.vault.enabled }} + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} - name: certs mountPath: /etc/connect-injector/certs readOnly: true @@ -300,7 +300,7 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumes: - {{- if not .Values.global.secretsBackend.vault.enabled }} + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} - name: certs secret: defaultMode: 420 diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 6f3092e3dd..b03c1673a4 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats 
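Review bot: The guard `(and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName)` is written out twice in connect-inject-deployment.yaml (the volumeMounts hunk at @@ -278 and the volumes hunk at @@ -300), and the controller-deployment.yaml hunks at @@ -210 and @@ -226 repeat the same shape with `controller.tlsCert.secretName`; the two copies in each file must stay identical or the container ends up referencing a `certs`/`cert` volume that is not declared (or vice versa). Bind the condition once near the top of each template, e.g. `{{- $vaultWebhookCerts := and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}`, and use `{{- if not $vaultWebhookCerts }}` at both sites. The enclosing container and volumes blocks start and end outside these hunks.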
@@ -2070,36 +2070,6 @@ EOF } -@test "connectInject/Deployment: vault does not add tls-ca-cert volume when global.tls.enabled is true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=bar' \ - --set 'global.secretsBackend.vault.consulCARole=test2' \ - --set 'connectInject.enabled=true' \ - --set 'global.tls.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) - [ "${actual}" == "" ] -} - -@test "connectInject/Deployment: vault does not add tls-ca-cert volumeMounts when global.tls.enabled is true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=bar' \ - --set 'global.secretsBackend.vault.consulCARole=test2' \ - --set 'connectInject.enabled=true' \ - --set 'global.tls.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) - [ "${actual}" == "" ] -} - @test "connectInject/Deployment: vault tls-cert-dir flag is set to /vault/secrets" { cd `chart_dir` local actual=$(helm template \ 
@@ -2153,6 +2123,52 @@ EOF [ "${actual}" = "pki_int/cert/ca" ] } +@test "connectInject/Deployment: vault does not add certs volume when global.secretsBackend.vault.connectInject.tlsCert.secretName is set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test2' \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "certs")' | tee /dev/stderr) + [ "${actual}" == "" ] +} + +@test "connectInject/Deployment: vault does not add certs volumeMounts when global.secretsBackend.vault.connectInject.tlsCert.secretName is set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test2' \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "certs")' | tee /dev/stderr) + [ "${actual}" == "" ] +} + #-------------------------------------------------------------------- # Vault agent annotations From a6b52fb11921206c2f79f68e0cbed8cf5014e94c Mon Sep 17 00:00:00 2001 
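Review bot: Both new tests cover only the negative case (no `certs` volume or volumeMount when `global.secretsBackend.vault.connectInject.tlsCert.secretName` is set); the behaviour this patch introduces in connect-inject-deployment.yaml — Vault enabled but no webhook tlsCert secretName, so the `certs` Kubernetes secret is still mounted — has no test, and the two tests removed in the previous hunk exercised a different volume (`consul-ca-cert`). Add the complementary case with `global.secretsBackend.vault.enabled=true` and none of the six webhook-cert values, asserting that `yq '.spec.template.spec.volumes[] | select(.name == "certs")'` is non-empty (and likewise for the volumeMount). The two fixtures here differ only in the `yq` path; a shared `local` settings list would make that intent easier to see.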
From: John Murret Date: Fri, 20 May 2022 16:23:42 -0600 Subject: [PATCH 41/80] Update controller tests --- charts/consul/templates/_helpers.tpl | 23 ++++ .../templates/connect-inject-deployment.yaml | 6 +- .../templates/controller-deployment.yaml | 5 +- .../test/unit/connect-inject-deployment.bats | 6 +- .../test/unit/controller-deployment.bats | 100 +++++++++++++++++- 5 files changed, 129 insertions(+), 11 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index d9c0c2f8f8..eb2ed1f7aa 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -279,3 +279,26 @@ Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} {{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} {{- end }} {{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.consulConnectInjectCARole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName +- global.secretsBackend.vault.consulControllerCARole +- global.secretsBackend.vault.controller.tlsCert.secretName +- global.secretsBackend.vault.controller.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject and controller to manage its own webhook certs. + +Usage: {{ template "consul.maybeFailValuesForVaultWebhookCertsAreIncomplete" . }} + +*/}} +{{- define "consul.maybeFailValuesForVaultWebhookCertsAreIncomplete" -}} +{{- if or .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.consulConnectInjectCARole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) (not .Values.global.secretsBackend.vault.consulControllerCARole) (not .Values.global.secretsBackend.vault.controller.tlsCert.secretName) (not .Values.global.secretsBackend.vault.controller.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, 
global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}} +{{ end }} +{{ end }} +{{- end -}} diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 64a15573ce..e46fd2b93e 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
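Review bot: The two closing actions are written `{{ end }}` without whitespace trimming, unlike the neighbouring helpers in this file (`{{- end }}`, `{{- end -}}`), and the new helper is invoked as `{{ template "consul.maybeFailValuesForVaultWebhookCertsAreIncomplete" . }}` in connect-inject-deployment.yaml (@@ -8) and controller-deployment.yaml (@@ -1); when all six values are set the expansion emits stray newlines at the top of the rendered manifest. Use `{{- end }}` on both and `{{- template ... }}` at the call sites. Separately, the helper never consults `global.secretsBackend.vault.enabled`: with all six values set but Vault disabled, the webhook-cert-manager templates stay enabled and the deployments keep mounting the Kubernetes-secret certificate, so the Vault settings are silently ignored — either fail on that combination or state it in the doc block. The doc comment also reads "web cert manager" where "webhook cert manager" is meant.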
@@ -8,11 +8,7 @@ {{- if .Values.connectInject.centralConfig }}{{ if .Values.connectInject.centralConfig.proxyDefaults }}{{- if ne (trim .Values.connectInject.centralConfig.proxyDefaults) `{}` }}{{ fail "connectInject.centralConfig.proxyDefaults is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end }}{{ end -}} {{- if .Values.connectInject.imageEnvoy }}{{ fail "connectInject.imageEnvoy must be specified in global.imageEnvoy" }}{{ end }} {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} -{{- if or .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName}} - {{- if or (not .Values.global.secretsBackend.vault.consulConnectInjectCARole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) (not .Values.global.secretsBackend.vault.consulControllerCARole) (not .Values.global.secretsBackend.vault.controller.tlsCert.secretName) (not .Values.global.secretsBackend.vault.controller.caCert.secretName) }} - {{fail "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}} - {{ end 
}} -{{ end }} +{{ template "consul.maybeFailValuesForVaultWebhookCertsAreIncomplete" . }} {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} # The deployment for running the Connect sidecar injector apiVersion: apps/v1 diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 248efab930..f54ffbf5e5 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml @@ -1,5 +1,6 @@ {{- if .Values.controller.enabled }} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.maybeFailValuesForVaultWebhookCertsAreIncomplete" . }} apiVersion: apps/v1 kind: Deployment metadata: @@ -210,7 +211,7 @@ spec: - mountPath: /consul/login name: consul-data readOnly: true - {{- if not .Values.global.secretsBackend.vault.enabled }} + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.controller.tlsCert.secretName) }} - mountPath: /tmp/controller-webhook/certs name: cert readOnly: true @@ -226,7 +227,7 @@ spec: {{- end }} terminationGracePeriodSeconds: 10 volumes: - {{- if not .Values.global.secretsBackend.vault.enabled }} + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.controller.tlsCert.secretName) }} - name: cert secret: defaultMode: 420 diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index b03c1673a4..769cb95fab 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats 
@@ -1959,7 +1959,7 @@ EOF
 --set 'global.secretsBackend.vault.consulConnectInjectCARole=connectinjectcarole' \
 --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' .
 [ "$status" -eq 1 ]
- [[ "$output" =~ "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
+ [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
 }
 
 @test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.caCert.secretName are not" {
@@ -1977,7 +1977,7 @@ EOF
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' .
 [ "$status" -eq 1 ]
- [[ "$output" =~ "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
+ [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
 }
 
 @test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" {
@@ -1995,7 +1995,7 @@ EOF
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' .
 [ "$status" -eq 1 ]
- [[ "$output" =~ "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
+ [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
 }
 
 @test "connectInject/Deployment: vault tls annotations are set when tls is enabled" {
diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats
index 2f7c90adfb..60064c59a3 100644
--- a/charts/consul/test/unit/controller-deployment.bats
+++ b/charts/consul/test/unit/controller-deployment.bats
@@ -75,6 +75,15 @@ load _helpers --set 'global.secretsBackend.vault.consulServerRole=test' \ --set 'global.secretsBackend.vault.consulCARole=test' \ --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test2' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-enable-webhook-ca-update"))' | tee /dev/stderr) [ "${actual}" = "true" ] 
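Review bot: The added block re-sets keys the fixture already sets a few lines up (`consulServerRole=test` is followed by `consulServerRole=bar`, `consulCARole=test` by `consulCARole=test2`); helm keeps the last `--set`, so the earlier values are dead and a reader cannot tell which value the test intends. The same pasted block repeats at @@ -951 (`consulControllerCARole=test` and `consulCARole=test2` each set twice) and @@ -1041 (`consulClientRole`, `consulServerRole` and `consulCARole` set twice, the last with differing values), and probably in the @@ -1010/@@ -1027 hunks whose earlier lines are outside the hunk. Keep one occurrence per key — drop the trailing `consulClientRole`/`consulServerRole`/`consulCARole` lines from the added block and leave the fixture's existing ones.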
@@ -951,10 +960,18 @@ load _helpers --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.secretsBackend.vault.consulControllerCARole=test' \ --set 'global.tls.enabled=true' \ - --set 'global.secretsBackend.vault.controller.tlsCert.secretName=pki/issue/controller-webhook-cert-dc1' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=pki/issue/controller-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test2' \ . | tee /dev/stderr | yq -r '.spec.template.metadata' | tee /dev/stderr) 
@@ -1010,6 +1027,15 @@ load _helpers --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.tls.enabled=true' \ --set 'global.tls.caCert.secretName=foo' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test2' \ . | tee /dev/stderr | yq '.spec.template.spec.volumes[] | select(.name == "cert")' | tee /dev/stderr) [ "${actual}" == "" ] @@ -1027,6 +1053,15 @@ load _helpers --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.tls.enabled=true' \ --set 'global.tls.caCert.secretName=foo' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test2' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "cert")' | tee /dev/stderr) [ "${actual}" == "" ] 
@@ -1041,12 +1076,75 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test' \ + --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ + --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ + --set 'global.secretsBackend.vault.consulClientRole=foo' \ + --set 'global.secretsBackend.vault.consulServerRole=bar' \ + --set 'global.secretsBackend.vault.consulCARole=test2' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-webhook-tls-cert-dir=/vault/secrets"))' | tee /dev/stderr) [ "${actual}" = "true" ] } +@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.consulControllerCARole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not" { + cd `chart_dir` + run helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + --set 'global.secretsBackend.vault.consulControllerCARole=controllerinjectcarole' \ + --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . 
+ [ "$status" -eq 1 ] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] +} + +@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controller.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.caCert.secretName are not" { + cd `chart_dir` + run helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ + --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . + [ "$status" -eq 1 ] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." 
]] +} + +@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controller.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" { + cd `chart_dir` + run helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.secretsBackend.vault.consulCARole=carole' \ + --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ + --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . + [ "$status" -eq 1 ] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] +} + #-------------------------------------------------------------------- # Vault agent annotations From 328ac87a85a480050cdd79e3850ccbbbf17dc0d8 Mon Sep 17 00:00:00 2001 
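Review bot: The three new controller tests are titled after the connect-inject keys (`... consulControllerCARole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not`) although each sets a controller value and asserts the six-way all-or-nothing failure; the second and third titles also say `consulConnectInjectCARole` where `consulControllerCARole` is the key they exercise. Rename them to the controller keys, e.g. `@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.consulControllerCARole is set but global.secretsBackend.vault.controller.tlsCert.secretName and global.secretsBackend.vault.controller.caCert.secretName are not" {`, so a failing test name points at the right values.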
From: John Murret Date: Fri, 20 May 2022 16:35:42 -0600 Subject: [PATCH 42/80] fixing condition on which web certmanager is shut off --- .../templates/webhook-cert-manager-clusterrole.yaml | 2 +- .../webhook-cert-manager-clusterrolebinding.yaml | 2 +- .../templates/webhook-cert-manager-configmap.yaml | 2 +- .../templates/webhook-cert-manager-deployment.yaml | 2 +- .../webhook-cert-manager-podsecuritypolicy.yaml | 2 +- .../webhook-cert-manager-serviceaccount.yaml | 2 +- .../test/unit/webhook-cert-manager-clusterrole.bats | 9 +++++++++ .../unit/webhook-cert-manager-clusterrolebinding.bats | 9 +++++++++ .../test/unit/webhook-cert-manager-configmap.bats | 9 +++++++++ .../test/unit/webhook-cert-manager-deployment.bats | 9 +++++++++ .../unit/webhook-cert-manager-podsecuritypolicy.bats | 11 ++++++++++- .../unit/webhook-cert-manager-serviceaccount.bats | 9 +++++++++ 12 files changed, 61 insertions(+), 7 deletions(-) diff --git a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml index 75a8682e8a..39bbf1c62c 100644 --- a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml +++ b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not .Values.global.secretsBackend.vault.enabled)) }} +{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
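Review bot: The seven-term `(and .Values.global.secretsBackend.vault.enabled ... .Values.global.secretsBackend.vault.controller.caCert.secretName)` guard is pasted verbatim into six templates (clusterrole here, then clusterrolebinding, configmap, deployment, podsecuritypolicy and serviceaccount in the following hunks); the podsecuritypolicy copy has already drifted by reordering the `or` operands, and the rule "one missing value keeps the cert manager on" now has to be maintained in six places. Define it once in _helpers.tpl beside `consul.maybeFailValuesForVaultWebhookCertsAreIncomplete` and gate each template with `{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (include "consul.vaultWebhookCertsEnabled" .))) }}`; `include` yields a string, so the helper must render an empty string for the false case. The helper name below is a suggestion.

```yaml
{{- define "consul.vaultWebhookCertsEnabled" -}}
{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName -}}
true
{{- end -}}
{{- end -}}
```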
diff --git a/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml index 9880c88a07..004d8abd24 100644 --- a/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml +++ b/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not .Values.global.secretsBackend.vault.enabled)) }} +{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/consul/templates/webhook-cert-manager-configmap.yaml b/charts/consul/templates/webhook-cert-manager-configmap.yaml index 5843bb7c18..6776b9816d 100644 --- a/charts/consul/templates/webhook-cert-manager-configmap.yaml +++ b/charts/consul/templates/webhook-cert-manager-configmap.yaml 
@@ -1,4 +1,4 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not .Values.global.secretsBackend.vault.enabled)) }}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-deployment.yaml b/charts/consul/templates/webhook-cert-manager-deployment.yaml
index 317cb298bc..be5511bc0c 100644
--- a/charts/consul/templates/webhook-cert-manager-deployment.yaml
+++ b/charts/consul/templates/webhook-cert-manager-deployment.yaml
@@ -1,4 +1,4 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not .Values.global.secretsBackend.vault.enabled)) }}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml
index a88bdca8b4..883156031b 100644
--- a/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml
+++ b/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if and (or .Values.controller.enabled .Values.connectInject.enabled) .Values.global.enablePodSecurityPolicies (not .Values.global.secretsBackend.vault.enabled)}}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) .Values.global.enablePodSecurityPolicies (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml b/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
index b191c0c988..e0fc8fd97c 100644
--- a/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
+++ b/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not .Values.global.secretsBackend.vault.enabled)) }}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
index c37067a342..06eca25c7a 100644
--- a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
@@ -158,5 +158,14 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
+ --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.consulControllerCARole=test' \
+ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
+ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
+ --set 'global.secretsBackend.vault.consulClientRole=foo' \
+ --set 'global.secretsBackend.vault.consulServerRole=bar' \
+ --set 'global.secretsBackend.vault.consulCARole=test2' \
 .
 }
diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
index 4289afb71f..f1802620ba 100644
--- a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
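Review bot: `global.secretsBackend.vault.consulClientRole`, `consulServerRole` and `consulCARole` are each passed twice in this one `helm template` call — `test`/`foo`/`carole` on the context lines and `foo`/`bar`/`test2` on the added lines — and with repeated `--set` the last value wins, so the three new lines silently override the existing ones and the fixture reads as if it exercised two configurations. Drop the three duplicated `--set` lines (or the three earlier ones) so the fixture states a single configuration. The same duplication appears in the clusterrolebinding, configmap, deployment, podsecuritypolicy and serviceaccount bats hunks below. The enclosing `@test` body starts outside the hunk.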
@@ -52,5 +52,14 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
+ --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.consulControllerCARole=test' \
+ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
+ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
+ --set 'global.secretsBackend.vault.consulClientRole=foo' \
+ --set 'global.secretsBackend.vault.consulServerRole=bar' \
+ --set 'global.secretsBackend.vault.consulCARole=test2' \
 .
 }
diff --git a/charts/consul/test/unit/webhook-cert-manager-configmap.bats b/charts/consul/test/unit/webhook-cert-manager-configmap.bats
index 14fd1fd66a..d8ae415079 100644
--- a/charts/consul/test/unit/webhook-cert-manager-configmap.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-configmap.bats
@@ -104,5 +104,14 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
+ --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.consulControllerCARole=test' \
+ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
+ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
+ --set 'global.secretsBackend.vault.consulClientRole=foo' \
+ --set 'global.secretsBackend.vault.consulServerRole=bar' \
+ --set 'global.secretsBackend.vault.consulCARole=test2' \
 .
 }
diff --git a/charts/consul/test/unit/webhook-cert-manager-deployment.bats b/charts/consul/test/unit/webhook-cert-manager-deployment.bats
index f05022b6f0..cb202f1b70 100644
--- a/charts/consul/test/unit/webhook-cert-manager-deployment.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-deployment.bats
@@ -75,5 +75,14 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
+ --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.consulControllerCARole=test' \
+ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
+ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
+ --set 'global.secretsBackend.vault.consulClientRole=foo' \
+ --set 'global.secretsBackend.vault.consulServerRole=bar' \
+ --set 'global.secretsBackend.vault.consulCARole=test2' \
 .
 }
diff --git a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
index eb04f096a6..af071cdd75 100644
--- a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
@@ -58,11 +58,20 @@ load _helpers
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-podsecuritypolicy.yaml \
- --set 'controller.enabled=true' \
 --set 'global.enablePodSecurityPolicies=true' \
+ --set 'controller.enabled=true' \
 --set 'global.secretsBackend.vault.enabled=true' \
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
+ --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.consulControllerCARole=test' \
+ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
+ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
+ --set 'global.secretsBackend.vault.consulClientRole=foo' \
+ --set 'global.secretsBackend.vault.consulServerRole=bar' \
+ --set 'global.secretsBackend.vault.consulCARole=test2' \
 .
 }
diff --git a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
index 87eb57334d..0e740189c0 100644
--- a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
@@ -73,5 +73,14 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
+ --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.consulControllerCARole=test' \
+ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
+ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
+ --set 'global.secretsBackend.vault.consulClientRole=foo' \
+ --set 'global.secretsBackend.vault.consulServerRole=bar' \
+ --set 'global.secretsBackend.vault.consulCARole=test2' \
 .
 }
From 0bd96667baeace1cd0ab1a808049b8f9a0b3bc3c Mon Sep 17 00:00:00 2001
From: John Murret
Date: Fri, 20 May 2022 17:03:45 -0600
Subject: [PATCH 43/80] only rendering vault role when suppled in controller and connect-inject deployments
---
 .../templates/connect-inject-deployment.yaml | 4 ----
 .../templates/controller-deployment.yaml | 6 ++----
 .../test/unit/connect-inject-deployment.bats | 21 ++++++++++++++++++-
 .../test/unit/controller-deployment.bats | 21 +++++++++++++++++++
 4 files changed, 43 insertions(+), 9 deletions(-)
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
index e46fd2b93e..532a999da9 100644
--- a/charts/consul/templates/connect-inject-deployment.yaml
+++ b/charts/consul/templates/connect-inject-deployment.yaml
@@ -45,22 +45,18 @@ spec:
 "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulConnectInjectCARole }}
 "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
- {{- if .Values.global.secretsBackend.vault.connectInject.caCert }}
 {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }}
 {{- with .Values.global.secretsBackend.vault.connectInject.caCert }}
 "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }}
 "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }}
 {{- end }}
 {{- end }}
- {{- end }}
- {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert }}
 {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
 "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }}
 "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }}
 {{- end }}
- {{- end }}
 {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
 "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
 "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml
index f54ffbf5e5..7159f660e7 100644
--- a/charts/consul/templates/controller-deployment.yaml
+++ b/charts/consul/templates/controller-deployment.yaml
@@ -34,25 +34,23 @@ spec:
 {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
 "vault.hashicorp.com/agent-init-first": "true"
 "vault.hashicorp.com/agent-inject": "true"
+ {{- if .Values.global.secretsBackend.vault.consulControllerCARole }}
 "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulControllerCARole }}
+ {{ end }}
 "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
- {{- if .Values.global.secretsBackend.vault.controller.caCert }}
 {{- if .Values.global.secretsBackend.vault.controller.caCert.secretName }}
 {{- with .Values.global.secretsBackend.vault.controller.caCert }}
 "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }}
 "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }}
 {{- end }}
 {{- end }}
- {{- end }}
- {{- if .Values.global.secretsBackend.vault.controller.tlsCert }}
 {{- if .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}
 "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.controllerWebhookTLSCertTemplate" . }}
 "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.controllerWebhookTLSKeyTemplate" . }}
 {{- end }}
- {{- end }}
 {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
 "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
 "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
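Review bot: The added `{{ end }}` after the `vault.hashicorp.com/role` line has no `-` trim marker while every other action in this annotations block is written `{{- if` / `{{- end }}`, so Helm emits a whitespace-only line into the annotations map; change it to `{{- end }}`. The connect-inject-deployment hunk in the next commit of this series adds the same untrimmed `{{ end }}`. Note also that when `consulControllerCARole` is empty the pod still carries `agent-inject: "true"` but no role annotation at all, so the Vault agent init container has nothing to log in with and the serverca.crt fetch presumably fails at pod start rather than at install time; either render a fallback role or wrap the value in `required` so a missing role fails at template time. The enclosing `{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}` block ends outside the hunk.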
diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats
index 769cb95fab..6450253b83 100755
--- a/charts/consul/test/unit/connect-inject-deployment.bats
+++ b/charts/consul/test/unit/connect-inject-deployment.bats
@@ -1816,7 +1816,7 @@ EOF
 #--------------------------------------------------------------------
 # enable-webhook-ca-update
-@test "controller/Deployment: enable-webhook-ca-update flag is not set on command by default" {
+@test "connectInject/Deployment: enable-webhook-ca-update flag is not set on command by default" {
 cd `chart_dir`
 local actual=$(helm template \
 -s templates/connect-inject-deployment.yaml \
@@ -2169,6 +2169,25 @@ EOF
 [ "${actual}" == "" ]
 }
+@test "connectInject/Deployment: vault vault.hashicorp.com/role not set if global.secretsBackend.vault.consulControllerCARole is not set" {
+ cd `chart_dir`
+ local cmd=$(helm template \
+ -s templates/connect-inject-deployment.yaml \
+ --set 'connectInject.enabled=true' \
+ --set 'global.secretsBackend.vault.enabled=true' \
+ --set 'global.secretsBackend.vault.consulClientRole=test' \
+ --set 'global.secretsBackend.vault.consulServerRole=foo' \
+ --set 'global.tls.caCert.secretName=foo' \
+ --set 'global.secretsBackend.vault.consulCARole=carole' \
+
+ . | tee /dev/stderr |
+ yq -r '.spec.template.metadata' | tee /dev/stderr)
+
+ local actual="$(echo $cmd |
+ yq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr)"
+ [ "${actual}" = "" ]
+}
+
 #--------------------------------------------------------------------
 # Vault agent annotations
diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats
index 60064c59a3..7c445958f1 100644
--- a/charts/consul/test/unit/controller-deployment.bats
+++ b/charts/consul/test/unit/controller-deployment.bats
@@ -1145,6 +1145,27 @@ load _helpers
 [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
 }
+@test "controller/Deployment: vault vault.hashicorp.com/role not set if global.secretsBackend.vault.consulControllerCARole is not set" {
+ cd `chart_dir`
+ local cmd=$(helm template \
+ -s templates/controller-deployment.yaml \
+ --set 'controller.enabled=true' \
+ --set 'global.secretsBackend.vault.enabled=true' \
+ --set 'global.secretsBackend.vault.consulClientRole=foo' \
+ --set 'global.secretsBackend.vault.consulServerRole=bar' \
+ --set 'global.secretsBackend.vault.consulCARole=test2' \
+ --set 'global.secretsBackend.vault.consulControllerCARole=test' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'server.serverCert.secretName=pki_int/issue/test' \
+ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.metadata' | tee /dev/stderr)
+
+ local actual="$(echo $cmd |
+ yq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr)"
+ [ "${actual}" = "" ]
+}
 #--------------------------------------------------------------------
 # Vault agent annotations
From 359fab65d4d7655cd972fd4689ceb22c0dc6cd80 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Fri, 20 May 2022 17:10:19 -0600
Subject: [PATCH 44/80] fixing connect inject deploy for vault role
---
 charts/consul/templates/connect-inject-deployment.yaml | 2 ++
 charts/consul/test/unit/connect-inject-deployment.bats | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)
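Review bot: The new test is titled "role not set if ... consulControllerCARole is not set" but its fixture passes `--set 'global.secretsBackend.vault.consulControllerCARole=test'`, and with the template change in this commit that input renders `vault.hashicorp.com/role: test`, so the `[ "${actual}" = "" ]` assertion should fail as written; if it passes instead, the annotation is being dropped for some other reason and the test is not checking what its title says. Remove the `consulControllerCARole=test` line so the fixture matches the title. Separately, `echo $cmd` is unquoted, so the captured YAML is word-split and glob-expanded before `yq` sees it; use `echo "$cmd"` here and in the connect-inject-deployment.bats hunk of this commit.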
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
index 532a999da9..bf755a2152 100644
--- a/charts/consul/templates/connect-inject-deployment.yaml
+++ b/charts/consul/templates/connect-inject-deployment.yaml
@@ -42,7 +42,9 @@ spec:
 {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
 "vault.hashicorp.com/agent-init-first": "true"
 "vault.hashicorp.com/agent-inject": "true"
+ {{- if .Values.global.secretsBackend.vault.consulConnectInjectCARole }}
 "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulConnectInjectCARole }}
+ {{ end }}
 "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
 {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }}
diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats
index 6450253b83..93b9a403d6 100755
--- a/charts/consul/test/unit/connect-inject-deployment.bats
+++ b/charts/consul/test/unit/connect-inject-deployment.bats
@@ -2169,7 +2169,7 @@ EOF
 [ "${actual}" == "" ]
 }
-@test "connectInject/Deployment: vault vault.hashicorp.com/role not set if global.secretsBackend.vault.consulControllerCARole is not set" {
+@test "connectInject/Deployment: vault vault.hashicorp.com/role not set if global.secretsBackend.vault.consulConnectInjectCARole is not set" {
 cd `chart_dir`
 local cmd=$(helm template \
 -s templates/connect-inject-deployment.yaml \
@@ -2177,9 +2177,10 @@ EOF
 --set 'global.secretsBackend.vault.enabled=true' \
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
+ --set 'global.tls.enabled=true' \
 --set 'global.tls.caCert.secretName=foo' \
+ --set 'global.tls.enableAutoEncrypt=true' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
-
 . | tee /dev/stderr |
 yq -r '.spec.template.metadata' | tee /dev/stderr)
From 84538d916c6dbdc42c64ad11c015ee7a99705f5a Mon Sep 17 00:00:00 2001
From: John Murret
Date: Fri, 20 May 2022 18:10:10 -0600
Subject: [PATCH 45/80] making global.secretsBackend.vault.consulCARole the fallback in the controller and connect-inject deployments if the web cert replacement roles are not defined.
---
 .../tests/vault/vault_namespaces_test.go | 11 +-
 acceptance/tests/vault/vault_test.go | 53 +---
 .../tests/vault/vault_tls_auto_reload_test.go | 7 -
 .../tests/vault/vault_webhook_certs_test.go | 293 ++++++++++++++++++
 .../templates/connect-inject-deployment.yaml | 2 +
 .../templates/controller-deployment.yaml | 2 +
 .../test/unit/connect-inject-deployment.bats | 4 +-
 .../test/unit/controller-deployment.bats | 5 +-
 8 files changed, 308 insertions(+), 69 deletions(-)
 create mode 100644 acceptance/tests/vault/vault_webhook_certs_test.go
diff --git a/acceptance/tests/vault/vault_namespaces_test.go b/acceptance/tests/vault/vault_namespaces_test.go
index 4750fa77ad..a7ddec906c 100644
--- a/acceptance/tests/vault/vault_namespaces_test.go
+++ b/acceptance/tests/vault/vault_namespaces_test.go
@@ -172,13 +172,6 @@ func TestVault_VaultNamespace(t *testing.T) {
 }
 srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
- // pathForConnectInjectWebookCerts :=
- // vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient,
- // consulReleaseName, ns, "dc1", "1h")
- // pathForControllerWebookCerts :=
- // vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient,
- // consulReleaseName, ns, "dc1", "1h")
-
 vaultCASecret := vault.CASecretName(vaultReleaseName)
 consulHelmValues := map[string]string{
@@ -188,9 +181,7 @@ func TestVault_VaultNamespace(t *testing.T) {
 "connectInject.enabled": "true",
 "connectInject.replicas": "1",
- // "secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts,
- "controller.enabled": "true",
- // "secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts,
+ "controller.enabled": "true",
 "global.secretsBackend.vault.enabled": "true",
 "global.secretsBackend.vault.consulServerRole": consulServerRole,
diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go
index 7664347a02..f746f73ed1 100644
--- a/acceptance/tests/vault/vault_test.go
+++ b/acceptance/tests/vault/vault_test.go
@@ -70,34 +70,6 @@ func TestVault(t *testing.T) {
 }
 serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient)
- // Configure controller webhook PKI
- controllerWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{
- BaseURL: "controller",
- PolicyName: "controller-ca-policy",
- RoleName: "controller-ca-role",
- KubernetesNamespace: ns,
- DataCenter: "dc1",
- ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller"),
- AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"),
- MaxTTL: "1h",
- AuthMethodPath: "kubernetes",
- }
- vault.ConfigurePKIAndAuthRole(t, vaultClient, controllerWebhookPKIConfig)
-
- // Configure controller webhook PKI
- connectInjectorWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{
- BaseURL: "connect",
- PolicyName: "connect-ca-policy",
- RoleName: "connect-ca-role",
- KubernetesNamespace: ns,
- DataCenter: "dc1",
- ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"),
- AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"),
- MaxTTL: "1h",
- AuthMethodPath: "kubernetes",
- }
- vault.ConfigurePKIAndAuthRole(t, vaultClient, connectInjectorWebhookPKIConfig)
-
 // -------------------------
 // KV2 secrets
 // -------------------------
@@ -187,13 +159,6 @@ func TestVault(t *testing.T) {
 }
 srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
- // pathForConnectInjectWebookCerts :=
- // vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient,
- // consulReleaseName, ns, "dc1", "1h")
- // pathForControllerWebookCerts :=
- // vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient,
- // consulReleaseName, ns, "dc1", "1h")
-
 vaultCASecret := vault.CASecretName(vaultReleaseName)
 consulHelmValues := map[string]string{
@@ -204,18 +169,12 @@ func TestVault(t *testing.T) {
 "connectInject.enabled": "true",
 "connectInject.replicas": "1",
 "controller.enabled": "true",
- "global.secretsBackend.vault.connectInject.tlsCert.secretName": connectInjectorWebhookPKIConfig.CertPath,
- "global.secretsBackend.vault.connectInject.caCert.secretName": connectInjectorWebhookPKIConfig.CAPath,
- "global.secretsBackend.vault.controller.tlsCert.secretName": controllerWebhookPKIConfig.CertPath,
- "global.secretsBackend.vault.controller.caCert.secretName": controllerWebhookPKIConfig.CAPath,
-
- "global.secretsBackend.vault.enabled": "true",
- "global.secretsBackend.vault.consulServerRole": consulServerRole,
- "global.secretsBackend.vault.consulClientRole": consulClientRole,
- "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName,
- "global.secretsBackend.vault.consulConnectInjectCARole": connectInjectorWebhookPKIConfig.RoleName,
- "global.secretsBackend.vault.consulControllerCARole": controllerWebhookPKIConfig.RoleName,
- "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole,
+
+ "global.secretsBackend.vault.enabled": "true",
+ "global.secretsBackend.vault.consulServerRole": consulServerRole,
+ "global.secretsBackend.vault.consulClientRole": consulClientRole,
+ "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName,
+ "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole,
 "global.secretsBackend.vault.ca.secretName": vaultCASecret,
 "global.secretsBackend.vault.ca.secretKey": "tls.crt",
diff --git a/acceptance/tests/vault/vault_tls_auto_reload_test.go b/acceptance/tests/vault/vault_tls_auto_reload_test.go
index 84cefb63d4..6cbcb5d351 100644
--- a/acceptance/tests/vault/vault_tls_auto_reload_test.go
+++ b/acceptance/tests/vault/vault_tls_auto_reload_test.go
@@ -162,13 +162,6 @@ func TestVault_TLSAutoReload(t *testing.T) {
 }
 srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
- // pathForConnectInjectWebookCerts :=
- // vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient,
- // consulReleaseName, ns, "dc1", "1h")
- // pathForControllerWebookCerts :=
- // vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient,
- // consulReleaseName, ns, "dc1", "1h")
-
 vaultCASecret := vault.CASecretName(vaultReleaseName)
 consulHelmValues := map[string]string{
diff --git a/acceptance/tests/vault/vault_webhook_certs_test.go b/acceptance/tests/vault/vault_webhook_certs_test.go
new file mode 100644
index 0000000000..8a36c88400
--- /dev/null
+++ b/acceptance/tests/vault/vault_webhook_certs_test.go
@@ -0,0 +1,293 @@ +package vault + +import ( + "fmt" + "testing" + + terratestLogger "github.com/gruntwork-io/terratest/modules/logger" + "github.com/hashicorp/consul-k8s/acceptance/framework/consul" + "github.com/hashicorp/consul-k8s/acceptance/framework/helpers" + "github.com/hashicorp/consul-k8s/acceptance/framework/k8s" + "github.com/hashicorp/consul-k8s/acceptance/framework/logger" + "github.com/hashicorp/consul-k8s/acceptance/framework/vault" + "github.com/hashicorp/go-uuid" + "github.com/stretchr/testify/require" +) + +// TestVault_WebhookCerts installs Vault, bootstraps it with secrets, policies, and Kube Auth Method. +// It then configures Consul to use vault as the backend and checks that it works +// by turning off web cert manager and configuring controller and connect injector +// to receive ca bundles and tls certs from Vault PKI engine. +func TestVault_WebhookCerts(t *testing.T) { + cfg := suite.Config() + ctx := suite.Environment().DefaultContext(t) + ns := ctx.KubectlOptions(t).Namespace + + consulReleaseName := helpers.RandomName() + vaultReleaseName := helpers.RandomName() + + vaultCluster := vault.NewVaultCluster(t, ctx, cfg, vaultReleaseName, nil) + vaultCluster.Create(t, ctx, "") + // Vault is now installed in the cluster. + + // Now fetch the Vault client so we can create the policies and secrets. 
+ vaultClient := vaultCluster.VaultClient(t) + + // ------------------------- + // PKI + // ------------------------- + // Configure Service Mesh CA + connectCAPolicy := "connect-ca-dc1" + connectCARootPath := "connect_root" + connectCAIntermediatePath := "dc1/connect_inter" + // Configure Policy for Connect CA + vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicy, connectCARootPath, connectCAIntermediatePath) + + // Configure Server PKI + serverPKIConfig := &vault.PKIAndAuthRoleConfiguration{ + BaseURL: "pki", + PolicyName: "consul-ca-policy", + RoleName: "consul-ca-role", + KubernetesNamespace: ns, + DataCenter: "dc1", + ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), + AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), + MaxTTL: "1h", + AuthMethodPath: "kubernetes", + } + vault.ConfigurePKIAndAuthRole(t, vaultClient, serverPKIConfig) + + // Configure controller webhook PKI + controllerWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ + BaseURL: "controller", + PolicyName: "controller-ca-policy", + RoleName: "controller-ca-role", + KubernetesNamespace: ns, + DataCenter: "dc1", + ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller"), + AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"), + MaxTTL: "1h", + AuthMethodPath: "kubernetes", + } + vault.ConfigurePKIAndAuthRole(t, vaultClient, controllerWebhookPKIConfig) + + // Configure controller webhook PKI + connectInjectorWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ + BaseURL: "connect", + PolicyName: "connect-ca-policy", + RoleName: "connect-ca-role", + KubernetesNamespace: ns, + DataCenter: "dc1", + ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), + AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), + MaxTTL: "1h", + AuthMethodPath: "kubernetes", + } + 
vault.ConfigurePKIAndAuthRole(t, vaultClient, connectInjectorWebhookPKIConfig) + + // ------------------------- + // KV2 secrets + // ------------------------- + // Gossip key + gossipKey, err := vault.GenerateGossipSecret() + require.NoError(t, err) + gossipSecret := &vault.SaveVaultSecretConfiguration{ + Path: "consul/data/secret/gossip", + Key: "gossip", + Value: gossipKey, + PolicyName: "gossip", + } + vault.SaveSecret(t, vaultClient, gossipSecret) + + // License + licenseSecret := &vault.SaveVaultSecretConfiguration{ + Path: "consul/data/secret/license", + Key: "license", + Value: cfg.EnterpriseLicense, + PolicyName: "license", + } + if cfg.EnableEnterprise { + vault.SaveSecret(t, vaultClient, licenseSecret) + } + + // Bootstrap Token + bootstrapToken, err := uuid.GenerateUUID() + require.NoError(t, err) + bootstrapTokenSecret := &vault.SaveVaultSecretConfiguration{ + Path: "consul/data/secret/bootstrap", + Key: "token", + Value: bootstrapToken, + PolicyName: "bootstrap", + } + vault.SaveSecret(t, vaultClient, bootstrapTokenSecret) + + // ------------------------- + // Additional Auth Roles + // ------------------------- + serverPolicies := fmt.Sprintf("%s,%s,%s,%s", gossipSecret.PolicyName, connectCAPolicy, serverPKIConfig.PolicyName, bootstrapTokenSecret.PolicyName) + if cfg.EnableEnterprise { + serverPolicies += fmt.Sprintf(",%s", licenseSecret.PolicyName) + } + + // server + consulServerRole := "server" + vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{ + ServiceAccountName: serverPKIConfig.ServiceAccountName, + KubernetesNamespace: ns, + AuthMethodPath: "kubernetes", + RoleName: consulServerRole, + PolicyNames: serverPolicies, + }) + + // client + consulClientRole := "client" + consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "client") + vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{ + ServiceAccountName: consulClientServiceAccountName, + 
KubernetesNamespace: ns, + AuthMethodPath: "kubernetes", + RoleName: consulClientRole, + PolicyNames: gossipSecret.PolicyName, + }) + + // manageSystemACLs + manageSystemACLsRole := "server-acl-init" + manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "server-acl-init") + vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{ + ServiceAccountName: manageSystemACLsServiceAccountName, + KubernetesNamespace: ns, + AuthMethodPath: "kubernetes", + RoleName: manageSystemACLsRole, + PolicyNames: bootstrapTokenSecret.PolicyName, + }) + + // allow all components to access server ca + vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{ + ServiceAccountName: "*", + KubernetesNamespace: ns, + AuthMethodPath: "kubernetes", + RoleName: serverPKIConfig.RoleName, + PolicyNames: serverPKIConfig.PolicyName, + }) + + // pathForConnectInjectWebookCerts := + // vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient, + // consulReleaseName, ns, "dc1", "1h") + // pathForControllerWebookCerts := + // vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient, + // consulReleaseName, ns, "dc1", "1h") + + vaultCASecret := vault.CASecretName(vaultReleaseName) + + consulHelmValues := map[string]string{ + "server.extraVolumes[0].type": "secret", + "server.extraVolumes[0].name": vaultCASecret, + "server.extraVolumes[0].load": "false", + + "connectInject.enabled": "true", + "connectInject.replicas": "1", + "controller.enabled": "true", + "global.secretsBackend.vault.connectInject.tlsCert.secretName": connectInjectorWebhookPKIConfig.CertPath, + "global.secretsBackend.vault.connectInject.caCert.secretName": connectInjectorWebhookPKIConfig.CAPath, + "global.secretsBackend.vault.controller.tlsCert.secretName": controllerWebhookPKIConfig.CertPath, + "global.secretsBackend.vault.controller.caCert.secretName": controllerWebhookPKIConfig.CAPath, + + "global.secretsBackend.vault.enabled": 
"true", + "global.secretsBackend.vault.consulServerRole": consulServerRole, + "global.secretsBackend.vault.consulClientRole": consulClientRole, + "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, + "global.secretsBackend.vault.consulConnectInjectCARole": connectInjectorWebhookPKIConfig.RoleName, + "global.secretsBackend.vault.consulControllerCARole": controllerWebhookPKIConfig.RoleName, + "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, + + "global.secretsBackend.vault.ca.secretName": vaultCASecret, + "global.secretsBackend.vault.ca.secretKey": "tls.crt", + + "global.secretsBackend.vault.connectCA.address": vaultCluster.Address(), + "global.secretsBackend.vault.connectCA.rootPKIPath": connectCARootPath, + "global.secretsBackend.vault.connectCA.intermediatePKIPath": connectCAIntermediatePath, + + "global.acls.manageSystemACLs": "true", + "global.acls.bootstrapToken.secretName": bootstrapTokenSecret.Path, + "global.acls.bootstrapToken.secretKey": bootstrapTokenSecret.Key, + "global.tls.enabled": "true", + "global.gossipEncryption.secretName": gossipSecret.Path, + "global.gossipEncryption.secretKey": gossipSecret.Key, + + "ingressGateways.enabled": "true", + "ingressGateways.defaults.replicas": "1", + "terminatingGateways.enabled": "true", + "terminatingGateways.defaults.replicas": "1", + + "server.serverCert.secretName": serverPKIConfig.CertPath, + "global.tls.caCert.secretName": serverPKIConfig.CAPath, + "global.tls.enableAutoEncrypt": "true", + + // For sync catalog, it is sufficient to check that the deployment is running and ready + // because we only care that get-auto-encrypt-client-ca init container was able + // to talk to the Consul server using the CA from Vault. For this reason, + // we don't need any services to be synced in either direction. 
+ "syncCatalog.enabled": "true", + "syncCatalog.toConsul": "false", + "syncCatalog.toK8S": "false", + } + + if cfg.EnableEnterprise { + consulHelmValues["global.enterpriseLicense.secretName"] = licenseSecret.Path + consulHelmValues["global.enterpriseLicense.secretKey"] = licenseSecret.Key + } + + logger.Log(t, "Installing Consul") + consulCluster := consul.NewHelmCluster(t, consulHelmValues, ctx, cfg, consulReleaseName) + consulCluster.Create(t) + + // Validate that the gossip encryption key is set correctly. + logger.Log(t, "Validating the gossip key has been set correctly.") + consulCluster.ACLToken = bootstrapToken + consulClient, _ := consulCluster.SetupConsulClient(t, true) + keys, err := consulClient.Operator().KeyringList(nil) + require.NoError(t, err) + // There are two identical keys for LAN and WAN since there is only 1 dc. + require.Len(t, keys, 2) + require.Equal(t, 1, keys[0].PrimaryKeys[gossipKey]) + + // Confirm that the Vault Connect CA has been bootstrapped correctly. + caConfig, _, err := consulClient.Connect().CAGetConfig(nil) + require.NoError(t, err) + require.Equal(t, caConfig.Provider, "vault") + + // Validate that consul sever is running correctly and the consul members command works + logger.Log(t, "Confirming that we can run Consul commands when exec'ing into server container") + membersOutput, err := k8s.RunKubectlAndGetOutputWithLoggerE(t, ctx.KubectlOptions(t), terratestLogger.Discard, "exec", fmt.Sprintf("%s-consul-server-0", consulReleaseName), "-c", "consul", "--", "sh", "-c", fmt.Sprintf("CONSUL_HTTP_TOKEN=%s consul members", bootstrapToken)) + logger.Logf(t, "Members: \n%s", membersOutput) + require.NoError(t, err) + require.Contains(t, membersOutput, fmt.Sprintf("%s-consul-server-0", consulReleaseName)) + + if cfg.EnableEnterprise { + // Validate that the enterprise license is set correctly. 
+ logger.Log(t, "Validating the enterprise license has been set correctly.") + license, licenseErr := consulClient.Operator().LicenseGet(nil) + require.NoError(t, licenseErr) + require.True(t, license.Valid) + } + + // Deploy two services and check that they can talk to each other. + logger.Log(t, "creating static-server and static-client deployments") + k8s.DeployKustomize(t, ctx.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-server-inject") + if cfg.EnableTransparentProxy { + k8s.DeployKustomize(t, ctx.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-client-tproxy") + } else { + k8s.DeployKustomize(t, ctx.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-client-inject") + } + helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() { + k8s.KubectlDeleteK(t, ctx.KubectlOptions(t), "../fixtures/bases/intention") + }) + k8s.KubectlApplyK(t, ctx.KubectlOptions(t), "../fixtures/bases/intention") + + logger.Log(t, "checking that connection is successful") + if cfg.EnableTransparentProxy { + k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), staticClientName, "http://static-server") + } else { + k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), staticClientName, "http://localhost:1234") + } +} diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index bf755a2152..f85efd37eb 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
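Review bot: The comment above `connectInjectorWebhookPKIConfig` reads `// Configure controller webhook PKI`, copied from the block above it; it should say `// Configure connect injector webhook PKI`. Further down, `require.Equal(t, caConfig.Provider, "vault")` passes actual before expected, so a failure would print the two values with swapped labels; `require.Equal(t, "vault", caConfig.Provider)` matches the other assertions in the file. The auth role created under `// allow all components to access server ca` binds `ServiceAccountName: "*"`, so every service account in the namespace can log in to `serverPKIConfig.RoleName` and obtain whatever capabilities `consul-ca-policy` carries; that is presumably acceptable for a throwaway test cluster, but the comment should say so explicitly (e.g. `// Test-only: the wildcard SA binding lets every component fetch the server CA; bind named service accounts in real deployments`) so it is not copied as a recommended configuration.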
@@ -44,6 +44,8 @@ spec:
 "vault.hashicorp.com/agent-inject": "true"
 {{- if .Values.global.secretsBackend.vault.consulConnectInjectCARole }}
 "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulConnectInjectCARole }}
+ {{ else }}
+ "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
 {{ end }}
 "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml
index 7159f660e7..a37c35c5bd 100644
--- a/charts/consul/templates/controller-deployment.yaml
+++ b/charts/consul/templates/controller-deployment.yaml
@@ -36,6 +36,8 @@ spec:
 "vault.hashicorp.com/agent-inject": "true"
 {{- if .Values.global.secretsBackend.vault.consulControllerCARole }}
 "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulControllerCARole }}
+ {{ else }}
+ "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
 {{ end }}
 "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
 "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats
index 93b9a403d6..c9de5bb9e7 100755
--- a/charts/consul/test/unit/connect-inject-deployment.bats
+++ b/charts/consul/test/unit/connect-inject-deployment.bats
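Review bot: The new `{{ else }}` branch makes the connect-inject pod authenticate to Vault as `global.secretsBackend.vault.consulCARole` whenever `consulConnectInjectCARole` is empty, but nothing in the chart text tells an operator that this fallback exists; the values documentation for `consulConnectInjectCARole` and `consulControllerCARole` should state that they default to `consulCARole`, and a template comment such as `{{/* Fall back to the server CA role so the agent can still fetch serverca.crt */}}` above the `if` would make the intent visible here. The identical hunk in controller-deployment.yaml needs the same treatment. Since the fallback role is also the one the server uses, it is worth confirming that the policy behind `consulCARole` grants the webhook pods nothing beyond reading the CA.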
@@ -2169,7 +2169,7 @@ EOF [ "${actual}" == "" ] } -@test "connectInject/Deployment: vault vault.hashicorp.com/role not set if global.secretsBackend.vault.consulConnectInjectCARole is not set" { +@test "connectInject/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulCARole if global.secretsBackend.vault.consulConnectInjectCARole is not set" { cd `chart_dir` local cmd=$(helm template \ -s templates/connect-inject-deployment.yaml \ @@ -2186,7 +2186,7 @@ EOF local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr)" - [ "${actual}" = "" ] + [ "${actual}" = "carole" ] } #-------------------------------------------------------------------- diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 7c445958f1..168e8f2e0d 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats @@ -1145,7 +1145,7 @@ load _helpers [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } -@test "controller/Deployment: vault vault.hashicorp.com/role not set if global.secretsBackend.vault.consulControllerCARole is not set" { +@test "controller/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulControllerCARole if global.secretsBackend.vault.consulControllerCARole is not set" { cd `chart_dir` local cmd=$(helm template \ -s templates/controller-deployment.yaml \ 
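Review bot: The renamed controller test title says the role is `set to global.secretsBackend.vault.consulControllerCARole if global.secretsBackend.vault.consulControllerCARole is not set`, which contradicts itself. The assertion in the following hunk expects `test2`, the value given to `consulCARole`, so the title should read `set to global.secretsBackend.vault.consulCARole if global.secretsBackend.vault.consulControllerCARole is not set`, matching the connectInject test renamed in the first hunk of this file.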
@@ -1154,7 +1154,6 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ @@ -1164,7 +1163,7 @@ load _helpers local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr)" - [ "${actual}" = "" ] + [ "${actual}" = "test2" ] } #-------------------------------------------------------------------- # Vault agent annotations From dfe53c41930b4fcdd8b94ce14f5717de9de5c2c3 Mon Sep 17 00:00:00 2001 From: John Murret Date: Fri, 20 May 2022 18:27:34 -0600 Subject: [PATCH 46/80] Updating the doc string for TestVault_WebhookCerts --- acceptance/tests/vault/vault_webhook_certs_test.go | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/acceptance/tests/vault/vault_webhook_certs_test.go b/acceptance/tests/vault/vault_webhook_certs_test.go index 8a36c88400..ace9d612a9 100644 --- a/acceptance/tests/vault/vault_webhook_certs_test.go +++ b/acceptance/tests/vault/vault_webhook_certs_test.go @@ -18,6 +18,10 @@ import ( // It then configures Consul to use vault as the backend and checks that it works // by turning off web cert manager and configuring controller and connect injector // to receive ca bundles and tls certs from Vault PKI engine. +// This test is modeled after TestVault() with the addition of configuring it +// to turn off web cert manager and have controller get tls and ca certs +// from Vault PKI Engine. + func TestVault_WebhookCerts(t *testing.T) { cfg := suite.Config() ctx := suite.Environment().DefaultContext(t) 
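Review bot: The added empty `+` line between `// from Vault PKI Engine.` and `func TestVault_WebhookCerts(t *testing.T) {` detaches the comment from the declaration: Go only treats a comment as the doc comment when it immediately precedes the declaration, so `go doc` and editors will stop showing it. Remove the blank line. The new wording also says the test has `controller get tls and ca certs` from Vault, while the test configures both the controller and the connect injector (the file sets up `connectInjectorWebhookPKIConfig` too), so `have the controller and connect injector get tls and ca certs` would be accurate.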
@@ -170,13 +174,6 @@ func TestVault_WebhookCerts(t *testing.T) { PolicyNames: serverPKIConfig.PolicyName, }) - // pathForConnectInjectWebookCerts := - // vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient, - // consulReleaseName, ns, "dc1", "1h") - // pathForControllerWebookCerts := - // vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient, - // consulReleaseName, ns, "dc1", "1h") - vaultCASecret := vault.CASecretName(vaultReleaseName) consulHelmValues := map[string]string{ From 75e2248594bdcfb28613b1b84bc36aca777a6d76 Mon Sep 17 00:00:00 2001 From: John Murret Date: Sun, 22 May 2022 12:11:38 -0600 Subject: [PATCH 47/80] correct rebasing issues --- acceptance/tests/vault/vault_wan_fed_test.go | 87 +------------------ .../tests/vault/vault_webhook_certs_test.go | 60 +++++++------ 2 files changed, 36 insertions(+), 111 deletions(-) diff --git a/acceptance/tests/vault/vault_wan_fed_test.go b/acceptance/tests/vault/vault_wan_fed_test.go index 586b540ab9..2a1b3178b4 100644 --- a/acceptance/tests/vault/vault_wan_fed_test.go +++ b/acceptance/tests/vault/vault_wan_fed_test.go 
@@ -209,92 +209,13 @@ func TestVault_WANFederationViaGateways(t *testing.T) { } replicationTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient) - // ------------------------- - // PKI - // ------------------------- - // dc1 - // Configure Service Mesh CA - connectCAPolicy := "connect-ca-dc1" - connectCARootPath := "connect_root" - connectCAIntermediatePath := "dc1/connect_inter" - // Configure Policy for Connect CA - vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicy, connectCARootPath, connectCAIntermediatePath) - - //Configure Server PKI - serverPKIConfig := &vault.PKIAndAuthRoleConfiguration{ - BaseURL: "pki", - PolicyName: "consul-ca-policy", - RoleName: "consul-ca-role", - KubernetesNamespace: ns, - DataCenter: "dc1", - ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), - AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), - MaxTTL: "1h", - AuthMethodPath: "kubernetes", - } - vault.ConfigurePKIAndAuthRole(t, vaultClient, serverPKIConfig) - - // dc2 - // Configure Service Mesh CA - connectCAPolicySecondary := "connect-ca-dc2" - connectCARootPathSecondary := "connect_root" - connectCAIntermediatePathSecondary := "dc2/connect_inter" - // Configure Policy for Connect CA - vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicySecondary, connectCARootPathSecondary, connectCAIntermediatePathSecondary) - - // Configure Server PKI - serverPKIConfigSecondary := &vault.PKIAndAuthRoleConfiguration{ - BaseURL: "pki", - PolicyName: "consul-ca-policy-dc2", - RoleName: "consul-ca-role-dc2", - KubernetesNamespace: ns, - DataCenter: "dc2", - ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), - AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), - MaxTTL: "1h", - AuthMethodPath: secondaryAuthMethodName, - SkipPKIMount: true, - } - vault.ConfigurePKIAndAuthRole(t, vaultClient, serverPKIConfigSecondary) - - // 
------------------------- - // KV2 secrets - // ------------------------- - // Gossip key - gossipKey, err := vault.GenerateGossipSecret() - require.NoError(t, err) - gossipSecret := &vault.SaveVaultSecretConfiguration{ - Path: "consul/data/secret/gossip", - Key: "gossip", - Value: gossipKey, - PolicyName: "gossip", - } - vault.SaveSecret(t, vaultClient, gossipSecret) - - // License - licenseSecret := &vault.SaveVaultSecretConfiguration{ - Path: "consul/data/secret/license", - Key: "license", - Value: cfg.EnterpriseLicense, - PolicyName: "license", - } - if cfg.EnableEnterprise { - vault.SaveSecret(t, vaultClient, licenseSecret) - } - - // Bootstrap Token - bootstrapToken, err := uuid.GenerateUUID() - require.NoError(t, err) - bootstrapTokenSecret := &vault.SaveVaultSecretConfiguration{ - Path: "consul/data/secret/bootstrap", - Key: "token", - Value: bootstrapToken, - PolicyName: "bootstrap", - } - // -------------------------------------------- // Additional Auth Roles for Primary Datacenter // -------------------------------------------- + commonServerPolicies := "gossip" + if cfg.EnableEnterprise { + commonServerPolicies += ",license" + } // server serverPolicies := fmt.Sprintf("%s,%s,%s,%s", commonServerPolicies, connectCAPolicy, serverPKIConfig.PolicyName, bootstrapTokenSecret.PolicyName) if cfg.EnableEnterprise { diff --git a/acceptance/tests/vault/vault_webhook_certs_test.go b/acceptance/tests/vault/vault_webhook_certs_test.go index ace9d612a9..bc6c5cde22 100644 --- a/acceptance/tests/vault/vault_webhook_certs_test.go +++ b/acceptance/tests/vault/vault_webhook_certs_test.go @@ -59,7 +59,7 @@ func TestVault_WebhookCerts(t *testing.T) { MaxTTL: "1h", AuthMethodPath: "kubernetes", } - vault.ConfigurePKIAndAuthRole(t, vaultClient, serverPKIConfig) + serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) // Configure controller webhook PKI controllerWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ 
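Review bot: `commonServerPolicies := "gossip"` and the `",license"` suffix hard-code policy names that the deleted block took from `gossipSecret.PolicyName` and `licenseSecret.PolicyName`; if those secrets are still declared earlier in the function (the commit message suggests the deleted block was a rebase duplicate), the new lines should reference them, e.g. `commonServerPolicies := gossipSecret.PolicyName`, so a renamed policy cannot silently desynchronise the auth role from the secret's read policy. The retained `serverPolicies := fmt.Sprintf(...)` line still uses `connectCAPolicy`, `serverPKIConfig` and `bootstrapTokenSecret`, all of which this hunk deletes; that only compiles if the same names are declared outside the hunk, which cannot be confirmed from here. The enclosing function continues outside the hunk.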
@@ -73,7 +73,7 @@ func TestVault_WebhookCerts(t *testing.T) { MaxTTL: "1h", AuthMethodPath: "kubernetes", } - vault.ConfigurePKIAndAuthRole(t, vaultClient, controllerWebhookPKIConfig) + controllerWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) // Configure controller webhook PKI connectInjectorWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ @@ -87,7 +87,7 @@ func TestVault_WebhookCerts(t *testing.T) { MaxTTL: "1h", AuthMethodPath: "kubernetes", } - vault.ConfigurePKIAndAuthRole(t, vaultClient, connectInjectorWebhookPKIConfig) + connectInjectorWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) // ------------------------- // KV2 secrets @@ -95,35 +95,35 @@ func TestVault_WebhookCerts(t *testing.T) { // Gossip key gossipKey, err := vault.GenerateGossipSecret() require.NoError(t, err) - gossipSecret := &vault.SaveVaultSecretConfiguration{ + gossipSecret := &vault.KV2Secret{ Path: "consul/data/secret/gossip", Key: "gossip", Value: gossipKey, PolicyName: "gossip", } - vault.SaveSecret(t, vaultClient, gossipSecret) + gossipSecret.SaveSecretAndAddReadPolicy(t, vaultClient) // License - licenseSecret := &vault.SaveVaultSecretConfiguration{ + licenseSecret := &vault.KV2Secret{ Path: "consul/data/secret/license", Key: "license", Value: cfg.EnterpriseLicense, PolicyName: "license", } if cfg.EnableEnterprise { - vault.SaveSecret(t, vaultClient, licenseSecret) + licenseSecret.SaveSecretAndAddReadPolicy(t, vaultClient) } // Bootstrap Token bootstrapToken, err := uuid.GenerateUUID() require.NoError(t, err) - bootstrapTokenSecret := &vault.SaveVaultSecretConfiguration{ + bootstrapTokenSecret := &vault.KV2Secret{ Path: "consul/data/secret/bootstrap", Key: "token", Value: bootstrapToken, PolicyName: "bootstrap", } - vault.SaveSecret(t, vaultClient, bootstrapTokenSecret) + bootstrapTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient) // ------------------------- // Additional Auth Roles 
@@ -134,45 +134,49 @@ func TestVault_WebhookCerts(t *testing.T) { } // server - consulServerRole := "server" - vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{ + consulServerRole := ServerRole + srvAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ ServiceAccountName: serverPKIConfig.ServiceAccountName, KubernetesNamespace: ns, - AuthMethodPath: "kubernetes", + AuthMethodPath: KubernetesAuthMethodPath, RoleName: consulServerRole, PolicyNames: serverPolicies, - }) + } + srvAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) // client - consulClientRole := "client" - consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "client") - vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{ + consulClientRole := ClientRole + consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, ClientRole) + clientAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ ServiceAccountName: consulClientServiceAccountName, KubernetesNamespace: ns, - AuthMethodPath: "kubernetes", + AuthMethodPath: KubernetesAuthMethodPath, RoleName: consulClientRole, PolicyNames: gossipSecret.PolicyName, - }) + } + clientAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) // manageSystemACLs - manageSystemACLsRole := "server-acl-init" - manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "server-acl-init") - vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{ + manageSystemACLsRole := ManageSystemACLsRole + manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, ManageSystemACLsRole) + aclAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ ServiceAccountName: manageSystemACLsServiceAccountName, KubernetesNamespace: ns, - AuthMethodPath: "kubernetes", + AuthMethodPath: KubernetesAuthMethodPath, RoleName: manageSystemACLsRole, PolicyNames: bootstrapTokenSecret.PolicyName, - }) + } + 
aclAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) // allow all components to access server ca - vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{ + srvCAAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ ServiceAccountName: "*", KubernetesNamespace: ns, - AuthMethodPath: "kubernetes", + AuthMethodPath: KubernetesAuthMethodPath, RoleName: serverPKIConfig.RoleName, PolicyNames: serverPKIConfig.PolicyName, - }) + } + srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) vaultCASecret := vault.CASecretName(vaultReleaseName) @@ -283,8 +287,8 @@ func TestVault_WebhookCerts(t *testing.T) { logger.Log(t, "checking that connection is successful") if cfg.EnableTransparentProxy { - k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), staticClientName, "http://static-server") + k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), StaticClientName, "http://static-server") } else { - k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), staticClientName, "http://localhost:1234") + k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), StaticClientName, "http://localhost:1234") } } From 2c1a2dd763b36d451cd34dec88dc2980606b8e5b Mon Sep 17 00:00:00 2001 From: John Murret Date: Sun, 22 May 2022 12:28:48 -0600 Subject: [PATCH 48/80] removing unneccessary format changes. refactoring consul.serverTLSCATemplate to use consul.vaultCATemplate --- .../tests/snapshot-agent/snapshot_agent_vault_test.go | 11 +---------- acceptance/tests/vault/vault_namespaces_test.go | 2 -- acceptance/tests/vault/vault_wan_fed_test.go | 7 ++++--- charts/consul/templates/_helpers.tpl | 5 +---- 4 files changed, 6 insertions(+), 19 deletions(-) diff --git a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go index cbcafb7f71..bde2d88ab0 100644 --- a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go 
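Review bot: `consulServerRole := ServerRole`, `consulClientRole := ClientRole` and `manageSystemACLsRole := ManageSystemACLsRole` are now one-line aliases of package constants that are only passed through to the auth role structs and the Helm values map; using the constants directly would remove three locals without changing behaviour. Separately, `ManageSystemACLsRole` is now used both as the Vault role name and as the service account suffix in `manageSystemACLsServiceAccountName`, where the previous code used the literal `"server-acl-init"` for both; that only stays correct while the constant equals the chart's service account suffix, so a comment such as `// the SA suffix must match the chart's server-acl-init service account name` would guard against a later rename of the constant. The enclosing function continues outside the hunk.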
+++ b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go @@ -177,13 +177,6 @@ func TestSnapshotAgent_Vault(t *testing.T) { } saAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) - // pathForConnectInjectWebookCerts := - // vault.ConfigurePKICertificatesForConnectInjectWebhook(t, vaultClient, - // consulReleaseName, ns, "dc1", "1h") - // pathForControllerWebookCerts := - // vault.ConfigurePKICertificatesForControllerWebhook(t, vaultClient, - // consulReleaseName, ns, "dc1", "1h") - vaultCASecret := vault.CASecretName(vaultReleaseName) consulHelmValues := map[string]string{ @@ -193,9 +186,7 @@ func TestSnapshotAgent_Vault(t *testing.T) { "connectInject.enabled": "true", "connectInject.replicas": "1", - // "secretsBackend.vault.connectInject.tlsCert.secretName": pathForConnectInjectWebookCerts, - "controller.enabled": "true", - // "secretsBackend.vault.controller.tlsCert.secretName": pathForControllerWebookCerts, + "controller.enabled": "true", "global.secretsBackend.vault.enabled": "true", "global.secretsBackend.vault.consulServerRole": consulServerRole, diff --git a/acceptance/tests/vault/vault_namespaces_test.go b/acceptance/tests/vault/vault_namespaces_test.go index a7ddec906c..82ed605a48 100644 --- a/acceptance/tests/vault/vault_namespaces_test.go +++ b/acceptance/tests/vault/vault_namespaces_test.go @@ -93,7 +93,6 @@ func TestVault_VaultNamespace(t *testing.T) { Value: gossipKey, PolicyName: "gossip", } - gossipSecret.SaveSecretAndAddReadPolicy(t, vaultClient) // License @@ -116,7 +115,6 @@ func TestVault_VaultNamespace(t *testing.T) { Value: bootstrapToken, PolicyName: "bootstrap", } - bootstrapTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient) // ------------------------- diff --git a/acceptance/tests/vault/vault_wan_fed_test.go b/acceptance/tests/vault/vault_wan_fed_test.go index 2a1b3178b4..1d24614907 100644 --- a/acceptance/tests/vault/vault_wan_fed_test.go +++ b/acceptance/tests/vault/vault_wan_fed_test.go 
@@ -209,13 +209,14 @@ func TestVault_WANFederationViaGateways(t *testing.T) {
 }
 replicationTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient)
 
- // --------------------------------------------
- // Additional Auth Roles for Primary Datacenter
- // --------------------------------------------
 commonServerPolicies := "gossip"
 if cfg.EnableEnterprise {
 commonServerPolicies += ",license"
 }
+
+ // --------------------------------------------
+ // Additional Auth Roles for Primary Datacenter
+ // --------------------------------------------
 // server
 serverPolicies := fmt.Sprintf("%s,%s,%s,%s", commonServerPolicies, connectCAPolicy, serverPKIConfig.PolicyName, bootstrapTokenSecret.PolicyName)
 if cfg.EnableEnterprise {
diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
index eb2ed1f7aa..bb8f80a5ed 100644
--- a/charts/consul/templates/_helpers.tpl
+++ b/charts/consul/templates/_helpers.tpl
@@ -30,10 +30,7 @@ as well as the global.name setting.
 {{- end -}}
 
 {{- define "consul.serverTLSCATemplate" -}}
- |
- {{ "{{" }}- with secret "{{ .Values.global.tls.caCert.secretName }}" -{{ "}}" }}
- {{ "{{" }}- .Data.certificate -{{ "}}" }}
- {{ "{{" }}- end -{{ "}}" }}
+{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }}
 {{- end -}}
 
 {{- define "consul.serverTLSCertTemplate" -}}
From 7450ca54e52eebe5c201ff322af62d08ada76fe6 Mon Sep 17 00:00:00 2001
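Review bot: The rewritten `consul.serverTLSCATemplate` delegates to `consul.vaultCATemplate` with `.Values.global.tls.caCert` as its context, but the removed lines emitted a leading `|` block-scalar line and read `.secretName` explicitly, and whether the included template reproduces both is not visible in this hunk. The new `{{ include ... }}` also drops the `{{-` whitespace trim that the neighbouring `define`/`end` lines use, so a stray newline at the start of the rendered annotation is possible. Please confirm with the existing unit tests for the server CA annotation that the rendered template is unchanged, since a malformed CA template here would leave servers without a trusted CA at startup rather than failing loudly at `helm template` time.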
From: John Murret
Date: Sun, 22 May 2022 12:52:22 -0600
Subject: [PATCH 49/80] updating test descriptions for webhook-cert-manager resources

---
 charts/consul/test/unit/webhook-cert-manager-clusterrole.bats | 2 +-
 .../test/unit/webhook-cert-manager-clusterrolebinding.bats | 2 +-
 charts/consul/test/unit/webhook-cert-manager-configmap.bats | 2 +-
 charts/consul/test/unit/webhook-cert-manager-deployment.bats | 2 +-
 .../test/unit/webhook-cert-manager-podsecuritypolicy.bats | 2 +-
 .../consul/test/unit/webhook-cert-manager-serviceaccount.bats | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
index 06eca25c7a..8992054337 100644
--- a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
@@ -149,7 +149,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/ClusterRole: disabled when global.secretsBackend.vault.enabled=true" {
+@test "webhookCertManager/ClusterRole: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-clusterrole.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
index f1802620ba..da7a4a5fa5 100644
--- a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
@@ -43,7 +43,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/ClusterRoleBinding: disabled when global.secretsBackend.vault.enabled=true" {
+@test "webhookCertManager/ClusterRoleBinding: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-clusterrolebinding.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-configmap.bats b/charts/consul/test/unit/webhook-cert-manager-configmap.bats
index d8ae415079..83e630148e 100644
--- a/charts/consul/test/unit/webhook-cert-manager-configmap.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-configmap.bats
@@ -95,7 +95,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/Configmap: disabled when global.secretsBackend.vault.enabled=true" {
+@test "webhookCertManager/Configmap: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-configmap.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-deployment.bats b/charts/consul/test/unit/webhook-cert-manager-deployment.bats
index cb202f1b70..781d5af881 100644
--- a/charts/consul/test/unit/webhook-cert-manager-deployment.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-deployment.bats
@@ -66,7 +66,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/Deployment: disabled when global.secretsBackend.vault.enabled=true" {
+@test "webhookCertManager/Deployment: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-deployment.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
index af071cdd75..b87d233bf5 100644
--- a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
@@ -54,7 +54,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/PodSecurityPolicy: disabled when global.secretsBackend.vault.enabled=true" {
+@test "webhookCertManager/PodSecurityPolicy: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-podsecuritypolicy.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
index 0e740189c0..f06b0f772e 100644
--- a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
@@ -64,7 +64,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/ServiceAccount: disabled when global.secretsBackend.vault.enabled=true" {
+@test "webhookCertManager/ServiceAccount: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-serviceaccount.yaml \
From d1cdbc783871471f3046a4b57a637b86e1ff49c7 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Sun, 22 May 2022 19:09:34 -0600
Subject: [PATCH 50/80] updating connect-inject-clusterrole and controller-clusterrole tests

---
 .../templates/connect-inject-clusterrole.yaml | 2 +
 .../templates/controller-clusterrole.yaml | 2 +
 .../test/unit/connect-inject-clusterrole.bats | 74 ++++---
 .../test/unit/controller-clusterrole.bats | 186 ++++++++++++++++++
 .../webhook-cert-manager-clusterrole.bats | 2 +-
 ...bhook-cert-manager-clusterrolebinding.bats | 2 +-
 .../unit/webhook-cert-manager-configmap.bats | 2 +-
 .../unit/webhook-cert-manager-deployment.bats | 2 +-
 ...ebhook-cert-manager-podsecuritypolicy.bats | 2 +-
 .../webhook-cert-manager-serviceaccount.bats | 2 +-
 10 files changed, 241 insertions(+), 35 deletions(-)

diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml
index 12beb949b9..953ac4169d 100644
--- a/charts/consul/templates/connect-inject-clusterrole.yaml
+++ b/charts/consul/templates/connect-inject-clusterrole.yaml
@@ -33,6 +33,7 @@ rules:
 - get
 - list
 - update
+{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}}
 - apiGroups:
 - admissionregistration.k8s.io
 resources:
@@ -42,6 +43,7 @@ rules:
 - list
 - watch
 - patch
+{{- end }}
 {{- if .Values.global.enablePodSecurityPolicies }}
 - apiGroups: [ "policy" ]
 resources: [ "podsecuritypolicies" ]
diff --git a/charts/consul/templates/controller-clusterrole.yaml b/charts/consul/templates/controller-clusterrole.yaml
index aa7a09c414..4cf41bed3b 100644
--- a/charts/consul/templates/controller-clusterrole.yaml
+++ b/charts/consul/templates/controller-clusterrole.yaml
@@ -57,6 +57,7 @@ rules:
 - get
 - list
 - update
+{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName)}}
 - apiGroups:
 - admissionregistration.k8s.io
 resources:
@@ -66,6 +67,7 @@ rules:
 - list
 - watch
 - patch
+{{- end }}
 {{- if .Values.global.enablePodSecurityPolicies }}
 - apiGroups: ["policy"]
 resources: ["podsecuritypolicies"]
diff --git a/charts/consul/test/unit/connect-inject-clusterrole.bats b/charts/consul/test/unit/connect-inject-clusterrole.bats
index 44bfab62a2..de06be9bc6 100644
--- a/charts/consul/test/unit/connect-inject-clusterrole.bats
+++ b/charts/consul/test/unit/connect-inject-clusterrole.bats
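Review bot: The gate added before the `admissionregistration.k8s.io` rule in connect-inject-clusterrole.yaml spells out a four-value `and` inline, controller-clusterrole.yaml on the same line repeats it with the controller values, and the same conditions reappear negated in `consul.maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete` in _helpers.tpl, so three sites can drift apart the next time a value is added. A named template per component (for example a `consul.vaultConnectInjectWebhookCertsEnabled` define evaluated once and reused by the deployment and the ClusterRole) would keep the RBAC grant and the validation in step. Granting `mutatingwebhookconfigurations` get/list/watch/patch only when the component manages its own certificate is the right least-privilege direction; as a nit, the opening `{{- if (and ...)}}` lacks the space before `}}` that `{{- end }}` and the rest of the file use.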
@@ -96,35 +96,6 @@ load _helpers
 [ "${actual}" != null ]
 }
 
-@test "connectInject/ClusterRole: sets get, list, watch, and patch access to mutatingwebhookconfigurations" {
- cd `chart_dir`
- local object=$(helm template \
- -s templates/connect-inject-clusterrole.yaml \
- --set 'global.enabled=false' \
- --set 'client.enabled=true' \
- --set 'connectInject.enabled=true' \
- . | tee /dev/stderr |
- yq -r '.rules[2]' | tee /dev/stderr)
-
- local actual=$(echo $object | yq -r '.resources[0]' | tee /dev/stderr)
- [ "${actual}" = "mutatingwebhookconfigurations" ]
-
- local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr)
- [ "${actual}" = "admissionregistration.k8s.io" ]
-
- local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr)
- [ "${actual}" != null ]
-
- local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr)
- [ "${actual}" != null ]
-
- local actual=$(echo $object | yq -r '.verbs | index("patch")' | tee /dev/stderr)
- [ "${actual}" != null ]
-
- local actual=$(echo $object | yq -r '.verbs | index("watch")' | tee /dev/stderr)
- [ "${actual}" != null ]
-}
-
 @test "connectInject/ClusterRole: sets get access to serviceaccounts when manageSystemACLSis true" {
 cd `chart_dir`
 local object=$(helm template \
@@ -170,3 +141,48 @@ load _helpers
 yq -r '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
 [ "${actual}" = "1" ]
 }
+
+#--------------------------------------------------------------------
+# vault
+
+@test "connectInject/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurationswhen the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, and global.secretsBackend.vault.connectInject.caCert.secretName." {
+ cd `chart_dir`
+ local object=$(helm template \
+ -s templates/connect-inject-clusterrole.yaml \
+ --set 'global.enabled=false' \
+ --set 'client.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'global.secretsBackend.vault.enabled=true' \
+ --set 'global.secretsBackend.vault.consulClientRole=test' \
+ --set 'global.secretsBackend.vault.consulServerRole=foo' \
+ --set 'global.secretsBackend.vault.consulCARole=carole' \
+ --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.consulControllerCARole=test' \
+ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
+ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
+ --set 'global.secretsBackend.vault.consulClientRole=foo' \
+ --set 'global.secretsBackend.vault.consulServerRole=bar' \
+ --set 'global.secretsBackend.vault.consulCARole=test2' \
+ . | tee /dev/stderr |
+ yq -r '.rules[2]' | tee /dev/stderr)
+
+ local actual=$(echo $object | yq -r '.resources[0]' | tee /dev/stderr)
+ [ "${actual}" = "mutatingwebhookconfigurations" ]
+
+ local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr)
+ [ "${actual}" = "admissionregistration.k8s.io" ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("patch")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("watch")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+}
diff --git a/charts/consul/test/unit/controller-clusterrole.bats b/charts/consul/test/unit/controller-clusterrole.bats
index dc0b560e1d..1d8fefd3b2 100644
--- a/charts/consul/test/unit/controller-clusterrole.bats
+++ b/charts/consul/test/unit/controller-clusterrole.bats
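Review bot: The new vault test sets `global.secretsBackend.vault.consulClientRole`, `consulServerRole` and `consulCARole` twice (`test`/`foo`/`carole`, then `foo`/`bar`/`test2`); only the last `--set` wins, so the first three lines are dead and should be dropped, and the controller-side values are irrelevant to this ClusterRole. More importantly, nothing asserts the negative case the template gate exists for: with the vault webhook values unset, the `mutatingwebhookconfigurations` rule must be absent, and the test deleted in the previous hunk was the only one that inspected that rule under default values. A companion test with the same base `--set`s but none of the vault ones, asserting `yq -r '.rules | map(select(.resources[0] == "mutatingwebhookconfigurations")) | length'` equals `0`, would pin that least-privilege property. The same three points apply to the controller-clusterrole.bats vault test in the next file, and both test names read `mutatingwebhookconfigurationswhen` (missing space).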
@@ -18,6 +18,149 @@ load _helpers
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+#--------------------------------------------------------------------
+# rules
+
+@test "controller/ClusterRole: sets create, delete, get, list, patch, update and watch access to all CRDs in the consul.hashicorp.com api group" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -s templates/controller-clusterrole.yaml \
+ --set 'controller.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.rules[0]' | tee /dev/stderr)
+
+ local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr)
+ [ "${actual}" = "consul.hashicorp.com" ]
+
+ local actual=$(echo $object | yq -r '.resources | index("servicedefaults")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("serviceresolvers")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("proxydefaults")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("meshes")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("exportedservices")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("servicerouters")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("servicesplitters")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("serviceintentions")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("ingressgateways")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("terminatinggateways")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("create")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("delete")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("patch")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("update")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("watch")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+}
+
+@test "controller/ClusterRole: sets get, patch, and update to all CRDs status in the consul.hashicorp.com api group" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -s templates/controller-clusterrole.yaml \
+ --set 'controller.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.rules[1]' | tee /dev/stderr)
+
+ local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr)
+ [ "${actual}" = "consul.hashicorp.com" ]
+
+ local actual=$(echo $object | yq -r '.resources | index("servicedefaults/status")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("serviceresolvers/status")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("proxydefaults/status")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("meshes/status")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("exportedservices/status")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("servicerouters/status")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("servicesplitters/status")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("serviceintentions/status")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("ingressgateways/status")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.resources | index("terminatinggateways/status")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("patch")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("update")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+}
+
+@test "controller/ClusterRole: sets create, get, list, and update access to leases in the coordination.k8s.io api group" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -s templates/controller-clusterrole.yaml \
+ --set 'controller.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.rules[2]' | tee /dev/stderr)
+
+ local actual=$(echo $object | yq -r '.resources[| index("leases")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr)
+ [ "${actual}" = "coordination.k8s.io" ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("create")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("update")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+}
 
 #--------------------------------------------------------------------
 # global.enablePodSecurityPolicies
@@ -43,3 +186,46 @@ load _helpers
 yq '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
 [ "${actual}" = "1" ]
 }
+
+#--------------------------------------------------------------------
+# vault
+
+@test "controller/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurationswhen the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." {
+ cd `chart_dir`
+ local object=$(helm template \
+ -s templates/controller-clusterrole.yaml \
+ --set 'controller.enabled=true' \
+ --set 'global.secretsBackend.vault.enabled=true' \
+ --set 'global.secretsBackend.vault.consulClientRole=test' \
+ --set 'global.secretsBackend.vault.consulServerRole=foo' \
+ --set 'global.secretsBackend.vault.consulCARole=carole' \
+ --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
+ --set 'global.secretsBackend.vault.consulControllerCARole=test' \
+ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
+ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
+ --set 'global.secretsBackend.vault.consulClientRole=foo' \
+ --set 'global.secretsBackend.vault.consulServerRole=bar' \
+ --set 'global.secretsBackend.vault.consulCARole=test2' \
+ . | tee /dev/stderr |
+ yq -r '.rules[3]' | tee /dev/stderr)
+
+ local actual=$(echo $object | yq -r '.resources[0]' | tee /dev/stderr)
+ [ "${actual}" = "mutatingwebhookconfigurations" ]
+
+ local actual=$(echo $object | yq -r '.apiGroups[0]' | tee /dev/stderr)
+ [ "${actual}" = "admissionregistration.k8s.io" ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("get")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("list")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("patch")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+
+ local actual=$(echo $object | yq -r '.verbs | index("watch")' | tee /dev/stderr)
+ [ "${actual}" != null ]
+}
diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
index 8992054337..717f19f33c 100644
--- a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
@@ -149,7 +149,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/ClusterRole: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/ClusterRole: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-clusterrole.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
index da7a4a5fa5..7d617c8471 100644
--- a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
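Review bot: The revised description still lists `global.secretsBackend.vault.enabled` twice and keeps a stray leading dot on `.global.secretsBackend.vault.controller.caCert.secretName`; the clusterrolebinding, configmap, deployment and podsecuritypolicy hunks that follow have the same two slips, while the serviceaccount hunk drops the duplicate but keeps the dot, so the six descriptions now disagree with each other. Since these strings are what shows up in test output, one consistent list across all six files, e.g. `disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, ..., and global.secretsBackend.vault.controller.caCert.secretName`, would be preferable.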
@@ -43,7 +43,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/ClusterRoleBinding: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/ClusterRoleBinding: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-clusterrolebinding.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-configmap.bats b/charts/consul/test/unit/webhook-cert-manager-configmap.bats
index 83e630148e..02c0d86461 100644
--- a/charts/consul/test/unit/webhook-cert-manager-configmap.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-configmap.bats
@@ -95,7 +95,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/Configmap: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/Configmap: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-configmap.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-deployment.bats b/charts/consul/test/unit/webhook-cert-manager-deployment.bats
index 781d5af881..889422e19b 100644
--- a/charts/consul/test/unit/webhook-cert-manager-deployment.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-deployment.bats
@@ -66,7 +66,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/Deployment: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/Deployment: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-deployment.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
index b87d233bf5..386363405f 100644
--- a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
@@ -54,7 +54,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
 
-@test "webhookCertManager/PodSecurityPolicy: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/PodSecurityPolicy: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-podsecuritypolicy.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
index f06b0f772e..04e295bc29 100644
--- a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
@@ -64,7 +64,7 @@ load _helpers #-------------------------------------------------------------------- # Vault -@test "webhookCertManager/ServiceAccount: disabled when the following are configured - global.secretsBackend.vault.enabled, .global.secretsBackend.vault.enabled, .global.secretsBackend.vault.consulConnectInjectCARole, .global.secretsBackend.vault.connectInject.tlsCert.secretName, .global.secretsBackend.vault.connectInject.caCert.secretName, .global.secretsBackend.vault.consulControllerCARole, .global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { +@test "webhookCertManager/ServiceAccount: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { cd `chart_dir` assert_empty helm template \ -s templates/webhook-cert-manager-serviceaccount.yaml \ From c061aa8404e9244685a8f72ac5e356531a654322 Mon Sep 17 00:00:00 2001 From: John Murret Date: Sun, 22 May 2022 19:16:58 -0600 Subject: [PATCH 51/80] updated maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete --- charts/consul/templates/_helpers.tpl | 4 ++-- charts/consul/templates/connect-inject-deployment.yaml | 2 +- charts/consul/templates/controller-deployment.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index bb8f80a5ed..863d331d19 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -289,10 +289,10 @@ Fails when at least one but not all of the following have been set: The above values are needed in full to turn off web cert manager and allow connect inject and controller to manage its own webhook certs. -Usage: {{ template "consul.maybeFailValuesForVaultWebhookCertsAreIncomplete" . }} +Usage: {{ template "consul.maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete" . }} */}} -{{- define "consul.maybeFailValuesForVaultWebhookCertsAreIncomplete" -}} +{{- define "consul.maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete" -}} {{- if or .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName}} {{- if or (not .Values.global.secretsBackend.vault.consulConnectInjectCARole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) (not .Values.global.secretsBackend.vault.consulControllerCARole) (not .Values.global.secretsBackend.vault.controller.tlsCert.secretName) (not .Values.global.secretsBackend.vault.controller.caCert.secretName) }} {{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}} diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index f85efd37eb..31a35378d5 100644 
--- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml @@ -8,7 +8,7 @@ {{- if .Values.connectInject.centralConfig }}{{ if .Values.connectInject.centralConfig.proxyDefaults }}{{- if ne (trim .Values.connectInject.centralConfig.proxyDefaults) `{}` }}{{ fail "connectInject.centralConfig.proxyDefaults is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end }}{{ end -}} {{- if .Values.connectInject.imageEnvoy }}{{ fail "connectInject.imageEnvoy must be specified in global.imageEnvoy" }}{{ end }} {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} -{{ template "consul.maybeFailValuesForVaultWebhookCertsAreIncomplete" . }} +{{ template "consul.maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete" . }} {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} # The deployment for running the Connect sidecar injector apiVersion: apps/v1 diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index a37c35c5bd..63a612921a 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml @@ -1,6 +1,6 @@ {{- if .Values.controller.enabled }} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} -{{ template "consul.maybeFailValuesForVaultWebhookCertsAreIncomplete" . }} +{{ template "consul.maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete" . }} apiVersion: apps/v1 kind: Deployment metadata: 
From c3b4c2f9719fd55a990ecbbc4d0d7440ca985969 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 23 May 2022 09:46:23 -0600 Subject: [PATCH 52/80] Adding Changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9fb9fa53e..07704fde5f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ ## UNRELEASED IMPROVEMENTS: +* Control Plane + * Enable configure Connect Injector and Controller Webhooks to be managed by Vault. [[GH-1191](https://github.com/hashicorp/consul-k8s/pull/1191/)] * Helm * Enable the configuring of snapshot intervals in the client snapshot agent via `client.snapshotAgent.interval`. [[GH-1235](https://github.com/hashicorp/consul-k8s/pull/1235)] * Enable configuring the pod topologySpreadConstraints for mesh, terminating, and ingress gateways. [[GH-1257](https://github.com/hashicorp/consul-k8s/pull/1257)] From 1ee0d6c82817c424d2e9173192405a8e7ed0ce97 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 23 May 2022 09:48:08 -0600 Subject: [PATCH 53/80] Update maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete to validateVaultWebhookCertConfiguration --- charts/consul/templates/_helpers.tpl | 4 ++-- charts/consul/templates/connect-inject-deployment.yaml | 2 +- charts/consul/templates/controller-deployment.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 863d331d19..5d7e76e116 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -289,10 +289,10 @@ Fails when at least one but not all of the following have been set: The above values are needed in full to turn off web cert manager and allow connect inject and controller to manage its own webhook certs. -Usage: {{ template "consul.maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete" . }} +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} */}} -{{- define "consul.maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete" -}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} {{- if or .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName}} {{- if or (not .Values.global.secretsBackend.vault.consulConnectInjectCARole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) (not .Values.global.secretsBackend.vault.consulControllerCARole) (not .Values.global.secretsBackend.vault.controller.tlsCert.secretName) (not .Values.global.secretsBackend.vault.controller.caCert.secretName) }} {{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}} diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 31a35378d5..eb5a5a9faa 100644 
--- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml @@ -8,7 +8,7 @@ {{- if .Values.connectInject.centralConfig }}{{ if .Values.connectInject.centralConfig.proxyDefaults }}{{- if ne (trim .Values.connectInject.centralConfig.proxyDefaults) `{}` }}{{ fail "connectInject.centralConfig.proxyDefaults is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end }}{{ end -}} {{- if .Values.connectInject.imageEnvoy }}{{ fail "connectInject.imageEnvoy must be specified in global.imageEnvoy" }}{{ end }} {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} -{{ template "consul.maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete" . }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} # The deployment for running the Connect sidecar injector apiVersion: apps/v1 diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 63a612921a..732bad339d 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml @@ -1,6 +1,6 @@ {{- if .Values.controller.enabled }} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} -{{ template "consul.maybeFailValuesIfVaultWebhookCertSettingsAreIncomplete" . }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} apiVersion: apps/v1 kind: Deployment metadata: 
From 91b432c586d9a34f1666ed3a51f5f8b3406e5ec1 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Mon, 23 May 2022 10:50:35 -0600
Subject: [PATCH 54/80] Updating wbhook vault test to make sure that webhook-cert-manager is not deployed.
---
 .../tests/vault/vault_webhook_certs_test.go | 25 ++++++++++++++-----
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/acceptance/tests/vault/vault_webhook_certs_test.go b/acceptance/tests/vault/vault_webhook_certs_test.go
index bc6c5cde22..a6896fd578 100644
--- a/acceptance/tests/vault/vault_webhook_certs_test.go
+++ b/acceptance/tests/vault/vault_webhook_certs_test.go
@@ -1,31 +1,37 @@
 package vault
 import (
+ "context"
 "fmt"
 "testing"
+ "time"
 terratestLogger "github.com/gruntwork-io/terratest/modules/logger"
 "github.com/hashicorp/consul-k8s/acceptance/framework/consul"
+ "github.com/hashicorp/consul-k8s/acceptance/framework/environment"
 "github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
 "github.com/hashicorp/consul-k8s/acceptance/framework/k8s"
 "github.com/hashicorp/consul-k8s/acceptance/framework/logger"
 "github.com/hashicorp/consul-k8s/acceptance/framework/vault"
 "github.com/hashicorp/go-uuid"
 "github.com/stretchr/testify/require"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 // TestVault_WebhookCerts installs Vault, bootstraps it with secrets, policies, and Kube Auth Method.
 // It then configures Consul to use vault as the backend and checks that it works
 // by turning off web cert manager and configuring controller and connect injector
 // to receive ca bundles and tls certs from Vault PKI engine.
-// This test is modeled after TestVault() with the addition of configuring it
-// to turn off web cert manager and have controller get tls and ca certs
-// from Vault PKI Engine.
+// This test is modeled after TestVault() with the addition of:
+// - ensuring webhook-cert-manager is not deployed.
+// - setting the maxTTL for both controller and connect-inject PKI to rotate
+// to ensure that certificate rotation occurs properly and without error.
 func TestVault_WebhookCerts(t *testing.T) {
 cfg := suite.Config()
 ctx := suite.Environment().DefaultContext(t)
- ns := ctx.KubectlOptions(t).Namespace
+ kubectlOptions := ctx.KubectlOptions(t)
+ ns := kubectlOptions.Namespace
 consulReleaseName := helpers.RandomName()
 vaultReleaseName := helpers.RandomName()
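Review bot: The rewritten doc comment says the shorter maxTTL is there "to ensure that certificate rotation occurs properly and without error", but none of this commit's hunks add an assertion that runs after the TTL elapses; the later hunks set `webhookCertTtl` to 25 seconds and then perform the usual one-shot static-server connectivity check, so a webhook that breaks on its first rotation after that check would pass (the function body continues past the visible hunks, so a later check may exist that I cannot see). Either add a wait longer than `webhookCertTtl` followed by a second injection or connectivity check, or scale the comment back to what is verified, e.g. `// - setting a short maxTTL so that certificate rotation happens while the test runs.`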
@@ -61,6 +67,7 @@ func TestVault_WebhookCerts(t *testing.T) {
 }
 serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient)
+ webhookCertTtl := 25 * time.Second
 // Configure controller webhook PKI
 controllerWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{
 BaseURL: "controller",
@@ -70,7 +77,7 @@ func TestVault_WebhookCerts(t *testing.T) {
 DataCenter: "dc1",
 ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller"),
 AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"),
- MaxTTL: "1h",
+ MaxTTL: webhookCertTtl.String(),
 AuthMethodPath: "kubernetes",
 }
 controllerWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient)
@@ -84,7 +91,7 @@ func TestVault_WebhookCerts(t *testing.T) {
 DataCenter: "dc1",
 ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"),
 AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"),
- MaxTTL: "1h",
+ MaxTTL: webhookCertTtl.String(),
 AuthMethodPath: "kubernetes",
 }
 connectInjectorWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient)
@@ -272,6 +279,11 @@ func TestVault_WebhookCerts(t *testing.T) {
 require.True(t, license.Valid)
 }
+ // Check that webhook-cert-manager is not deployed.
+ client := environment.KubernetesClientFromOptions(t, kubectlOptions)
+ deployments, err := client.AppsV1().Deployments(kubectlOptions.Namespace).List(context.Background(), metav1.ListOptions{LabelSelector: "component=webhook-cert-manager"})
+ require.Empty(t, deployments)
+
 // Deploy two services and check that they can talk to each other.
 logger.Log(t, "creating static-server and static-client deployments")
 k8s.DeployKustomize(t, ctx.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-server-inject")
@@ -291,4 +303,5 @@ func TestVault_WebhookCerts(t *testing.T) {
 } else {
 k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), StaticClientName, "http://localhost:1234")
 }
+ t.Fail()
 }
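Review bot: `webhookCertTtl` in the first hunk should be spelled `webhookCertTTL`; Go keeps initialisms in one case, and the two `MaxTTL:` fields it feeds on the same lines already use that spelling, so `webhookCertTTL := 25 * time.Second` and `MaxTTL: webhookCertTTL.String()` keep them consistent. The constant also deserves a why-comment, since 25 seconds is far below anything a real deployment would use and a reader will otherwise assume it is a mistake: `// Deliberately short so that the webhook certificates are rotated at least once while the test runs.`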
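Review bot: In the `@@ -272,6 +279,11` hunk the `err` returned by the Deployments `List` call is never checked, and `require.Empty(t, deployments)` is applied to the returned list pointer rather than to `deployments.Items`, so an API error and a non-empty list are not told apart the way the comment intends; the last hunk additionally adds an unconditional `t.Fail()`, which makes the test fail on every run. The next commit in this series (PATCH 55/80) adds `require.NoError(t, err)`, asserts on `deployments.Items` and removes the `t.Fail()`, so this is mainly a note that the commit as landed does not stand on its own and a bisect landing here will see a red test. The enclosing function starts and ends outside these hunks.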
From 23d30b85bef4ae551744c9d5e2352af3d0866a40 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Mon, 23 May 2022 11:26:47 -0600
Subject: [PATCH 55/80] Fixing the validation that webhook-cert-manager is not running in the TestVault_WebhookCerts test
---
 acceptance/tests/vault/vault_webhook_certs_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/acceptance/tests/vault/vault_webhook_certs_test.go b/acceptance/tests/vault/vault_webhook_certs_test.go
index a6896fd578..258c6928d8 100644
--- a/acceptance/tests/vault/vault_webhook_certs_test.go
+++ b/acceptance/tests/vault/vault_webhook_certs_test.go
@@ -281,8 +281,9 @@ func TestVault_WebhookCerts(t *testing.T) {
 // Check that webhook-cert-manager is not deployed.
 client := environment.KubernetesClientFromOptions(t, kubectlOptions)
- deployments, err := client.AppsV1().Deployments(kubectlOptions.Namespace).List(context.Background(), metav1.ListOptions{LabelSelector: "component=webhook-cert-manager"})
- require.Empty(t, deployments)
+ deployments, err := client.AppsV1().Deployments(kubectlOptions.Namespace).List(context.Background(), metav1.ListOptions{LabelSelector: fmt.Sprintf("app=consul,component=webhook-cert-manager,release=%s", consulReleaseName)})
+ require.NoError(t, err)
+ require.Empty(t, deployments.Items)
 // Deploy two services and check that they can talk to each other.
 logger.Log(t, "creating static-server and static-client deployments")
@@ -303,5 +304,4 @@ func TestVault_WebhookCerts(t *testing.T) {
 } else {
 k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), StaticClientName, "http://localhost:1234")
 }
- t.Fail()
 }
From 914dfa5446afbc41e52a9fa7c8c8f4c0f53f56cb Mon Sep 17 00:00:00 2001
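Review bot: The corrected assertion only proves the webhook-cert-manager Deployment is absent, while the chart gates the component's ClusterRole, ClusterRoleBinding, ConfigMap, ServiceAccount and PodSecurityPolicy on the same condition (see the template hunks later in this series); of those, the ClusterRoleBinding is the object that actually grants permissions, so a leftover binding with no workload behind it is the regression most worth catching. Listing `client.RbacV1().ClusterRoleBindings()` with the same label selector and asserting its `Items` is empty would cover that for one extra call. `context.Background()` also gives the List no deadline, so a wedged API server stalls the whole suite; a short `context.WithTimeout` derived in the test is the usual shape. The enclosing function starts and ends outside both hunks.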
From: John Murret Date: Thu, 26 May 2022 14:37:13 -0600 Subject: [PATCH 56/80] Renamed consulControllerCARole to consulControllerRole and consulContronnectInjectCARole to consulConnectInjectRole --- .../tests/vault/vault_webhook_certs_test.go | 4 +- charts/consul/templates/_helpers.tpl | 10 ++--- .../templates/connect-inject-clusterrole.yaml | 2 +- .../templates/connect-inject-deployment.yaml | 4 +- .../templates/controller-clusterrole.yaml | 2 +- .../templates/controller-deployment.yaml | 4 +- .../webhook-cert-manager-clusterrole.yaml | 2 +- ...bhook-cert-manager-clusterrolebinding.yaml | 2 +- .../webhook-cert-manager-configmap.yaml | 2 +- .../webhook-cert-manager-deployment.yaml | 2 +- ...ebhook-cert-manager-podsecuritypolicy.yaml | 2 +- .../webhook-cert-manager-serviceaccount.yaml | 2 +- .../test/unit/connect-inject-clusterrole.bats | 6 +-- .../test/unit/connect-inject-deployment.bats | 40 +++++++++---------- .../test/unit/controller-clusterrole.bats | 6 +-- .../test/unit/controller-deployment.bats | 38 +++++++++--------- .../webhook-cert-manager-clusterrole.bats | 6 +-- ...bhook-cert-manager-clusterrolebinding.bats | 6 +-- .../unit/webhook-cert-manager-configmap.bats | 6 +-- .../unit/webhook-cert-manager-deployment.bats | 6 +-- ...ebhook-cert-manager-podsecuritypolicy.bats | 6 +-- .../webhook-cert-manager-serviceaccount.bats | 6 +-- charts/consul/values.yaml | 4 +- 23 files changed, 84 insertions(+), 84 deletions(-) diff --git a/acceptance/tests/vault/vault_webhook_certs_test.go b/acceptance/tests/vault/vault_webhook_certs_test.go index 258c6928d8..0d822dab60 100644 --- a/acceptance/tests/vault/vault_webhook_certs_test.go +++ b/acceptance/tests/vault/vault_webhook_certs_test.go 
@@ -204,8 +204,8 @@ func TestVault_WebhookCerts(t *testing.T) { "global.secretsBackend.vault.consulServerRole": consulServerRole, "global.secretsBackend.vault.consulClientRole": consulClientRole, "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, - "global.secretsBackend.vault.consulConnectInjectCARole": connectInjectorWebhookPKIConfig.RoleName, - "global.secretsBackend.vault.consulControllerCARole": controllerWebhookPKIConfig.RoleName, + "global.secretsBackend.vault.consulConnectInjectRole": connectInjectorWebhookPKIConfig.RoleName, + "global.secretsBackend.vault.consulControllerRole": controllerWebhookPKIConfig.RoleName, "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, "global.secretsBackend.vault.ca.secretName": vaultCASecret, diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 5d7e76e116..f7cbfb2227 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl @@ -279,10 +279,10 @@ Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} {{/* Fails when at least one but not all of the following have been set: -- global.secretsBackend.vault.consulConnectInjectCARole +- global.secretsBackend.vault.consulConnectInjectRole - global.secretsBackend.vault.connectInject.tlsCert.secretName - global.secretsBackend.vault.connectInject.caCert.secretName -- global.secretsBackend.vault.consulControllerCARole +- global.secretsBackend.vault.consulControllerRole - global.secretsBackend.vault.controller.tlsCert.secretName - global.secretsBackend.vault.controller.caCert.secretName 
@@ -293,9 +293,9 @@ Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} */}} {{- define "consul.validateVaultWebhookCertConfiguration" -}} -{{- if or .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName}} -{{- if or (not .Values.global.secretsBackend.vault.consulConnectInjectCARole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) (not .Values.global.secretsBackend.vault.consulControllerCARole) (not .Values.global.secretsBackend.vault.controller.tlsCert.secretName) (not .Values.global.secretsBackend.vault.controller.caCert.secretName) }} -{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}} +{{- if or .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.consulConnectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not 
.Values.global.secretsBackend.vault.connectInject.caCert.secretName) (not .Values.global.secretsBackend.vault.consulControllerRole) (not .Values.global.secretsBackend.vault.controller.tlsCert.secretName) (not .Values.global.secretsBackend.vault.controller.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}} {{ end }} {{ end }} {{- end -}} diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml index 953ac4169d..409e68f003 100644 --- a/charts/consul/templates/connect-inject-clusterrole.yaml +++ b/charts/consul/templates/connect-inject-clusterrole.yaml @@ -33,7 +33,7 @@ rules: - get - list - update -{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} - apiGroups: - admissionregistration.k8s.io resources: diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index eb5a5a9faa..b0bf11fb81 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
@@ -42,8 +42,8 @@ spec: {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} "vault.hashicorp.com/agent-init-first": "true" "vault.hashicorp.com/agent-inject": "true" - {{- if .Values.global.secretsBackend.vault.consulConnectInjectCARole }} - "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulConnectInjectCARole }} + {{- if .Values.global.secretsBackend.vault.consulConnectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulConnectInjectRole }} {{ else }} "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} {{ end }} diff --git a/charts/consul/templates/controller-clusterrole.yaml b/charts/consul/templates/controller-clusterrole.yaml index 4cf41bed3b..9787f32768 100644 --- a/charts/consul/templates/controller-clusterrole.yaml +++ b/charts/consul/templates/controller-clusterrole.yaml @@ -57,7 +57,7 @@ rules: - get - list - update -{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName)}} +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName)}} - apiGroups: - admissionregistration.k8s.io resources: diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 732bad339d..2c584b9f0a 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml 
@@ -34,8 +34,8 @@ spec: {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} "vault.hashicorp.com/agent-init-first": "true" "vault.hashicorp.com/agent-inject": "true" - {{- if .Values.global.secretsBackend.vault.consulControllerCARole }} - "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulControllerCARole }} + {{- if .Values.global.secretsBackend.vault.consulControllerRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulControllerRole }} {{ else }} "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} {{ end }} diff --git a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml index 39bbf1c62c..783f99b7fa 100644 --- a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml +++ b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml 
@@ -1,4 +1,4 @@ -{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }} +{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml index 004d8abd24..115be64a1f 100644 --- a/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml +++ b/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml 
@@ -1,4 +1,4 @@ -{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }} +{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/consul/templates/webhook-cert-manager-configmap.yaml b/charts/consul/templates/webhook-cert-manager-configmap.yaml index 6776b9816d..eae95ba4f1 100644 --- a/charts/consul/templates/webhook-cert-manager-configmap.yaml +++ b/charts/consul/templates/webhook-cert-manager-configmap.yaml 
@@ -1,4 +1,4 @@ -{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }} +{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }} apiVersion: v1 kind: ConfigMap metadata: diff --git a/charts/consul/templates/webhook-cert-manager-deployment.yaml b/charts/consul/templates/webhook-cert-manager-deployment.yaml index be5511bc0c..b209bd61bf 100644 --- a/charts/consul/templates/webhook-cert-manager-deployment.yaml +++ b/charts/consul/templates/webhook-cert-manager-deployment.yaml 
@@ -1,4 +1,4 @@ -{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }} +{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml index 883156031b..66fb5326d8 100644 --- a/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml +++ b/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml 
@@ -1,4 +1,4 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) .Values.global.enablePodSecurityPolicies (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) .Values.global.enablePodSecurityPolicies (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml b/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
index e0fc8fd97c..a461f25103 100644
--- a/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
+++ b/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/charts/consul/test/unit/connect-inject-clusterrole.bats b/charts/consul/test/unit/connect-inject-clusterrole.bats
index de06be9bc6..e56f02b833 100644
--- a/charts/consul/test/unit/connect-inject-clusterrole.bats
+++ b/charts/consul/test/unit/connect-inject-clusterrole.bats
@@ -145,7 +145,7 @@ load _helpers #-------------------------------------------------------------------- # vault -@test "connectInject/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurationswhen the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, and global.secretsBackend.vault.connectInject.caCert.secretName." { +@test "connectInject/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurationswhen the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, and global.secretsBackend.vault.connectInject.caCert.secretName." { cd `chart_dir` local object=$(helm template \ -s templates/connect-inject-clusterrole.yaml \ @@ -156,10 +156,10 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=test' \ --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ 
diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index c9de5bb9e7..252b8b605d 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats @@ -1842,10 +1842,10 @@ EOF --set 'global.secretsBackend.vault.consulServerRole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=test' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ . | tee /dev/stderr | @@ -1944,7 +1944,7 @@ EOF [ "${actual}" = "/vault/custom/tls.crt" ] } -@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.consulConnectInjectCARole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not" { +@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.consulConnectInjectRole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not" { cd `chart_dir` run helm template \ -s templates/connect-inject-deployment.yaml \ 
@@ -1956,13 +1956,13 @@ EOF --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.tls.caCert.secretName=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=connectinjectcarole' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=connectinjectcarole' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } -@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.caCert.secretName are not" { +@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectRole and global.secretsBackend.vault.connectInject.caCert.secretName are not" { cd `chart_dir` run helm template \ -s templates/connect-inject-deployment.yaml \ 
@@ -1977,10 +1977,10 @@ EOF --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } -@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" { +@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectRole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" { cd `chart_dir` run helm template \ -s templates/connect-inject-deployment.yaml \ 
@@ -1995,7 +1995,7 @@ EOF --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } @test "connectInject/Deployment: vault tls annotations are set when tls is enabled" { @@ -2011,10 +2011,10 @@ EOF --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=test' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ . | tee /dev/stderr | 
@@ -2076,10 +2076,10 @@ EOF -s templates/connect-inject-deployment.yaml \ --set 'connectInject.enabled=true' \ --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ @@ -2101,10 +2101,10 @@ EOF --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.tls.enabled=true' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.tls.enableAutoEncrypt=true' \ 
@@ -2135,10 +2135,10 @@ EOF --set 'global.tls.enabled=true' \ --set 'global.tls.caCert.secretName=foo' \ --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ . | tee /dev/stderr | @@ -2158,10 +2158,10 @@ EOF --set 'global.tls.enabled=true' \ --set 'global.tls.caCert.secretName=foo' \ --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ . | tee /dev/stderr | 
@@ -2169,7 +2169,7 @@ EOF [ "${actual}" == "" ] } -@test "connectInject/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulCARole if global.secretsBackend.vault.consulConnectInjectCARole is not set" { +@test "connectInject/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulCARole if global.secretsBackend.vault.consulConnectInjectRole is not set" { cd `chart_dir` local cmd=$(helm template \ -s templates/connect-inject-deployment.yaml \ diff --git a/charts/consul/test/unit/controller-clusterrole.bats b/charts/consul/test/unit/controller-clusterrole.bats index 1d8fefd3b2..8798ca2ba5 100644 --- a/charts/consul/test/unit/controller-clusterrole.bats +++ b/charts/consul/test/unit/controller-clusterrole.bats @@ -190,7 +190,7 @@ load _helpers #-------------------------------------------------------------------- # vault -@test "controller/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurationswhen the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." { +@test "controller/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurationswhen the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." { cd `chart_dir` local object=$(helm template \ -s templates/controller-clusterrole.yaml \ 
@@ -199,10 +199,10 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=test' \ --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 168e8f2e0d..0a23fa3180 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats 
@@ -75,10 +75,10 @@ load _helpers --set 'global.secretsBackend.vault.consulServerRole=test' \ --set 'global.secretsBackend.vault.consulCARole=test' \ --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ 
@@ -958,15 +958,15 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=pki/issue/controller-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ 
@@ -1027,10 +1027,10 @@ load _helpers --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.tls.enabled=true' \ --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ @@ -1053,10 +1053,10 @@ load _helpers --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.tls.enabled=true' \ --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ 
@@ -1076,10 +1076,10 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=foo' \ --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ @@ -1091,7 +1091,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.consulControllerCARole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not" { +@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.consulControllerRole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not" { cd `chart_dir` run helm template \ -s templates/controller-deployment.yaml \ 
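Review bot: The renamed test title in the -1091 hunk still describes the wrong values: it says the chart fails when `global.secretsBackend.vault.consulControllerRole` is set but `connectInject.tlsCert.secretName` and `connectInject.caCert.secretName` are not, yet this is the controller test and the continuation of its body in the -1103 hunk sets only `consulControllerRole=controllerinjectcarole`. Suggested title: `@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.consulControllerRole is set but global.secretsBackend.vault.controller.tlsCert.secretName and global.secretsBackend.vault.controller.caCert.secretName are not" {`. The two following controller tests in this file carry the same connectInject/controller mix-up in their titles (`controller.tlsCert.secretName is set but ... consulConnectInjectRole and ... connectInject.caCert.secretName are not`), so it is worth correcting them in the same rename pass. The test body starts in this hunk and ends outside it.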
@@ -1103,13 +1103,13 @@ load _helpers --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.tls.caCert.secretName=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulControllerCARole=controllerinjectcarole' \ + --set 'global.secretsBackend.vault.consulControllerRole=controllerinjectcarole' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } -@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controller.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.caCert.secretName are not" { +@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controller.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectRole and global.secretsBackend.vault.connectInject.caCert.secretName are not" { cd `chart_dir` run helm template \ -s templates/controller-deployment.yaml \ 
@@ -1124,10 +1124,10 @@ load _helpers --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } -@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controller.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" { +@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controller.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectRole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" { cd `chart_dir` run helm template \ -s templates/controller-deployment.yaml \ 
@@ -1142,10 +1142,10 @@ load _helpers --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } -@test "controller/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulControllerCARole if global.secretsBackend.vault.consulControllerCARole is not set" { +@test "controller/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulControllerRole if global.secretsBackend.vault.consulControllerRole is not set" { cd `chart_dir` local cmd=$(helm template \ -s templates/controller-deployment.yaml \ diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats index 717f19f33c..65c5c57bbb 100644 --- a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats +++ b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats 
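Review bot: The rewritten test title at the end of the -1142 hunk is self-contradictory: `vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulControllerRole if global.secretsBackend.vault.consulControllerRole is not set`. The parallel connectInject test (hunk -2169 in connect-inject-deployment.bats) names the fallback value, so this one presumably should read `@test "controller/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulCARole if global.secretsBackend.vault.consulControllerRole is not set" {`. The test body continues past the end of the hunk, so confirm which role the assertion actually expects before renaming. A clear title matters here because this is the test that would surface a regression in which Vault role the controller authenticates as when no dedicated role is configured.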
@@ -149,7 +149,7 @@ load _helpers #-------------------------------------------------------------------- # Vault -@test "webhookCertManager/ClusterRole: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { +@test "webhookCertManager/ClusterRole: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { cd `chart_dir` assert_empty helm template \ -s templates/webhook-cert-manager-clusterrole.yaml \ 
@@ -158,10 +158,10 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=test' \ --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats index 7d617c8471..775cef17dd 100644 --- a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats +++ b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats 
@@ -43,7 +43,7 @@ load _helpers #-------------------------------------------------------------------- # Vault -@test "webhookCertManager/ClusterRoleBinding: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { +@test "webhookCertManager/ClusterRoleBinding: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { cd `chart_dir` assert_empty helm template \ -s templates/webhook-cert-manager-clusterrolebinding.yaml \ 
@@ -52,10 +52,10 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=test' \ --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ diff --git a/charts/consul/test/unit/webhook-cert-manager-configmap.bats b/charts/consul/test/unit/webhook-cert-manager-configmap.bats index 02c0d86461..ef8754659d 100644 --- a/charts/consul/test/unit/webhook-cert-manager-configmap.bats +++ b/charts/consul/test/unit/webhook-cert-manager-configmap.bats 
@@ -95,7 +95,7 @@ load _helpers #-------------------------------------------------------------------- # Vault -@test "webhookCertManager/Configmap: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { +@test "webhookCertManager/Configmap: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { cd `chart_dir` assert_empty helm template \ -s templates/webhook-cert-manager-configmap.yaml \ 
@@ -104,10 +104,10 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=test' \ --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ diff --git a/charts/consul/test/unit/webhook-cert-manager-deployment.bats b/charts/consul/test/unit/webhook-cert-manager-deployment.bats index 889422e19b..fec228562b 100644 --- a/charts/consul/test/unit/webhook-cert-manager-deployment.bats +++ b/charts/consul/test/unit/webhook-cert-manager-deployment.bats 
@@ -66,7 +66,7 @@ load _helpers #-------------------------------------------------------------------- # Vault -@test "webhookCertManager/Deployment: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { +@test "webhookCertManager/Deployment: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { cd `chart_dir` assert_empty helm template \ -s templates/webhook-cert-manager-deployment.yaml \ 
@@ -75,10 +75,10 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=test' \ --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ diff --git a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats index 386363405f..cdfe23e532 100644 --- a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats +++ b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats 
@@ -54,7 +54,7 @@ load _helpers #-------------------------------------------------------------------- # Vault -@test "webhookCertManager/PodSecurityPolicy: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { +@test "webhookCertManager/PodSecurityPolicy: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { cd `chart_dir` assert_empty helm template \ -s templates/webhook-cert-manager-podsecuritypolicy.yaml \ 
@@ -64,10 +64,10 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=test' \ --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ diff --git a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats index 04e295bc29..fe2c746797 100644 --- a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats +++ b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats 
@@ -64,7 +64,7 @@ load _helpers #-------------------------------------------------------------------- # Vault -@test "webhookCertManager/ServiceAccount: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { +@test "webhookCertManager/ServiceAccount: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" { cd `chart_dir` assert_empty helm template \ -s templates/webhook-cert-manager-serviceaccount.yaml \ 
@@ -73,10 +73,10 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=test' \ --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \ + --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerCARole=test' \ + --set 'global.secretsBackend.vault.consulControllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 1778290b16..80ab0cec74 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -281,7 +281,7 @@ global: # The Vault role for consul controller to read the Consul's controllers's CA Certificate (unauthenticated). # A Vault policy must be created which grants read capabilities to # `global.secretsBackend.vault.controller.tlsCert.secretName`. - consulControllerCARole: "" + consulControllerRole: "" connectInject: # The directory that Kubernetes will use on Kubernetes CRD creation, @@ -301,7 +301,7 @@ global: # The Vault role for consul connect inject to read the Consul's controllers's CA Certificate (unauthenticated). # A Vault policy must be created which grants read capabilities to # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. - consulConnectInjectCARole: "" + consulConnectInjectRole: "" # Configures Consul's gossip encryption key. # (see `-encrypt` (https://www.consul.io/docs/agent/config/cli-flags#_encrypt)). 
From b2db4f1f00f374c522fac1cde6f192af638fe55c Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 26 May 2022 16:13:14 -0600 Subject: [PATCH 57/80] fixing linting --- acceptance/tests/vault/vault_webhook_certs_test.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/acceptance/tests/vault/vault_webhook_certs_test.go b/acceptance/tests/vault/vault_webhook_certs_test.go index 0d822dab60..6595e39a04 100644 --- a/acceptance/tests/vault/vault_webhook_certs_test.go +++ b/acceptance/tests/vault/vault_webhook_certs_test.go @@ -200,13 +200,13 @@ func TestVault_WebhookCerts(t *testing.T) { "global.secretsBackend.vault.controller.tlsCert.secretName": controllerWebhookPKIConfig.CertPath, "global.secretsBackend.vault.controller.caCert.secretName": controllerWebhookPKIConfig.CAPath, - "global.secretsBackend.vault.enabled": "true", - "global.secretsBackend.vault.consulServerRole": consulServerRole, - "global.secretsBackend.vault.consulClientRole": consulClientRole, - "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, + "global.secretsBackend.vault.enabled": "true", + "global.secretsBackend.vault.consulServerRole": consulServerRole, + "global.secretsBackend.vault.consulClientRole": consulClientRole, + "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, "global.secretsBackend.vault.consulConnectInjectRole": connectInjectorWebhookPKIConfig.RoleName, "global.secretsBackend.vault.consulControllerRole": controllerWebhookPKIConfig.RoleName, - "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, + "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, "global.secretsBackend.vault.ca.secretName": vaultCASecret, "global.secretsBackend.vault.ca.secretKey": "tls.crt", From 130360fa30bdd4e3723d9fe0789b3254fd790c44 Mon Sep 17 00:00:00 2001 
From: John Murret Date: Thu, 26 May 2022 16:38:08 -0600 Subject: [PATCH 58/80] Renamed configureCABundleUpdate() to updateWebhookCABundle() --- control-plane/subcommand/controller/command.go | 4 ++-- control-plane/subcommand/inject-connect/command.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go index 2da74e6b93..d87d5d9c68 100644 --- a/control-plane/subcommand/controller/command.go +++ b/control-plane/subcommand/controller/command.go @@ -333,7 +333,7 @@ func (c *Command) Run(args []string) int { // +kubebuilder:scaffold:builder if c.flagEnableWebhookCAUpdate { - err := c.configureCABundleUpdate() + err := c.updateWebhookCABundle() if err != nil { setupLog.Error(err, "problem getting CA Cert") return 1 @@ -348,7 +348,7 @@ func (c *Command) Run(args []string) int { return 0 } -func (c *Command) configureCABundleUpdate() error { +func (c *Command) updateWebhookCABundle() error { // Create a context to be used by the processes started in this command. ctx, cancelFunc := context.WithCancel(context.Background()) defer cancelFunc() diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go index d446b43ce1..55f6c06a65 100644 --- a/control-plane/subcommand/inject-connect/command.go +++ b/control-plane/subcommand/inject-connect/command.go @@ -469,7 +469,7 @@ func (c *Command) Run(args []string) int { }}) if c.flagEnableWebhookCAUpdate { - err := c.configureCABundleUpdate(ctx) + err := c.updateWebhookCABundle(ctx) if err != nil { setupLog.Error(err, "problem getting CA Cert") return 1 
@@ -483,7 +483,7 @@ func (c *Command) Run(args []string) int { return 0 } -func (c *Command) configureCABundleUpdate(ctx context.Context) error { +func (c *Command) updateWebhookCABundle(ctx context.Context) error { webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "connect-injector") caPath := fmt.Sprintf("%s/%s", c.flagCertDir, "ca.crt") caCert, err := ioutil.ReadFile(caPath) From f7c5023f75ea7f0330d1ec683ecd5a6a4841052c Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 26 May 2022 16:41:15 -0600 Subject: [PATCH 59/80] Make ca.crt a constant --- control-plane/subcommand/controller/command.go | 6 ++++-- control-plane/subcommand/inject-connect/command.go | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go index d87d5d9c68..46adc3aaa8 100644 --- a/control-plane/subcommand/controller/command.go +++ b/control-plane/subcommand/controller/command.go @@ -28,6 +28,8 @@ import ( "sigs.k8s.io/controller-runtime/pkg/webhook" ) +const WebhookCAFilename = "ca.crt" + type Command struct { UI cli.Ui @@ -361,8 +363,8 @@ func (c *Command) updateWebhookCABundle() error { return err } - webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "controller") - caPath := fmt.Sprintf("%s/%s", c.flagWebhookTLSCertDir, "ca.crt") + webhookConfigName := fmt.Sprintf("%s-controller", c.flagResourcePrefix) + caPath := fmt.Sprintf("%s/%s", c.flagWebhookTLSCertDir, WebhookCAFilename) caCert, err := ioutil.ReadFile(caPath) if err != nil { return err diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go index 55f6c06a65..afb2be5505 100644 --- a/control-plane/subcommand/inject-connect/command.go +++ b/control-plane/subcommand/inject-connect/command.go @@ -32,6 +32,8 @@ import ( "sigs.k8s.io/controller-runtime/pkg/webhook" ) +const WebhookCAFilename = "ca.crt" + type Command struct { UI cli.Ui 
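Review bot: In the controller hunk `@@ -361,8 +363,8 @@` the CA path is still glued together with `fmt.Sprintf("%s/%s", c.flagWebhookTLSCertDir, WebhookCAFilename)`; `caPath := filepath.Join(c.flagWebhookTLSCertDir, WebhookCAFilename)` is the idiomatic form and also tolerates a trailing slash in the flag value. `WebhookCAFilename` is declared independently in both the `controller` and `inject-connect` packages in this patch, so the two literals can drift silently; a single shared constant would be safer. Because the bytes read by `ioutil.ReadFile(caPath)` are what ends up in the webhook's CA bundle (the `-enable-webhook-ca-update` flag text in this series says as much), I would reject an empty or non-PEM file before using it, e.g. `if blk, _ := pem.Decode(caCert); blk == nil { return fmt.Errorf("no PEM certificate in %s", caPath) }` (needs `encoding/pem`), so a Vault Agent secret that has not been rendered yet cannot produce an empty caBundle. The body of updateWebhookCABundle continues outside the hunk.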
@@ -484,8 +486,8 @@ func (c *Command) Run(args []string) int { } func (c *Command) updateWebhookCABundle(ctx context.Context) error { - webhookConfigName := fmt.Sprintf("%s-%s", c.flagResourcePrefix, "connect-injector") - caPath := fmt.Sprintf("%s/%s", c.flagCertDir, "ca.crt") + webhookConfigName := fmt.Sprintf("%s-connect-injector", c.flagResourcePrefix) + caPath := fmt.Sprintf("%s/%s", c.flagCertDir, WebhookCAFilename) caCert, err := ioutil.ReadFile(caPath) if err != nil { return err From 8db287fbdc72e7322adffac852813aff90e4f8c4 Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 26 May 2022 18:00:57 -0600 Subject: [PATCH 60/80] Adding doc strings for webhook certs secretName --- charts/consul/values.yaml | 18 ++++++++++++++---- control-plane/subcommand/controller/command.go | 2 +- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 80ab0cec74..23991acb18 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -268,6 +268,8 @@ global: # deletion, and update, to get TLS certificates used issued from vault # to send webhooks to the controller. tlsCert: + # The Vault secret path that issues TLS certificates for controller + # webhooks. # @type: string secretName: null @@ -275,10 +277,13 @@ global: # deletion, and update, to get CA certificates used issued from vault # to send webhooks to the controller. caCert: + # The Vault secret path that contains the CA certificate for controller + # webhooks. # @type: string secretName: null - # The Vault role for consul controller to read the Consul's controllers's CA Certificate (unauthenticated). + # The Vault role for consul controller to read the Consul controllers's + # CA Certificate and the webhook certificate and private key. # A Vault policy must be created which grants read capabilities to # `global.secretsBackend.vault.controller.tlsCert.secretName`. consulControllerRole: "" 
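Review bot: `caPath := fmt.Sprintf("%s/%s", c.flagCertDir, WebhookCAFilename)` in the inject-connect hunk should be `caPath := filepath.Join(c.flagCertDir, WebhookCAFilename)`, which is the conventional way to build an OS path and copes with a `-tls-cert-dir` value that already ends in `/`. The only failure this function checks is the read error; a zero-length or non-PEM `ca.crt` (for example one the Vault Agent sidecar has not finished writing) would be accepted and, as far as the flag description in this series indicates, pushed into the webhook configuration, so a `pem.Decode` guard on `caCert` before it is used is worth adding. `ioutil.ReadFile` has been an alias for `os.ReadFile` since Go 1.16; if the module already targets that version, switching avoids the deprecated package. The remainder of updateWebhookCABundle lies outside the hunk.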
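Review bot: The new role description in `@@ -275,10 +277,13 @@` says the controller role is used to "read" the webhook certificate and private key, but the `tlsCert.secretName` documented two lines earlier is "the Vault secret path that issues TLS certificates", and the unit tests in this series set it to a `pki/issue/...` path; issuing from a Vault PKI `issue/` endpoint is a write that requires the `create`/`update` capabilities, so the retained sentence "A Vault policy must be created which grants read capabilities to ..." would steer an operator toward a policy Vault denies. I would reword the two added lines to `# The Vault role for consul controller to issue the controller webhook TLS certificate and key from` / `# tlsCert.secretName and to read the controller CA certificate from caCert.secretName.` and state that the policy needs `create`/`update` on the issue path and `read` on the CA path. "controllers's" should also read "controller's".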
@@ -288,17 +293,22 @@ global: # deletion, and update, to get CA certificates used issued from vault # to send webhooks to ConnectInject caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. # @type: string secretName: null # The directory that Kubernetes will use on Kubernetes CRD creation, # deletion, and update, to get TLS certificates used issued from vault - # to send webhooks to ConnectInject - tlsCert: + # to send webhooks to Connect Inject + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. # @type: string secretName: null - # The Vault role for consul connect inject to read the Consul's controllers's CA Certificate (unauthenticated). + # The Vault role for consul connect inject to read the Consul controller's + # CA Certificate and the webhook certificate and private key. # A Vault policy must be created which grants read capabilities to # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. consulConnectInjectRole: "" diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go index 46adc3aaa8..386737f7d7 100644 --- a/control-plane/subcommand/controller/command.go +++ b/control-plane/subcommand/controller/command.go 
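Review bot: The added `consulConnectInjectRole` description in this hunk has the same capability mismatch as the controller one: it says the role "read[s] ... the webhook certificate and private key" from a path that the new `tlsCert` comment above describes as one that "issues TLS certificates", and the surviving line "A Vault policy must be created which grants read capabilities to" repeats it. If `connectInject.tlsCert.secretName` is a PKI `issue/` path, as the `pki/issue/connect-webhook-cert-dc1` value used throughout the unit tests suggests, the policy must grant `create` and `update` on that path (and `read` only on `caCert.secretName`); I would say so explicitly here, e.g. `# A Vault policy must be created which grants create and update capabilities on` / `# global.secretsBackend.vault.connectInject.tlsCert.secretName and read on caCert.secretName.`. "controller's" is misspelled as "controllers's" in the new text.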
@@ -91,7 +91,7 @@ func (c *Command) init() { c.flagSet.BoolVar(&c.flagEnableWebhooks, "enable-webhooks", true, "Enable webhooks. Disable when running locally since Kube API server won't be able to route to local server.") c.flagSet.StringVar(&c.flagResourcePrefix, "resource-prefix", "", - "Release prefix of the Consul installation used to determine Consul DNS Service name.") + "Release prefix of the Consul installation used to prepend on the webhook name that will have its CA bundle updated.") c.flagSet.BoolVar(&c.flagEnableWebhookCAUpdate, "enable-webhook-ca-update", false, "Enables updating the CABundle on the webhook within this controller rather than using the web cert manager.") c.flagSet.StringVar(&c.flagLogLevel, "log-level", zapcore.InfoLevel.String(), From ff519a1f1b41f40da499f70ca75b880f4032e013 Mon Sep 17 00:00:00 2001 From: John Murret Date: Fri, 27 May 2022 15:13:20 -0600 Subject: [PATCH 61/80] updated alt_names for controller and connect inject deployments to be the same as they are under web-cert-manager. updated path of where webhook certs get saved. --- acceptance/framework/vault/helpers.go | 4 +-- .../tests/vault/vault_webhook_certs_test.go | 2 ++ charts/consul/templates/_helpers.tpl | 4 +-- .../templates/connect-inject-deployment.yaml | 5 ++- .../templates/controller-deployment.yaml | 5 ++- .../test/unit/connect-inject-deployment.bats | 30 +++++++++++++--- .../test/unit/controller-deployment.bats | 36 +++++++++++++++++-- 7 files changed, 74 insertions(+), 12 deletions(-) diff --git a/acceptance/framework/vault/helpers.go b/acceptance/framework/vault/helpers.go index 850f8efbed..6ebfb5cf62 100644 --- a/acceptance/framework/vault/helpers.go +++ b/acceptance/framework/vault/helpers.go 
@@ -33,8 +33,8 @@ func GenerateGossipSecret() (string, error) { func ConfigurePKICerts(t *testing.T, vaultClient *vapi.Client, baseUrl, allowedSubdomain, roleName, ns, datacenter, maxTTL string) string { - allowedDomains := fmt.Sprintf("%s.consul,%s,%s.%s,%s.%s.svc", datacenter, - allowedSubdomain, allowedSubdomain, ns, allowedSubdomain, ns) + allowedDomains := fmt.Sprintf("%s.consul,%s,%s.%s,%s.%s.svc,%s.default.svc.cluster.local", datacenter, + allowedSubdomain, allowedSubdomain, ns, allowedSubdomain, ns, allowedSubdomain) params := map[string]interface{}{ "allowed_domains": allowedDomains, "allow_bare_domains": "true", diff --git a/acceptance/tests/vault/vault_webhook_certs_test.go b/acceptance/tests/vault/vault_webhook_certs_test.go index 6595e39a04..573bdb5843 100644 --- a/acceptance/tests/vault/vault_webhook_certs_test.go +++ b/acceptance/tests/vault/vault_webhook_certs_test.go @@ -79,6 +79,7 @@ func TestVault_WebhookCerts(t *testing.T) { AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"), MaxTTL: webhookCertTtl.String(), AuthMethodPath: "kubernetes", + CommonName: "Consul Webhook Certificates", } controllerWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) @@ -93,6 +94,7 @@ func TestVault_WebhookCerts(t *testing.T) { AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), MaxTTL: webhookCertTtl.String(), AuthMethodPath: "kubernetes", + CommonName: "Consul Webhook Certificates", } connectInjectorWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index f7cbfb2227..6d254a8039 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
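Review bot: The new `allowedDomains` entry hardcodes the `default` namespace and the `cluster.local` domain (`%s.default.svc.cluster.local`, filled with `allowedSubdomain`) while every other entry is derived from the `ns` parameter, so the role permits the fully-qualified service name only when the release lives in `default`; in any other namespace Vault should refuse the `<name>.<ns>.svc.cluster.local` alt name that the chart templates in this same patch now request, and issuing the webhook cert fails. Use the parameter consistently: `allowedDomains := fmt.Sprintf("%s.consul,%s,%s.%s,%s.%s.svc,%s.%s.svc.cluster.local", datacenter, allowedSubdomain, allowedSubdomain, ns, allowedSubdomain, ns, allowedSubdomain, ns)`. If clusters with a non-default DNS domain are in scope for the acceptance suite, the `cluster.local` suffix should become a parameter as well rather than a literal. The rest of ConfigurePKICerts is outside this hunk.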
@@ -106,13 +106,13 @@ as well as the global.name setting. {{- define "consul.connectInjectorTLSAltNames" -}} {{- $name := include "consul.fullname" . -}} {{- $ns := .Release.Namespace -}} -{{ printf "localhost,%s-connect-injector,*.%s-connect-injector,*.%s-connect-injector.%s,%s-connect-injector.%s,*.%s-connect-injector.%s.svc,%s-connect-injector.%s.svc,*.connect-injector.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} {{- end -}} {{- define "consul.controllerWebhookTLSAltNames" -}} {{- $name := include "consul.fullname" . -}} {{- $ns := .Release.Namespace -}} -{{ printf "localhost,%s-controller-webhook,*.%s-controller-webhook,*.%s-controller-webhook.%s,%s-controller-webhook.%s,*.%s-controller-webhook.%s.svc,%s-controller-webhook.%s.svc,*.controller-webhook.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }} +{{ printf "%s-controller-webhook,%s-controller-webhook.%s,%s-controller-webhook.%s.svc,%s-controller-webhook.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} {{- end -}} {{- define "consul.vaultReplicationTokenTemplate" -}} diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index b0bf11fb81..de1ad5d360 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
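Review bot: Dropping `localhost` and the wildcard entries from both alt-name lists is a welcome narrowing of what the webhook certificate can be presented as, but the replacement lists hardcode `cluster.local`; a cluster with a different DNS domain receives a SAN it never uses, and the name the API server actually dials (`<svc>.<ns>.svc`) is already in the list, so the suffix should either come from a chart value if one exists or be dropped. The updated test expectations later in this patch still pin `"ip_sans=127.0.0.1"` beside these alt names; if `localhost` is no longer needed, the loopback IP SAN presumably is not either and could go for the same least-privilege reason. Both `define` blocks are complete within the hunk.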
@@ -53,13 +53,16 @@ spec: {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" {{- end }} {{- end }} {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" {{- end }} {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" @@ -186,7 +189,7 @@ spec: {{- end }} {{- end }} {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} - -tls-cert-dir=/vault/secrets \ + -tls-cert-dir=/vault/secrets/connect-injector/certs \ -enable-webhook-ca-update \ {{- else }} -tls-cert-dir=/etc/connect-injector/certs \ diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 2c584b9f0a..a531efe450 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml 
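Review bot: The literal `/vault/secrets/connect-injector/certs` now appears three times in the `secret-volume-path-*` annotations in the first hunk and a fourth time in `-tls-cert-dir=` in the second, and the container only finds its certificate if all four agree; nothing in the template ties them together. A single named template, e.g. `{{- define "consul.connectInjectVaultCertDir" -}}/vault/secrets/connect-injector/certs{{- end -}}`, referenced from each annotation and from the flag would keep them in lock-step. The `{{- if }}`/`{{- with }}` blocks that the two trailing `{{- end }}` lines close begin outside the hunk.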
@@ -45,13 +45,16 @@ spec: {{- with .Values.global.secretsBackend.vault.controller.caCert }} "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/controller-webhook/certs" {{- end }} {{- end }} {{- if .Values.global.secretsBackend.vault.controller.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.controllerWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/controller-webhook/certs" "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.controllerWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/controller-webhook/certs" {{- end }} {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" @@ -137,7 +140,7 @@ spec: -resource-prefix={{ template "consul.fullname" . }} \ {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.controller.tlsCert.secretName }} -enable-webhook-ca-update \ - -webhook-tls-cert-dir=/vault/secrets \ + -webhook-tls-cert-dir=/vault/secrets/controller-webhook/certs \ {{- else }} -webhook-tls-cert-dir=/tmp/controller-webhook/certs \ {{- end }} diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 252b8b605d..4604352f6f 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats 
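Review bot: `/vault/secrets/controller-webhook/certs` is repeated verbatim in the three new `secret-volume-path-*` annotations and again in `-webhook-tls-cert-dir=` further down; if any one of them is edited alone the controller starts without its cert or CA. I would factor the path into a named template (for example `{{- define "consul.controllerWebhookVaultCertDir" -}}/vault/secrets/controller-webhook/certs{{- end -}}`) and `include` it in all four places. The enclosing `{{- with }}`/`{{- if }}` blocks open before the first hunk begins.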
+++ b/charts/consul/test/unit/connect-inject-deployment.bats @@ -617,6 +617,17 @@ EOF [ "${actual}" = "key" ] } +@test "connectInject/Deployment: Adds -tls-cert-dir=/etc/connect-injector/certs to command" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("-tls-cert-dir=/etc/connect-injector/certs"))' | tee /dev/stderr) + [ "${actual}" != "" ] +} + #-------------------------------------------------------------------- # global.tls.enableAutoEncrypt @@ -2038,6 +2049,10 @@ EOF yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-ca.crt"]' | tee /dev/stderr)" [ "${actual}" = "foo/ca" ] + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/secret-volume-path-ca.crt"]' | tee /dev/stderr)" + [ "${actual}" = "/vault/secrets/connect-injector/certs" ] + local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-init-first"]' | tee /dev/stderr)" [ "${actual}" = "true" ] 
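Review bot: The assertion that closes the new `connectInject/Deployment: Adds -tls-cert-dir=/etc/connect-injector/certs to command` test, `[ "${actual}" != "" ]`, cannot fail in practice: `yq '... | any(contains("..."))'` prints `true` or `false`, and both are non-empty strings, so a regression that drops the flag still passes. Change it to `[ "${actual}" = "true" ]`, which is what the sibling Vault-path test later in this file already checks.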
@@ -2056,21 +2071,28 @@ EOF local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=localhost,release-name-consul-connect-injector,*.release-name-consul-connect-injector,*.release-name-consul-connect-injector.default,release-name-consul-connect-injector.default,*.release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc,*.connect-injector.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=release-name-consul-connect-injector,release-name-consul-connect-injector.default,release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc.cluster.local\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/secret-volume-path-tls.crt"]' | tee /dev/stderr)" + [ "${actual}" = "/vault/secrets/connect-injector/certs" ] + local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-tls.key"]' | tee /dev/stderr)" [ "${actual}" = "pki/issue/connect-webhook-cert-dc1" ] local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" 
\"common_name=connect-injector.dc1.consul\"\n\"alt_names=localhost,release-name-consul-connect-injector,*.release-name-consul-connect-injector,*.release-name-consul-connect-injector.default,release-name-consul-connect-injector.default,*.release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc,*.connect-injector.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=release-name-consul-connect-injector,release-name-consul-connect-injector.default,release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc.cluster.local\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/secret-volume-path-tls.key"]' | tee /dev/stderr)" + [ "${actual}" = "/vault/secrets/connect-injector/certs" ] } -@test "connectInject/Deployment: vault tls-cert-dir flag is set to /vault/secrets" { +@test "connectInject/Deployment: vault tls-cert-dir flag is set to /vault/secrets/connect-injector/certs" { cd `chart_dir` local actual=$(helm template \ -s templates/connect-inject-deployment.yaml \ @@ -2086,7 +2108,7 @@ EOF --set 'global.secretsBackend.vault.consulServerRole=bar' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-cert-dir=/vault/secrets"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].command | any(contains("-tls-cert-dir=/vault/secrets/connect-injector/certs"))' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 0a23fa3180..9fb70d6970 100644 --- a/charts/consul/test/unit/controller-deployment.bats 
+++ b/charts/consul/test/unit/controller-deployment.bats @@ -392,6 +392,17 @@ load _helpers [ "${actual}" = "key" ] } +@test "controller/Deployment: Adds -webhook-tls-cert-dir=/tmp/controller-webhook/certs to command" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("-webhook-tls-cert-dir=/tmp/controller-webhook/certs"))' | tee /dev/stderr) + [ "${actual}" != "" ] +} + #-------------------------------------------------------------------- # global.tls.enableAutoEncrypt @@ -984,6 +995,19 @@ load _helpers yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-serverca.crt"]' | tee /dev/stderr)" [ "${actual}" = "pki_int/cert/ca" ] + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-template-ca.crt"]' | tee /dev/stderr)" + local expected=$'{{- with secret \"foo/ca\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + [ "${actual}" = "${expected}" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-ca.crt"]' | tee /dev/stderr)" + [ "${actual}" = "foo/ca" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/secret-volume-path-ca.crt"]' | tee /dev/stderr)" + [ "${actual}" = "/vault/secrets/controller-webhook/certs" ] + local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-init-first"]' | tee /dev/stderr)" [ "${actual}" = "true" ] 
@@ -1002,17 +1026,25 @@ load _helpers local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=localhost,release-name-consul-controller-webhook,*.release-name-consul-controller-webhook,*.release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default,*.release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc,*.controller-webhook.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=release-name-consul-controller-webhook,release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc.cluster.local\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/secret-volume-path-tls.crt"]' | tee /dev/stderr)" + [ "${actual}" = "/vault/secrets/controller-webhook/certs" ] + local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-tls.key"]' | tee /dev/stderr)" [ "${actual}" = "pki/issue/controller-webhook-cert-dc1" ] local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" 
\"common_name=controller-webhook.dc1.consul\"\n\"alt_names=localhost,release-name-consul-controller-webhook,*.release-name-consul-controller-webhook,*.release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default,*.release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc,*.controller-webhook.dc1.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=release-name-consul-controller-webhook,release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc.cluster.local\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] + + local actual="$(echo $cmd | + yq -r '.annotations["vault.hashicorp.com/secret-volume-path-tls.key"]' | tee /dev/stderr)" + [ "${actual}" = "/vault/secrets/controller-webhook/certs" ] } @test "controller/Deployment: vault does not add cert volume when global.tls.enabled is true" { From a97e04191893ee2abe9c3fc0544002b8f2d0477d Mon Sep 17 00:00:00 2001 From: John Murret Date: Fri, 27 May 2022 15:18:27 -0600 Subject: [PATCH 62/80] Change mutatingwebhookconfigurationswhen to mutatingwebhookconfigurations when --- charts/consul/test/unit/connect-inject-clusterrole.bats | 2 +- charts/consul/test/unit/controller-clusterrole.bats | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/consul/test/unit/connect-inject-clusterrole.bats b/charts/consul/test/unit/connect-inject-clusterrole.bats index e56f02b833..95023a9d0b 100644 --- a/charts/consul/test/unit/connect-inject-clusterrole.bats +++ b/charts/consul/test/unit/connect-inject-clusterrole.bats 
@@ -145,7 +145,7 @@ load _helpers #-------------------------------------------------------------------- # vault -@test "connectInject/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurationswhen the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, and global.secretsBackend.vault.connectInject.caCert.secretName." { +@test "connectInject/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurations when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, and global.secretsBackend.vault.connectInject.caCert.secretName." { cd `chart_dir` local object=$(helm template \ -s templates/connect-inject-clusterrole.yaml \ diff --git a/charts/consul/test/unit/controller-clusterrole.bats b/charts/consul/test/unit/controller-clusterrole.bats index 8798ca2ba5..2bd20aa92a 100644 --- a/charts/consul/test/unit/controller-clusterrole.bats +++ b/charts/consul/test/unit/controller-clusterrole.bats 
@@ -190,7 +190,7 @@ load _helpers #-------------------------------------------------------------------- # vault -@test "controller/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurationswhen the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." { +@test "controller/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurations when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." { cd `chart_dir` local object=$(helm template \ -s templates/controller-clusterrole.yaml \ From 31884b0f012ab971495d14b0d93390e00949a8d1 Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 31 May 2022 15:59:57 -0600 Subject: [PATCH 63/80] added test cases for vault to controller test --- .../tests/controller/controller_test.go | 231 +++++++++++++++++- 1 file changed, 228 insertions(+), 3 deletions(-) diff --git a/acceptance/tests/controller/controller_test.go b/acceptance/tests/controller/controller_test.go index 52a78f6fa7..505df3d6f3 100644 --- a/acceptance/tests/controller/controller_test.go +++ b/acceptance/tests/controller/controller_test.go 
@@ -6,25 +6,42 @@ import ( "testing" "time" + "github.com/hashicorp/consul-k8s/acceptance/framework/config" "github.com/hashicorp/consul-k8s/acceptance/framework/consul" + "github.com/hashicorp/consul-k8s/acceptance/framework/environment" "github.com/hashicorp/consul-k8s/acceptance/framework/helpers" "github.com/hashicorp/consul-k8s/acceptance/framework/k8s" "github.com/hashicorp/consul-k8s/acceptance/framework/logger" + "github.com/hashicorp/consul-k8s/acceptance/framework/vault" "github.com/hashicorp/consul/api" "github.com/hashicorp/consul/sdk/testutil/retry" + "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" ) +const ( + KubernetesAuthMethodPath = "kubernetes" + ManageSystemACLsRole = "server-acl-init" + ClientRole = "client" + ServerRole = "server" +) + func TestController(t *testing.T) { cfg := suite.Config() cases := []struct { secure bool autoEncrypt bool + useVault bool }{ - {false, false}, - {true, false}, - {true, true}, + {false, false, false}, + {true, false, false}, + {true, true, false}, + {true, true, true}, + {false, false, true}, + // Vault with TLS requires autoEncrypt set to true as well, so the below + // is not valid + // {true, false, true}, } // The name of a service intention in consul is @@ -46,11 +63,23 @@ func TestController(t *testing.T) { } releaseName := helpers.RandomName() + + var bootstrapToken string + var helmConsulValues map[string]string + if c.useVault { + helmConsulValues, bootstrapToken = configureAndGetVaultHelmValues(t, ctx, cfg, releaseName, c.secure) + helpers.MergeMaps(helmConsulValues, helmValues) + } consulCluster := consul.NewHelmCluster(t, helmValues, ctx, cfg, releaseName) consulCluster.Create(t) consulClient, _ := consulCluster.SetupConsulClient(t, c.secure) + if c.useVault { + consulCluster.ACLToken = bootstrapToken + + } + // Test creation. { logger.Log(t, "creating custom resources") 
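Review bot: The Vault values may never reach the chart: `helpers.MergeMaps(helmConsulValues, helmValues)` is called and then `consul.NewHelmCluster(t, helmValues, ...)` is handed the original `helmValues`, so this only works if MergeMaps copies its first argument into its second — if it merges the other way (the usual reading of a `(dst, src)` signature) the Vault configuration is dropped and the `useVault` cases exercise a non-Vault cluster; confirm against the helper and name the direction in a short comment. `consulCluster.ACLToken = bootstrapToken` is assigned after `SetupConsulClient(t, c.secure)` has already built `consulClient`, so if that call reads the token it will not see the Vault-issued one; moving the assignment before it, or documenting why the order does not matter, would make the intent clear. The blank line left inside that `if c.useVault {` block should also go. `TestController`'s body starts and ends outside this hunk.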
@@ -340,3 +369,199 @@ func TestController(t *testing.T) { }) } } + +func configureAndGetVaultHelmValues(t *testing.T, ctx environment.TestContext, + cfg *config.TestConfig, consulReleaseName string, secure bool) (map[string]string, string) { + vaultReleaseName := helpers.RandomName() + ns := ctx.KubectlOptions(t).Namespace + + vaultCluster := vault.NewVaultCluster(t, ctx, cfg, vaultReleaseName, nil) + vaultCluster.Create(t, ctx, "") + // Vault is now installed in the cluster. + + // Now fetch the Vault client so we can create the policies and secrets. + vaultClient := vaultCluster.VaultClient(t) + + // ------------------------- + // PKI + // ------------------------- + // Configure Service Mesh CA + connectCAPolicy := "connect-ca-dc1" + connectCARootPath := "connect_root" + connectCAIntermediatePath := "dc1/connect_inter" + // Configure Policy for Connect CA + vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicy, connectCARootPath, connectCAIntermediatePath) + + // Configure Server PKI + serverPKIConfig := &vault.PKIAndAuthRoleConfiguration{ + BaseURL: "pki", + PolicyName: "consul-ca-policy", + RoleName: "consul-ca-role", + KubernetesNamespace: ns, + DataCenter: "dc1", + ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), + AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), + MaxTTL: "1h", + AuthMethodPath: "kubernetes", + } + serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) + + webhookCertTtl := 25 * time.Second + // Configure controller webhook PKI + controllerWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ + BaseURL: "controller", + PolicyName: "controller-ca-policy", + RoleName: "controller-ca-role", + KubernetesNamespace: ns, + DataCenter: "dc1", + ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller"), + AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"), + MaxTTL: webhookCertTtl.String(), + 
AuthMethodPath: "kubernetes", + CommonName: "Consul Webhook Certificates", + } + controllerWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) + + // Configure controller webhook PKI + connectInjectorWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ + BaseURL: "connect", + PolicyName: "connect-ca-policy", + RoleName: "connect-ca-role", + KubernetesNamespace: ns, + DataCenter: "dc1", + ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), + AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), + MaxTTL: webhookCertTtl.String(), + AuthMethodPath: "kubernetes", + CommonName: "Consul Webhook Certificates", + } + connectInjectorWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) + + // ------------------------- + // KV2 secrets + // ------------------------- + // Gossip key + gossipKey, err := vault.GenerateGossipSecret() + require.NoError(t, err) + gossipSecret := &vault.KV2Secret{ + Path: "consul/data/secret/gossip", + Key: "gossip", + Value: gossipKey, + PolicyName: "gossip", + } + gossipSecret.SaveSecretAndAddReadPolicy(t, vaultClient) + + // License + licenseSecret := &vault.KV2Secret{ + Path: "consul/data/secret/license", + Key: "license", + Value: cfg.EnterpriseLicense, + PolicyName: "license", + } + if cfg.EnableEnterprise { + licenseSecret.SaveSecretAndAddReadPolicy(t, vaultClient) + } + + // Bootstrap Token + bootstrapToken, err := uuid.GenerateUUID() + require.NoError(t, err) + bootstrapTokenSecret := &vault.KV2Secret{ + Path: "consul/data/secret/bootstrap", + Key: "token", + Value: bootstrapToken, + PolicyName: "bootstrap", + } + bootstrapTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient) + + // ------------------------- + // Additional Auth Roles + // ------------------------- + serverPolicies := fmt.Sprintf("%s,%s,%s,%s", gossipSecret.PolicyName, connectCAPolicy, serverPKIConfig.PolicyName, bootstrapTokenSecret.PolicyName) + if cfg.EnableEnterprise { + serverPolicies += 
fmt.Sprintf(",%s", licenseSecret.PolicyName) + } + + // server + consulServerRole := ServerRole + srvAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ + ServiceAccountName: serverPKIConfig.ServiceAccountName, + KubernetesNamespace: ns, + AuthMethodPath: KubernetesAuthMethodPath, + RoleName: consulServerRole, + PolicyNames: serverPolicies, + } + srvAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) + + // client + consulClientRole := ClientRole + consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, ClientRole) + clientAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ + ServiceAccountName: consulClientServiceAccountName, + KubernetesNamespace: ns, + AuthMethodPath: KubernetesAuthMethodPath, + RoleName: consulClientRole, + PolicyNames: gossipSecret.PolicyName, + } + clientAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) + + // manageSystemACLs + manageSystemACLsRole := ManageSystemACLsRole + manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, ManageSystemACLsRole) + aclAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ + ServiceAccountName: manageSystemACLsServiceAccountName, + KubernetesNamespace: ns, + AuthMethodPath: KubernetesAuthMethodPath, + RoleName: manageSystemACLsRole, + PolicyNames: bootstrapTokenSecret.PolicyName, + } + aclAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) + + // allow all components to access server ca + srvCAAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ + ServiceAccountName: "*", + KubernetesNamespace: ns, + AuthMethodPath: KubernetesAuthMethodPath, + RoleName: serverPKIConfig.RoleName, + PolicyNames: serverPKIConfig.PolicyName, + } + srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) + + vaultCASecret := vault.CASecretName(vaultReleaseName) + + consulHelmValues := map[string]string{ + "server.extraVolumes[0].type": "secret", + "server.extraVolumes[0].name": vaultCASecret, + "server.extraVolumes[0].load": "false", + + 
"global.secretsBackend.vault.enabled": "true", + "global.secretsBackend.vault.consulServerRole": consulServerRole, + "global.secretsBackend.vault.consulClientRole": consulClientRole, + "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, + "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, + + "global.secretsBackend.vault.ca.secretName": vaultCASecret, + "global.secretsBackend.vault.ca.secretKey": "tls.crt", + } + + if cfg.EnableEnterprise { + consulHelmValues["global.enterpriseLicense.secretName"] = licenseSecret.Path + consulHelmValues["global.enterpriseLicense.secretKey"] = licenseSecret.Key + } + + if secure { + consulHelmValues["server.serverCert.secretName"] = serverPKIConfig.CertPath + consulHelmValues["global.tls.caCert.secretName"] = serverPKIConfig.CAPath + consulHelmValues["global.secretsBackend.vault.connectInject.tlsCert.secretName"] = connectInjectorWebhookPKIConfig.CertPath + consulHelmValues["global.secretsBackend.vault.connectInject.caCert.secretName"] = connectInjectorWebhookPKIConfig.CAPath + consulHelmValues["global.secretsBackend.vault.controller.tlsCert.secretName"] = controllerWebhookPKIConfig.CertPath + consulHelmValues["global.secretsBackend.vault.controller.caCert.secretName"] = controllerWebhookPKIConfig.CAPath + consulHelmValues["global.secretsBackend.vault.consulConnectInjectRole"] = connectInjectorWebhookPKIConfig.RoleName + consulHelmValues["global.secretsBackend.vault.consulControllerRole"] = controllerWebhookPKIConfig.RoleName + consulHelmValues["global.acls.bootstrapToken.secretName"] = bootstrapTokenSecret.Path + consulHelmValues["global.acls.bootstrapToken.secretKey"] = bootstrapTokenSecret.Key + consulHelmValues["global.gossipEncryption.secretName"] = gossipSecret.Path + consulHelmValues["global.gossipEncryption.secretKey"] = gossipSecret.Key + } + + return consulHelmValues, bootstrapToken +} From 687b99e89841ed4d5b0da6b8007a06057bbc1fbb Mon Sep 17 00:00:00 2001 
From: John Murret Date: Tue, 31 May 2022 17:27:17 -0600 Subject: [PATCH 64/80] Webhook certs vault test - checking cert rotation. currently failing. --- acceptance/framework/consul/helm_cluster.go | 8 +++- .../tests/vault/vault_webhook_certs_test.go | 42 ++++++++++++++----- 2 files changed, 38 insertions(+), 12 deletions(-) diff --git a/acceptance/framework/consul/helm_cluster.go b/acceptance/framework/consul/helm_cluster.go index ca752509e9..151f0c852a 100644 --- a/acceptance/framework/consul/helm_cluster.go +++ b/acceptance/framework/consul/helm_cluster.go @@ -274,12 +274,16 @@ func (h *HelmCluster) Upgrade(t *testing.T, helmValues map[string]string) { } func (h *HelmCluster) CreatePortForwardTunnel(t *testing.T, remotePort int) string { - localPort := terratestk8s.GetAvailablePort(t) serverPod := fmt.Sprintf("%s-consul-server-0", h.releaseName) + return h.CreatePortForwardTunnelToResourcePort(t, serverPod, remotePort) +} + +func (h *HelmCluster) CreatePortForwardTunnelToResourcePort(t *testing.T, resourceName string, remotePort int) string { + localPort := terratestk8s.GetAvailablePort(t) tunnel := terratestk8s.NewTunnelWithLogger( h.helmOptions.KubectlOptions, terratestk8s.ResourceTypePod, - serverPod, + resourceName, localPort, remotePort, h.logger) diff --git a/acceptance/tests/vault/vault_webhook_certs_test.go b/acceptance/tests/vault/vault_webhook_certs_test.go index 573bdb5843..09647b774d 100644 --- a/acceptance/tests/vault/vault_webhook_certs_test.go +++ b/acceptance/tests/vault/vault_webhook_certs_test.go 
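Review bot: `CreatePortForwardTunnelToResourcePort` is a new exported method with no doc comment, and its name does not say the tunnel is to a pod even though `terratestk8s.ResourceTypePod` is hard-wired inside it; add `// CreatePortForwardTunnelToResourcePort opens a port-forward tunnel from a free local port to remotePort on the pod named resourceName and returns the local address to use.` (adjust the wording about the return value to match the tail of the method, which is outside this hunk). Since the resource type is fixed, `podName` would be a more honest parameter name than `resourceName`, or the type should become a parameter. The method's body continues past the end of the hunk.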
@@ -43,6 +43,14 @@ func TestVault_WebhookCerts(t *testing.T) { // Now fetch the Vault client so we can create the policies and secrets. vaultClient := vaultCluster.VaultClient(t) + // Initially tried toset the expiration to 5-20s to keep the test as short running as possible, + // but at those levels, the pods would fail to start becuase the certs had expired and would throw errors. + // 30s seconds seemed to consistently clear this issue and not have startup problems. + // If trying to go lower, be sure to run this several times in CI to ensure that there are little issues. + // If wanting to make this higher, there is no problem except for consideration of how long the test will + // take to complete. + expirationInSeconds := 30 + // ------------------------- // PKI // ------------------------- @@ -62,12 +70,11 @@ func TestVault_WebhookCerts(t *testing.T) { DataCenter: "dc1", ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), - MaxTTL: "1h", + MaxTTL: fmt.Sprintf("%ds", expirationInSeconds), AuthMethodPath: "kubernetes", } serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) - webhookCertTtl := 25 * time.Second // Configure controller webhook PKI controllerWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ BaseURL: "controller", @@ -77,7 +84,7 @@ func TestVault_WebhookCerts(t *testing.T) { DataCenter: "dc1", ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller"), AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"), - MaxTTL: webhookCertTtl.String(), + MaxTTL: fmt.Sprintf("%ds", expirationInSeconds), AuthMethodPath: "kubernetes", CommonName: "Consul Webhook Certificates", } 
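Review bot: The new comment block above `expirationInSeconds := 30` has typos and a wording slip — `toset` → `to set`, `becuase` → `because`, `30s seconds` → `30 seconds`, `there are little issues` → `there are no issues` — and the same block is carried verbatim into `vault_test.go` in the `@@ -46,6 +51,14 @@` hunk, so fix it in both. Holding the value as a `time.Duration` (`certTTL := 30 * time.Second`) would also let the later `time.Sleep` use it directly and the `MaxTTL` fields take `certTTL.String()`, as the removed `webhookCertTtl` did, instead of formatting an int with `%ds` in three places.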
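Review bot: Reducing the server PKI role's `MaxTTL` from `1h` to 30 seconds goes beyond what this test asserts: the rotation check added at the end of the test only examines the connect-injector webhook certificate, and the file's own header comment describes shortening the TTL for the controller and connect-inject PKI only. A 30s server certificate presumably means the Consul servers' TLS certs are re-issued continuously for the whole run, the very condition the new comment blames for pod startup failures at lower values; if server rotation is not under test, keeping `MaxTTL: "1h",` on `serverPKIConfig` narrows the test and removes a flakiness source. The same reduction is made to `serverPKIConfig` in `vault_test.go` (`@@ -65,11 +78,41 @@`).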
@@ -92,7 +99,7 @@ func TestVault_WebhookCerts(t *testing.T) { DataCenter: "dc1", ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), - MaxTTL: webhookCertTtl.String(), + MaxTTL: fmt.Sprintf("%ds", expirationInSeconds), AuthMethodPath: "kubernetes", CommonName: "Consul Webhook Certificates", } @@ -251,6 +258,20 @@ func TestVault_WebhookCerts(t *testing.T) { consulCluster := consul.NewHelmCluster(t, consulHelmValues, ctx, cfg, consulReleaseName) consulCluster.Create(t) + // Portforward to connect injector pod and get cert + client := environment.KubernetesClientFromOptions(t, kubectlOptions) + podList, err := client.CoreV1().Pods(kubectlOptions.Namespace).List(context.Background(), + metav1.ListOptions{LabelSelector: fmt.Sprintf("app=consul,component=connect-injector,release=%s", consulReleaseName)}) + require.NotEmpty(t, podList.Items) + connectInjectorPodName := podList.Items[0].Name + connectInjectorPodAddress := consulCluster.CreatePortForwardTunnelToResourcePort(t, connectInjectorPodName, 443) + connectInjectorCert, err := getCertificate(t, connectInjectorPodAddress) + require.NoError(t, err) + logger.Logf(t, "RPC expiry: %s \n", connectInjectorCert.NotAfter.String()) + + logger.Logf(t, "Wait %d seconds for certificates to rotate....", expirationInSeconds) + time.Sleep(time.Duration(expirationInSeconds) * time.Second) + // Validate that the gossip encryption key is set correctly. logger.Log(t, "Validating the gossip key has been set correctly.") consulCluster.ACLToken = bootstrapToken 
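Review bot: The error from `client.CoreV1().Pods(...).List(...)` is never checked — the next line is `require.NotEmpty(t, podList.Items)` and `err` is only reassigned by the `getCertificate` call — so a failed List surfaces as a confusing empty-list failure, or a nil dereference if the client returns a nil list on error; add `require.NoError(t, err)` directly after the List. The log line `RPC expiry: %s` describes the connect-injector webhook serving certificate, not an RPC certificate, so `logger.Logf(t, "connect-injector webhook cert expiry: %s", connectInjectorCert.NotAfter.String())` would read correctly in CI output. The same unchecked List and log text are repeated in `vault_test.go` (`@@ -217,6 +266,20 @@`).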
@@ -281,12 +302,6 @@ func TestVault_WebhookCerts(t *testing.T) { require.True(t, license.Valid) } - // Check that webhook-cert-manager is not deployed. - client := environment.KubernetesClientFromOptions(t, kubectlOptions) - deployments, err := client.AppsV1().Deployments(kubectlOptions.Namespace).List(context.Background(), metav1.ListOptions{LabelSelector: fmt.Sprintf("app=consul,component=webhook-cert-manager,release=%s", consulReleaseName)}) - require.NoError(t, err) - require.Empty(t, deployments.Items) - // Deploy two services and check that they can talk to each other. logger.Log(t, "creating static-server and static-client deployments") k8s.DeployKustomize(t, ctx.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-server-inject") @@ -306,4 +321,11 @@ func TestVault_WebhookCerts(t *testing.T) { } else { k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), StaticClientName, "http://localhost:1234") } + + connectInjectorCert2, err := getCertificate(t, connectInjectorPodAddress) + require.NoError(t, err) + logger.Logf(t, "RPC expiry: %s \n", connectInjectorCert2.NotAfter.String()) + // verify that a previous cert expired and that a new one has been issued + // by comparing the NotAfter on the two certs. + require.NotEqual(t, connectInjectorCert.NotAfter, connectInjectorCert2.NotAfter) } From 282057da92d890d7f9da8c7c422041550b05c71a Mon Sep 17 00:00:00 2001 From: John Murret Date: Wed, 1 Jun 2022 10:53:45 -0600 Subject: [PATCH 65/80] moved vault webhook stuff into main vault test and deleted the webhook cert specific test. --- acceptance/tests/vault/vault_test.go | 85 ++++- .../tests/vault/vault_webhook_certs_test.go | 331 ------------------ 2 files changed, 77 insertions(+), 339 deletions(-) delete mode 100644 acceptance/tests/vault/vault_webhook_certs_test.go diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go index f746f73ed1..ba3ad98fb8 100644 
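Review bot: `require.NotEqual(t, connectInjectorCert.NotAfter, connectInjectorCert2.NotAfter)` shows that a different certificate was served after the sleep but not that the rotated one is usable; adding `require.True(t, connectInjectorCert2.NotAfter.After(time.Now()), "rotated webhook cert is already expired")` pins that the webhook is serving an unexpired certificate at the end of the run. With `MaxTTL` set to the same 30s the test sleeps, the second fetch can also land in the middle of the next rotation, so a retry loop that waits for `NotAfter` to change would be less timing-dependent than one read after a fixed sleep. The same assertion is carried into `vault_test.go` (`@@ -266,4 +329,10 @@`).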
--- a/acceptance/tests/vault/vault_test.go +++ b/acceptance/tests/vault/vault_test.go @@ -1,11 +1,14 @@ package vault import ( + "context" "fmt" "testing" + "time" terratestLogger "github.com/gruntwork-io/terratest/modules/logger" "github.com/hashicorp/consul-k8s/acceptance/framework/consul" + "github.com/hashicorp/consul-k8s/acceptance/framework/environment" "github.com/hashicorp/consul-k8s/acceptance/framework/helpers" "github.com/hashicorp/consul-k8s/acceptance/framework/k8s" "github.com/hashicorp/consul-k8s/acceptance/framework/logger" @@ -13,6 +16,7 @@ import ( "github.com/hashicorp/go-uuid" "github.com/hashicorp/go-version" "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) const ( @@ -28,7 +32,8 @@ const ( func TestVault(t *testing.T) { cfg := suite.Config() ctx := suite.Environment().DefaultContext(t) - ns := ctx.KubectlOptions(t).Namespace + kubectlOptions := ctx.KubectlOptions(t) + ns := kubectlOptions.Namespace ver, err := version.NewVersion("1.12.0") require.NoError(t, err) @@ -46,6 +51,14 @@ func TestVault(t *testing.T) { // Now fetch the Vault client so we can create the policies and secrets. vaultClient := vaultCluster.VaultClient(t) + // Initially tried toset the expiration to 5-20s to keep the test as short running as possible, + // but at those levels, the pods would fail to start becuase the certs had expired and would throw errors. + // 30s seconds seemed to consistently clear this issue and not have startup problems. + // If trying to go lower, be sure to run this several times in CI to ensure that there are little issues. + // If wanting to make this higher, there is no problem except for consideration of how long the test will + // take to complete. + expirationInSeconds := 30 + // ------------------------- // PKI // ------------------------- 
@@ -65,11 +78,41 @@ func TestVault(t *testing.T) { DataCenter: "dc1", ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, ServerRole), AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, ServerRole), - MaxTTL: "1h", + MaxTTL: fmt.Sprintf("%ds", expirationInSeconds), AuthMethodPath: KubernetesAuthMethodPath, } serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) + // Configure controller webhook PKI + controllerWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ + BaseURL: "controller", + PolicyName: "controller-ca-policy", + RoleName: "controller-ca-role", + KubernetesNamespace: ns, + DataCenter: "dc1", + ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller"), + AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"), + MaxTTL: fmt.Sprintf("%ds", expirationInSeconds), + AuthMethodPath: KubernetesAuthMethodPath, + CommonName: "Consul Webhook Certificates", + } + controllerWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) + + // Configure controller webhook PKI + connectInjectorWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ + BaseURL: "connect", + PolicyName: "connect-ca-policy", + RoleName: "connect-ca-role", + KubernetesNamespace: ns, + DataCenter: "dc1", + ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), + AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), + MaxTTL: fmt.Sprintf("%ds", expirationInSeconds), + AuthMethodPath: KubernetesAuthMethodPath, + CommonName: "Consul Webhook Certificates", + } + connectInjectorWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) + // ------------------------- // KV2 secrets // ------------------------- 
@@ -169,12 +212,18 @@ func TestVault(t *testing.T) { "connectInject.enabled": "true", "connectInject.replicas": "1", "controller.enabled": "true", - - "global.secretsBackend.vault.enabled": "true", - "global.secretsBackend.vault.consulServerRole": consulServerRole, - "global.secretsBackend.vault.consulClientRole": consulClientRole, - "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, - "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, + "global.secretsBackend.vault.connectInject.tlsCert.secretName": connectInjectorWebhookPKIConfig.CertPath, + "global.secretsBackend.vault.connectInject.caCert.secretName": connectInjectorWebhookPKIConfig.CAPath, + "global.secretsBackend.vault.controller.tlsCert.secretName": controllerWebhookPKIConfig.CertPath, + "global.secretsBackend.vault.controller.caCert.secretName": controllerWebhookPKIConfig.CAPath, + + "global.secretsBackend.vault.enabled": "true", + "global.secretsBackend.vault.consulServerRole": consulServerRole, + "global.secretsBackend.vault.consulClientRole": consulClientRole, + "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, + "global.secretsBackend.vault.consulConnectInjectRole": connectInjectorWebhookPKIConfig.RoleName, + "global.secretsBackend.vault.consulControllerRole": controllerWebhookPKIConfig.RoleName, + "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, "global.secretsBackend.vault.ca.secretName": vaultCASecret, "global.secretsBackend.vault.ca.secretKey": "tls.crt", 
@@ -217,6 +266,20 @@ func TestVault(t *testing.T) {
 consulCluster := consul.NewHelmCluster(t, consulHelmValues, ctx, cfg, consulReleaseName)
 consulCluster.Create(t)
+ // Portforward to connect injector pod and get cert
+ client := environment.KubernetesClientFromOptions(t, kubectlOptions)
+ podList, err := client.CoreV1().Pods(kubectlOptions.Namespace).List(context.Background(),
+ metav1.ListOptions{LabelSelector: fmt.Sprintf("app=consul,component=connect-injector,release=%s", consulReleaseName)})
+ require.NotEmpty(t, podList.Items)
+ connectInjectorPodName := podList.Items[0].Name
+ connectInjectorPodAddress := consulCluster.CreatePortForwardTunnelToResourcePort(t, connectInjectorPodName, 8080)
+ connectInjectorCert, err := getCertificate(t, connectInjectorPodAddress)
+ require.NoError(t, err)
+ logger.Logf(t, "RPC expiry: %s \n", connectInjectorCert.NotAfter.String())
+
+ logger.Logf(t, "Wait %d seconds for certificates to rotate....", expirationInSeconds)
+ time.Sleep(time.Duration(expirationInSeconds) * time.Second)
+
 // Validate that the gossip encryption key is set correctly.
 logger.Log(t, "Validating the gossip key has been set correctly.")
 consulCluster.ACLToken = bootstrapToken
@@ -266,4 +329,10 @@ func TestVault(t *testing.T) {
 } else {
 k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), StaticClientName, "http://localhost:1234")
 }
+
+ connectInjectorCert2, err := getCertificate(t, connectInjectorPodAddress)
+ require.NoError(t, err)
+ // verify that a previous cert expired and that a new one has been issued
+ // by comparing the NotAfter on the two certs.
+ require.NotEqual(t, connectInjectorCert.NotAfter, connectInjectorCert2.NotAfter)
 }
diff --git a/acceptance/tests/vault/vault_webhook_certs_test.go b/acceptance/tests/vault/vault_webhook_certs_test.go
deleted file mode 100644
index 09647b774d..0000000000
--- a/acceptance/tests/vault/vault_webhook_certs_test.go
+++ /dev/null
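Review bot: The `err` returned by the pod `List` is never checked before `podList.Items` is dereferenced, so an API failure surfaces as a nil-pointer panic instead of the real error; `require.NoError(t, err)` belongs immediately before `require.NotEmpty(t, podList.Items)`. The log line `logger.Logf(t, "RPC expiry: %s \n", ...)` labels the connect-injector webhook certificate as an RPC cert, which reads as copied from the TLS auto-reload test and will mislead anyone reading CI output; `logger.Logf(t, "connect-injector webhook cert expiry: %s", connectInjectorCert.NotAfter.String())` is accurate. The tunnel targets pod port 8080 where the deleted test below used 443; a short comment naming the webhook's listen port would spare the next reader the lookup. TestVault's body starts and ends outside this hunk.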
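Review bot: `require.NotEqual` on the two `NotAfter` values only proves the expiry changed, not that a fresh and still-valid certificate is being served: it would also pass if the second dial returned an older certificate, and it says nothing about whether the cert now presented has itself expired, which is the failure mode a rotation test exists to catch. Stronger and just as cheap: `require.True(t, connectInjectorCert2.NotAfter.After(connectInjectorCert.NotAfter))`, `require.True(t, time.Now().Before(connectInjectorCert2.NotAfter))`, and `require.Equal(t, connectInjectorCert.Issuer, connectInjectorCert2.Issuer)` to confirm the replacement came from the same Vault PKI mount. The comment above the assertion should then say what is actually checked rather than "compare the NotAfter".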
@@ -1,331 +0,0 @@ -package vault - -import ( - "context" - "fmt" - "testing" - "time" - - terratestLogger "github.com/gruntwork-io/terratest/modules/logger" - "github.com/hashicorp/consul-k8s/acceptance/framework/consul" - "github.com/hashicorp/consul-k8s/acceptance/framework/environment" - "github.com/hashicorp/consul-k8s/acceptance/framework/helpers" - "github.com/hashicorp/consul-k8s/acceptance/framework/k8s" - "github.com/hashicorp/consul-k8s/acceptance/framework/logger" - "github.com/hashicorp/consul-k8s/acceptance/framework/vault" - "github.com/hashicorp/go-uuid" - "github.com/stretchr/testify/require" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -// TestVault_WebhookCerts installs Vault, bootstraps it with secrets, policies, and Kube Auth Method. -// It then configures Consul to use vault as the backend and checks that it works -// by turning off web cert manager and configuring controller and connect injector -// to receive ca bundles and tls certs from Vault PKI engine. -// This test is modeled after TestVault() with the addition of: -// - ensuring webhook-cert-manager is not deployed. -// - setting the maxTTL for both controller and connect-inject PKI to rotate -// to ensure that certificate rotation occurs properly and without error. - -func TestVault_WebhookCerts(t *testing.T) { - cfg := suite.Config() - ctx := suite.Environment().DefaultContext(t) - kubectlOptions := ctx.KubectlOptions(t) - ns := kubectlOptions.Namespace - - consulReleaseName := helpers.RandomName() - vaultReleaseName := helpers.RandomName() - - vaultCluster := vault.NewVaultCluster(t, ctx, cfg, vaultReleaseName, nil) - vaultCluster.Create(t, ctx, "") - // Vault is now installed in the cluster. - - // Now fetch the Vault client so we can create the policies and secrets. 
- vaultClient := vaultCluster.VaultClient(t) - - // Initially tried toset the expiration to 5-20s to keep the test as short running as possible, - // but at those levels, the pods would fail to start becuase the certs had expired and would throw errors. - // 30s seconds seemed to consistently clear this issue and not have startup problems. - // If trying to go lower, be sure to run this several times in CI to ensure that there are little issues. - // If wanting to make this higher, there is no problem except for consideration of how long the test will - // take to complete. - expirationInSeconds := 30 - - // ------------------------- - // PKI - // ------------------------- - // Configure Service Mesh CA - connectCAPolicy := "connect-ca-dc1" - connectCARootPath := "connect_root" - connectCAIntermediatePath := "dc1/connect_inter" - // Configure Policy for Connect CA - vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicy, connectCARootPath, connectCAIntermediatePath) - - // Configure Server PKI - serverPKIConfig := &vault.PKIAndAuthRoleConfiguration{ - BaseURL: "pki", - PolicyName: "consul-ca-policy", - RoleName: "consul-ca-role", - KubernetesNamespace: ns, - DataCenter: "dc1", - ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), - AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), - MaxTTL: fmt.Sprintf("%ds", expirationInSeconds), - AuthMethodPath: "kubernetes", - } - serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) - - // Configure controller webhook PKI - controllerWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ - BaseURL: "controller", - PolicyName: "controller-ca-policy", - RoleName: "controller-ca-role", - KubernetesNamespace: ns, - DataCenter: "dc1", - ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller"), - AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"), - MaxTTL: fmt.Sprintf("%ds", 
expirationInSeconds), - AuthMethodPath: "kubernetes", - CommonName: "Consul Webhook Certificates", - } - controllerWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) - - // Configure controller webhook PKI - connectInjectorWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{ - BaseURL: "connect", - PolicyName: "connect-ca-policy", - RoleName: "connect-ca-role", - KubernetesNamespace: ns, - DataCenter: "dc1", - ServiceAccountName: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), - AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), - MaxTTL: fmt.Sprintf("%ds", expirationInSeconds), - AuthMethodPath: "kubernetes", - CommonName: "Consul Webhook Certificates", - } - connectInjectorWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) - - // ------------------------- - // KV2 secrets - // ------------------------- - // Gossip key - gossipKey, err := vault.GenerateGossipSecret() - require.NoError(t, err) - gossipSecret := &vault.KV2Secret{ - Path: "consul/data/secret/gossip", - Key: "gossip", - Value: gossipKey, - PolicyName: "gossip", - } - gossipSecret.SaveSecretAndAddReadPolicy(t, vaultClient) - - // License - licenseSecret := &vault.KV2Secret{ - Path: "consul/data/secret/license", - Key: "license", - Value: cfg.EnterpriseLicense, - PolicyName: "license", - } - if cfg.EnableEnterprise { - licenseSecret.SaveSecretAndAddReadPolicy(t, vaultClient) - } - - // Bootstrap Token - bootstrapToken, err := uuid.GenerateUUID() - require.NoError(t, err) - bootstrapTokenSecret := &vault.KV2Secret{ - Path: "consul/data/secret/bootstrap", - Key: "token", - Value: bootstrapToken, - PolicyName: "bootstrap", - } - bootstrapTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient) - - // ------------------------- - // Additional Auth Roles - // ------------------------- - serverPolicies := fmt.Sprintf("%s,%s,%s,%s", gossipSecret.PolicyName, connectCAPolicy, serverPKIConfig.PolicyName, bootstrapTokenSecret.PolicyName) - if 
cfg.EnableEnterprise { - serverPolicies += fmt.Sprintf(",%s", licenseSecret.PolicyName) - } - - // server - consulServerRole := ServerRole - srvAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ - ServiceAccountName: serverPKIConfig.ServiceAccountName, - KubernetesNamespace: ns, - AuthMethodPath: KubernetesAuthMethodPath, - RoleName: consulServerRole, - PolicyNames: serverPolicies, - } - srvAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) - - // client - consulClientRole := ClientRole - consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, ClientRole) - clientAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ - ServiceAccountName: consulClientServiceAccountName, - KubernetesNamespace: ns, - AuthMethodPath: KubernetesAuthMethodPath, - RoleName: consulClientRole, - PolicyNames: gossipSecret.PolicyName, - } - clientAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) - - // manageSystemACLs - manageSystemACLsRole := ManageSystemACLsRole - manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, ManageSystemACLsRole) - aclAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ - ServiceAccountName: manageSystemACLsServiceAccountName, - KubernetesNamespace: ns, - AuthMethodPath: KubernetesAuthMethodPath, - RoleName: manageSystemACLsRole, - PolicyNames: bootstrapTokenSecret.PolicyName, - } - aclAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) - - // allow all components to access server ca - srvCAAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ - ServiceAccountName: "*", - KubernetesNamespace: ns, - AuthMethodPath: KubernetesAuthMethodPath, - RoleName: serverPKIConfig.RoleName, - PolicyNames: serverPKIConfig.PolicyName, - } - srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) - - vaultCASecret := vault.CASecretName(vaultReleaseName) - - consulHelmValues := map[string]string{ - "server.extraVolumes[0].type": "secret", - "server.extraVolumes[0].name": vaultCASecret, - 
"server.extraVolumes[0].load": "false", - - "connectInject.enabled": "true", - "connectInject.replicas": "1", - "controller.enabled": "true", - "global.secretsBackend.vault.connectInject.tlsCert.secretName": connectInjectorWebhookPKIConfig.CertPath, - "global.secretsBackend.vault.connectInject.caCert.secretName": connectInjectorWebhookPKIConfig.CAPath, - "global.secretsBackend.vault.controller.tlsCert.secretName": controllerWebhookPKIConfig.CertPath, - "global.secretsBackend.vault.controller.caCert.secretName": controllerWebhookPKIConfig.CAPath, - - "global.secretsBackend.vault.enabled": "true", - "global.secretsBackend.vault.consulServerRole": consulServerRole, - "global.secretsBackend.vault.consulClientRole": consulClientRole, - "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, - "global.secretsBackend.vault.consulConnectInjectRole": connectInjectorWebhookPKIConfig.RoleName, - "global.secretsBackend.vault.consulControllerRole": controllerWebhookPKIConfig.RoleName, - "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, - - "global.secretsBackend.vault.ca.secretName": vaultCASecret, - "global.secretsBackend.vault.ca.secretKey": "tls.crt", - - "global.secretsBackend.vault.connectCA.address": vaultCluster.Address(), - "global.secretsBackend.vault.connectCA.rootPKIPath": connectCARootPath, - "global.secretsBackend.vault.connectCA.intermediatePKIPath": connectCAIntermediatePath, - - "global.acls.manageSystemACLs": "true", - "global.acls.bootstrapToken.secretName": bootstrapTokenSecret.Path, - "global.acls.bootstrapToken.secretKey": bootstrapTokenSecret.Key, - "global.tls.enabled": "true", - "global.gossipEncryption.secretName": gossipSecret.Path, - "global.gossipEncryption.secretKey": gossipSecret.Key, - - "ingressGateways.enabled": "true", - "ingressGateways.defaults.replicas": "1", - "terminatingGateways.enabled": "true", - "terminatingGateways.defaults.replicas": "1", - - "server.serverCert.secretName": 
serverPKIConfig.CertPath, - "global.tls.caCert.secretName": serverPKIConfig.CAPath, - "global.tls.enableAutoEncrypt": "true", - - // For sync catalog, it is sufficient to check that the deployment is running and ready - // because we only care that get-auto-encrypt-client-ca init container was able - // to talk to the Consul server using the CA from Vault. For this reason, - // we don't need any services to be synced in either direction. - "syncCatalog.enabled": "true", - "syncCatalog.toConsul": "false", - "syncCatalog.toK8S": "false", - } - - if cfg.EnableEnterprise { - consulHelmValues["global.enterpriseLicense.secretName"] = licenseSecret.Path - consulHelmValues["global.enterpriseLicense.secretKey"] = licenseSecret.Key - } - - logger.Log(t, "Installing Consul") - consulCluster := consul.NewHelmCluster(t, consulHelmValues, ctx, cfg, consulReleaseName) - consulCluster.Create(t) - - // Portforward to connect injector pod and get cert - client := environment.KubernetesClientFromOptions(t, kubectlOptions) - podList, err := client.CoreV1().Pods(kubectlOptions.Namespace).List(context.Background(), - metav1.ListOptions{LabelSelector: fmt.Sprintf("app=consul,component=connect-injector,release=%s", consulReleaseName)}) - require.NotEmpty(t, podList.Items) - connectInjectorPodName := podList.Items[0].Name - connectInjectorPodAddress := consulCluster.CreatePortForwardTunnelToResourcePort(t, connectInjectorPodName, 443) - connectInjectorCert, err := getCertificate(t, connectInjectorPodAddress) - require.NoError(t, err) - logger.Logf(t, "RPC expiry: %s \n", connectInjectorCert.NotAfter.String()) - - logger.Logf(t, "Wait %d seconds for certificates to rotate....", expirationInSeconds) - time.Sleep(time.Duration(expirationInSeconds) * time.Second) - - // Validate that the gossip encryption key is set correctly. 
- logger.Log(t, "Validating the gossip key has been set correctly.") - consulCluster.ACLToken = bootstrapToken - consulClient, _ := consulCluster.SetupConsulClient(t, true) - keys, err := consulClient.Operator().KeyringList(nil) - require.NoError(t, err) - // There are two identical keys for LAN and WAN since there is only 1 dc. - require.Len(t, keys, 2) - require.Equal(t, 1, keys[0].PrimaryKeys[gossipKey]) - - // Confirm that the Vault Connect CA has been bootstrapped correctly. - caConfig, _, err := consulClient.Connect().CAGetConfig(nil) - require.NoError(t, err) - require.Equal(t, caConfig.Provider, "vault") - - // Validate that consul sever is running correctly and the consul members command works - logger.Log(t, "Confirming that we can run Consul commands when exec'ing into server container") - membersOutput, err := k8s.RunKubectlAndGetOutputWithLoggerE(t, ctx.KubectlOptions(t), terratestLogger.Discard, "exec", fmt.Sprintf("%s-consul-server-0", consulReleaseName), "-c", "consul", "--", "sh", "-c", fmt.Sprintf("CONSUL_HTTP_TOKEN=%s consul members", bootstrapToken)) - logger.Logf(t, "Members: \n%s", membersOutput) - require.NoError(t, err) - require.Contains(t, membersOutput, fmt.Sprintf("%s-consul-server-0", consulReleaseName)) - - if cfg.EnableEnterprise { - // Validate that the enterprise license is set correctly. - logger.Log(t, "Validating the enterprise license has been set correctly.") - license, licenseErr := consulClient.Operator().LicenseGet(nil) - require.NoError(t, licenseErr) - require.True(t, license.Valid) - } - - // Deploy two services and check that they can talk to each other. 
- logger.Log(t, "creating static-server and static-client deployments") - k8s.DeployKustomize(t, ctx.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-server-inject") - if cfg.EnableTransparentProxy { - k8s.DeployKustomize(t, ctx.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-client-tproxy") - } else { - k8s.DeployKustomize(t, ctx.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-client-inject") - } - helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() { - k8s.KubectlDeleteK(t, ctx.KubectlOptions(t), "../fixtures/bases/intention") - }) - k8s.KubectlApplyK(t, ctx.KubectlOptions(t), "../fixtures/bases/intention") - - logger.Log(t, "checking that connection is successful") - if cfg.EnableTransparentProxy { - k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), StaticClientName, "http://static-server") - } else { - k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), StaticClientName, "http://localhost:1234") - } - - connectInjectorCert2, err := getCertificate(t, connectInjectorPodAddress) - require.NoError(t, err) - logger.Logf(t, "RPC expiry: %s \n", connectInjectorCert2.NotAfter.String()) - // verify that a previous cert expired and that a new one has been issued - // by comparing the NotAfter on the two certs. - require.NotEqual(t, connectInjectorCert.NotAfter, connectInjectorCert2.NotAfter) -} From 26e2c345921959d7e7b18241ad8112a162a2f01e Mon Sep 17 00:00:00 2001 From: John Murret Date: Wed, 1 Jun 2022 11:05:15 -0600 Subject: [PATCH 66/80] getting rid of lint error --- acceptance/tests/vault/vault_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go index ba3ad98fb8..620128848b 100644 --- a/acceptance/tests/vault/vault_test.go +++ b/acceptance/tests/vault/vault_test.go 
@@ -270,6 +270,7 @@ func TestVault(t *testing.T) {
 client := environment.KubernetesClientFromOptions(t, kubectlOptions)
 podList, err := client.CoreV1().Pods(kubectlOptions.Namespace).List(context.Background(),
 metav1.ListOptions{LabelSelector: fmt.Sprintf("app=consul,component=connect-injector,release=%s", consulReleaseName)})
+ require.NoError(t, err)
 require.NotEmpty(t, podList.Items)
 connectInjectorPodName := podList.Items[0].Name
 connectInjectorPodAddress := consulCluster.CreatePortForwardTunnelToResourcePort(t, connectInjectorPodName, 8080)
From dffe549d749e7ca7b72818ae59e616aa3cd0bcb6 Mon Sep 17 00:00:00 2001 From: John Murret Date: Wed, 1 Jun 2022 11:16:59 -0600 Subject: [PATCH 67/80] refactoring long conditional in webhook-cert-manager files into a variable for readability
---
 charts/consul/templates/webhook-cert-manager-clusterrole.yaml | 3 ++- .../templates/webhook-cert-manager-clusterrolebinding.yaml | 3 ++- charts/consul/templates/webhook-cert-manager-configmap.yaml | 3 ++- charts/consul/templates/webhook-cert-manager-deployment.yaml | 3 ++- .../templates/webhook-cert-manager-podsecuritypolicy.yaml | 3 ++- .../consul/templates/webhook-cert-manager-serviceaccount.yaml | 3 ++- 6 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml
index 783f99b7fa..82d2111fbb 100644
--- a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml
+++ b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml
@@ -1,4 +1,5 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml
index 115be64a1f..90bee7319a 100644
--- a/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml
+++ b/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml
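Review bot: The seven-term `$hasConfiguredWebhookCertsUsingVault` expression is now pasted verbatim into six templates (this ClusterRole plus the ClusterRoleBinding, ConfigMap, Deployment, PodSecurityPolicy and ServiceAccount in the same commit); if one copy drifts, for instance when a new `global.secretsBackend.vault.*` value is added to five of them, part of webhook-cert-manager renders while the rest does not, a half-deployed state that is hard to notice in a chart. A named template in `_helpers.tpl`, e.g. `{{- define "consul.vaultWebhookCertsConfigured" -}}` wrapping the same `and` and consumed via `include`, keeps one source of truth. Note that `include` returns a string, so the helper must emit an empty string for the false case (`{{- if (and ...) -}}true{{- end -}}`) rather than a literal `false`, which `not` would treat as truthy. The template's body continues outside the hunk.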
@@ -1,4 +1,5 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-configmap.yaml b/charts/consul/templates/webhook-cert-manager-configmap.yaml
index eae95ba4f1..1d57d2c53c 100644
--- a/charts/consul/templates/webhook-cert-manager-configmap.yaml
+++ b/charts/consul/templates/webhook-cert-manager-configmap.yaml
@@ -1,4 +1,5 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-deployment.yaml b/charts/consul/templates/webhook-cert-manager-deployment.yaml
index b209bd61bf..7c4d3ba17a 100644
--- a/charts/consul/templates/webhook-cert-manager-deployment.yaml
+++ b/charts/consul/templates/webhook-cert-manager-deployment.yaml
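Review bot: Gating on all seven values means a cluster with `controller.enabled: false` that configures Vault-issued certs for connect-inject alone still renders webhook-cert-manager and this ConfigMap; whether the manager then also rewrites the connect-inject webhook's `caBundle` depends on the entries below the hunk, which are not visible here, but if it does, two writers (the Vault-agent-issued CA and webhook-cert-manager's self-signed one) would race on the same MutatingWebhookConfiguration and the webhook would intermittently fail TLS. Either the condition should be per-webhook, with the `controller` terms required only when `.Values.controller.enabled`, or a comment above the gate should state the contract, e.g. `# webhook-cert-manager is skipped only when BOTH the controller and connect-inject webhook certs come from Vault; partial Vault configuration still deploys it.` The ConfigMap's data section continues outside the hunk.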
@@ -1,4 +1,5 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml
index 66fb5326d8..4b37614340 100644
--- a/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml
+++ b/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml
@@ -1,4 +1,5 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) .Values.global.enablePodSecurityPolicies (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) .Values.global.enablePodSecurityPolicies (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml b/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
index a461f25103..f34c43dcda 100644
--- a/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
+++ b/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
@@ -1,4 +1,5 @@
-{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName))) }}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
From 5ea8b94bbc311e5b8079aee446358879ae58e592 Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 2 Jun 2022 11:38:42 -0600 Subject: [PATCH 68/80] addressing PR feedback
---
 acceptance/tests/vault/vault_test.go | 7 ++- .../tests/vault/vault_tls_auto_reload_test.go | 47 +++++++++---------- .../templates/connect-inject-deployment.yaml | 2 +- charts/consul/values.yaml | 36 +++++++------- .../subcommand/inject-connect/command.go | 1 + 5 files changed, 46 insertions(+), 47 deletions(-)
diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go
index 620128848b..42a3386fb8 100644
--- a/acceptance/tests/vault/vault_test.go
+++ b/acceptance/tests/vault/vault_test.go
@@ -98,7 +98,7 @@ func TestVault(t *testing.T) {
 }
 controllerWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient)
- // Configure controller webhook PKI
+ // Configure connect injector webhook PKI
 connectInjectorWebhookPKIConfig := &vault.PKIAndAuthRoleConfiguration{
 BaseURL: "connect",
 PolicyName: "connect-ca-policy",
@@ -274,7 +274,7 @@ func TestVault(t *testing.T) {
 require.NotEmpty(t, podList.Items)
 connectInjectorPodName := podList.Items[0].Name
 connectInjectorPodAddress := consulCluster.CreatePortForwardTunnelToResourcePort(t, connectInjectorPodName, 8080)
- connectInjectorCert, err := getCertificate(t, connectInjectorPodAddress)
+ connectInjectorCert := getCertificate(t, connectInjectorPodAddress)
 require.NoError(t, err)
 logger.Logf(t, "RPC expiry: %s \n", connectInjectorCert.NotAfter.String())
@@ -331,8 +331,7 @@ func TestVault(t *testing.T) {
 k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), StaticClientName, "http://localhost:1234")
 }
- connectInjectorCert2, err := getCertificate(t, connectInjectorPodAddress)
- require.NoError(t, err)
+ connectInjectorCert2 := getCertificate(t, connectInjectorPodAddress)
 // verify that a previous cert expired and that a new one has been issued
 // by comparing the NotAfter on the two certs.
 require.NotEqual(t, connectInjectorCert.NotAfter, connectInjectorCert2.NotAfter)
diff --git a/acceptance/tests/vault/vault_tls_auto_reload_test.go b/acceptance/tests/vault/vault_tls_auto_reload_test.go
index 6cbcb5d351..f89346fa5a 100644
--- a/acceptance/tests/vault/vault_tls_auto_reload_test.go
+++ b/acceptance/tests/vault/vault_tls_auto_reload_test.go
@@ -15,6 +15,7 @@ import (
 "github.com/hashicorp/consul-k8s/acceptance/framework/vault"
 "github.com/hashicorp/go-uuid"
 "github.com/hashicorp/go-version"
+ "github.com/hashicorp/serf/testutil/retry"
 "github.com/stretchr/testify/require"
 )
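Review bot: In the `@@ -274` hunk the context line `require.NoError(t, err)` survives the switch to the single-return `getCertificate`, so it now re-asserts the stale `err` from the pod `List` (already checked a line above the hunk) and guards nothing; it should be dropped, as the `@@ -331` hunk correctly does for the second call. Leaving it suggests to a reader that `getCertificate` still reports an error, when it now fails the test itself through `retry`. The `RPC expiry` log label is still wrong for a webhook certificate and could be fixed in the same pass. TestVault's body starts and ends outside these hunks.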
@@ -227,12 +228,10 @@ func TestVault_TLSAutoReload(t *testing.T) {
 rpcAddress := consulCluster.CreatePortForwardTunnel(t, 8300)
 // here we can verify that the cert expiry changed
- httpsCert, err := getCertificate(t, httpsAddress)
- require.NoError(t, err)
+ httpsCert := getCertificate(t, httpsAddress)
 logger.Logf(t, "HTTPS expiry: %s \n", httpsCert.NotAfter.String())
- rpcCert, err := getCertificate(t, rpcAddress)
- require.NoError(t, err)
+ rpcCert := getCertificate(t, rpcAddress)
 logger.Logf(t, "RPC expiry: %s \n", rpcCert.NotAfter.String())
 // Validate that consul sever is running correctly and the consul members command works
@@ -265,12 +264,10 @@ func TestVault_TLSAutoReload(t *testing.T) {
 logger.Logf(t, "Wait %d seconds for certificates to rotate....", expirationInSeconds)
 time.Sleep(time.Duration(expirationInSeconds) * time.Second)
- httpsCert2, err := getCertificate(t, httpsAddress)
- require.NoError(t, err)
+ httpsCert2 := getCertificate(t, httpsAddress)
 logger.Logf(t, "HTTPS 2 expiry: %s \n", httpsCert2.NotAfter.String())
- rpcCert2, err := getCertificate(t, rpcAddress)
- require.NoError(t, err)
+ rpcCert2 := getCertificate(t, rpcAddress)
 logger.Logf(t, "RPC 2 expiry: %s \n", rpcCert2.NotAfter.String())
 // verify that a previous cert expired and that a new one has been issued
@@ -280,22 +277,24 @@ func TestVault_TLSAutoReload(t *testing.T) {
 }
-func getCertificate(t *testing.T, address string) (*x509.Certificate, error) {
- logger.Log(t, "Checking TLS....")
- conf := &tls.Config{
- InsecureSkipVerify: true,
- }
-
- logger.Logf(t, "Dialing %s", address)
- conn, err := tls.Dial("tcp", address, conf)
- if err != nil {
- logger.Log(t, "Error in Dial", err)
- return nil, err
- }
+func getCertificate(t *testing.T, address string) *x509.Certificate {
+ var conn tls.Conn
+ var cert *x509.Certificate
 defer conn.Close()
- connState := conn.ConnectionState()
- logger.Logf(t, "Connection State: %+v", connState)
- cert := connState.PeerCertificates[0]
- return cert, nil
+ retry.RunWith(&retry.Counter{Wait: 1 * time.Second, Count: 20}, t, func(r *retry.R) {
+ logger.Log(t, "Checking TLS....")
+ conf := &tls.Config{
+ InsecureSkipVerify: true,
+ }
+
+ logger.Logf(t, "Dialing %s", address)
+ conn, err := tls.Dial("tcp", address, conf)
+ require.NoError(r, err)
+
+ connState := conn.ConnectionState()
+ logger.Logf(t, "Connection State: %+v", connState)
+ cert = connState.PeerCertificates[0]
+ })
+ return cert
 }
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
index de1ad5d360..cf79f9d2c5 100644
--- a/charts/consul/templates/connect-inject-deployment.yaml
+++ b/charts/consul/templates/connect-inject-deployment.yaml
@@ -281,7 +281,7 @@ spec:
 - name: certs
 mountPath: /etc/connect-injector/certs
 readOnly: true
- {{- end}}
+ {{- end }}
 - mountPath: /consul/login
 name: consul-data
 readOnly: true
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index 23991acb18..a790cc61d8 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
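Review bot: `var conn tls.Conn` with the retained `defer conn.Close()` closes a zero-value `tls.Conn`, not the dialed one: inside the retry closure `conn, err := tls.Dial(...)` uses `:=` and so declares a fresh `conn` that is never closed (one leaked connection per attempt), while the deferred `Close` on the outer value runs against a nil underlying `net.Conn` when the function returns. The dialed connection should be closed inside the closure once the peer certificate has been read, and the outer variable removed. `PeerCertificates[0]` is indexed without a length check; a handshake with `InsecureSkipVerify: true` still requires a server certificate, but a `require.NotEmpty(r, ...)` makes the failure explicit, and a comment should say verification is skipped on purpose because the test only wants the presented leaf. Logging `%+v` of the whole `ConnectionState` also dumps every peer certificate into the test log; logging `Subject` and `NotAfter` is enough.
```go
func getCertificate(t *testing.T, address string) *x509.Certificate {
	var cert *x509.Certificate
	retry.RunWith(&retry.Counter{Wait: 1 * time.Second, Count: 20}, t, func(r *retry.R) {
		logger.Logf(t, "Dialing %s", address)
		// Verification is skipped deliberately: the test only reads the leaf the
		// server presents; it does not validate the chain here.
		conn, err := tls.Dial("tcp", address, &tls.Config{InsecureSkipVerify: true})
		require.NoError(r, err)
		defer conn.Close()

		peerCerts := conn.ConnectionState().PeerCertificates
		require.NotEmpty(r, peerCerts)
		cert = peerCerts[0]
		logger.Logf(t, "Peer certificate subject=%s notAfter=%s", cert.Subject, cert.NotAfter)
	})
	return cert
}
```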
@@ -195,6 +195,24 @@ global: # and check the name of `metadata.name`. adminPartitionsRole: "" + # The Vault role for consul controller to read the Consul controllers's + # CA Certificate and the webhook certificate and private key. + # A Vault policy must be created which grants read capabilities to + # `global.secretsBackend.vault.controller.tlsCert.secretName`. + consulControllerRole: "" + + # The Vault role for consul connect inject to read the Consul controller's + # CA Certificate and the webhook certificate and private key. + # A Vault policy must be created which grants read capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + consulConnectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + # This value defines additional annotations for # Vault agent on any pods where it'll be running. # This should be formatted as a multi-line string. @@ -208,12 +226,6 @@ global: # @type: string agentAnnotations: null - # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). - # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it - # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants - # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. - consulCARole: "" - # Configuration for Vault server CA certificate. This certificate will be mounted # to any pod where Vault agent needs to run. ca: 
@@ -282,12 +294,6 @@ global: # @type: string secretName: null - # The Vault role for consul controller to read the Consul controllers's - # CA Certificate and the webhook certificate and private key. - # A Vault policy must be created which grants read capabilities to - # `global.secretsBackend.vault.controller.tlsCert.secretName`. - consulControllerRole: "" - connectInject: # The directory that Kubernetes will use on Kubernetes CRD creation, # deletion, and update, to get CA certificates used issued from vault @@ -307,12 +313,6 @@ global: # @type: string secretName: null - # The Vault role for consul connect inject to read the Consul controller's - # CA Certificate and the webhook certificate and private key. - # A Vault policy must be created which grants read capabilities to - # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. - consulConnectInjectRole: "" - # Configures Consul's gossip encryption key. # (see `-encrypt` (https://www.consul.io/docs/agent/config/cli-flags#_encrypt)). # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go index afb2be5505..ef15998244 100644 --- a/control-plane/subcommand/inject-connect/command.go +++ b/control-plane/subcommand/inject-connect/command.go @@ -480,6 +480,7 @@ func (c *Command) Run(args []string) int { if err := mgr.Start(ctx); err != nil { setupLog.Error(err, "problem running manager") + return 1 } c.UI.Info("shutting down") return 0 From fcf5cac7e93f05016fd68e3533749e10abc5ba6e Mon Sep 17 00:00:00 2001 
From: John Murret Date: Thu, 2 Jun 2022 15:35:22 -0600 Subject: [PATCH 69/80] Apply suggestions from code review Co-authored-by: Iryna Shustava --- CHANGELOG.md | 2 +- acceptance/tests/controller/controller_test.go | 1 - acceptance/tests/vault/vault_test.go | 2 +- charts/consul/values.yaml | 12 ++++++------ 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 07704fde5f..386112f00c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ IMPROVEMENTS: * Control Plane - * Enable configure Connect Injector and Controller Webhooks to be managed by Vault. [[GH-1191](https://github.com/hashicorp/consul-k8s/pull/1191/)] + * Enable configuring Connect Injector and Controller Webhooks' certificates to be managed by Vault. [[GH-1191](https://github.com/hashicorp/consul-k8s/pull/1191/)] * Helm * Enable the configuring of snapshot intervals in the client snapshot agent via `client.snapshotAgent.interval`. [[GH-1235](https://github.com/hashicorp/consul-k8s/pull/1235)] * Enable configuring the pod topologySpreadConstraints for mesh, terminating, and ingress gateways. [[GH-1257](https://github.com/hashicorp/consul-k8s/pull/1257)] diff --git a/acceptance/tests/controller/controller_test.go b/acceptance/tests/controller/controller_test.go index 505df3d6f3..3e7bc4e691 100644 --- a/acceptance/tests/controller/controller_test.go +++ b/acceptance/tests/controller/controller_test.go @@ -77,7 +77,6 @@ func TestController(t *testing.T) { if c.useVault { consulCluster.ACLToken = bootstrapToken - } // Test creation. diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go index 42a3386fb8..a8eae40317 100644 --- a/acceptance/tests/vault/vault_test.go +++ b/acceptance/tests/vault/vault_test.go 
@@ -51,7 +51,7 @@ func TestVault(t *testing.T) { // Now fetch the Vault client so we can create the policies and secrets. vaultClient := vaultCluster.VaultClient(t) - // Initially tried toset the expiration to 5-20s to keep the test as short running as possible, + // Initially tried to set the expiration to 5-20s to keep the test as short running as possible, // but at those levels, the pods would fail to start becuase the certs had expired and would throw errors. // 30s seconds seemed to consistently clear this issue and not have startup problems. // If trying to go lower, be sure to run this several times in CI to ensure that there are little issues. diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index a790cc61d8..43253d7f41 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -195,15 +195,15 @@ global: # and check the name of `metadata.name`. adminPartitionsRole: "" - # The Vault role for consul controller to read the Consul controllers's - # CA Certificate and the webhook certificate and private key. - # A Vault policy must be created which grants read capabilities to + # The Vault role to read Consul controller's webhook's + # CA and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to # `global.secretsBackend.vault.controller.tlsCert.secretName`. consulControllerRole: "" - # The Vault role for consul connect inject to read the Consul controller's - # CA Certificate and the webhook certificate and private key. - # A Vault policy must be created which grants read capabilities to + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. consulConnectInjectRole: "" From ea52b4eee73acc585680667f4ae50191db8aec8d Mon Sep 17 00:00:00 2001 
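Review bot: The reworded comments for `consulControllerRole` and `consulConnectInjectRole` say the policy must grant "issue capabilities", but `issue` is not a Vault policy capability (the set is `create`, `read`, `update`, `delete`, `list`, `sudo`, `deny`); issuing a certificate is a write to `pki/issue/<role>`, which needs `create` and `update`. Suggest `# A Vault policy must be created which grants create and update capabilities on` followed by `# \`global.secretsBackend.vault.controller.tlsCert.secretName\` (the pki/issue/<role> path).` and the same for the connect-inject entry. It would also help operators to state that the PKI role behind that path should only allow the webhook Service's DNS names, since that role is what bounds which identities these pods can mint certificates for.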
From: John Murret Date: Thu, 2 Jun 2022 15:56:48 -0600 Subject: [PATCH 70/80] Fixing broken test with retry change --- acceptance/tests/vault/vault_test.go | 5 +- .../tests/vault/vault_tls_auto_reload_test.go | 47 ++++++++++--------- 2 files changed, 27 insertions(+), 25 deletions(-) diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go index a8eae40317..620503bf4e 100644 --- a/acceptance/tests/vault/vault_test.go +++ b/acceptance/tests/vault/vault_test.go @@ -274,7 +274,7 @@ func TestVault(t *testing.T) { require.NotEmpty(t, podList.Items) connectInjectorPodName := podList.Items[0].Name connectInjectorPodAddress := consulCluster.CreatePortForwardTunnelToResourcePort(t, connectInjectorPodName, 8080) - connectInjectorCert := getCertificate(t, connectInjectorPodAddress) + connectInjectorCert, err := getCertificate(t, connectInjectorPodAddress) require.NoError(t, err) logger.Logf(t, "RPC expiry: %s \n", connectInjectorCert.NotAfter.String()) @@ -331,7 +331,8 @@ func TestVault(t *testing.T) { k8s.CheckStaticServerConnectionSuccessful(t, ctx.KubectlOptions(t), StaticClientName, "http://localhost:1234") } - connectInjectorCert2 := getCertificate(t, connectInjectorPodAddress) + connectInjectorCert2, err := getCertificate(t, connectInjectorPodAddress) + require.NoError(t, err) // verify that a previous cert expired and that a new one has been issued // by comparing the NotAfter on the two certs. require.NotEqual(t, connectInjectorCert.NotAfter, connectInjectorCert2.NotAfter) diff --git a/acceptance/tests/vault/vault_tls_auto_reload_test.go b/acceptance/tests/vault/vault_tls_auto_reload_test.go index f89346fa5a..6cbcb5d351 100644 --- a/acceptance/tests/vault/vault_tls_auto_reload_test.go +++ b/acceptance/tests/vault/vault_tls_auto_reload_test.go 
@@ -15,7 +15,6 @@ import ( "github.com/hashicorp/consul-k8s/acceptance/framework/vault" "github.com/hashicorp/go-uuid" "github.com/hashicorp/go-version" - "github.com/hashicorp/serf/testutil/retry" "github.com/stretchr/testify/require" ) @@ -228,10 +227,12 @@ func TestVault_TLSAutoReload(t *testing.T) { rpcAddress := consulCluster.CreatePortForwardTunnel(t, 8300) // here we can verify that the cert expiry changed - httpsCert := getCertificate(t, httpsAddress) + httpsCert, err := getCertificate(t, httpsAddress) + require.NoError(t, err) logger.Logf(t, "HTTPS expiry: %s \n", httpsCert.NotAfter.String()) - rpcCert := getCertificate(t, rpcAddress) + rpcCert, err := getCertificate(t, rpcAddress) + require.NoError(t, err) logger.Logf(t, "RPC expiry: %s \n", rpcCert.NotAfter.String()) // Validate that consul sever is running correctly and the consul members command works @@ -264,10 +265,12 @@ func TestVault_TLSAutoReload(t *testing.T) { logger.Logf(t, "Wait %d seconds for certificates to rotate....", expirationInSeconds) time.Sleep(time.Duration(expirationInSeconds) * time.Second) - httpsCert2 := getCertificate(t, httpsAddress) + httpsCert2, err := getCertificate(t, httpsAddress) + require.NoError(t, err) logger.Logf(t, "HTTPS 2 expiry: %s \n", httpsCert2.NotAfter.String()) - rpcCert2 := getCertificate(t, rpcAddress) + rpcCert2, err := getCertificate(t, rpcAddress) + require.NoError(t, err) logger.Logf(t, "RPC 2 expiry: %s \n", rpcCert2.NotAfter.String()) // verify that a previous cert expired and that a new one has been issued 
@@ -277,24 +280,22 @@ func TestVault_TLSAutoReload(t *testing.T) { } -func getCertificate(t *testing.T, address string) *x509.Certificate { - var conn tls.Conn - var cert *x509.Certificate - defer conn.Close() - - retry.RunWith(&retry.Counter{Wait: 1 * time.Second, Count: 20}, t, func(r *retry.R) { - logger.Log(t, "Checking TLS....") - conf := &tls.Config{ - InsecureSkipVerify: true, - } +func getCertificate(t *testing.T, address string) (*x509.Certificate, error) { + logger.Log(t, "Checking TLS....") + conf := &tls.Config{ + InsecureSkipVerify: true, + } - logger.Logf(t, "Dialing %s", address) - conn, err := tls.Dial("tcp", address, conf) - require.NoError(r, err) + logger.Logf(t, "Dialing %s", address) + conn, err := tls.Dial("tcp", address, conf) + if err != nil { + logger.Log(t, "Error in Dial", err) + return nil, err + } + defer conn.Close() - connState := conn.ConnectionState() - logger.Logf(t, "Connection State: %+v", connState) - cert = connState.PeerCertificates[0] - }) - return cert + connState := conn.ConnectionState() + logger.Logf(t, "Connection State: %+v", connState) + cert := connState.PeerCertificates[0] + return cert, nil } From 43e238a8dad9f74431e42098194fa55a6a62b36c Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 2 Jun 2022 15:57:25 -0600 Subject: [PATCH 71/80] Update charts/consul/templates/_helpers.tpl Co-authored-by: Iryna Shustava --- charts/consul/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 6d254a8039..6369b1cb94 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
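Review bot: This fix drops the retry wrapper instead of repairing it; the breakage came from `conn, err :=` inside the closure shadowing the outer `conn`, which left `defer conn.Close()` running on a zero-value `tls.Conn`. The restored helper still indexes `connState.PeerCertificates[0]` without a length check, so an unexpected handshake result becomes an index panic instead of a returned error; add `if len(connState.PeerCertificates) == 0 { return nil, fmt.Errorf("no peer certificate presented by %s", address) }` before the index (assuming `fmt` is imported in this file, which is not visible in the hunk). `InsecureSkipVerify: true` is acceptable here only because the helper reads the presented leaf's `NotAfter` and never relies on the connection, and that deserves a comment: `// InsecureSkipVerify is deliberate: we only read the presented cert's expiry; nothing is trusted over this connection.`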
@@ -60,7 +60,7 @@ as well as the global.name setting. {{- define "consul.connectInjectWebhookTLSCertTemplate" -}} | {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}" - "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} {{ "{{" }}- .Data.certificate -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} {{- end -}} From 04ead9c7761904775186b245cd9a124d38990569 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 6 Jun 2022 16:03:49 -0600 Subject: [PATCH 72/80] Removing 127.0.0.1 from ip_sans --- charts/consul/templates/_helpers.tpl | 10 +++++----- charts/consul/test/unit/connect-inject-deployment.bats | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 6369b1cb94..9b6a444405 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl @@ -36,7 +36,7 @@ as well as the global.name setting. {{- define "consul.serverTLSCertTemplate" -}} | {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" - "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans={{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} {{ "{{" }}- .Data.certificate -{{ "}}" }} {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} 
@@ -52,7 +52,7 @@ as well as the global.name setting. {{- define "consul.serverTLSKeyTemplate" -}} | {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" - "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans={{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} {{ "{{" }}- .Data.private_key -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} {{- end -}} @@ -68,7 +68,7 @@ as well as the global.name setting. {{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} | {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}" - "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} {{ "{{" }}- .Data.private_key -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} {{- end -}} @@ -76,7 +76,7 @@ as well as the global.name setting. {{- define "consul.controllerWebhookTLSCertTemplate" -}} | {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}" - "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} + "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" -{{ "}}" }} {{ "{{" }}- .Data.certificate -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} {{- end -}} 
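Review bot: Dropping `127.0.0.1` from the server `ip_sans` in `consul.serverTLSKeyTemplate` (and the matching cert template) leaves `ip_sans=` empty when `global.tls.serverAdditionalIPSANs` is unset and `ip_sans=,<addr>` with a leading comma otherwise, because `consul.serverAdditionalIPSANs` emits every entry prefixed with a comma (`,{{ $ipsan }}` in its definition elsewhere on this page). Beyond the formatting, a server certificate without the loopback SAN fails verification for anything that talks to the server over `127.0.0.1` with TLS verification on — presumably the local CLI and agent paths — which is likely why a later patch on this page restores it. Removing the loopback IP SAN from the `connect-injector` and `controller-webhook` certificates is the right tightening, since those are only reached through their Service names.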
@@ -84,7 +84,7 @@ as well as the global.name setting. {{- define "consul.controllerWebhookTLSKeyTemplate" -}} | {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}" - "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" "ip_sans=127.0.0.1" -{{ "}}" }} + "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" -{{ "}}" }} {{ "{{" }}- .Data.private_key -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} {{- end -}} diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 4604352f6f..e71baaa52b 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats @@ -2071,7 +2071,7 @@ EOF local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=release-name-consul-connect-injector,release-name-consul-connect-injector.default,release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc.cluster.local\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=release-name-consul-connect-injector,release-name-consul-connect-injector.default,release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc.cluster.local\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | From afe02887b8c99ed7a1bc85066d79f608041a5bf9 Mon Sep 17 00:00:00 2001 
From: John Murret Date: Mon, 6 Jun 2022 16:09:54 -0600 Subject: [PATCH 73/80] Removing reference to common_name: Consul Webhook Certificates Service --- acceptance/tests/controller/controller_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/acceptance/tests/controller/controller_test.go b/acceptance/tests/controller/controller_test.go index 3e7bc4e691..a476ce7047 100644 --- a/acceptance/tests/controller/controller_test.go +++ b/acceptance/tests/controller/controller_test.go @@ -402,6 +402,7 @@ func configureAndGetVaultHelmValues(t *testing.T, ctx environment.TestContext, AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "server"), MaxTTL: "1h", AuthMethodPath: "kubernetes", + CommonName: "Consul CA", } serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) @@ -417,7 +418,6 @@ func configureAndGetVaultHelmValues(t *testing.T, ctx environment.TestContext, AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"), MaxTTL: webhookCertTtl.String(), AuthMethodPath: "kubernetes", - CommonName: "Consul Webhook Certificates", } controllerWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) @@ -432,7 +432,6 @@ func configureAndGetVaultHelmValues(t *testing.T, ctx environment.TestContext, AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), MaxTTL: webhookCertTtl.String(), AuthMethodPath: "kubernetes", - CommonName: "Consul Webhook Certificates", } connectInjectorWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) From fae8c2fa369018909e730fcada0489e6cc835c7a Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 6 Jun 2022 16:11:53 -0600 Subject: [PATCH 74/80] Removing a dangle reference to Consul Webhook Certificates Service --- acceptance/tests/vault/vault_test.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go index 620503bf4e..b58085406b 100644 
--- a/acceptance/tests/vault/vault_test.go +++ b/acceptance/tests/vault/vault_test.go @@ -94,7 +94,6 @@ func TestVault(t *testing.T) { AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "controller-webhook"), MaxTTL: fmt.Sprintf("%ds", expirationInSeconds), AuthMethodPath: KubernetesAuthMethodPath, - CommonName: "Consul Webhook Certificates", } controllerWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) @@ -109,7 +108,6 @@ func TestVault(t *testing.T) { AllowedSubdomain: fmt.Sprintf("%s-consul-%s", consulReleaseName, "connect-injector"), MaxTTL: fmt.Sprintf("%ds", expirationInSeconds), AuthMethodPath: KubernetesAuthMethodPath, - CommonName: "Consul Webhook Certificates", } connectInjectorWebhookPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient) From 04bd8d9a79a901df5932eb6f12941eea4bae25d2 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 13 Jun 2022 12:23:14 -0600 Subject: [PATCH 75/80] adding 127.0.0.1 back into server ip_sans --- charts/consul/templates/_helpers.tpl | 6 +++--- charts/consul/test/unit/connect-inject-deployment.bats | 2 +- charts/consul/test/unit/controller-deployment.bats | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 9b6a444405..ca79679726 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -36,7 +36,7 @@ as well as the global.name setting. {{- define "consul.serverTLSCertTemplate" -}} | {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" - "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans={{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} {{ "{{" }}- .Data.certificate -{{ "}}" }} {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} @@ -52,7 +52,7 @@ as well as the global.name setting. {{- define "consul.serverTLSKeyTemplate" -}} | {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" - "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans={{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} {{ "{{" }}- .Data.private_key -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} {{- end -}} @@ -100,7 +100,7 @@ as well as the global.name setting. {{- end -}} {{- define "consul.serverAdditionalIPSANs" -}} -{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $ipsan := .Values.global.tls.serverAdditionalIPSANs }},{{ $ipsan }} {{- end -}}{{- end -}}{{- end -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} {{- end -}} {{- define "consul.connectInjectorTLSAltNames" -}} 
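Review bot: `consul.serverAdditionalIPSANs` still depends on an undocumented convention — each entry is emitted as `,<san>` and the caller must place a first SAN (`127.0.0.1`) in front of it — and the preceding patches on this page show how easily that breaks when the caller is edited. Add a template comment at the top of the define: `{{- /* Emits ",<san>" per entry of global.tls.serverAdditionalIPSANs; callers must put a first SAN (127.0.0.1) before the include. */ -}}`. Renaming `$ipsan` to `$san` is fine, but the comment is what prevents the next regression.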
diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index e71baaa52b..f2af755290 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats @@ -2084,7 +2084,7 @@ EOF local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=release-name-consul-connect-injector,release-name-consul-connect-injector.default,release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc.cluster.local\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=release-name-consul-connect-injector,release-name-consul-connect-injector.default,release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc.cluster.local\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 9fb70d6970..9a6b2b2805 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats 
@@ -1026,7 +1026,7 @@ load _helpers local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=release-name-consul-controller-webhook,release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc.cluster.local\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=release-name-consul-controller-webhook,release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc.cluster.local\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | 
@@ -1039,7 +1039,7 @@ load _helpers local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=release-name-consul-controller-webhook,release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc.cluster.local\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=release-name-consul-controller-webhook,release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc.cluster.local\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | From 81cde1bf628c6d810f10643e6e271557c743b75b Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 7 Jun 2022 20:08:33 -0600 Subject: [PATCH 76/80] making common name the name of the service for connect-inject and controller --- charts/consul/templates/_helpers.tpl | 8 ++++---- charts/consul/test/unit/connect-inject-deployment.bats | 4 ++-- charts/consul/test/unit/controller-deployment.bats | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index ca79679726..6182981861 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -59,7 +59,7 @@ as well as the global.name setting. {{- define "consul.connectInjectWebhookTLSCertTemplate" -}} | - {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}" + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} {{ "{{" }}- .Data.certificate -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} @@ -67,7 +67,7 @@ as well as the global.name setting. {{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} | - {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{ printf "common_name=connect-injector.%s.%s" .Values.global.datacenter .Values.global.domain }}" + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} {{ "{{" }}- .Data.private_key -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} @@ -75,7 +75,7 @@ as well as the global.name setting. {{- define "consul.controllerWebhookTLSCertTemplate" -}} | - {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}" + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-controller-webhook" $name }}" "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" -{{ "}}" }} {{ "{{" }}- .Data.certificate -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} 
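Review bot: Switching `common_name` to the bare Service name (`<fullname>-connect-injector`, `<fullname>-controller-webhook`) means Vault will reject the issue request unless the PKI role behind `tlsCert.secretName` permits bare names — `allow_bare_domains=true` with the name in `allowed_domains`, or `allow_any_name` — and nothing in the values.yaml guidance for `consulConnectInjectRole`/`consulControllerRole` states that requirement. Suggest adding to those comments: `# The PKI role must allow the webhook Service name as a bare domain (allow_bare_domains) and its .<ns>.svc variants as subdomains.` The API server verifies the webhook by SAN, so the CN change is harmless to clients as long as `alt_names` keeps carrying the Service names, which the `consul.connectInjectorTLSAltNames`/`consul.controllerWebhookTLSAltNames` includes still do.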
@@ -83,7 +83,7 @@ as well as the global.name setting. {{- define "consul.controllerWebhookTLSKeyTemplate" -}} | - {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}" "{{ printf "common_name=controller-webhook.%s.%s" .Values.global.datacenter .Values.global.domain }}" + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.controller.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-controller-webhook" $name }}" "alt_names={{ include "consul.controllerWebhookTLSAltNames" . }}" -{{ "}}" }} {{ "{{" }}- .Data.private_key -{{ "}}" }} {{ "{{" }}- end -{{ "}}" }} diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index f2af755290..24e8511c71 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats @@ -2071,7 +2071,7 @@ EOF local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=release-name-consul-connect-injector,release-name-consul-connect-injector.default,release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc.cluster.local\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=release-name-consul-connect-injector\"\n\"alt_names=release-name-consul-connect-injector,release-name-consul-connect-injector.default,release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc.cluster.local\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | 
@@ -2084,7 +2084,7 @@ EOF local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=connect-injector.dc1.consul\"\n\"alt_names=release-name-consul-connect-injector,release-name-consul-connect-injector.default,release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc.cluster.local\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/connect-webhook-cert-dc1\" \"common_name=release-name-consul-connect-injector\"\n\"alt_names=release-name-consul-connect-injector,release-name-consul-connect-injector.default,release-name-consul-connect-injector.default.svc,release-name-consul-connect-injector.default.svc.cluster.local\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 9a6b2b2805..8b8243b349 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats 
@@ -1026,7 +1026,7 @@ load _helpers local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.crt"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=release-name-consul-controller-webhook,release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc.cluster.local\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=release-name-consul-controller-webhook\"\n\"alt_names=release-name-consul-controller-webhook,release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc.cluster.local\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | @@ -1039,7 +1039,7 @@ load _helpers local actual="$(echo $cmd | yq -r '.annotations["vault.hashicorp.com/agent-inject-template-tls.key"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=controller-webhook.dc1.consul\"\n\"alt_names=release-name-consul-controller-webhook,release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc.cluster.local\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' + local expected=$'{{- with secret \"pki/issue/controller-webhook-cert-dc1\" \"common_name=release-name-consul-controller-webhook\"\n\"alt_names=release-name-consul-controller-webhook,release-name-consul-controller-webhook.default,release-name-consul-controller-webhook.default.svc,release-name-consul-controller-webhook.default.svc.cluster.local\" -}}\n{{- .Data.private_key -}}\n{{- end -}}' [ "${actual}" = "${expected}" ] local actual="$(echo $cmd | 
From 21c2ee796b40dc287aded54661f08e5b24f2b3c7 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Mon, 13 Jun 2022 11:53:07 -0600
Subject: [PATCH 77/80] Update the description for enable-webhook-ca-update flag in control-plane/subcommand/controller/command.go
Co-authored-by: Iryna Shustava
---
 control-plane/subcommand/controller/command.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/control-plane/subcommand/controller/command.go b/control-plane/subcommand/controller/command.go
index 386737f7d7..f5815b0dfa 100644
--- a/control-plane/subcommand/controller/command.go
+++ b/control-plane/subcommand/controller/command.go
@@ -93,7 +93,7 @@ func (c *Command) init() {
 c.flagSet.StringVar(&c.flagResourcePrefix, "resource-prefix", "",
 "Release prefix of the Consul installation used to prepend on the webhook name that will have its CA bundle updated.")
 c.flagSet.BoolVar(&c.flagEnableWebhookCAUpdate, "enable-webhook-ca-update", false,
- "Enables updating the CABundle on the webhook within this controller rather than using the web cert manager.")
+ "Enables updating the CABundle on the webhook within this controller rather than using the webhook-cert-manager.")
 c.flagSet.StringVar(&c.flagLogLevel, "log-level", zapcore.InfoLevel.String(),
 fmt.Sprintf("Log verbosity level. Supported values (in order of detail) are "+
 "%q, %q, %q, and %q.", zapcore.DebugLevel.String(), zapcore.InfoLevel.String(), zapcore.WarnLevel.String(), zapcore.ErrorLevel.String()))
From 5cec9a4e461d54f515313babcf2e08af6b4c1c05 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Mon, 13 Jun 2022 12:25:51 -0600
Subject: [PATCH 78/80] Dropping the consul prefix from consulConnectInjectRole and consulControllerRole
---
 .../tests/controller/controller_test.go | 4 +-
 acceptance/tests/vault/vault_test.go | 14 +++----
 charts/consul/templates/_helpers.tpl | 10 ++---
 .../templates/connect-inject-clusterrole.yaml | 2 +-
 .../templates/connect-inject-deployment.yaml | 4 +-
 .../templates/controller-clusterrole.yaml | 2 +-
 .../templates/controller-deployment.yaml | 4 +-
 .../webhook-cert-manager-clusterrole.yaml | 2 +-
 ...bhook-cert-manager-clusterrolebinding.yaml | 2 +-
 .../webhook-cert-manager-configmap.yaml | 2 +-
 .../webhook-cert-manager-deployment.yaml | 2 +-
 ...ebhook-cert-manager-podsecuritypolicy.yaml | 2 +-
 .../webhook-cert-manager-serviceaccount.yaml | 2 +-
 .../test/unit/connect-inject-clusterrole.bats | 6 +--
 .../test/unit/connect-inject-deployment.bats | 40 +++++++++----------
 .../test/unit/controller-clusterrole.bats | 6 +--
 .../test/unit/controller-deployment.bats | 38 +++++++++---------
 .../webhook-cert-manager-clusterrole.bats | 6 +--
 ...bhook-cert-manager-clusterrolebinding.bats | 6 +--
 .../unit/webhook-cert-manager-configmap.bats | 6 +--
 .../unit/webhook-cert-manager-deployment.bats | 6 +--
 ...ebhook-cert-manager-podsecuritypolicy.bats | 6 +--
 .../webhook-cert-manager-serviceaccount.bats | 6 +--
 charts/consul/values.yaml | 4 +-
 24 files changed, 91 insertions(+), 91 deletions(-)
diff --git a/acceptance/tests/controller/controller_test.go b/acceptance/tests/controller/controller_test.go
index a476ce7047..6c8dcbe4e7 100644
--- a/acceptance/tests/controller/controller_test.go
+++ b/acceptance/tests/controller/controller_test.go
@@ -553,8 +553,8 @@ func configureAndGetVaultHelmValues(t *testing.T, ctx environment.TestContext,
 consulHelmValues["global.secretsBackend.vault.connectInject.caCert.secretName"] = connectInjectorWebhookPKIConfig.CAPath
 consulHelmValues["global.secretsBackend.vault.controller.tlsCert.secretName"] = controllerWebhookPKIConfig.CertPath
 consulHelmValues["global.secretsBackend.vault.controller.caCert.secretName"] = controllerWebhookPKIConfig.CAPath
- consulHelmValues["global.secretsBackend.vault.consulConnectInjectRole"] = connectInjectorWebhookPKIConfig.RoleName
- consulHelmValues["global.secretsBackend.vault.consulControllerRole"] = controllerWebhookPKIConfig.RoleName
+ consulHelmValues["global.secretsBackend.vault.connectInjectRole"] = connectInjectorWebhookPKIConfig.RoleName
+ consulHelmValues["global.secretsBackend.vault.controllerRole"] = controllerWebhookPKIConfig.RoleName
 consulHelmValues["global.acls.bootstrapToken.secretName"] = bootstrapTokenSecret.Path
 consulHelmValues["global.acls.bootstrapToken.secretKey"] = bootstrapTokenSecret.Key
 consulHelmValues["global.gossipEncryption.secretName"] = gossipSecret.Path
diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go
index b58085406b..a5b8fc1bf6 100644
--- a/acceptance/tests/vault/vault_test.go
+++ b/acceptance/tests/vault/vault_test.go
@@ -215,13 +215,13 @@ func TestVault(t *testing.T) { "global.secretsBackend.vault.controller.tlsCert.secretName": controllerWebhookPKIConfig.CertPath, "global.secretsBackend.vault.controller.caCert.secretName": controllerWebhookPKIConfig.CAPath, - "global.secretsBackend.vault.enabled": "true", - "global.secretsBackend.vault.consulServerRole": consulServerRole, - "global.secretsBackend.vault.consulClientRole": consulClientRole, - "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, - "global.secretsBackend.vault.consulConnectInjectRole": connectInjectorWebhookPKIConfig.RoleName, - "global.secretsBackend.vault.consulControllerRole": controllerWebhookPKIConfig.RoleName, - "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, + "global.secretsBackend.vault.enabled": "true", + "global.secretsBackend.vault.consulServerRole": consulServerRole, + "global.secretsBackend.vault.consulClientRole": consulClientRole, + "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, + "global.secretsBackend.vault.connectInjectRole": connectInjectorWebhookPKIConfig.RoleName, + "global.secretsBackend.vault.controllerRole": controllerWebhookPKIConfig.RoleName, + "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, "global.secretsBackend.vault.ca.secretName": vaultCASecret, "global.secretsBackend.vault.ca.secretKey": "tls.crt", diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 6182981861..56f4fbf128 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -279,10 +279,10 @@ Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} {{/* Fails when at least one but not all of the following have been set: -- global.secretsBackend.vault.consulConnectInjectRole +- global.secretsBackend.vault.connectInjectRole - global.secretsBackend.vault.connectInject.tlsCert.secretName - global.secretsBackend.vault.connectInject.caCert.secretName -- global.secretsBackend.vault.consulControllerRole +- global.secretsBackend.vault.controllerRole - global.secretsBackend.vault.controller.tlsCert.secretName - global.secretsBackend.vault.controller.caCert.secretName 
@@ -293,9 +293,9 @@ Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} */}} {{- define "consul.validateVaultWebhookCertConfiguration" -}} -{{- if or .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName}} -{{- if or (not .Values.global.secretsBackend.vault.consulConnectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) (not .Values.global.secretsBackend.vault.consulControllerRole) (not .Values.global.secretsBackend.vault.controller.tlsCert.secretName) (not .Values.global.secretsBackend.vault.controller.caCert.secretName) }} -{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.controllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not 
.Values.global.secretsBackend.vault.connectInject.caCert.secretName) (not .Values.global.secretsBackend.vault.controllerRole) (not .Values.global.secretsBackend.vault.controller.tlsCert.secretName) (not .Values.global.secretsBackend.vault.controller.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}} {{ end }} {{ end }} {{- end -}} diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml index 409e68f003..9018320dd2 100644 --- a/charts/consul/templates/connect-inject-clusterrole.yaml +++ b/charts/consul/templates/connect-inject-clusterrole.yaml @@ -33,7 +33,7 @@ rules: - get - list - update -{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} - apiGroups: - admissionregistration.k8s.io resources: diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index cf79f9d2c5..65e0c1d87e 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
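Review bot: `consul.validateVaultWebhookCertConfiguration` now checks only the renamed `connectInjectRole`/`controllerRole` keys, so a values file still carrying `consulConnectInjectRole`/`consulControllerRole` is accepted by Helm as far as this diff shows (values.yaml changes but no values schema, unless one exists outside the diff): with the secretName keys also set the existing all-or-nothing check fails with a message that never mentions the old names, and with only the old role keys set nothing fails at all. That second case matters because these keys decide whether the webhook-cert-manager and its RBAC are rendered and, through the `{{ else }}` branch in the deployment templates below, which Vault role the pod authenticates with, so a missed rename quietly changes the trust setup instead of erroring. An explicit guard at the top of the define would make the rename fail loudly: `{{- if or .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.consulControllerRole }}` / `{{ fail "global.secretsBackend.vault.consulConnectInjectRole and consulControllerRole were renamed to connectInjectRole and controllerRole." }}` / `{{ end }}`. The same rename in the clusterrole, deployment and webhook-cert-manager templates that follow would all be covered by that single check.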
@@ -42,8 +42,8 @@ spec:
 {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
 "vault.hashicorp.com/agent-init-first": "true"
 "vault.hashicorp.com/agent-inject": "true"
- {{- if .Values.global.secretsBackend.vault.consulConnectInjectRole }}
- "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulConnectInjectRole }}
+ {{- if .Values.global.secretsBackend.vault.connectInjectRole }}
+ "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }}
 {{ else }}
 "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
 {{ end }}
diff --git a/charts/consul/templates/controller-clusterrole.yaml b/charts/consul/templates/controller-clusterrole.yaml
index 9787f32768..fc0753cc06 100644
--- a/charts/consul/templates/controller-clusterrole.yaml
+++ b/charts/consul/templates/controller-clusterrole.yaml
@@ -57,7 +57,7 @@ rules:
 - get
 - list
 - update
-{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName)}}
+{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.controllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName)}}
 - apiGroups:
 - admissionregistration.k8s.io
 resources:
diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml
index a531efe450..44b13553bc 100644
--- a/charts/consul/templates/controller-deployment.yaml
+++ b/charts/consul/templates/controller-deployment.yaml
@@ -34,8 +34,8 @@ spec:
 {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
 "vault.hashicorp.com/agent-init-first": "true"
 "vault.hashicorp.com/agent-inject": "true"
- {{- if .Values.global.secretsBackend.vault.consulControllerRole }}
- "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulControllerRole }}
+ {{- if .Values.global.secretsBackend.vault.controllerRole }}
+ "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.controllerRole }}
 {{ else }}
 "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
 {{ end }}
diff --git a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml
index 82d2111fbb..ce8dfb846c 100644
--- a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml
+++ b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml
@@ -1,4 +1,4 @@
-{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.controllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
 {{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml
index 90bee7319a..90192d5966 100644
--- a/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml
+++ b/charts/consul/templates/webhook-cert-manager-clusterrolebinding.yaml
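Review bot: The seven-term `$hasConfiguredWebhookCertsUsingVault` expression at the top of webhook-cert-manager-clusterrole.yaml is copied verbatim into the five other webhook-cert-manager templates (the next five hunks), and a four-term subset of it guards the connect-inject and controller clusterrole templates above; the rename had to be applied to every copy by hand, which is exactly how gating conditions drift apart between files. A single `define` in `_helpers.tpl` that renders a non-empty string only when all of the values are set, consumed as `{{- if include "consul.vaultWebhookCertsConfigured" . }}`, would leave one place to maintain. Such a helper has to render empty rather than `false`, because `include` returns a string and the string `false` is truthy in Go templates.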
@@ -1,4 +1,4 @@
-{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.controllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
 {{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/charts/consul/templates/webhook-cert-manager-configmap.yaml b/charts/consul/templates/webhook-cert-manager-configmap.yaml
index 1d57d2c53c..61520fe230 100644
--- a/charts/consul/templates/webhook-cert-manager-configmap.yaml
+++ b/charts/consul/templates/webhook-cert-manager-configmap.yaml
@@ -1,4 +1,4 @@
-{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.controllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
 {{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: v1
 kind: ConfigMap
diff --git a/charts/consul/templates/webhook-cert-manager-deployment.yaml b/charts/consul/templates/webhook-cert-manager-deployment.yaml
index 7c4d3ba17a..609f3314b3 100644
--- a/charts/consul/templates/webhook-cert-manager-deployment.yaml
+++ b/charts/consul/templates/webhook-cert-manager-deployment.yaml
@@ -1,4 +1,4 @@
-{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.controllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
 {{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: apps/v1
 kind: Deployment
diff --git a/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml
index 4b37614340..833d902343 100644
--- a/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml
+++ b/charts/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.controllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
 {{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) .Values.global.enablePodSecurityPolicies (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
diff --git a/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml b/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
index f34c43dcda..e1680d6e50 100644
--- a/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
+++ b/charts/consul/templates/webhook-cert-manager-serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.consulConnectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
+{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.controllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
 {{- if (and (or .Values.connectInject.enabled .Values.controller.enabled) (not $hasConfiguredWebhookCertsUsingVault)) }}
 apiVersion: v1
 kind: ServiceAccount
diff --git a/charts/consul/test/unit/connect-inject-clusterrole.bats b/charts/consul/test/unit/connect-inject-clusterrole.bats
index 95023a9d0b..7939755f81 100644
--- a/charts/consul/test/unit/connect-inject-clusterrole.bats
+++ b/charts/consul/test/unit/connect-inject-clusterrole.bats
@@ -145,7 +145,7 @@ load _helpers #-------------------------------------------------------------------- # vault -@test "connectInject/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurations when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, and global.secretsBackend.vault.connectInject.caCert.secretName." { +@test "connectInject/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurations when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, and global.secretsBackend.vault.connectInject.caCert.secretName." { cd `chart_dir` local object=$(helm template \ -s templates/connect-inject-clusterrole.yaml \ @@ -156,10 +156,10 @@ load _helpers --set 'global.secretsBackend.vault.consulClientRole=test' \ --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \ + --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerRole=test' \ + --set 'global.secretsBackend.vault.controllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.consulClientRole=foo' \ 
diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 24e8511c71..552fe72c21 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats @@ -1853,10 +1853,10 @@ EOF --set 'global.secretsBackend.vault.consulServerRole=test' \ --set 'global.secretsBackend.vault.consulCARole=test2' \ --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ - --set 'global.secretsBackend.vault.consulConnectInjectRole=test' \ + --set 'global.secretsBackend.vault.connectInjectRole=test' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \ - --set 'global.secretsBackend.vault.consulControllerRole=test' \ + --set 'global.secretsBackend.vault.controllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ . | tee /dev/stderr | @@ -1955,7 +1955,7 @@ EOF [ "${actual}" = "/vault/custom/tls.crt" ] } -@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.consulConnectInjectRole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not" { +@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInjectRole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not" { cd `chart_dir` run helm template \ -s templates/connect-inject-deployment.yaml \ 
@@ -1967,13 +1967,13 @@ EOF --set 'global.secretsBackend.vault.consulServerRole=foo' \ --set 'global.tls.caCert.secretName=foo' \ --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.consulConnectInjectRole=connectinjectcarole' \ + --set 'global.secretsBackend.vault.connectInjectRole=connectinjectcarole' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } -@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectRole and global.secretsBackend.vault.connectInject.caCert.secretName are not" { +@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.tlsCert.secretName is set but global.secretsBackend.vault.connectInjectRole and global.secretsBackend.vault.connectInject.caCert.secretName are not" { cd `chart_dir` run helm template \ -s templates/connect-inject-deployment.yaml \ 
@@ -1988,10 +1988,10 @@ EOF --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } -@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectRole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" { +@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.caCert.secretName is set but global.secretsBackend.vault.connectInjectRole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" { cd `chart_dir` run helm template \ -s templates/connect-inject-deployment.yaml \ 
@@ -2006,7 +2006,7 @@ EOF --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' . [ "$status" -eq 1 ] - [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] + [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]] } @test "connectInject/Deployment: vault tls annotations are set when tls is enabled" { @@ -2022,10 +2022,10 @@ EOF --set 'global.tls.enableAutoEncrypt=true' \ --set 'server.serverCert.secretName=pki_int/issue/test' \ --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ - --set 'global.secretsBackend.vault.consulConnectInjectRole=test' \ + --set 'global.secretsBackend.vault.connectInjectRole=test' \ --set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \ - --set 'global.secretsBackend.vault.consulControllerRole=test' \ + --set 'global.secretsBackend.vault.controllerRole=test' \ --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \ --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \ . | tee /dev/stderr | 
@@ -2098,10 +2098,10 @@ EOF
 -s templates/connect-inject-deployment.yaml \
 --set 'connectInject.enabled=true' \
 --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
@@ -2123,10 +2123,10 @@ EOF
 --set 'global.secretsBackend.vault.consulServerRole=bar' \
 --set 'global.secretsBackend.vault.consulCARole=test2' \
 --set 'global.tls.enabled=true' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.tls.enableAutoEncrypt=true' \
@@ -2157,10 +2157,10 @@ EOF
 --set 'global.tls.enabled=true' \
 --set 'global.tls.caCert.secretName=foo' \
 --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 . | tee /dev/stderr |
@@ -2180,10 +2180,10 @@ EOF
 --set 'global.tls.enabled=true' \
 --set 'global.tls.caCert.secretName=foo' \
 --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 . | tee /dev/stderr |
@@ -2191,7 +2191,7 @@ EOF
 [ "${actual}" == "" ]
 }
-@test "connectInject/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulCARole if global.secretsBackend.vault.consulConnectInjectRole is not set" {
+@test "connectInject/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulCARole if global.secretsBackend.vault.connectInjectRole is not set" {
 cd `chart_dir`
 local cmd=$(helm template \
 -s templates/connect-inject-deployment.yaml \
diff --git a/charts/consul/test/unit/controller-clusterrole.bats b/charts/consul/test/unit/controller-clusterrole.bats
index 2bd20aa92a..708d32d6be 100644
--- a/charts/consul/test/unit/controller-clusterrole.bats
+++ b/charts/consul/test/unit/controller-clusterrole.bats
@@ -190,7 +190,7 @@ load _helpers
 #--------------------------------------------------------------------
 # vault
-@test "controller/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurations when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." {
+@test "controller/ClusterRole: vault sets get, list, watch, and patch access to mutatingwebhookconfigurations when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." {
 cd `chart_dir`
 local object=$(helm template \
 -s templates/controller-clusterrole.yaml \
@@ -199,10 +199,10 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats
index 8b8243b349..87bb98b1f9 100644
--- a/charts/consul/test/unit/controller-deployment.bats
+++ b/charts/consul/test/unit/controller-deployment.bats
@@ -75,10 +75,10 @@ load _helpers
 --set 'global.secretsBackend.vault.consulServerRole=test' \
 --set 'global.secretsBackend.vault.consulCARole=test' \
 --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
@@ -969,15 +969,15 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
 --set 'global.secretsBackend.vault.consulServerRole=bar' \
 --set 'global.secretsBackend.vault.consulCARole=test2' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
 --set 'server.serverCert.secretName=pki_int/issue/test' \
 --set 'global.tls.caCert.secretName=pki_int/cert/ca' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=pki/issue/controller-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
@@ -1059,10 +1059,10 @@ load _helpers
 --set 'global.tls.enableAutoEncrypt=true' \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.caCert.secretName=foo' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
@@ -1085,10 +1085,10 @@ load _helpers
 --set 'global.tls.enableAutoEncrypt=true' \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.caCert.secretName=foo' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
@@ -1108,10 +1108,10 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
 --set 'global.secretsBackend.vault.consulServerRole=bar' \
 --set 'global.secretsBackend.vault.consulCARole=test' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
@@ -1123,7 +1123,7 @@ load _helpers
 [ "${actual}" = "true" ]
 }
-@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.consulControllerRole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not" {
+@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controllerRole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not" {
 cd `chart_dir`
 run helm template \
 -s templates/controller-deployment.yaml \
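Review bot: The rewritten title in the second hunk here, `fails if vault is enabled and global.secretsBackend.vault.controllerRole is set but global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName are not`, names the connect-inject secret keys, while the body that follows in the next hunk sets `global.secretsBackend.vault.controllerRole=controllerinjectcarole` and leaves the controller secret names unset, so it appears to be a copy of the connect-inject title and should read `...but global.secretsBackend.vault.controller.tlsCert.secretName and global.secretsBackend.vault.controller.caCert.secretName are not`. The titles rewritten in the two following hunks (`controller.tlsCert.secretName is set but ...connectInjectRole and ...connectInject.caCert.secretName are not`, and the `controller.caCert.secretName` counterpart) show the same mismatch against their bodies and presumably want `controllerRole` and the controller secret keys instead. Since the commit already rewrites each of these lines, correcting them now avoids a second rename pass; the bodies of these tests continue past their hunks.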
@@ -1135,13 +1135,13 @@ load _helpers
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.tls.caCert.secretName=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
- --set 'global.secretsBackend.vault.consulControllerRole=controllerinjectcarole' \
+ --set 'global.secretsBackend.vault.controllerRole=controllerinjectcarole' \
 --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' .
 [ "$status" -eq 1 ]
- [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
+ [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
 }
-@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controller.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectRole and global.secretsBackend.vault.connectInject.caCert.secretName are not" {
+@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controller.tlsCert.secretName is set but global.secretsBackend.vault.connectInjectRole and global.secretsBackend.vault.connectInject.caCert.secretName are not" {
 cd `chart_dir`
 run helm template \
 -s templates/controller-deployment.yaml \
@@ -1156,10 +1156,10 @@ load _helpers
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' .
 [ "$status" -eq 1 ]
- [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
+ [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
 }
-@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controller.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectRole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" {
+@test "controller/Deployment: fails if vault is enabled and global.secretsBackend.vault.controller.caCert.secretName is set but global.secretsBackend.vault.connectInjectRole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" {
 cd `chart_dir`
 run helm template \
 -s templates/controller-deployment.yaml \
@@ -1174,10 +1174,10 @@ load _helpers
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' .
 [ "$status" -eq 1 ]
- [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
+ [[ "$output" =~ "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
 }
-@test "controller/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulControllerRole if global.secretsBackend.vault.consulControllerRole is not set" {
+@test "controller/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.controllerRole if global.secretsBackend.vault.controllerRole is not set" {
 cd `chart_dir`
 local cmd=$(helm template \
 -s templates/controller-deployment.yaml \
diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
index 65c5c57bbb..5f7a03c319 100644
--- a/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-clusterrole.bats
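Review bot: The renamed title `vault vault.hashicorp.com/role set to global.secretsBackend.vault.controllerRole if global.secretsBackend.vault.controllerRole is not set` contradicts itself — the annotation cannot be taken from a key that is unset — and the commit carries the contradiction over from the old `consulControllerRole` wording rather than fixing it. The parallel connect-inject test earlier in this commit is titled `... set to global.secretsBackend.vault.consulCARole if global.secretsBackend.vault.connectInjectRole is not set`, so the fallback meant here is presumably `consulCARole` as well; suggest `@test "controller/Deployment: vault vault.hashicorp.com/role set to global.secretsBackend.vault.consulCARole if global.secretsBackend.vault.controllerRole is not set" {` once the assertion in the body, which continues past this hunk, confirms which role it checks.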
@@ -149,7 +149,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
-@test "webhookCertManager/ClusterRole: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/ClusterRole: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-clusterrole.yaml \
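Review bot: The rewritten title lists `global.secretsBackend.vault.enabled` twice and names the last value as `.global.secretsBackend.vault.controller.caCert.secretName` with a stray leading dot; since the commit rewrites this line anyway, dropping the duplicate and the dot here costs nothing and keeps the test listing readable. The same title pattern recurs in the webhook-cert-manager ClusterRoleBinding, Configmap, Deployment and PodSecurityPolicy hunks below this one, and the ServiceAccount title has a single `enabled` but keeps the leading dot.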
@@ -158,10 +158,10 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
diff --git a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
index 775cef17dd..ffabf41ee7 100644
--- a/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-clusterrolebinding.bats
@@ -43,7 +43,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
-@test "webhookCertManager/ClusterRoleBinding: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/ClusterRoleBinding: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-clusterrolebinding.yaml \
@@ -52,10 +52,10 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
diff --git a/charts/consul/test/unit/webhook-cert-manager-configmap.bats b/charts/consul/test/unit/webhook-cert-manager-configmap.bats
index ef8754659d..7d7262b9af 100644
--- a/charts/consul/test/unit/webhook-cert-manager-configmap.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-configmap.bats
@@ -95,7 +95,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
-@test "webhookCertManager/Configmap: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/Configmap: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-configmap.yaml \
@@ -104,10 +104,10 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
diff --git a/charts/consul/test/unit/webhook-cert-manager-deployment.bats b/charts/consul/test/unit/webhook-cert-manager-deployment.bats
index fec228562b..78b6e52997 100644
--- a/charts/consul/test/unit/webhook-cert-manager-deployment.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-deployment.bats
@@ -66,7 +66,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
-@test "webhookCertManager/Deployment: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/Deployment: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-deployment.yaml \
@@ -75,10 +75,10 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
diff --git a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
index cdfe23e532..00bb55a2d4 100644
--- a/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-podsecuritypolicy.bats
@@ -54,7 +54,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
-@test "webhookCertManager/PodSecurityPolicy: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/PodSecurityPolicy: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.enabled, global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-podsecuritypolicy.yaml \
@@ -64,10 +64,10 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
diff --git a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
index fe2c746797..e4307c9409 100644
--- a/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-serviceaccount.bats
@@ -64,7 +64,7 @@ load _helpers
 #--------------------------------------------------------------------
 # Vault
-@test "webhookCertManager/ServiceAccount: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.consulConnectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
+@test "webhookCertManager/ServiceAccount: disabled when the following are configured - global.secretsBackend.vault.enabled, global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.controllerRole, global.secretsBackend.vault.controller.tlsCert.secretName, and .global.secretsBackend.vault.controller.caCert.secretName" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/webhook-cert-manager-serviceaccount.yaml \
@@ -73,10 +73,10 @@ load _helpers
 --set 'global.secretsBackend.vault.consulClientRole=test' \
 --set 'global.secretsBackend.vault.consulServerRole=foo' \
 --set 'global.secretsBackend.vault.consulCARole=carole' \
- --set 'global.secretsBackend.vault.consulConnectInjectRole=inject-ca-role' \
+ --set 'global.secretsBackend.vault.connectInjectRole=inject-ca-role' \
 --set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
 --set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
- --set 'global.secretsBackend.vault.consulControllerRole=test' \
+ --set 'global.secretsBackend.vault.controllerRole=test' \
 --set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
 --set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
 --set 'global.secretsBackend.vault.consulClientRole=foo' \
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index 43253d7f41..1a115f4d87 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -199,13 +199,13 @@ global:
 # CA and issue a certificate and private key.
 # A Vault policy must be created which grants issue capabilities to
 # `global.secretsBackend.vault.controller.tlsCert.secretName`.
- consulControllerRole: ""
+ controllerRole: ""
 # The Vault role to read Consul connect-injector webhook's CA
 # and issue a certificate and private key.
 # A Vault policy must be created which grants issue capabilities to
 # `global.secretsBackend.vault.connectInject.tlsCert.secretName`.
- consulConnectInjectRole: ""
+ connectInjectRole: ""
 # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated).
 # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it
From bf9de95f43b746adb902653c4dc24df332aac444 Mon Sep 17 00:00:00 2001
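Review bot: The values.yaml hunk drops `consulControllerRole` and `consulConnectInjectRole` outright instead of keeping them as deprecated aliases, and Helm does not reject unknown values keys, so a user upgrading with the old names set would presumably end up with `controllerRole`/`connectInjectRole` empty and the chart quietly choosing a different certificate path for the webhooks (the bats tests in the earlier hunks suggest webhook-cert-manager is disabled only when these keys are set). That is a silent change in how webhook TLS is issued rather than a template error, which is the kind of thing an operator only notices after the fact. Consider a guard in the chart's helper template along the lines of `{{- if .Values.global.secretsBackend.vault.consulControllerRole }}{{ fail "global.secretsBackend.vault.consulControllerRole was renamed to controllerRole" }}{{- end }}` for both old keys, plus a changelog entry naming the rename.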
From: John Murret
Date: Mon, 13 Jun 2022 12:30:33 -0600
Subject: [PATCH 79/80] Updating values.yaml file descriptions for connectInject and controller under vault.
---
charts/consul/values.yaml | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index 1a115f4d87..8e2925a8f4 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -276,18 +276,18 @@ global:
 {}
 controller:
- # The directory that Kubernetes will use on Kubernetes CRD creation,
- # deletion, and update, to get TLS certificates used issued from vault
- # to send webhooks to the controller.
+ # Configuration to the Vault Secret that Kubernetes will use on
+ # Kubernetes CRD creation, deletion, and update, to get TLS certificates
+ # used issued from vault to send webhooks to the controller.
 tlsCert:
 # The Vault secret path that issues TLS certificates for controller
 # webhooks.
 # @type: string
 secretName: null
- # The directory that Kubernetes will use on Kubernetes CRD creation,
- # deletion, and update, to get CA certificates used issued from vault
- # to send webhooks to the controller.
+ # Configuration to the Vault Secret that Kubernetes will use on
+ # Kubernetes CRD creation, deletion, and update, to get CA certificates
+ # used issued from vault to send webhooks to the controller.
 caCert:
 # The Vault secret path that contains the CA certificate for controller
 # webhooks.
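Review bot: The rewritten comments carry the garbled phrase `certificates used issued from vault` onto the `+` lines of both the controller block here and the connectInject block in the next hunk; one of `used` or `issued` should go, for example `to get TLS certificates issued from Vault`. `Configuration to the Vault Secret` also reads oddly and `Configuration of the Vault secret` would be clearer. The same wording fix applies to the caCert variants in both hunks.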
@@ -295,18 +295,18 @@ global:
 secretName: null
 connectInject:
- # The directory that Kubernetes will use on Kubernetes CRD creation,
- # deletion, and update, to get CA certificates used issued from vault
- # to send webhooks to ConnectInject
+ # Configuration to the Vault Secret that Kubernetes will use on
+ # Kubernetes pod creation, deletion, and update, to get CA certificates
+ # used issued from vault to send webhooks to the ConnectInject.
 caCert:
 # The Vault secret path that contains the CA certificate for
 # Connect Inject webhooks.
 # @type: string
 secretName: null
- # The directory that Kubernetes will use on Kubernetes CRD creation,
- # deletion, and update, to get TLS certificates used issued from vault
- # to send webhooks to Connect Inject
+ # Configuration to the Vault Secret that Kubernetes will use on
+ # Kubernetes pod creation, deletion, and update, to get TLS certificates
+ # used issued from vault to send webhooks to the ConnectInject.
 tlsCert:
 # The Vault secret path that issues TLS certificates for connect
 # inject webhooks.
From 53b740bb8d931a3d8819c7ccdedb716f6b1743ff Mon Sep 17 00:00:00 2001
From: John Murret
Date: Mon, 13 Jun 2022 12:32:40 -0600
Subject: [PATCH 80/80] Updating cert expiry in logging in vault test from RPC expiry.
---
acceptance/tests/vault/vault_test.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go
index a5b8fc1bf6..49b1b59bf8 100644
--- a/acceptance/tests/vault/vault_test.go
+++ b/acceptance/tests/vault/vault_test.go
@@ -274,7 +274,7 @@ func TestVault(t *testing.T) {
 connectInjectorPodAddress := consulCluster.CreatePortForwardTunnelToResourcePort(t, connectInjectorPodName, 8080)
 connectInjectorCert, err := getCertificate(t, connectInjectorPodAddress)
 require.NoError(t, err)
- logger.Logf(t, "RPC expiry: %s \n", connectInjectorCert.NotAfter.String())
+ logger.Logf(t, "Connect Inject Webhook Cert expiry: %s \n", connectInjectorCert.NotAfter.String())
 logger.Logf(t, "Wait %d seconds for certificates to rotate....", expirationInSeconds)
 time.Sleep(time.Duration(expirationInSeconds) * time.Second)
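Review bot: `%s` on a `time.Time` already invokes `String()`, and `logger.Logf` presumably terminates its own lines, so the `.String()` call and the trailing ` \n` on the new line are redundant: `logger.Logf(t, "Connect Inject Webhook Cert expiry: %s", connectInjectorCert.NotAfter)`. Since the test then sleeps `expirationInSeconds` waiting for rotation, asserting that `connectInjectorCert.NotAfter` falls within roughly that many seconds of now (for example with `require.WithinDuration`) would turn the issued TTL into a verified property instead of a log line that nobody checks. The enclosing TestVault body starts and ends outside the hunk.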