hashicorp · curtbushko · Aug 25, 2022 · Aug 25, 2022 · Aug 24, 2022 · Aug 24, 2022
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -834,6 +834,70 @@ jobs:
           fail_only: true
           failure_message: "EKS acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}"
 
+  acceptance-eks-cni-1-19:
+    parallelism: 6
+    environment:
+      - TEST_RESULTS: /tmp/test-results
+    docker:
+      # This image is built from test/docker/Test.dockerfile
+      - image: docker.mirror.hashicorp.services/hashicorpdev/consul-helm-test:0.11.0
+
+    steps:
+      - checkout
+
+      - run:
+          name: configure aws
+          command: |
+            aws configure --profile helm_user set aws_access_key_id "$AWS_ACCESS_KEY_ID"
+            aws configure --profile helm_user set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
+            aws configure set role_arn "$AWS_ROLE_ARN"
+            aws configure set source_profile helm_user
+
+            echo "unset AWS_ACCESS_KEY_ID" >> $BASH_ENV
+            echo "unset AWS_SECRET_ACCESS_KEY" >> $BASH_ENV
+
+      - run:
+          name: terraform init & apply
+          working_directory: *eks-terraform-path
+          command: |
+            terraform init
+
+            terraform apply -var cluster_count=2 -var tags="{\"build_url\": \"$CIRCLE_BUILD_URL\"}" -auto-approve
+
+            primary_kubeconfig=$(terraform output -json | jq -r .kubeconfigs.value[0])
+            secondary_kubeconfig=$(terraform output -json | jq -r .kubeconfigs.value[1])
+
+            echo "export primary_kubeconfig=$primary_kubeconfig" >> $BASH_ENV
+            echo "export secondary_kubeconfig=$secondary_kubeconfig" >> $BASH_ENV
+
+      # Restore go module cache if there is one
+      - restore_cache:
+          keys:
+            - consul-helm-acceptance-modcache-v2-{{ checksum "acceptance/go.mod" }}
+
+      - run: mkdir -p $TEST_RESULTS
+
+      - run-acceptance-tests:
+          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -enable-cni
+
+      - store_test_results:
+          path: /tmp/test-results
+      - store_artifacts:
+          path: /tmp/test-results
+
+      - run:
+          name: terraform destroy
+          working_directory: *eks-terraform-path
+          command: |
+            terraform destroy -var cluster_count=2 -auto-approve
+          when: always
+
+      - slack/status:
+          # temporarily sending to #cni-acceptance-tests channel
+          channel: C03V3K0040G
+          fail_only: true
+          failure_message: "EKS CNI acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}"
+
   acceptance-openshift:
     environment:
       TEST_RESULTS: /tmp/test-results
@@ -922,7 +986,7 @@ jobs:
           failure_message: "Acceptance tests against Kind with Kubernetes v1.23 failed. Check the logs at: ${CIRCLE_BUILD_URL}"
 
   acceptance-kind-cni-1-23:
-    parallelism: 6 
+    parallelism: 6
     environment:
       - TEST_RESULTS: /tmp/test-results
     machine:
@@ -1072,10 +1136,10 @@ workflows:
   version: 2
   test-and-build:
     jobs:
-     # Build this one control-plane binary so that acceptance and acceptance-tproxy will run
-     # The rest of these CircleCI jobs have been migrated to Github Actions. We need to wait until
-     # the summer of 2022 for larger puplic Github Action VMs be available before the acceptance tests can
-     # be moved
+      # Build this one control-plane binary so that acceptance and acceptance-tproxy will run
+      # The rest of these CircleCI jobs have been migrated to Github Actions. We need to wait until
+      # the summer of 2022 for larger puplic Github Action VMs be available before the acceptance tests can
+      # be moved
       - build-distro:
           OS: "linux"
           ARCH: "amd64 arm64"
@@ -1117,9 +1181,9 @@ workflows:
       - cleanup-azure-resources
       - cleanup-eks-resources
       # Disable until we can use UBI images.
-      #      - acceptance-openshift:
-      #          requires:
-      #          - cleanup-azure-resources
+      - acceptance-openshift:
+               requires:
+               - cleanup-azure-resources
       - acceptance-gke-1-20:
           requires:
             - cleanup-gcp-resources
@@ -1128,6 +1192,11 @@ workflows:
           requires:
             - cleanup-eks-resources
             - dev-upload-docker
+      - acceptance-eks-cni-1-19:
+          requires:
+            # TODO: Cleanup on merge
+            #  - cleanup-eks-resources
+            - dev-upload-docker
       - acceptance-aks-1-21:
           requires:
             - cleanup-azure-resources
@@ -1138,7 +1207,9 @@ workflows:
       - acceptance-kind-cni-1-23:
           requires:
             - dev-upload-docker
-
+      - acceptance-kind-cni-1-23:
+          requires:
+            - dev-upload-docker
 
   nightly-acceptance-tests-consul:
     triggers:

diff --git a/charts/consul/templates/cni-clusterrole.yaml b/charts/consul/templates/cni-clusterrole.yaml
@@ -20,4 +20,11 @@ rules:
   - watch
   - patch
   - update
+- apiGroups: ["policy"]
+  resources:
+  - podsecuritypolicies 
+  resourceNames:
+  - {{ template "consul.fullname" . }}-cni
+  verbs:
+  - use
 {{- end }}
diff --git a/charts/consul/templates/cni-podsecuritypolicy.yaml b/charts/consul/templates/cni-podsecuritypolicy.yaml
@@ -12,8 +12,8 @@ metadata:
     component: cni 
 spec:
   privileged: true
-  # Required to prevent escalations to root.
-  allowPrivilegeEscalation: false
+  # GKE requires that allowPrivilegeEscalation:true if privileged: true.
+  allowPrivilegeEscalation: true 
   volumes:
   - hostPath
   - secret