From ab52bd17b996331bb3c3d1c1afb38626fa4b6cda Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Fri, 29 Apr 2022 12:02:41 -0400
Subject: [PATCH 1/4] Match release name when looking for autogenerated gossip encryption key
---
 .../create-federation-secret-job.yaml | 2 +-
 .../unit/create-federation-secret-job.bats | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/charts/consul/templates/create-federation-secret-job.yaml b/charts/consul/templates/create-federation-secret-job.yaml
index 7b81424931..4ec224f8b8 100644
--- a/charts/consul/templates/create-federation-secret-job.yaml
+++ b/charts/consul/templates/create-federation-secret-job.yaml
@@ -82,7 +82,7 @@ spec:
 {{- else if .Values.global.gossipEncryption.autoGenerate }}
 - name: gossip-encryption-key
 secret:
- secretName: consul-gossip-encryption-key
+ secretName: {{ template "consul.fullname" . }}-gossip-encryption-key
 items:
 - key: key
 path: gossip.key
diff --git a/charts/consul/test/unit/create-federation-secret-job.bats b/charts/consul/test/unit/create-federation-secret-job.bats
index 09e823efe6..aaeb345066 100644
--- a/charts/consul/test/unit/create-federation-secret-job.bats
+++ b/charts/consul/test/unit/create-federation-secret-job.bats
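Review bot: The Secret name on the new `secretName:` line is still assembled by hand, from `consul.fullname` plus a literal suffix, and the volume mounts only if that string equals the name under which the generated key is stored. The bug being fixed was that kind of drift, so a template comment above the line would help, for example `{{- /* must match the name of the Secret that holds the auto-generated gossip key */ -}}`. If other templates build the same name (not visible here), a shared named template for it would keep them tied together. The enclosing volumes block starts and ends outside the hunk.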
@@ -206,6 +206,30 @@ load _helpers
 [ "${actual}" = "true" ]
 }
+@test "createFederationSecet/Job: gossip encryption key autogenerated" {
+ cd `chart_dir`
+ local obj=$(helm template \
+ -s templates/create-federation-secret-job.yaml \
+ --set 'global.federation.enabled=true' \
+ --set 'meshGateway.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.gossipEncryption.autoGenerate=true' \
+ --set 'global.federation.createFederationSecret=true' \
+ . | tee /dev/stderr)
+
+ local actual
+
+
+ # test it mounts the secret
+ actual=$(echo "$obj" | yq '.spec.template.spec.volumes | map(select(.name == "gossip-encryption-key" and .secret.secretName == "release-name-consul-gossip-encryption-key" and .secret.items[0].key == "key")) | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+
+ # test it sets the -gossip-key-file flag
+ actual=$(echo "$obj" | yq '.spec.template.spec.containers[0].command | any(contains("-gossip-key-file"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
 #--------------------------------------------------------------------
 # global.acls.createReplicationToken
From a628ce022a5c95183f902957a476ccba8f436d47 Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Fri, 29 Apr 2022 12:03:16 -0400
Subject: [PATCH 2/4] s/Secet/Secret/g
---
 .../unit/create-federation-secret-job.bats | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/charts/consul/test/unit/create-federation-secret-job.bats b/charts/consul/test/unit/create-federation-secret-job.bats
index aaeb345066..55e8c82510 100644
--- a/charts/consul/test/unit/create-federation-secret-job.bats
+++ b/charts/consul/test/unit/create-federation-secret-job.bats
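Review bot: The new test renders only with Helm's default release name, so it pins `release-name-consul-gossip-encryption-key` but never exercises a `global.name` override, the other input that changes what `consul.fullname` produces. A second case that sets `global.name` and expects `<that name>-gossip-encryption-key` would cover it. The expected value below assumes `consul.fullname` returns `global.name` unchanged when it is set, and `my-consul` is a constructed sample value. Separately, the `-gossip-key-file` assertion checks only that the flag is present, not that its path points at the mounted `gossip.key`.

```shell
@test "createFederationSecret/Job: gossip encryption key autogenerated with global.name set" {
  cd `chart_dir`
  local actual=$(helm template \
      -s templates/create-federation-secret-job.yaml \
      --set 'global.name=my-consul' \
      --set 'global.federation.enabled=true' \
      --set 'meshGateway.enabled=true' \
      --set 'connectInject.enabled=true' \
      --set 'global.tls.enabled=true' \
      --set 'global.gossipEncryption.autoGenerate=true' \
      --set 'global.federation.createFederationSecret=true' \
      . | tee /dev/stderr |
      yq '.spec.template.spec.volumes | map(select(.name == "gossip-encryption-key" and .secret.secretName == "my-consul-gossip-encryption-key")) | length > 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
}
```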
@@ -2,14 +2,14 @@ load _helpers -@test "createFederationSecet/Job: disabled by default" { +@test "createFederationSecret/Job: disabled by default" { cd `chart_dir` assert_empty helm template \ -s templates/create-federation-secret-job.yaml \ . } -@test "createFederationSecet/Job: fails when global.federation.enabled=false" { +@test "createFederationSecret/Job: fails when global.federation.enabled=false" { cd `chart_dir` run helm template \ -s templates/create-federation-secret-job.yaml \ @@ -20,7 +20,7 @@ load _helpers # NOTE: This error actually comes from server-statefulset but we test it here # too because this job requires TLS to be enabled. -@test "createFederationSecet/Job: fails when global.tls.enabled=false" { +@test "createFederationSecret/Job: fails when global.tls.enabled=false" { cd `chart_dir` run helm template \ -s templates/create-federation-secret-job.yaml \ @@ -32,7 +32,7 @@ load _helpers # NOTE: This error actually comes from server-acl-init but we test it here # too because this job requires that ACLs are enabled when createReplicationToken is true. -@test "createFederationSecet/Job: fails when global.acls.createReplicationToken is true but global.acls.manageSystemACLs is false" { +@test "createFederationSecret/Job: fails when global.acls.createReplicationToken is true but global.acls.manageSystemACLs is false" { cd `chart_dir` run helm template \ -s templates/create-federation-secret-job.yaml \ @@ -46,7 +46,7 @@ load _helpers [[ "$output" =~ "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" ]] } -@test "createFederationSecet/Job: fails when global.acls.createReplicationToken is false but global.acls.manageSystemACLs is true" { +@test "createFederationSecret/Job: fails when global.acls.createReplicationToken is false but global.acls.manageSystemACLs is true" { cd `chart_dir` run helm template \ -s templates/create-federation-secret-job.yaml \ 
@@ -61,7 +61,7 @@ load _helpers [[ "$output" =~ "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" ]] } -@test "createFederationSecet/Job: mounts auto-created ca secrets by default" { +@test "createFederationSecret/Job: mounts auto-created ca secrets by default" { cd `chart_dir` local volumes=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -95,7 +95,7 @@ load _helpers #-------------------------------------------------------------------- # global.tls -@test "createFederationSecet/Job: mounts caCert secrets when set manually" { +@test "createFederationSecret/Job: mounts caCert secrets when set manually" { cd `chart_dir` local volumes=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -130,7 +130,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "createFederationSecet/Job: auto-encrypt disabled" { +@test "createFederationSecret/Job: auto-encrypt disabled" { cd `chart_dir` local obj=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -152,7 +152,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "createFederationSecet/Job: auto-encrypt enabled" { +@test "createFederationSecret/Job: auto-encrypt enabled" { cd `chart_dir` local obj=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -182,7 +182,7 @@ load _helpers #-------------------------------------------------------------------- # global.gossipEncryption -@test "createFederationSecet/Job: gossip encryption key set" { +@test "createFederationSecret/Job: gossip encryption key set" { cd `chart_dir` local obj=$(helm template \ -s templates/create-federation-secret-job.yaml \ 
@@ -206,7 +206,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "createFederationSecet/Job: gossip encryption key autogenerated" { +@test "createFederationSecret/Job: gossip encryption key autogenerated" { cd `chart_dir` local obj=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -233,7 +233,7 @@ load _helpers #-------------------------------------------------------------------- # global.acls.createReplicationToken -@test "createFederationSecet/Job: global.acls.createReplicationToken=true" { +@test "createFederationSecret/Job: global.acls.createReplicationToken=true" { cd `chart_dir` local actual=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -251,7 +251,7 @@ load _helpers #-------------------------------------------------------------------- # meshGateway.consulServiceName -@test "createFederationSecet/Job: sets -mesh-gateway-service-name to meshGateway.consulServiceName" { +@test "createFederationSecret/Job: sets -mesh-gateway-service-name to meshGateway.consulServiceName" { cd `chart_dir` local actual=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -268,7 +268,7 @@ load _helpers #-------------------------------------------------------------------- # tolerations -@test "createFederationSecet/Job: tolerations not set by default" { +@test "createFederationSecret/Job: tolerations not set by default" { cd `chart_dir` local actual=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -282,7 +282,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "createFederationSecet/Job: tolerations can be set" { +@test "createFederationSecret/Job: tolerations can be set" { cd `chart_dir` local actual=$(helm template \ -s templates/create-federation-secret-job.yaml \ 
@@ -300,7 +300,7 @@ load _helpers #-------------------------------------------------------------------- # priorityClassName -@test "createFederationSecet/Job: priorityClassName is not set by default" { +@test "createFederationSecret/Job: priorityClassName is not set by default" { cd `chart_dir` local actual=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -314,7 +314,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "createFederationSecet/Job: specified priorityClassName" { +@test "createFederationSecret/Job: specified priorityClassName" { cd `chart_dir` local actual=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -332,7 +332,7 @@ load _helpers #-------------------------------------------------------------------- # nodeSelector -@test "createFederationSecet/Job: nodeSelector is not set by default" { +@test "createFederationSecret/Job: nodeSelector is not set by default" { cd `chart_dir` local actual=$(helm template \ -s templates/create-federation-secret-job.yaml \ @@ -346,7 +346,7 @@ load _helpers [ "${actual}" = "null" ] } -@test "createFederationSecet/Job: specified nodeSelector" { +@test "createFederationSecret/Job: specified nodeSelector" { cd `chart_dir` local actual=$(helm template \ -s templates/create-federation-secret-job.yaml \ From 2a4b58eb984b93772eaa17bac87fb522d84ce15f Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 29 Apr 2022 12:18:07 -0400 Subject: [PATCH 3/4] Add CHANGELOG entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d76c728215..24bc9965d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,7 @@ BUG FIXES: * Helm * Update client-daemonset to include ca-cert volumeMount only when tls is enabled. [[GH-1194](https://github.com/hashicorp/consul-k8s/pull/1194)] + * Update create-federation-secret-job to look up the automatically generated gossip encryption key by the right name when the release name is set. [[GH-1196](https://github.com/hashicorp/consul-k8s/pull/1196)] ## 0.43.0 (April 21, 2022) From 69731097099df9c55a56d1f7d57bdbcd2308fdf7 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 29 Apr 2022 13:45:25 -0400 Subject: [PATCH 4/4] Update CHANGELOG.md Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 24bc9965d0..fc9096b10d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ BUG FIXES: * Helm * Update client-daemonset to include ca-cert volumeMount only when tls is enabled. [[GH-1194](https://github.com/hashicorp/consul-k8s/pull/1194)] - * Update create-federation-secret-job to look up the automatically generated gossip encryption key by the right name when the release name is set. [[GH-1196](https://github.com/hashicorp/consul-k8s/pull/1196)] + * Update create-federation-secret-job to look up the automatically generated gossip encryption key by the right name when global.name is unset or set to something other than consul. [[GH-1196](https://github.com/hashicorp/consul-k8s/pull/1196)] ## 0.43.0 (April 21, 2022)