From 75beda657a20a1523a817dbd48f13fb7f797f546 Mon Sep 17 00:00:00 2001 From: Luke Kysow <1034429+lkysow@users.noreply.github.com> Date: Mon, 11 Jan 2021 16:36:05 -0800 Subject: [PATCH 1/4] Remove -default-protocol and annotation support --- CHANGELOG.md | 28 ++ connect-inject/container_init.go | 38 --- connect-inject/container_init_test.go | 378 ---------------------- connect-inject/handler.go | 47 ++- connect-inject/handler_test.go | 163 ++-------- subcommand/inject-connect/command.go | 10 +- subcommand/inject-connect/command_test.go | 10 + 7 files changed, 100 insertions(+), 574 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 32de9e25ea..a236285b4b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,6 +14,34 @@ IMPROVEMENTS: FEATURES: * TLS: add `tls-init` command that is responsible for creating and updating Server TLS certificates. [[GH-410](https://github.com/hashicorp/consul-k8s/pull/410)] +BREAKING CHANGES +* Connect: the `-default-protocol` and `-enable-central-config` flags are no longer supported. + The `consul.hashicorp.com/connect-service-protocol` annotation on Connect pods is also + no longer supported. [[GH-418](https://github.com/hashicorp/consul-k8s/pull/418)] + + Current deployments that have the annotation should remove it, otherwise they + will get an error if a pod from that deployment is rescheduled. + + Removing the annotation will not change their protocol + since the config entry was already written to Consul. If you wish to change + the protocol you must migrate the config entry to be managed by a + [`ServiceDefaults`](https://www.consul.io/docs/agent/config-entries/service-defaults) resource. + See [Upgrade to CRDs](https://www.consul.io/docs/k8s/crds/upgrade-to-crds) for more + information. + + To set the protocol for __new__ services, you must use the + [`ServiceDefaults`](https://www.consul.io/docs/agent/config-entries/service-defaults) resource, + e.g. + + ```yaml + apiVersion: consul.hashicorp.com/v1alpha1 + kind: ServiceDefaults + metadata: + name: my-service-name + spec: + protocol: "http" + ``` + ## 0.22.0 (December 21, 2020) BUG FIXES: diff --git a/connect-inject/container_init.go b/connect-inject/container_init.go index 1a54a71805..8b6ca88163 100644 --- a/connect-inject/container_init.go +++ b/connect-inject/container_init.go 
@@ -48,23 +48,10 @@ type initContainerCommandUpstreamData struct { // containerInit returns the init container spec for registering the Consul // service, setting up the Envoy bootstrap, etc. func (h *Handler) containerInit(pod *corev1.Pod, k8sNamespace string) (corev1.Container, error) { - protocol := h.DefaultProtocol - if annoProtocol, ok := pod.Annotations[annotationProtocol]; ok { - protocol = annoProtocol - } - // We only write a service-defaults config if central config is enabled - // and a protocol is specified. Previously, we would write a config when - // the protocol was empty. This is the same as setting it to tcp. This - // would then override any global proxy-defaults config. Now, we only - // write the config if a protocol is explicitly set. - writeServiceDefaults := h.WriteServiceDefaults && protocol != "" - data := initContainerCommandData{ ServiceName: pod.Annotations[annotationService], ProxyServiceName: fmt.Sprintf("%s-sidecar-proxy", pod.Annotations[annotationService]), - ServiceProtocol: protocol, AuthMethod: h.AuthMethod, - WriteServiceDefaults: writeServiceDefaults, ConsulNamespace: h.consulNamespace(k8sNamespace), NamespaceMirroringEnabled: h.EnableK8SNSMirroring, ConsulCACert: h.ConsulCACert, @@ -342,18 +329,6 @@ services { } EOF -{{- if .WriteServiceDefaults }} -# Create the service-defaults config for the service -cat </consul/connect-inject/service-defaults.hcl -kind = "service-defaults" -name = "{{ .ServiceName }}" -protocol = "{{ .ServiceProtocol }}" -{{- if .ConsulNamespace }} -namespace = "{{ .ConsulNamespace }}" -{{- end }} -EOF -{{- end }} - {{- if .AuthMethod }} /bin/consul login -method="{{ .AuthMethod }}" \ -bearer-token-file="/var/run/secrets/kubernetes.io/serviceaccount/token" \ 
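Review bot: The `ServiceProtocol` and `WriteServiceDefaults` fields of `initContainerCommandData` are presumably still declared above this hunk, yet after it nothing assigns them and the template no longer reads them; Go does not flag unused struct fields, so they stay behind silently. Drop the two field declarations together with the removed assignments, so that a leftover `{{ .ServiceProtocol }}` anywhere in the template fails loudly at execution instead of rendering an empty string. The body of `containerInit` and the template constant continue outside this hunk, so I cannot confirm there is no other reader.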
@@ -373,19 +348,6 @@ EOF chmod 444 /consul/connect-inject/acl-token {{- end }} -{{- if .WriteServiceDefaults }} -{{- /* We use -cas and -modify-index 0 so that if a service-defaults config - already exists for this service, we don't override it */}} -/bin/consul config write -cas -modify-index 0 \ - {{- if .AuthMethod }} - -token-file="/consul/connect-inject/acl-token" \ - {{- end }} - {{- if .ConsulNamespace }} - -namespace="{{ .ConsulNamespace }}" \ - {{- end }} - /consul/connect-inject/service-defaults.hcl || true -{{- end }} - /bin/consul services register \ {{- if .AuthMethod }} -token-file="/consul/connect-inject/acl-token" \ diff --git a/connect-inject/container_init_test.go b/connect-inject/container_init_test.go index e754321005..34aa0d68f1 100644 --- a/connect-inject/container_init_test.go +++ b/connect-inject/container_init_test.go 
@@ -939,189 +939,6 @@ EOF -meta="pod=${POD_NAMESPACE}/${POD_NAME}" chmod 444 /consul/connect-inject/acl-token -/bin/consul services register \ - -token-file="/consul/connect-inject/acl-token" \ - -namespace="k8snamespace" \ - /consul/connect-inject/service.hcl - -# Generate the envoy bootstrap code -/bin/consul connect envoy \ - -proxy-id="${PROXY_SERVICE_ID}" \ - -token-file="/consul/connect-inject/acl-token" \ - -namespace="k8snamespace" \ - -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml - -# Copy the Consul binary -cp /bin/consul /consul/connect-inject/consul`, - "", - }, - - { - "Whole template, service defaults and no auth method, non-default namespace", - func(pod *corev1.Pod) *corev1.Pod { - pod.Annotations[annotationService] = "web" - return pod - }, - Handler{ - WriteServiceDefaults: true, - DefaultProtocol: "http", - EnableNamespaces: true, - ConsulDestinationNamespace: "non-default", - }, - k8sNamespace, - `/bin/sh -ec -export CONSUL_HTTP_ADDR="${HOST_IP}:8500" -export CONSUL_GRPC_ADDR="${HOST_IP}:8502" - -# Register the service. The HCL is stored in the volume so that -# the preStop hook can access it to deregister the service. 
-cat </consul/connect-inject/service.hcl -services { - id = "${SERVICE_ID}" - name = "web" - address = "${POD_IP}" - port = 0 - namespace = "non-default" - meta = { - pod-name = "${POD_NAME}" - } -} - -services { - id = "${PROXY_SERVICE_ID}" - name = "web-sidecar-proxy" - kind = "connect-proxy" - address = "${POD_IP}" - port = 20000 - namespace = "non-default" - meta = { - pod-name = "${POD_NAME}" - } - - proxy { - destination_service_name = "web" - destination_service_id = "${SERVICE_ID}" - } - - checks { - name = "Proxy Public Listener" - tcp = "${POD_IP}:20000" - interval = "10s" - deregister_critical_service_after = "10m" - } - - checks { - name = "Destination Alias" - alias_service = "${SERVICE_ID}" - } -} -EOF -# Create the service-defaults config for the service -cat </consul/connect-inject/service-defaults.hcl -kind = "service-defaults" -name = "web" -protocol = "http" -namespace = "non-default" -EOF -/bin/consul config write -cas -modify-index 0 \ - -namespace="non-default" \ - /consul/connect-inject/service-defaults.hcl || true - -/bin/consul services register \ - -namespace="non-default" \ - /consul/connect-inject/service.hcl - -# Generate the envoy bootstrap code -/bin/consul connect envoy \ - -proxy-id="${PROXY_SERVICE_ID}" \ - -namespace="non-default" \ - -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml - -# Copy the Consul binary -cp /bin/consul /consul/connect-inject/consul`, - "", - }, - - { - "Whole template, service defaults and auth method, non-default namespace, mirroring enabled", - func(pod *corev1.Pod) *corev1.Pod { - pod.Annotations[annotationService] = "web" - return pod - }, - Handler{ - AuthMethod: "auth-method", - WriteServiceDefaults: true, - DefaultProtocol: "http", - EnableNamespaces: true, - ConsulDestinationNamespace: "non-default", // Overridden by mirroring - EnableK8SNSMirroring: true, - }, - k8sNamespace, - `/bin/sh -ec -export CONSUL_HTTP_ADDR="${HOST_IP}:8500" -export CONSUL_GRPC_ADDR="${HOST_IP}:8502" - -# Register 
the service. The HCL is stored in the volume so that -# the preStop hook can access it to deregister the service. -cat </consul/connect-inject/service.hcl -services { - id = "${SERVICE_ID}" - name = "web" - address = "${POD_IP}" - port = 0 - namespace = "k8snamespace" - meta = { - pod-name = "${POD_NAME}" - } -} - -services { - id = "${PROXY_SERVICE_ID}" - name = "web-sidecar-proxy" - kind = "connect-proxy" - address = "${POD_IP}" - port = 20000 - namespace = "k8snamespace" - meta = { - pod-name = "${POD_NAME}" - } - - proxy { - destination_service_name = "web" - destination_service_id = "${SERVICE_ID}" - } - - checks { - name = "Proxy Public Listener" - tcp = "${POD_IP}:20000" - interval = "10s" - deregister_critical_service_after = "10m" - } - - checks { - name = "Destination Alias" - alias_service = "${SERVICE_ID}" - } -} -EOF -# Create the service-defaults config for the service -cat </consul/connect-inject/service-defaults.hcl -kind = "service-defaults" -name = "web" -protocol = "http" -namespace = "k8snamespace" -EOF -/bin/consul login -method="auth-method" \ - -bearer-token-file="/var/run/secrets/kubernetes.io/serviceaccount/token" \ - -token-sink-file="/consul/connect-inject/acl-token" \ - -namespace="default" \ - -meta="pod=${POD_NAMESPACE}/${POD_NAME}" -chmod 444 /consul/connect-inject/acl-token -/bin/consul config write -cas -modify-index 0 \ - -token-file="/consul/connect-inject/acl-token" \ - -namespace="k8snamespace" \ - /consul/connect-inject/service-defaults.hcl || true - /bin/consul services register \ -token-file="/consul/connect-inject/acl-token" \ -namespace="k8snamespace" \ 
@@ -1205,101 +1022,6 @@ cp /bin/consul /consul/connect-inject/consul`, } } -// Test that we write service-defaults config and use the default protocol. -func TestHandlerContainerInit_writeServiceDefaultsDefaultProtocol(t *testing.T) { - require := require.New(t) - h := Handler{ - WriteServiceDefaults: true, - DefaultProtocol: "grpc", - } - pod := &corev1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{ - annotationService: "foo", - }, - }, - - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "web", - }, - }, - }, - } - container, err := h.containerInit(pod, k8sNamespace) - require.NoError(err) - actual := strings.Join(container.Command, " ") - require.Contains(actual, ` -# Create the service-defaults config for the service -cat </consul/connect-inject/service-defaults.hcl -kind = "service-defaults" -name = "foo" -protocol = "grpc" -EOF -/bin/consul config write -cas -modify-index 0 \ - /consul/connect-inject/service-defaults.hcl || true - -/bin/consul services register \ - /consul/connect-inject/service.hcl - -# Generate the envoy bootstrap code -/bin/consul connect envoy \ - -proxy-id="${PROXY_SERVICE_ID}" \ - -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml - -# Copy the Consul binary -cp /bin/consul /consul/connect-inject/consul`) -} - -// Test that we write service-defaults config and use the protocol from the Pod. 
-func TestHandlerContainerInit_writeServiceDefaultsPodProtocol(t *testing.T) { - require := require.New(t) - h := Handler{ - WriteServiceDefaults: true, - DefaultProtocol: "http", - } - pod := &corev1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{ - annotationService: "foo", - annotationProtocol: "grpc", - }, - }, - - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "web", - }, - }, - }, - } - container, err := h.containerInit(pod, k8sNamespace) - require.NoError(err) - actual := strings.Join(container.Command, " ") - require.Contains(actual, ` -# Create the service-defaults config for the service -cat </consul/connect-inject/service-defaults.hcl -kind = "service-defaults" -name = "foo" -protocol = "grpc" -EOF -/bin/consul config write -cas -modify-index 0 \ - /consul/connect-inject/service-defaults.hcl || true - -/bin/consul services register \ - /consul/connect-inject/service.hcl - -# Generate the envoy bootstrap code -/bin/consul connect envoy \ - -proxy-id="${PROXY_SERVICE_ID}" \ - -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml - -# Copy the Consul binary -cp /bin/consul /consul/connect-inject/consul`) -} - func TestHandlerContainerInit_authMethod(t *testing.T) { require := require.New(t) h := Handler{ 
@@ -1349,106 +1071,6 @@ chmod 444 /consul/connect-inject/acl-token -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`) } -func TestHandlerContainerInit_authMethodAndCentralConfig(t *testing.T) { - require := require.New(t) - h := Handler{ - AuthMethod: "release-name-consul-k8s-auth-method", - WriteServiceDefaults: true, - DefaultProtocol: "grpc", - } - pod := &corev1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{ - annotationService: "foo", - }, - }, - - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "web", - VolumeMounts: []corev1.VolumeMount{ - { - Name: "default-token-podid", - ReadOnly: true, - MountPath: "/var/run/secrets/kubernetes.io/serviceaccount", - }, - }, - }, - }, - ServiceAccountName: "foo", - }, - } - container, err := h.containerInit(pod, k8sNamespace) - require.NoError(err) - actual := strings.Join(container.Command, " ") - require.Contains(actual, ` -# Create the service-defaults config for the service -cat </consul/connect-inject/service-defaults.hcl -kind = "service-defaults" -name = "foo" -protocol = "grpc" -EOF -/bin/consul login -method="release-name-consul-k8s-auth-method" \ - -bearer-token-file="/var/run/secrets/kubernetes.io/serviceaccount/token" \ - -token-sink-file="/consul/connect-inject/acl-token" \ - -meta="pod=${POD_NAMESPACE}/${POD_NAME}" -chmod 444 /consul/connect-inject/acl-token -/bin/consul config write -cas -modify-index 0 \ - -token-file="/consul/connect-inject/acl-token" \ - /consul/connect-inject/service-defaults.hcl || true - -/bin/consul services register \ - -token-file="/consul/connect-inject/acl-token" \ - /consul/connect-inject/service.hcl - -# Generate the envoy bootstrap code -/bin/consul connect envoy \ - -proxy-id="${PROXY_SERVICE_ID}" \ - -token-file="/consul/connect-inject/acl-token" \ - -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml -`) -} - -// If the default protocol is empty and no protocol is set on the Pod, -// we expect no service-defaults 
config to be written. -func TestHandlerContainerInit_noDefaultProtocol(t *testing.T) { - require := require.New(t) - h := Handler{ - WriteServiceDefaults: true, - DefaultProtocol: "", - } - pod := &corev1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{ - annotationService: "foo", - }, - }, - - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "web", - }, - }, - }, - } - container, err := h.containerInit(pod, k8sNamespace) - require.NoError(err) - actual := strings.Join(container.Command, " ") - require.NotContains(actual, ` -# Create the service-defaults config for the service -cat </consul/connect-inject/service-defaults.hcl -kind = "service-defaults" -name = "foo" -protocol = "" -EOF`) - require.NotContains(actual, ` -/bin/consul config write -cas -modify-index 0 \ - -token-file="/consul/connect-inject/acl-token" \ - /consul/connect-inject/service-defaults.hcl || true`) -} - // If Consul CA cert is set, // Consul addresses should use HTTPS // and CA cert should be set as env variable diff --git a/connect-inject/handler.go b/connect-inject/handler.go index 91bac78182..4c3e9eab09 100644 --- a/connect-inject/handler.go +++ b/connect-inject/handler.go @@ -42,6 +42,8 @@ const ( // annotationProtocol contains the protocol that should be used for // the service that is being injected. Valid values are "http", "http2", // "grpc" and "tcp". + // + // Deprecated: This annotation is no longer supported. annotationProtocol = "consul.hashicorp.com/connect-service-protocol" // annotationUpstreams is a list of upstreams to register with the 
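Review bot: The doc comment on `annotationProtocol` still states that it "contains the protocol that should be used" and lists valid values, which contradicts the `Deprecated:` line added directly beneath it now that the annotation is rejected outright. Replace the first paragraph with something like `// annotationProtocol was honored by earlier releases to pick the service protocol; it is now rejected by the webhook, set the protocol with a ServiceDefaults resource instead.` and keep the `Deprecated:` paragraph so tooling still flags uses.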
@@ -130,15 +132,6 @@ type Handler struct {
 	// use for identity with connectInjection if ACLs are enabled
 	AuthMethod string
 
-	// WriteServiceDefaults controls whether injection should write a
-	// service-defaults config entry for each service.
-	// Requires an additional `protocol` parameter.
-	WriteServiceDefaults bool
-
-	// DefaultProtocol is the default protocol to use for central config
-	// registrations. It will be overridden by a specific annotation.
-	DefaultProtocol string
-
 	// The PEM-encoded CA certificate string
 	// to use when communicating with Consul clients over HTTPS.
 	// If not set, will use HTTP.
@@ -277,8 +270,18 @@ func (h *Handler) Mutate(req *v1beta1.AdmissionRequest) *v1beta1.AdmissionRespon
 	// Accumulate any patches here
 	var patches []jsonpatch.JsonPatchOperation
 
+	if err := h.validatePod(pod); err != nil {
+		h.Log.Error("Error validating pod", "err", err, "Request Name", req.Name)
+		return &v1beta1.AdmissionResponse{
+			Result: &metav1.Status{
+				Message: fmt.Sprintf("Error validating pod: %s", err),
+			},
+		}
+	}
+
 	// Setup the default annotation values that are used for the container.
-	// This MUST be done before shouldInject is called since k.
+	// This MUST be done before shouldInject is called since that function
+	// uses these annotations.
 	if err := h.defaultAnnotations(&pod, &patches); err != nil {
 		h.Log.Error("Error creating default annotations", "err", err, "Request Name", req.Name)
 		return &v1beta1.AdmissionResponse{
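Review bot: `h.validatePod(pod)` runs before `shouldInject` is consulted, so every pod this webhook receives that still carries `consul.hashicorp.com/connect-service-protocol` is rejected — including pods that would never be injected (no inject annotation with RequireAnnotation set, or a denied namespace), turning a stale annotation on an unrelated workload into a pod-creation failure whenever the webhook fails closed. If that is not the intent, move the check to just after the point where `shouldInject` decides to inject; if it is, say so next to the call with `// Reject unsupported annotations even on pods we would not inject, so stale config surfaces early.` The enclosing `Mutate` starts and ends outside this hunk, so I cannot see where `shouldInject` is evaluated relative to this block.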
@@ -498,22 +501,6 @@ func (h *Handler) defaultAnnotations(pod *corev1.Pod, patches *[]jsonpatch.JsonP
 		}
 	}
 
-	if h.WriteServiceDefaults {
-		// Default protocol is specified by a flag if not explicitly annotated
-		if _, ok := pod.ObjectMeta.Annotations[annotationProtocol]; !ok && h.DefaultProtocol != "" {
-			if cs := pod.Spec.Containers; len(cs) > 0 {
-				// Create the patch for this first, so that the Annotation
-				// object will be created if necessary
-				*patches = append(*patches, updateAnnotation(
-					pod.Annotations,
-					map[string]string{annotationProtocol: h.DefaultProtocol})...)
-
-				// Set the annotation for protocol
-				pod.ObjectMeta.Annotations[annotationProtocol] = h.DefaultProtocol
-			}
-		}
-	}
-
 	return nil
 }
 
@@ -524,6 +511,14 @@ func (h *Handler) consulNamespace(ns string) string {
 	return namespaces.ConsulNamespace(ns, h.EnableNamespaces, h.ConsulDestinationNamespace, h.EnableK8SNSMirroring, h.K8SNSMirroringPrefix)
 }
 
+func (h *Handler) validatePod(pod corev1.Pod) error {
+	if _, ok := pod.Annotations[annotationProtocol]; ok {
+		return fmt.Errorf("the %s annotation is no longer supported. Instead, create a ServiceDefaults resource (see www.consul.io/docs/k8s/crds/upgrade-to-crds)",
+			annotationProtocol)
+	}
+	return nil
+}
+
 func portValue(pod *corev1.Pod, value string) (int32, error) {
 	// First search for the named port
 	for _, c := range pod.Spec.Containers {
diff --git a/connect-inject/handler_test.go b/connect-inject/handler_test.go
index 1e7858ca3f..4d20785af6 100644
--- a/connect-inject/handler_test.go
+++ b/connect-inject/handler_test.go
@@ -257,10 +257,8 @@ func TestHandlerHandle(t *testing.T) {
 		},
 
 		{
-			"empty pod basic, no default protocol",
+			"empty pod basic",
 			Handler{
-				WriteServiceDefaults: true,
-				DefaultProtocol: "",
 				Log: hclog.Default().Named("handler"),
 				AllowK8sNamespacesSet: mapset.NewSetWith("*"),
 				DenyK8sNamespacesSet: mapset.NewSet(),
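Review bot: `validatePod` takes `pod corev1.Pod` by value, copying the whole Pod object on every admission call, while its neighbours in the same file (`defaultAnnotations(pod *corev1.Pod, ...)` and `portValue(pod *corev1.Pod, ...)`, both visible as hunk context here) take a pointer; change it to `func (h *Handler) validatePod(pod *corev1.Pod) error` and pass `&pod` at the call site in `Mutate`, matching the `defaultAnnotations` call. It also has no doc comment; add `// validatePod rejects pods that still carry annotations this version no longer supports. It keys on presence, so an empty value is rejected too.` Keying on presence rather than value is the right choice here, since the removed code treated an empty protocol as a real setting.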
@@ -304,105 +302,6 @@ func TestHandlerHandle(t *testing.T) { }, }, - { - "empty pod basic, protocol in annotation", - Handler{ - WriteServiceDefaults: true, - Log: hclog.Default().Named("handler"), - AllowK8sNamespacesSet: mapset.NewSetWith("*"), - DenyK8sNamespacesSet: mapset.NewSet(), - }, - v1beta1.AdmissionRequest{ - Object: encodeRaw(t, &corev1.Pod{ - Spec: basicSpec, - ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{ - annotationService: "foo", - annotationProtocol: "grpc", - }, - }, - }), - }, - "", - []jsonpatch.JsonPatchOperation{ - { - Operation: "add", - Path: "/spec/volumes", - }, - { - Operation: "add", - Path: "/spec/initContainers", - }, - { - Operation: "add", - Path: "/spec/containers/-", - }, - { - Operation: "add", - Path: "/spec/containers/-", - }, - { - Operation: "add", - Path: "/metadata/annotations/" + escapeJSONPointer(annotationStatus), - }, - { - Operation: "add", - Path: "/metadata/labels", - }, - }, - }, - - { - "empty pod basic, default protocol specified", - Handler{ - WriteServiceDefaults: true, - DefaultProtocol: "http", - Log: hclog.Default().Named("handler"), - AllowK8sNamespacesSet: mapset.NewSetWith("*"), - DenyK8sNamespacesSet: mapset.NewSet(), - }, - v1beta1.AdmissionRequest{ - Object: encodeRaw(t, &corev1.Pod{ - Spec: basicSpec, - }), - }, - "", - []jsonpatch.JsonPatchOperation{ - { - Operation: "add", - Path: "/metadata/annotations", - }, - { - Operation: "add", - Path: "/metadata/annotations/" + escapeJSONPointer(annotationProtocol), - }, - { - Operation: "add", - Path: "/spec/volumes", - }, - { - Operation: "add", - Path: "/spec/initContainers", - }, - { - Operation: "add", - Path: "/spec/containers/-", - }, - { - Operation: "add", - Path: "/spec/containers/-", - }, - { - Operation: "add", - Path: "/metadata/annotations/" + escapeJSONPointer(annotationStatus), - }, - { - Operation: "add", - Path: "/metadata/labels", - }, - }, - }, - { "pod with existing label", Handler{ 
@@ -479,6 +378,38 @@ func TestHandlerHandle(t *testing.T) { } } +// Test that we error out if the protocol annotation is set. +func TestHandler_ErrorsOnProtocolAnnotations(t *testing.T) { + require := require.New(t) + handler := Handler{ + Log: hclog.Default().Named("handler"), + AllowK8sNamespacesSet: mapset.NewSetWith("*"), + DenyK8sNamespacesSet: mapset.NewSet(), + } + + request := v1beta1.AdmissionRequest{ + Namespace: "default", + Object: encodeRaw(t, &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + annotationProtocol: "http", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "web", + }, + }, + }, + }), + } + + response := handler.Mutate(&request) + require.False(response.Allowed) + require.Equal(response.Result.Message, "Error validating pod: the consul.hashicorp.com/connect-service-protocol annotation is no longer supported. Instead, create a ServiceDefaults resource (see www.consul.io/docs/k8s/crds/upgrade-to-crds)") +} + // Test that an incorrect content type results in an error. func TestHandlerHandle_badContentType(t *testing.T) { req, err := http.NewRequest("POST", "/", nil) @@ -629,34 +560,6 @@ func TestHandlerDefaultAnnotations(t *testing.T) { }, "", }, - - { - "basic pod, protocol annotated", - &corev1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{ - annotationProtocol: "http", - }, - }, - - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - corev1.Container{ - Name: "web", - }, - - corev1.Container{ - Name: "web-side", - }, - }, - }, - }, - map[string]string{ - annotationService: "web", - annotationProtocol: "http", - }, - "", - }, } for _, tt := range cases { diff --git a/subcommand/inject-connect/command.go b/subcommand/inject-connect/command.go index 3aaf2ccdb2..be4ad6e506 100644 --- a/subcommand/inject-connect/command.go +++ b/subcommand/inject-connect/command.go 
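Review bot: `require.Equal(response.Result.Message, "Error validating pod: ...")` passes the actual value in the expected slot; testify's `Equal(expected, actual)` will print the two swapped when it fails, so flip the arguments: `require.Equal("Error validating pod: the consul.hashicorp.com/connect-service-protocol annotation is no longer supported. ...", response.Result.Message)`. Pinning the entire prose string is also what forced the later "Fix tests" commit in this series when the format verb changed from `%s` to `%q`; asserting `require.Contains(response.Result.Message, annotationProtocol)` and `require.Contains(response.Result.Message, "no longer supported")` would test the contract rather than the wording.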
@@ -195,6 +195,14 @@ func (c *Command) Run(args []string) int {
 		c.UI.Error("-envoy-image must be set")
 		return 1
 	}
+	if c.flagWriteServiceDefaults {
+		c.UI.Error("-enable-central-config is no longer supported")
+		return 1
+	}
+	if c.flagDefaultProtocol != "" {
+		c.UI.Error("-default-protocol is no longer supported")
+		return 1
+	}
 
 	logger, err := common.Logger(c.flagLogLevel)
 	if err != nil {
@@ -330,8 +338,6 @@ func (c *Command) Run(args []string) int {
 		ImageConsulK8S: c.flagConsulK8sImage,
 		RequireAnnotation: !c.flagDefaultInject,
 		AuthMethod: c.flagACLAuthMethod,
-		WriteServiceDefaults: c.flagWriteServiceDefaults,
-		DefaultProtocol: c.flagDefaultProtocol,
 		ConsulCACert: string(consulCACert),
 		DefaultProxyCPURequest: sidecarProxyCPURequest,
 		DefaultProxyCPULimit: sidecarProxyCPULimit,
diff --git a/subcommand/inject-connect/command_test.go b/subcommand/inject-connect/command_test.go
index 7340e74811..2c547a84c8 100644
--- a/subcommand/inject-connect/command_test.go
+++ b/subcommand/inject-connect/command_test.go
@@ -36,6 +36,16 @@ func TestRun_FlagValidation(t *testing.T) {
 				"-log-level", "invalid"},
 			expErr: "unknown log level: invalid",
 		},
+		{
+			flags: []string{"-consul-k8s-image", "foo", "-consul-image", "foo", "-envoy-image", "envoy:1.16.0",
+				"-enable-central-config", "true"},
+			expErr: "-enable-central-config is no longer supported",
+		},
+		{
+			flags: []string{"-consul-k8s-image", "foo", "-consul-image", "foo", "-envoy-image", "envoy:1.16.0",
+				"-default-protocol", "http"},
+			expErr: "-default-protocol is no longer supported",
+		},
 		{
 			flags: []string{"-consul-k8s-image", "foo", "-consul-image", "foo", "-envoy-image", "envoy:1.16.0",
 				"-ca-file", "bar"},
From 00f7c0935ad5659d5b5fe02708d3e2b2a12647e8 Mon Sep 17 00:00:00 2001
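Review bot: The two new rejections only say the flag "is no longer supported", whereas the webhook error for the same removed feature tells the operator what to use instead; make them consistent, e.g. `c.UI.Error("-default-protocol is no longer supported; set the protocol with a ServiceDefaults resource instead")` and the same for `-enable-central-config`. The flag definitions sit outside this hunk, so their usage strings presumably still describe a working feature; mark them with something like `Deprecated: no longer supported, setting this flag is an error` so `-help` stops advertising options that always fail, and confirm `flagWriteServiceDefaults` defaults to false so the bool check cannot trip on an untouched default.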
From: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Date: Thu, 14 Jan 2021 08:45:49 -0800
Subject: [PATCH 2/4] Update connect-inject/handler.go

Co-authored-by: Iryna Shustava
---
 connect-inject/handler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/connect-inject/handler.go b/connect-inject/handler.go
index 4c3e9eab09..41a3523a47 100644
--- a/connect-inject/handler.go
+++ b/connect-inject/handler.go
@@ -513,7 +513,7 @@ func (h *Handler) consulNamespace(ns string) string {
 
 func (h *Handler) validatePod(pod corev1.Pod) error {
 	if _, ok := pod.Annotations[annotationProtocol]; ok {
-		return fmt.Errorf("the %s annotation is no longer supported. Instead, create a ServiceDefaults resource (see www.consul.io/docs/k8s/crds/upgrade-to-crds)",
+		return fmt.Errorf("the %q annotation is no longer supported. Instead, create a ServiceDefaults resource (see www.consul.io/docs/k8s/crds/upgrade-to-crds)",
 			annotationProtocol)
 	}
 	return nil

From 606ea73594e292412cac5d718e41eaa894ee347f Mon Sep 17 00:00:00 2001
From: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Date: Mon, 25 Jan 2021 09:29:34 -0800
Subject: [PATCH 3/4] Fix tests

---
 connect-inject/handler_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/connect-inject/handler_test.go b/connect-inject/handler_test.go
index 4d20785af6..2f1a2736d9 100644
--- a/connect-inject/handler_test.go
+++ b/connect-inject/handler_test.go
@@ -407,7 +407,7 @@ func TestHandler_ErrorsOnProtocolAnnotations(t *testing.T) {
 
 	response := handler.Mutate(&request)
 	require.False(response.Allowed)
-	require.Equal(response.Result.Message, "Error validating pod: the consul.hashicorp.com/connect-service-protocol annotation is no longer supported. Instead, create a ServiceDefaults resource (see www.consul.io/docs/k8s/crds/upgrade-to-crds)")
+	require.Equal(response.Result.Message, "Error validating pod: the \"consul.hashicorp.com/connect-service-protocol\" annotation is no longer supported. Instead, create a ServiceDefaults resource (see www.consul.io/docs/k8s/crds/upgrade-to-crds)")
 }
 
 // Test that an incorrect content type results in an error.
From 7136f9361f8226b3f92e9a5acbe01536c2d78565 Mon Sep 17 00:00:00 2001
From: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Date: Mon, 25 Jan 2021 09:30:47 -0800
Subject: [PATCH 4/4] Fix changelog

---
 CHANGELOG.md | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a236285b4b..dd45e52514 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,19 +1,5 @@ ## UNRELEASED -## 0.23.0 (January 22, 2021) - -BUG FIXES: -* CRDs: Fix issue where a `ServiceIntentions` resource could be continually resynced with Consul - because Consul's internal representation had a different order for an array than the Kubernetes resource. [[GH-416](https://github.com/hashicorp/consul-k8s/pull/416)] -* CRDs: **(Consul Enterprise only)** default the `namespace` fields on resources where Consul performs namespace defaulting to prevent constant re-syncing. - [[GH-413](https://github.com/hashicorp/consul-k8s/pull/413)] - -IMPROVEMENTS: -* ACLs: give better error if policy that consul-k8s tries to update was created manually by user. [[GH-412](https://github.com/hashicorp/consul-k8s/pull/412)] - -FEATURES: -* TLS: add `tls-init` command that is responsible for creating and updating Server TLS certificates. [[GH-410](https://github.com/hashicorp/consul-k8s/pull/410)] - BREAKING CHANGES * Connect: the `-default-protocol` and `-enable-central-config` flags are no longer supported. The `consul.hashicorp.com/connect-service-protocol` annotation on Connect pods is also 
@@ -42,6 +28,20 @@ BREAKING CHANGES protocol: "http" ``` +## 0.23.0 (January 22, 2021) + +BUG FIXES: +* CRDs: Fix issue where a `ServiceIntentions` resource could be continually resynced with Consul + because Consul's internal representation had a different order for an array than the Kubernetes resource. [[GH-416](https://github.com/hashicorp/consul-k8s/pull/416)] +* CRDs: **(Consul Enterprise only)** default the `namespace` fields on resources where Consul performs namespace defaulting to prevent constant re-syncing. + [[GH-413](https://github.com/hashicorp/consul-k8s/pull/413)] + +IMPROVEMENTS: +* ACLs: give better error if policy that consul-k8s tries to update was created manually by user. [[GH-412](https://github.com/hashicorp/consul-k8s/pull/412)] + +FEATURES: +* TLS: add `tls-init` command that is responsible for creating and updating Server TLS certificates. [[GH-410](https://github.com/hashicorp/consul-k8s/pull/410)] + ## 0.22.0 (December 21, 2020) BUG FIXES: