Tests: Fix/improve tests with Restricted PSA enforcement (#2780)

* tests: Respect UseAppNamespace in ConnectHelper * tests: Auto-configure restricted PSA enforcement when enabled --------- Co-authored-by: Paul Glass <pglass@hashicorp.com>
hashicorp · Sep 11, 2023 · 09a9f70 · 09a9f70
1 parent bf9fae0
commit 09a9f70
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 9 deletions.
diff --git a/acceptance/framework/connhelper/connect_helper.go b/acceptance/framework/connhelper/connect_helper.go
@@ -141,11 +141,11 @@ func (c *ConnectHelper) DeployClientAndServer(t *testing.T) {
 			k8s.DeployKustomize(t, opts, c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-client-openshift-inject")
 		}
 	} else {
-		k8s.DeployKustomize(t, c.Ctx.KubectlOptions(t), c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-server-inject")
+		k8s.DeployKustomize(t, opts, c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-server-inject")
 		if c.Cfg.EnableTransparentProxy {
-			k8s.DeployKustomize(t, c.Ctx.KubectlOptions(t), c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-client-tproxy")
+			k8s.DeployKustomize(t, opts, c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-client-tproxy")
 		} else {
-			k8s.DeployKustomize(t, c.Ctx.KubectlOptions(t), c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-client-inject")
+			k8s.DeployKustomize(t, opts, c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-client-inject")
 		}
 	}
 	// Check that both static-server and static-client have been injected and

diff --git a/acceptance/framework/consul/helm_cluster.go b/acceptance/framework/consul/helm_cluster.go
@@ -54,6 +54,10 @@ func NewHelmCluster(
 	cfg *config.TestConfig,
 	releaseName string,
 ) *HelmCluster {
+	if cfg.EnableRestrictedPSAEnforcement {
+		configureNamespace(t, ctx.KubernetesClient(t), cfg, ctx.KubectlOptions(t).Namespace)
+	}
+
 	if cfg.EnablePodSecurityPolicies {
 		configurePodSecurityPolicies(t, ctx.KubernetesClient(t), cfg, ctx.KubectlOptions(t).Namespace)
 	}
@@ -467,6 +471,35 @@ func createOrUpdateLicenseSecret(t *testing.T, client kubernetes.Interface, cfg
 	CreateK8sSecret(t, client, cfg, namespace, config.LicenseSecretName, config.LicenseSecretKey, cfg.EnterpriseLicense)
 }
 
+func configureNamespace(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) {
+	ctx := context.Background()
+
+	ns := &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   namespace,
+			Labels: map[string]string{},
+		},
+	}
+	if cfg.EnableRestrictedPSAEnforcement {
+		ns.ObjectMeta.Labels["pod-security.kubernetes.io/enforce"] = "restricted"
+		ns.ObjectMeta.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
+	}
+
+	_, createErr := client.CoreV1().Namespaces().Create(ctx, ns, metav1.CreateOptions{})
+	if createErr == nil {
+		logger.Logf(t, "Created namespace %s", namespace)
+		return
+	}
+
+	_, updateErr := client.CoreV1().Namespaces().Update(ctx, ns, metav1.UpdateOptions{})
+	if updateErr == nil {
+		logger.Logf(t, "Updated namespace %s", namespace)
+		return
+	}
+
+	require.Failf(t, "Failed to create or update namespace", "Namespace=%s, CreateError=%s, UpdateError=%s", namespace, createErr, updateErr)
+}
+
 // configureSCCs creates RoleBindings that bind the default service account to cluster roles
 // allowing access to the anyuid and privileged Security Context Constraints on OpenShift.
 func configureSCCs(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) {

diff --git a/acceptance/framework/flags/flags.go b/acceptance/framework/flags/flags.go
@@ -107,13 +107,13 @@ func (t *TestFlags) init() {
 	flag.BoolVar(&t.flagEnableCNI, "enable-cni", false,
 		"If true, the test suite will run tests with consul-cni plugin enabled. "+
 			"In general, this will only run against tests that are mesh related (connect, mesh-gateway, peering, etc")
+
 	flag.BoolVar(&t.flagEnableRestrictedPSAEnforcement, "enable-restricted-psa-enforcement", false,
-		"If true, this indicates that Consul is being run in a namespace with restricted PSA enforcement enabled. "+
-			"The tests do not configure Consul's namespace with PSA enforcement enabled. This must configured before tests are run. "+
-			"The CNI and test applications need more privilege than is allowed in a restricted namespace. "+
-			"When set, the CNI will be deployed into the kube-system namespace, and in supported test cases, applications "+
-			"are deployed, by default, into a namespace named '<consul-namespace>-apps' instead of being deployed into the "+
-			"Consul namespace.")
+		"If true, deploy Consul into a namespace with restricted PSA enforcement enabled. "+
+			"The Consul namespaces (-kube-namespaces) will be configured with restricted PSA enforcement. "+
+			"The CNI and test applications are deployed in different namespaces because they need more privilege than is allowed in a restricted namespace. "+
+			"The CNI will be deployed into the kube-system namespace, which is a privileged namespace that should always exist. "+
+			"Test applications are deployed, by default, into a namespace named '<consul-namespace>-apps' instead of the Consul namespace.")
 
 	flag.BoolVar(&t.flagEnableTransparentProxy, "enable-transparent-proxy", false,
 		"If true, the test suite will run tests with transparent proxy enabled. "+