Backport of Support restricted PSA enforcement part 2 into release/1.0.x #2740

Conversation

hc-github-team-consul-core

Backport

This PR is auto-generated from #2702 to be assessed for backporting due to the inclusion of the label backport/1.0.x.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@pglass
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul-k8s/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


Changes proposed in this PR:

Part 2 of #2572.

Update the following to set a "restricted" security context:

  • create-federation-secret-job.yaml
  • ingress-gateways-deployment.yaml
  • mesh-gateway-deployment.yaml
    • This is not included because adding the "restricted" security context settings to MGW makes it impossible to use hostNetwork=true
  • partition-init-job.yaml
  • terminating-gateways-deployment.yaml
  • sync-catalog-deployment.yaml

Also, fix a WAN federation test to run on kind

How I've tested this PR:

Run acceptance tests on kind with restricted PSA enforcement enabled on the consul namespace (see script)

  • Run the WAN fed test that is fixed in this PR, in order to validate the create federation secret job and mesh gateway deployment
  • Run TestTerminatingGateway and TestIngressGateway and manually validate the gateways start and run successfully in the restricted consul namespace
    • (note: these tests fail when test applications are deployed to a restricted namespace, because the test applications do not support running in a restricted namespace)
  • Run TestPartitions_Gateway and manually validate the partitions-init job succeeds

Test script:

  • Run make kind and then ./test-psa-kind.sh (no tproxy) or ./test-psa-kind.sh -tproxy (tproxy enabled). Toggle comments at the bottom to try to run other tests.
  • Run make kind-cni and ./test-psa-kind.sh -cni to test with tproxy+cni
Test script
#!/usr/bin/env bash
# Runs consul-k8s acceptance tests against the kind-dc1 and kind-dc2 clusters,
# installing Consul into freshly created namespaces that enforce the
# "restricted" Pod Security Admission profile.
#
# Usage (from the acceptance/ directory, after `make kind` or `make kind-cni`):
#   ./test-psa-kind.sh            # no transparent proxy
#   ./test-psa-kind.sh -tproxy    # transparent proxy enabled
#   ./test-psa-kind.sh -cni       # transparent proxy + CNI

set -euo pipefail

SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
# Resolve the chart values from the script location rather than the current
# directory, so the path is still valid after runtest() has cd'ed into a test
# package (otherwise every runtest call after the first fails to read it).
VALUES_FILE="${SCRIPT_DIR}/../charts/consul/values.yaml"

# Assign and export separately so a missing license file aborts under set -e.
CONSUL_LICENSE=$(cat ~/.consul-ent-license)
export CONSUL_LICENSE
export CONSUL_ENT_LICENSE=$CONSUL_LICENSE

# Cleanup namespaces left over from earlier runs.
# for context in $(kubectl config get-contexts -o name | grep '^kind-') ; do
for context in kind-dc1 kind-dc2 ; do
    kubectl --context "$context" get ns \
        | grep ^acceptance | awk '{print $1}' \
        | xargs -n 1 -I '{}' kubectl --context "$context" delete ns '{}' || true
done

EXTRA_FLAGS=""

while [[ $# -gt 0 ]]; do
    case $1 in
        -tproxy)
            EXTRA_FLAGS+=" -enable-transparent-proxy"
            shift
            ;;
        -cni)
            EXTRA_FLAGS+=" -enable-cni -enable-transparent-proxy"
            shift
            ;;
        *)
            echo "Unrecognized argument: '$1'"
            exit 1
            ;;
    esac
done

# runtest <directory under tests/> [go test -run pattern]
function runtest() {
    local testdir=$1
    local run_filter=${2:-}

    if [ -n "$run_filter" ]; then
        run_filter="-run $run_filter"
    fi

    # Create consul namespaces with restricted PSA enforcement.
    set -xeuo pipefail

    local ns_base="acceptance-${testdir}-$RANDOM"
    local contexts=""
    local namespaces=""
    #for context in $(kubectl config get-contexts -o name | grep '^kind-') ; do
    for context in kind-dc1 kind-dc2 ; do
        local consul_namespace="${ns_base}-$context"
        kubectl --context "$context" create ns "$consul_namespace"
        # enforce=restricted rejects any pod that violates the restricted
        # profile; enforce-version pins the profile version that is applied.
        kubectl --context "$context" label --overwrite ns "$consul_namespace" \
            pod-security.kubernetes.io/enforce=restricted \
            pod-security.kubernetes.io/enforce-version=v1.24

        if [ -n "$contexts" ]; then
            contexts+=","
            namespaces+=","
        fi
        contexts+="$context"
        namespaces+="$consul_namespace"
    done

    # Grab the default image versions from the helm values, switching to the
    # UBI variants (and the enterprise Consul image).
    imageK8S=$(yq -r '.global.imageK8S' "$VALUES_FILE" \
        | sed 's/-dev/-dev-ubi/')
    imageConsul=$(yq -r '.global.image' "$VALUES_FILE" \
        | sed 's/consul:/consul-enterprise:/' | sed 's/-dev/-dev-ubi/')
    imageDataplane=$(yq -r '.global.imageConsulDataplane' "$VALUES_FILE" \
        | sed 's/-dev/-dev-ubi/')

    cd "${SCRIPT_DIR}/tests/$testdir"
    rm -rf ./_debug
    mkdir ./_debug
    # EXTRA_FLAGS and run_filter are intentionally left unquoted so they word-split.
    go test -v -p 1 -timeout 15m -failfast \
        -consul-k8s-image "$imageK8S" \
        -consul-image "$imageConsul" \
        -consul-dataplane-image "$imageDataplane" \
        -debug-directory ./_debug \
        -enable-enterprise \
        -kube-contexts "$contexts" \
        -kube-namespaces "$namespaces" \
        -enable-multi-cluster -use-kind \
        -enable-restricted-psa-enforcement \
        $EXTRA_FLAGS $run_filter \
        ./...
}

runtest "connect" 'TestConnectInject$'
runtest wan-federation 'TestWANFederation/secure'
#runtest terminating-gateway 'TestTerminatingGateway$/secure:_true'
#runtest terminating-gateway 'TestTerminatingGatewaySingleNamespace'
#runtest ingress-gateway 'TestIngressGatewaySingleNamespace'
#runtest ingress-gateway 'TestIngressGateway$/secure:_true'
#runtest cloud 'TestBasicCloud'
#runtest partitions 'TestPartitions_Connect/default_destination_namespace'

How I expect reviewers to test this PR:

Checklist:


Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/pglass/NET-185/psa-enforcement-openshift-2/globally-settled-kingfish branch from c1c4ff8 to 18a8b43 Compare August 8, 2023 14:48
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/pglass/NET-185/psa-enforcement-openshift-2/globally-settled-kingfish branch from 18a8b43 to c1c4ff8 Compare August 8, 2023 14:48
@hashicorp-cla
Copy link

hashicorp-cla commented Aug 8, 2023

CLA assistant check
All committers have signed the CLA.

@pglass pglass force-pushed the backport/pglass/NET-185/psa-enforcement-openshift-2/globally-settled-kingfish branch from db63a40 to 91151d3 Compare August 8, 2023 14:59
@pglass pglass force-pushed the backport/pglass/NET-185/psa-enforcement-openshift-2/globally-settled-kingfish branch from 91151d3 to cea1a2e Compare August 8, 2023 15:05
@pglass pglass marked this pull request as ready for review August 8, 2023 15:06
@pglass pglass enabled auto-merge (squash) August 8, 2023 15:09
@pglass pglass merged commit 326e87f into release/1.0.x Aug 8, 2023
3 checks passed
@pglass pglass deleted the backport/pglass/NET-185/psa-enforcement-openshift-2/globally-settled-kingfish branch August 8, 2023 18:02