From 554f93666e929ccc89b3e406c66ee841020e58fb Mon Sep 17 00:00:00 2001
From: Iryna Shustava
Date: Wed, 22 Apr 2020 19:47:04 -0700
Subject: [PATCH] ACLs: Support external servers (#420)

* server-acl-init-job sets server addresses if 'externalServers.enabled' is true
* server-acl-init and server-acl-init-cleanup jobs and their related resources now run either when servers are enabled or when externalServers are enabled
* Add new acls.bootstrapToken value for providing your own bootstrap token.
* Allow custom auth method configuration
* Fail if both server and externalServers are enabled
---
 .../server-acl-init-cleanup-clusterrole.yaml | 4 +-
 ...r-acl-init-cleanup-clusterrolebinding.yaml | 4 +-
 templates/server-acl-init-cleanup-job.yaml | 4 +-
 ...er-acl-init-cleanup-podsecuritypolicy.yaml | 4 +-
 ...erver-acl-init-cleanup-serviceaccount.yaml | 4 +-
 templates/server-acl-init-clusterrole.yaml | 11 +-
 .../server-acl-init-clusterrolebinding.yaml | 4 +-
 templates/server-acl-init-job.yaml | 48 ++-
 .../server-acl-init-podsecuritypolicy.yaml | 4 +-
 templates/server-acl-init-serviceaccount.yaml | 4 +-
 test/unit/helpers.bats | 6 +
 .../server-acl-init-cleanup-clusterrole.bats | 32 ++
 ...r-acl-init-cleanup-clusterrolebinding.bats | 32 ++
 test/unit/server-acl-init-cleanup-job.bats | 32 ++
 ...er-acl-init-cleanup-podsecuritypolicy.bats | 35 ++
 ...erver-acl-init-cleanup-serviceaccount.bats | 32 ++
 test/unit/server-acl-init-clusterrole.bats | 32 ++
 .../server-acl-init-clusterrolebinding.bats | 32 ++
 test/unit/server-acl-init-job.bats | 323 ++++++++++++++++++
 .../server-acl-init-podsecuritypolicy.bats | 35 ++
 test/unit/server-acl-init-serviceaccount.bats | 32 ++
 values.yaml | 36 +-
 22 files changed, 722 insertions(+), 28 deletions(-)

diff --git a/templates/server-acl-init-cleanup-clusterrole.yaml b/templates/server-acl-init-cleanup-clusterrole.yaml
index 5c03ccc70a..4a9d6277d0 100644
--- a/templates/server-acl-init-cleanup-clusterrole.yaml
+++ b/templates/server-acl-init-cleanup-clusterrole.yaml
@@ -1,4 +1,6 @@
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
+{{- if (or $serverEnabled .Values.externalServers.enabled) }}
 {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/templates/server-acl-init-cleanup-clusterrolebinding.yaml b/templates/server-acl-init-cleanup-clusterrolebinding.yaml
index 197d8b85b4..6cdd1b2b59 100644
--- a/templates/server-acl-init-cleanup-clusterrolebinding.yaml
+++ b/templates/server-acl-init-cleanup-clusterrolebinding.yaml
@@ -1,4 +1,6 @@
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
+{{- if (or $serverEnabled .Values.externalServers.enabled) }}
 {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/templates/server-acl-init-cleanup-job.yaml b/templates/server-acl-init-cleanup-job.yaml
index d8f04cd232..45f51479a2 100644
--- a/templates/server-acl-init-cleanup-job.yaml
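Review bot: The `$serverEnabled` assignment, the `fail` guard and the `if (or …)` line are pasted verbatim into ten templates in this patch (both hunks on this line plus the cleanup-job, cleanup-podsecuritypolicy, cleanup-serviceaccount, clusterrole, clusterrolebinding, job, podsecuritypolicy and serviceaccount files), and the cleanup-podsecuritypolicy copy already differs by placing the `fail` guard after `{{- if (or $serverEnabled .Values.externalServers.enabled) }}` rather than before it. Ten copies of a render-time safety check will drift, and a copy that loses the guard would silently render that one resource for the rejected combination. Consider moving the three lines into one named template in `_helpers.tpl` that each file includes, and keep a one-line comment with it, e.g. `{{- /* Managed ACLs need exactly one of server.enabled or externalServers.enabled; both set is rejected at render time. */ -}}`.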
+++ b/templates/server-acl-init-cleanup-job.yaml
@@ -1,4 +1,6 @@
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
+{{- if (or $serverEnabled .Values.externalServers.enabled) }}
 {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
 {{- /* See reason for this in server-acl-init-job.yaml */ -}}
 {{- if eq (int .Values.server.updatePartition) 0 }}
diff --git a/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/templates/server-acl-init-cleanup-podsecuritypolicy.yaml
index 52dcbd1291..71cedecd43 100644
--- a/templates/server-acl-init-cleanup-podsecuritypolicy.yaml
+++ b/templates/server-acl-init-cleanup-podsecuritypolicy.yaml
@@ -1,4 +1,6 @@
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (or $serverEnabled .Values.externalServers.enabled) }}
+{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
 {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
 {{- if .Values.global.enablePodSecurityPolicies }}
 apiVersion: policy/v1beta1
diff --git a/templates/server-acl-init-cleanup-serviceaccount.yaml b/templates/server-acl-init-cleanup-serviceaccount.yaml
index 049e75c229..7094430714 100644
--- a/templates/server-acl-init-cleanup-serviceaccount.yaml
+++ b/templates/server-acl-init-cleanup-serviceaccount.yaml
@@ -1,4 +1,6 @@
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
+{{- if (or $serverEnabled .Values.externalServers.enabled) }}
 {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
 apiVersion: v1
 kind: ServiceAccount
diff --git a/templates/server-acl-init-clusterrole.yaml b/templates/server-acl-init-clusterrole.yaml
index b4a0216971..016e4552a7 100644
--- a/templates/server-acl-init-clusterrole.yaml
+++ b/templates/server-acl-init-clusterrole.yaml
@@ -1,4 +1,6 @@
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
+{{- if (or $serverEnabled .Values.externalServers.enabled) }}
 {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -30,11 +32,8 @@ rules:
 - apiGroups: [""]
 resources:
 - serviceaccounts
- verbs:
- - get
- - apiGroups: [""]
- resources:
- - services
+ resourceNames:
+ - {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account
 verbs:
 - get
 {{- end }}
diff --git a/templates/server-acl-init-clusterrolebinding.yaml b/templates/server-acl-init-clusterrolebinding.yaml
index 1502550204..37ba498e61 100644
--- a/templates/server-acl-init-clusterrolebinding.yaml
+++ b/templates/server-acl-init-clusterrolebinding.yaml
@@ -1,4 +1,6 @@
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
+{{- if (or $serverEnabled .Values.externalServers.enabled) }}
 {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/templates/server-acl-init-job.yaml b/templates/server-acl-init-job.yaml
index 616615689a..420adfe08f 100644
--- a/templates/server-acl-init-job.yaml
+++ b/templates/server-acl-init-job.yaml
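Review bot: The narrowed `serviceaccounts` rule now lists `{{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account` under `resourceNames`, which is good least-privilege, but the rule carries no comment saying why the init job needs it and nothing ties the hard-coded suffix to the template that creates that ServiceAccount, so a rename there would surface only as an RBAC denial inside the job rather than at render time. Add a comment above the rule such as `# Read only the connect-inject auth method ServiceAccount (presumably needed to set up the auth method — confirm)` and a unit test asserting that the rendered `resourceNames` entry equals the name rendered by the injector's ServiceAccount template. The `{{- if }}` enclosing this rule starts outside the hunk.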
@@ -1,4 +1,6 @@
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
+{{- if (or $serverEnabled .Values.externalServers.enabled) }}
 {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
 {{- /* We don't render this job when server.updatePartition > 0 because that means
 a server rollout is in progress and this job won't complete unless
@@ -32,7 +34,7 @@ spec:
 spec:
 restartPolicy: Never
 serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init
- {{- if (or .Values.global.tls.enabled (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey)) }}
+ {{- if (or .Values.global.tls.enabled (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey)) }}
 volumes:
 {{- if .Values.global.tls.enabled }}
 - name: consul-ca-cert
@@ -46,7 +48,14 @@ spec:
 - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
 path: tls.crt
 {{- end }}
- {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }}
+ {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }}
+ - name: bootstrap-token
+ secret:
+ secretName: {{ .Values.global.acls.bootstrapToken.secretName }}
+ items:
+ - key: {{ .Values.global.acls.bootstrapToken.secretKey }}
+ path: bootstrap-token
+ {{- else if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }}
 - name: acl-replication-token
 secret:
 secretName: {{ .Values.global.acls.replicationToken.secretName }}
@@ -63,14 +72,18 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- {{- if (or .Values.global.tls.enabled (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey)) }}
+ {{- if (or .Values.global.tls.enabled (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey)) }}
 volumeMounts:
 {{- if .Values.global.tls.enabled }}
 - name: consul-ca-cert
 mountPath: /consul/tls/ca
 readOnly: true
 {{- end }}
- {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }}
+ {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }}
+ - name: bootstrap-token
+ mountPath: /consul/acl/tokens
+ readOnly: true
+ {{- else if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }}
 - name: acl-replication-token
 mountPath: /consul/acl/tokens
 readOnly: true
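Review bot: When both `global.acls.bootstrapToken` and `global.acls.replicationToken` have a secretName and secretKey, the `else if` introduced in this hunk (the volume, and the volumeMount in the second hunk on this line) and again in the `@@ -120,7 +152,9 @@` hunk below silently drops the replication token — no volume, no mount, no `-acl-replication-token-file` — with no render-time signal, so an install that sets both gets behaviour its values do not express. If bootstrap-token precedence is intended, document it in values.yaml next to `bootstrapToken`; if not, reject the combination early with `{{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.replicationToken.secretName) }}{{ fail "only one of global.acls.bootstrapToken or global.acls.replicationToken can be set" }}{{ end -}}` (message wording is mine). Both tokens mount at `/consul/acl/tokens`, so the `else if` is also what keeps the two volumes from colliding — worth a one-line comment at the mount.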
@@ -83,16 +96,32 @@ spec: CONSUL_FULLNAME="{{template "consul.fullname" . }}" consul-k8s server-acl-init \ + {{- if .Values.externalServers.enabled }} + {{- if not (or .Values.externalServers.https.address .Values.client.join)}}{{ fail "either client.join or externalServers.https.address must be set if externalServers.enabled is true" }}{{ end -}} + {{- if .Values.externalServers.https.address }} + -server-address={{ .Values.externalServers.https.address }} \ + {{- else }} + {{- range .Values.client.join }} + -server-address={{ . }} \ + {{- end }} + {{- end }} + -server-port={{ .Values.externalServers.https.port }} \ + {{- else }} {{- range $index := until (.Values.server.replicas | int) }} -server-address="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc" \ {{- end }} - -resource-prefix={{ template "consul.fullname" . }} \ + {{- end }} + -resource-prefix=${CONSUL_FULLNAME} \ -k8s-namespace={{ .Release.Namespace }} \ {{- if .Values.global.tls.enabled }} -use-https \ + {{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }} -consul-ca-cert=/consul/tls/ca/tls.crt \ + {{- end }} + {{- if not .Values.externalServers.enabled }} -server-port=8501 \ {{- end }} + {{- end }} {{- if .Values.syncCatalog.enabled }} -create-sync-token=true \ {{- end }} @@ -101,6 +130,9 @@ spec: {{- end }} {{- if .Values.connectInject.enabled }} -create-inject-auth-method=true \ + {{- if .Values.connectInject.overrideAuthMethodHost }} + -inject-auth-method-host={{ .Values.connectInject.overrideAuthMethodHost }} \ + {{- end }} {{- end }} {{- if .Values.meshGateway.enabled }} -create-mesh-gateway-token=true \ 
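Review bot: The external-server addresses are spliced into the shell script unquoted — `-server-address={{ .Values.externalServers.https.address }} \` and, in the `client.join` fallback, `-server-address={{ . }} \` — while the in-cluster branch directly below quotes its value, so a value containing whitespace or shell metacharacters (for instance if `client.join` carries a cloud auto-join string rather than a plain host) is word-split or interpreted by the shell instead of being passed through or rejected; `-inject-auth-method-host={{ .Values.connectInject.overrideAuthMethodHost }} \` in the next hunk has the same gap. Quote them like the existing line: `-server-address="{{ .Values.externalServers.https.address }}" \` and `-server-address="{{ . }}" \`. Separately, `-server-port={{ .Values.externalServers.https.port }} \` is emitted whenever external servers are enabled while `-use-https \` stays conditional on `global.tls.enabled`, so with TLS off the job sends the bootstrap token it is handed (`-bootstrap-token-file`, later hunk) over plain HTTP to an off-cluster address on the `https.port` value — the new unit tests exercise exactly that combination without setting `global.tls.enabled`. Unless plaintext external servers are meant to be supported, fail at render time: `{{- if (and .Values.externalServers.enabled (not .Values.global.tls.enabled)) }}{{ fail "global.tls.enabled must be true when externalServers.enabled is true" }}{{ end -}}` (message wording is mine). The shell script this hunk extends begins outside the hunk.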
@@ -120,7 +152,9 @@ spec:
 {{- if .Values.global.acls.createReplicationToken }}
 -create-acl-replication-token=true \
 {{- end }}
- {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }}
+ {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }}
+ -bootstrap-token-file=/consul/acl/tokens/bootstrap-token \
+ {{- else if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }}
 -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \
 {{- end }}
 {{- if .Values.global.enableConsulNamespaces }}
diff --git a/templates/server-acl-init-podsecuritypolicy.yaml b/templates/server-acl-init-podsecuritypolicy.yaml
index 003e06cbc7..de0884599d 100644
--- a/templates/server-acl-init-podsecuritypolicy.yaml
+++ b/templates/server-acl-init-podsecuritypolicy.yaml
@@ -1,4 +1,6 @@
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
+{{- if (or $serverEnabled .Values.externalServers.enabled) }}
 {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
 {{- if .Values.global.enablePodSecurityPolicies }}
 apiVersion: policy/v1beta1
diff --git a/templates/server-acl-init-serviceaccount.yaml b/templates/server-acl-init-serviceaccount.yaml
index d620afb4af..4e227ab050 100644
--- a/templates/server-acl-init-serviceaccount.yaml
+++ b/templates/server-acl-init-serviceaccount.yaml
@@ -1,4 +1,6 @@
-{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
+{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
+{{- if (or $serverEnabled .Values.externalServers.enabled) }}
 {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}
 apiVersion: v1
 kind: ServiceAccount
diff --git a/test/unit/helpers.bats b/test/unit/helpers.bats
index 741ad7cb4a..a7fee59df6 100644
--- a/test/unit/helpers.bats
+++ b/test/unit/helpers.bats
@@ -138,6 +139,7 @@ load _helpers
 -x templates/tests/test-runner.yaml \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'server.enabled=false' \
 --set 'externalServers.enabled=true' \
 --set 'client.join[0]=consul-server.com' \
 . | tee /dev/stderr |
@@ -162,6 +163,7 @@ load _helpers
 -x templates/tests/test-runner.yaml \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'server.enabled=false' \
 --set 'externalServers.enabled=true' \
 --set 'externalServers.https.address=consul.io' \
 . | tee /dev/stderr |
@@ -197,6 +199,7 @@ load _helpers
 -x templates/tests/test-runner.yaml \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'server.enabled=false' \
 --set 'externalServers.enabled=true' \
 --set 'externalServers.https.address=consul.io' \
 --set 'externalServers.https.port=8501' \
@@ -222,6 +225,7 @@ load _helpers
 -x templates/tests/test-runner.yaml \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'server.enabled=false' \
 --set 'externalServers.enabled=true' \
 --set 'externalServers.https.address=consul.io' \
 --set 'externalServers.https.tlsServerName=custom-server-name' \
@@ -237,6 +241,7 @@ load _helpers
 -x templates/tests/test-runner.yaml \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'server.enabled=false' \
 --set 'externalServers.enabled=true' \
 --set 'externalServers.https.address=consul.io' \
 --set 'externalServers.https.useSystemRoots=true' \
@@ -252,6 +257,7 @@ load _helpers
 -x templates/tests/test-runner.yaml \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'server.enabled=false' \
 --set 'externalServers.enabled=true' \
 --set 'externalServers.https.address=consul.io' \
 --set 'externalServers.https.useSystemRoots=true' \
diff --git a/test/unit/server-acl-init-cleanup-clusterrole.bats b/test/unit/server-acl-init-cleanup-clusterrole.bats
index 455f5e4a73..468fbcdeb0 100644
--- a/test/unit/server-acl-init-cleanup-clusterrole.bats
+++ b/test/unit/server-acl-init-cleanup-clusterrole.bats
@@ -43,6 +43,38 @@ load _helpers [ "${actual}" = "true" ] } +@test "serverACLInitCleanup/ClusterRole: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled set to false" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-acl-init-cleanup-clusterrole.yaml \ + --set 'server.enabled=false' \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.https.address=foo.com' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "serverACLInitCleanup/ClusterRole: fails if both externalServers.enabled=true and server.enabled=true" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-cleanup-clusterrole.yaml \ + --set 'server.enabled=true' \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + +@test "serverACLInitCleanup/ClusterRole: fails if both externalServers.enabled=true and server.enabled not set to false" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-cleanup-clusterrole.yaml \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + #-------------------------------------------------------------------- # global.enablePodSecurityPolicies diff --git a/test/unit/server-acl-init-cleanup-clusterrolebinding.bats b/test/unit/server-acl-init-cleanup-clusterrolebinding.bats index 60f54c8b9a..3e3b361e52 100644 --- a/test/unit/server-acl-init-cleanup-clusterrolebinding.bats +++ b/test/unit/server-acl-init-cleanup-clusterrolebinding.bats 
@@ -42,3 +42,35 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "serverACLInitCleanup/ClusterRoleBinding: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled set to false" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-acl-init-cleanup-clusterrolebinding.yaml \ + --set 'server.enabled=false' \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.https.address=foo.com' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "serverACLInitCleanup/ClusterRoleBinding: fails if both externalServers.enabled=true and server.enabled=true" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-cleanup-clusterrolebinding.yaml \ + --set 'server.enabled=true' \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + +@test "serverACLInitCleanup/ClusterRoleBinding: fails if both externalServers.enabled=true and server.enabled not set to false" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-cleanup-clusterrolebinding.yaml \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} diff --git a/test/unit/server-acl-init-cleanup-job.bats b/test/unit/server-acl-init-cleanup-job.bats index 9899ea3c60..0844aa1604 100644 --- a/test/unit/server-acl-init-cleanup-job.bats +++ b/test/unit/server-acl-init-cleanup-job.bats 
@@ -63,3 +63,35 @@ load _helpers yq -c '.spec.template.spec.containers[0].args' | tee /dev/stderr) [ "${actual}" = '["delete-completed-job","-k8s-namespace=default","release-name-consul-server-acl-init"]' ] } + +@test "serverACLInitCleanup/Job: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled set to false" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-acl-init-cleanup-job.yaml \ + --set 'server.enabled=false' \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.https.address=foo.com' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "serverACLInitCleanup/Job: fails if both externalServers.enabled=true and server.enabled=true" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-cleanup-job.yaml \ + --set 'server.enabled=true' \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + +@test "serverACLInitCleanup/Job: fails if both externalServers.enabled=true and server.enabled not set to false" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-cleanup-job.yaml \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} \ No newline at end of file diff --git a/test/unit/server-acl-init-cleanup-podsecuritypolicy.bats b/test/unit/server-acl-init-cleanup-podsecuritypolicy.bats index a1bc249f56..026f482e9f 100644 --- a/test/unit/server-acl-init-cleanup-podsecuritypolicy.bats +++ b/test/unit/server-acl-init-cleanup-podsecuritypolicy.bats 
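Review bot: The tests appended in this hunk leave the file without a trailing newline (`\ No newline at end of file`), and the additions to server-acl-init-cleanup-podsecuritypolicy.bats and server-acl-init-clusterrolebinding.bats do the same, while the other bats files in the patch keep one. Adding the final newline after the closing `}` keeps the next append from producing a spurious change on that line and matches the rest of the test suite.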
@@ -32,3 +32,38 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "serverACLInitCleanup/PodSecurityPolicy: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled set to false" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-acl-init-cleanup-podsecuritypolicy.yaml \ + --set 'server.enabled=false' \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'global.enablePodSecurityPolicies=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.https.address=foo.com' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "serverACLInitCleanup/PodSecurityPolicy: fails if both externalServers.enabled=true and server.enabled=true" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-cleanup-podsecuritypolicy.yaml \ + --set 'global.enablePodSecurityPolicies=true' \ + --set 'server.enabled=true' \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + +@test "serverACLInitCleanup/PodSecurityPolicy: fails if both externalServers.enabled=true and server.enabled not set to false" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-cleanup-podsecuritypolicy.yaml \ + --set 'global.enablePodSecurityPolicies=true' \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} \ No newline at end of file diff --git a/test/unit/server-acl-init-cleanup-serviceaccount.bats b/test/unit/server-acl-init-cleanup-serviceaccount.bats index 4296cc3362..468c4cfb9c 100644 --- a/test/unit/server-acl-init-cleanup-serviceaccount.bats +++ b/test/unit/server-acl-init-cleanup-serviceaccount.bats 
@@ -43,6 +43,38 @@ load _helpers [ "${actual}" = "true" ] } +@test "serverACLInitCleanup/ServiceAccount: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled set to false" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-acl-init-cleanup-serviceaccount.yaml \ + --set 'server.enabled=false' \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.https.address=foo.com' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "serverACLInitCleanup/ServiceAccount: fails if both externalServers.enabled=true and server.enabled=true" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-cleanup-serviceaccount.yaml \ + --set 'server.enabled=true' \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + +@test "serverACLInitCleanup/ServiceAccount: fails if both externalServers.enabled=true and server.enabled not set to false" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-cleanup-serviceaccount.yaml \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + #-------------------------------------------------------------------- # global.imagePullSecrets diff --git a/test/unit/server-acl-init-clusterrole.bats b/test/unit/server-acl-init-clusterrole.bats index 646f6dc387..78a352ce2a 100644 --- a/test/unit/server-acl-init-clusterrole.bats +++ b/test/unit/server-acl-init-clusterrole.bats 
@@ -43,6 +43,38 @@ load _helpers [ "${actual}" = "true" ] } +@test "serverACLInit/ClusterRole: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled set to false" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-acl-init-clusterrole.yaml \ + --set 'server.enabled=false' \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.https.address=foo.com' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "serverACLInit/ClusterRole: fails if both externalServers.enabled=true and server.enabled=true" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-clusterrole.yaml \ + --set 'server.enabled=true' \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + +@test "serverACLInit/ClusterRole: fails if both externalServers.enabled=true and server.enabled not set to false" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-clusterrole.yaml \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + #-------------------------------------------------------------------- # connectInject.enabled diff --git a/test/unit/server-acl-init-clusterrolebinding.bats b/test/unit/server-acl-init-clusterrolebinding.bats index fa73ff0b3a..df5546f053 100644 --- a/test/unit/server-acl-init-clusterrolebinding.bats +++ b/test/unit/server-acl-init-clusterrolebinding.bats 
@@ -42,3 +42,35 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "serverACLInit/ClusterRoleBinding: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled set to false" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-acl-init-clusterrolebinding.yaml \ + --set 'server.enabled=false' \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.https.address=foo.com' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "serverACLInit/ClusterRoleBinding: fails if both externalServers.enabled=true and server.enabled=true" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-clusterrolebinding.yaml \ + --set 'server.enabled=true' \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + +@test "serverACLInit/ClusterRoleBinding: fails if both externalServers.enabled=true and server.enabled not set to false" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-clusterrolebinding.yaml \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} \ No newline at end of file diff --git a/test/unit/server-acl-init-job.bats b/test/unit/server-acl-init-job.bats index e63e593fe6..03891182ba 100644 --- a/test/unit/server-acl-init-job.bats +++ b/test/unit/server-acl-init-job.bats 
@@ -54,6 +54,38 @@ load _helpers [ "${actual}" = "false" ] } +@test "serverACLInit/Job: enabled with externalServers.enabled=true global.acls.manageSystemACLs=true, but server.enabled set to false" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-acl-init-job.yaml \ + --set 'server.enabled=false' \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.https.address=foo.com' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "serverACLInit/Job: fails if both externalServers.enabled=true and server.enabled=true" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-job.yaml \ + --set 'server.enabled=true' \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + +@test "serverACLInit/Job: fails if both externalServers.enabled=true and server.enabled not set to false" { + cd `chart_dir` + run helm template \ + -x templates/server-acl-init-job.yaml \ + --set 'externalServers.enabled=true' . + [ "$status" -eq 1 ] + [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]] +} + @test "serverACLInit/Job: does not set -create-client-token=false when client is enabled (the default)" { cd `chart_dir` local actual=$(helm template \ 
@@ -800,3 +832,294 @@ load _helpers
 yq '.spec.template.spec.containers[0].volumeMounts | map(select(.name == "acl-replication-token")) | length == 1' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# externalServers.enabled
+
+@test "serverACLInit/Job: fails if external servers are enabled but neither externalServers.https.address nor client.join are set" {
+ cd `chart_dir`
+ run helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.enabled=true' .
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "either client.join or externalServers.https.address must be set if externalServers.enabled is true" ]]
+}
+
+@test "serverACLInit/Job: sets server address if externalServers.https.address is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.https.address=foo.com' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-server-address=foo.com"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: sets server address to the client.join value if externalServers.https.address is not set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.enabled=true' \
+ --set 'client.join[0]=1.1.1.1' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-server-address=1.1.1.1"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: prefers externalServers.https.address when both externalServers.https.address and client.join are set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.enabled=true' \
+ --set 'client.join[0]=1.1.1.1' \
+ --set 'externalServers.https.address=foo.com' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-server-address=foo.com"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: port 443 is used by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.enabled=true' \
+ --set 'client.join[0]=1.1.1.1' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-server-port=443"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: can override externalServers.https.port" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.enabled=true' \
+ --set 'client.join[0]=1.1.1.1' \
+ --set 'externalServers.https.port=8501' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-server-port=8501"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: doesn't set server port to 8501 if TLS is enabled and externalServers.enabled is true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.enabled=true' \
+ --set 'client.join[0]=1.1.1.1' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-server-port=8501"))' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "serverACLInit/Job: doesn't set the CA cert if TLS is enabled and externalServers.https.useSystemRoots is true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.enabled=true' \
+ --set 'client.join[0]=1.1.1.1' \
+ --set 'externalServers.https.useSystemRoots=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-consul-ca-cert=/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "serverACLInit/Job: sets the CA cert if TLS is enabled and externalServers.enabled is true but externalServers.https.useSystemRoots is false" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.enabled=true' \
+ --set 'client.join[0]=1.1.1.1' \
+ --set 'externalServers.https.useSystemRoots=false' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-consul-ca-cert=/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: sets the CA cert if TLS is enabled and externalServers.https.useSystemRoots is true but externalServers.enabled is false" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'externalServers.enabled=false' \
+ --set 'client.join[0]=1.1.1.1' \
+ --set 'externalServers.https.useSystemRoots=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-consul-ca-cert=/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+#--------------------------------------------------------------------
+# global.acls.bootstrapToken
+
+@test "serverACLInit/Job: -bootstrap-token-file is not set by default" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ . | tee /dev/stderr)
+
+ # Test the flag is not set.
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.containers[0].command | any(contains("-bootstrap-token-file"))' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+
+ # Test the volume doesn't exist
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.volumes | length == 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+
+ # Test the volume mount doesn't exist
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.containers[0].volumeMounts | length == 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: -bootstrap-token-file is not set when acls.bootstrapToken.secretName is set but secretKey is not" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.acls.bootstrapToken.secretName=name' \
+ . | tee /dev/stderr)
+
+ # Test the flag is not set.
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.containers[0].command | any(contains("-bootstrap-token-file"))' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+
+ # Test the volume doesn't exist
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.volumes | length == 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+
+ # Test the volume mount doesn't exist
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.containers[0].volumeMounts | length == 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: -bootstrap-token-file is not set when acls.bootstrapToken.secretKey is set but secretName is not" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.acls.bootstrapToken.secretKey=key' \
+ . | tee /dev/stderr)
+
+ # Test the flag is not set.
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.containers[0].command | any(contains("-bootstrap-token-file"))' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+
+ # Test the volume doesn't exist
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.volumes | length == 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+
+ # Test the volume mount doesn't exist
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.containers[0].volumeMounts | length == 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: -bootstrap-token-file is set when acls.bootstrapToken.secretKey and secretName are set" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.acls.bootstrapToken.secretName=name' \
+ --set 'global.acls.bootstrapToken.secretKey=key' \
+ . | tee /dev/stderr)
+
+ # Test the -bootstrap-token-file flag is set.
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.containers[0].command | any(contains("-bootstrap-token-file=/consul/acl/tokens/bootstrap-token"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+
+ # Test the volume exists
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.volumes | map(select(.name == "bootstrap-token")) | length == 1' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+
+ # Test the volume mount exists
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.containers[0].volumeMounts | map(select(.name == "bootstrap-token")) | length == 1' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: -bootstrap-token-file is preferred when both acls.bootstrapToken and acls.replicationToken are set" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.acls.bootstrapToken.secretName=name' \
+ --set 'global.acls.bootstrapToken.secretKey=key' \
+ --set 'global.acls.replicationToken.secretName=replication' \
+ --set 'global.acls.replicationToken.secretKey=token' \
+ . | tee /dev/stderr)
+
+ # Test the -bootstrap-token-file flag is set.
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.containers[0].command | any(contains("-bootstrap-token-file=/consul/acl/tokens/bootstrap-token"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+
+ # Test the volume exists
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.volumes | map(select(.name == "bootstrap-token")) | length == 1' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+
+ # Test the volume mount exists
+ local actual=$(echo "$object" |
+ yq '.spec.template.spec.containers[0].volumeMounts | map(select(.name == "bootstrap-token")) | length == 1' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+#--------------------------------------------------------------------
+# connectInject.overrideAuthMethodHost
+
+@test "serverACLInit/Job: doesn't set auth method host default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'connectInject.enabled=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-inject-auth-method-host"))' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "serverACLInit/Job: can provide custom auth method host" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'connectInject.overrideAuthMethodHost=foo.com' \
+ . | tee /dev/stderr|
+ yq '.spec.template.spec.containers[0].command | any(contains("-inject-auth-method-host=foo.com"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/test/unit/server-acl-init-podsecuritypolicy.bats b/test/unit/server-acl-init-podsecuritypolicy.bats
index 9e52b56aec..61006eef84 100644
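Review bot: The "-bootstrap-token-file is preferred when both acls.bootstrapToken and acls.replicationToken are set" test only asserts that the bootstrap-token flag, volume and mount are present; it never asserts that the replication token is absent, so a rendering that mounted both secrets and passed both flags would still pass, which defeats the point of a precedence test. Add the negative checks next to the positive ones, e.g. `yq '.spec.template.spec.volumes | map(select(.name == "acl-replication-token")) | length == 0'` expecting `"true"`, plus the corresponding absence check on the replication-token command flag that the earlier replication-token tests assert. Likewise the "doesn't set server port to 8501 if TLS is enabled and externalServers.enabled is true" test only asserts 8501 is absent and would pass if no `-server-port` flag were rendered at all; pair it with `any(contains("-server-port=443"))` expecting `"true"`, as the "port 443 is used by default" test does.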
--- a/test/unit/server-acl-init-podsecuritypolicy.bats
+++ b/test/unit/server-acl-init-podsecuritypolicy.bats
@@ -32,3 +32,38 @@ load _helpers
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+
+@test "serverACLInit/PodSecurityPolicy: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled=false" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-podsecuritypolicy.yaml \
+ --set 'server.enabled=false' \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.enablePodSecurityPolicies=true' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.https.address=foo.com' \
+ . | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/PodSecurityPolicy: fails if both externalServers.enabled=true and server.enabled=true" {
+ cd `chart_dir`
+ run helm template \
+ -x templates/server-acl-init-podsecuritypolicy.yaml \
+ --set 'global.enablePodSecurityPolicies=true' \
+ --set 'server.enabled=true' \
+ --set 'externalServers.enabled=true' .
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]]
+}
+
+@test "serverACLInit/PodSecurityPolicy: fails if both externalServers.enabled=true and server.enabled not set to false" {
+ cd `chart_dir`
+ run helm template \
+ -x templates/server-acl-init-podsecuritypolicy.yaml \
+ --set 'global.enablePodSecurityPolicies=true' \
+ --set 'externalServers.enabled=true' .
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]]
+}
\ No newline at end of file
diff --git a/test/unit/server-acl-init-serviceaccount.bats b/test/unit/server-acl-init-serviceaccount.bats
index 02fa7355cc..6c3afc49e0 100644
--- a/test/unit/server-acl-init-serviceaccount.bats
+++ b/test/unit/server-acl-init-serviceaccount.bats
@@ -43,6 +43,38 @@ load _helpers
 [ "${actual}" = "true" ]
 }
+@test "serverACLInit/ServiceAccount: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled=false" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-acl-init-serviceaccount.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.https.address=foo.com' \
+ . | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/ServiceAccount: fails if both externalServers.enabled=true and server.enabled=true" {
+ cd `chart_dir`
+ run helm template \
+ -x templates/server-acl-init-serviceaccount.yaml \
+ --set 'server.enabled=true' \
+ --set 'externalServers.enabled=true' .
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]]
+}
+
+@test "serverACLInit/ServiceAccount: fails if both externalServers.enabled=true and server.enabled not set to false" {
+ cd `chart_dir`
+ run helm template \
+ -x templates/server-acl-init-serviceaccount.yaml \
+ --set 'externalServers.enabled=true' .
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "only one of server.enabled or externalServers.enabled can be set" ]]
+}
+
 #--------------------------------------------------------------------
 # global.imagePullSecrets
diff --git a/values.yaml b/values.yaml
index 5336a25c0f..b6c92fad2e 100644
--- a/values.yaml
+++ b/values.yaml
@@ -168,21 +168,32 @@ global: acls: # If true, the Helm chart will automatically manage ACL tokens and policies - # for all Consul and consul-k8s components. This requires servers to be running inside Kubernetes. - # Additionally, requires Consul >= 1.4 and consul-k8s >= 0.14.0. + # for all Consul and consul-k8s components. This requires Consul >= 1.4 and consul-k8s >= 0.14.0. manageSystemACLs: false + # bootstrapToken references a Kubernetes secret containing the bootstrap token to use + # for creating policies and tokens for all Consul and consul-k8s components. + # If set, we will skip ACL bootstrapping of the servers and will only initialize + # ACLs for the Consul and consul-k8s system components. + # Requires consul-k8s >= 0.14.0 + bootstrapToken: + secretName: null + secretKey: null + # If true, an ACL token will be created that can be used in secondary # datacenters for replication. This should only be set to true in the # primary datacenter since the replication token must be created from that # datacenter. # In secondary datacenters, the secret needs to be imported from the primary # datacenter and referenced via global.acls.replicationToken. + # Requires consul-k8s >= 0.13.0 createReplicationToken: false # replicationToken references a secret containing the replication ACL token. # This token will be used by secondary datacenters to perform ACL replication # and create ACL tokens and policies. + # This value is ignored if bootstrapToken is also set. + # Requires consul-k8s >= 0.13.0 replicationToken: secretName: null secretKey: null 
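Review bot: The new `bootstrapToken` comment says "If set, we will skip ACL bootstrapping of the servers", but the Job tests in this commit show the token is only used when both `secretName` and `secretKey` are set; with only one of them set the flag, volume and mount are omitted and the chart silently falls back to bootstrapping the servers itself. That fallback is worth stating, since an operator who mistypes one of the two keys would get a fresh bootstrap against servers they expected to be left alone. Suggest adding `# Both secretName and secretKey must be set; if only one is set the token is ignored and ACL bootstrapping proceeds as if bootstrapToken were unset.` after the existing comment lines.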
@@ -307,11 +318,14 @@ server: # https_proxy: http://localhost:3128, # no_proxy: internal.domain.com -# Add configuration for Consul servers running externally, -# i.e. outside of Kubernetes. -# This information is required if Consul servers are running -# outside of k8s and you’re setting global.tls.enableAutoEncrypt to true. +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting global.tls.enableAutoEncrypt to true (requires consul-k8s >= 0.13.0) +# or global.acls.manageSystemACLs to true (requires consul-k8s >= 0.14.0). externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set server.enabled to false. + # Note that if you are setting client.join property, https.address property is not required. enabled: false # HTTPS configuration for external servers. @@ -319,6 +333,7 @@ externalServers: # not supported. https: # IP, DNS name, or Cloud auto-join string pointing to the external Consul servers. + # Port must be provided separately with the externalServers.https.port property. # Note that if you’re providing the cloud auto-join string and multiple addresses # can be returned, only the first address will be used. # This value is required only if you would like to use 
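Review bot: The new comment on `externalServers.enabled` says https.address is not required when client.join is set, but leaves the other two rules the Job tests pin down undocumented: rendering fails when neither is set, and https.address takes precedence when both are set. Suggest extending the comment with `# If neither client.join nor externalServers.https.address is set, the chart fails to render; if both are set, externalServers.https.address is used.` so operators do not have to read the template or the tests to learn the precedence.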
@@ -777,10 +792,17 @@ connectInject: # Requires Consul >= v1.5 and consul-k8s >= v0.8.0. aclBindingRuleSelector: "serviceaccount.name!=default" - # If not using global.acls.manageSystemACLs and instead manually setting up an + # If you are not using global.acls.manageSystemACLs and instead manually setting up an # auth method for Connect inject, set this to the name of your auth method. overrideAuthMethodName: "" + # If you are using global.acls.manageSystemACLs but also setting externalServers.enabled + # to true, set overrideAuthMethodHost to the address of the Kubernetes API server. + # This address must to be reachable from the Consul servers. + # Please see https://www.consul.io/docs/acl/auth-methods/kubernetes.html. + # Requires consul-k8s >= 0.14.0. + overrideAuthMethodHost: "" + # aclInjectToken refers to a Kubernetes secret that you have created that contains # an ACL token for your Consul cluster which allows the Connect injector the correct # permissions. This is only needed if Consul namespaces [Enterprise only] and ACLs
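Review bot: Typo in the new `overrideAuthMethodHost` comment: "This address must to be reachable from the Consul servers" should read `# This address must be reachable from the Consul servers.` It would also help to state what form the value takes (bare host, host:port, or URL); the Job test only shows a bare hostname being passed through unchanged as `-inject-auth-method-host=foo.com`, so confirm which forms the server-acl-init command accepts before documenting it.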