Skip to content

Commit

Permalink
Use a single serviceaccount and rolebinding for all authmethods.
Browse files Browse the repository at this point in the history
  • Loading branch information
Ashwin Venkatesh committed Mar 7, 2022
1 parent cf1492f commit 6fdd05a
Show file tree
Hide file tree
Showing 17 changed files with 117 additions and 163 deletions.
18 changes: 18 additions & 0 deletions charts/consul/templates/authmethod-clusterrole.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-authmethod
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: authmethod
rules:
- apiGroups: [ "" ]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
39 changes: 39 additions & 0 deletions charts/consul/templates/authmethod-clusterrolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-authdelegator
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: authmethod
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "system:auth-delegator"
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-authmethod
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-authmethod
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: authmethod
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-authmethod
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-authmethod
namespace: {{ .Release.Namespace }}
{{- end }}
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,14 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-component-authmethod
name: {{ template "consul.fullname" . }}-authmethod
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: component-authmethod
component: authmethod
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
Expand Down

This file was deleted.

This file was deleted.

14 changes: 0 additions & 14 deletions charts/consul/templates/connect-inject-clusterrole.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,6 @@ metadata:
release: {{ .Release.Name }}
component: connect-injector
rules:
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [ "" ]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
- apiGroups: [ "" ]
resources: [ "pods", "endpoints", "services", "namespaces" ]
verbs:
Expand All @@ -41,11 +34,4 @@ rules:
verbs:
- use
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [ "" ]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
{{- end }}
13 changes: 1 addition & 12 deletions charts/consul/templates/server-acl-init-role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,24 +19,13 @@ rules:
verbs:
- create
- get
{{- if .Values.connectInject.enabled }}
- apiGroups: [ "" ]
resources:
- serviceaccounts
resourceNames:
- {{ template "consul.fullname" . }}-connect-injector
- {{ template "consul.fullname" . }}-authmethod
verbs:
- get
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [ "" ]
resources:
- serviceaccounts
resourceNames:
- {{ template "consul.fullname" . }}-component-authmethod
verbs:
- get
{{- end }}
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
Expand Down
20 changes: 20 additions & 0 deletions charts/consul/test/unit/authmethod-clusterrole.bats
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
#!/usr/bin/env bats

load _helpers

@test "authmethod/ClusterRole: disabled by default" {
cd `chart_dir`
assert_empty helm template \
-s templates/authmethod-clusterrole.yaml \
.
}

@test "authmethod/ClusterRole: enabled with global.acls.manageSystemACLs true" {
cd `chart_dir`
local actual=$(helm template \
-s templates/authmethod-clusterrole.yaml \
--set 'global.acls.manageSystemACLs=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
20 changes: 20 additions & 0 deletions charts/consul/test/unit/authmethod-clusterrolebinding.bats
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
#!/usr/bin/env bats

load _helpers

@test "authmethod/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
assert_empty helm template \
-s templates/authmethod-clusterrolebinding.yaml \
.
}

@test "authmethod/ClusterRoleBinding: enabled with global.acls.manageSystemACLs true" {
cd `chart_dir`
local actual=$(helm template \
-s templates/authmethod-clusterrolebinding.yaml \
--set 'global.acls.manageSystemACLs=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,17 +2,17 @@

load _helpers

@test "componentAuthMethod/ServiceAccount: disabled by default" {
@test "authMethod/ServiceAccount: disabled by default" {
cd `chart_dir`
assert_empty helm template \
-s templates/component-authmethod-serviceaccount.yaml \
-s templates/authmethod-serviceaccount.yaml \
.
}

@test "componentAuthMethod/ServiceAccount: enabled with global.acls.manageSystemACLs.enabled true" {
@test "authMethod/ServiceAccount: enabled with global.acls.manageSystemACLs.enabled true" {
cd `chart_dir`
local actual=$(helm template \
-s templates/component-authmethod-serviceaccount.yaml \
-s templates/authmethod-serviceaccount.yaml \
--set 'global.acls.manageSystemACLs=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
Expand All @@ -22,10 +22,10 @@ load _helpers
#--------------------------------------------------------------------
# global.imagePullSecrets

@test "componentAuthMethod/ServiceAccount: can set image pull secrets" {
@test "authMethod/ServiceAccount: can set image pull secrets" {
cd `chart_dir`
local object=$(helm template \
-s templates/component-authmethod-serviceaccount.yaml \
-s templates/authmethod-serviceaccount.yaml \
--set 'global.acls.manageSystemACLs=true' \
--set 'global.imagePullSecrets[0].name=my-secret' \
--set 'global.imagePullSecrets[1].name=my-secret2' \
Expand Down

This file was deleted.

This file was deleted.

14 changes: 0 additions & 14 deletions charts/consul/test/unit/server-acl-init-role.bats
Original file line number Diff line number Diff line change
Expand Up @@ -52,20 +52,6 @@ load _helpers
[ "${actual}" = "true" ]
}

#--------------------------------------------------------------------
# connectInject.enabled

@test "serverACLInit/Role: allows service accounts when connectInject.enabled is true" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-acl-init-role.yaml \
--set 'global.acls.manageSystemACLs=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r '.rules | map(select(.resources[0] == "serviceaccounts")) | length' | tee /dev/stderr)
[ "${actual}" = "2" ]
}

#--------------------------------------------------------------------
# manageSystemACLs.enabled

Expand Down
4 changes: 2 additions & 2 deletions control-plane/subcommand/server-acl-init/command.go
Original file line number Diff line number Diff line change
Expand Up @@ -768,7 +768,7 @@ func (c *Command) Run(args []string) int {
// that the Consul components will use to issue global ACL tokens with.
func (c *Command) configureGlobalComponentAuthMethod(consulClient *api.Client, authMethodName, primaryDC string) error {
// Create the auth method template. This requires calls to the kubernetes environment.
authMethod, err := c.createAuthMethodTmpl(authMethodName, c.withPrefix("component-authmethod"), false)
authMethod, err := c.createAuthMethodTmpl(authMethodName, false)
if err != nil {
return err
}
Expand All @@ -781,7 +781,7 @@ func (c *Command) configureGlobalComponentAuthMethod(consulClient *api.Client, a
// that the Consul components will use to issue local ACL tokens with.
func (c *Command) configureLocalComponentAuthMethod(consulClient *api.Client, authMethodName string) error {
// Create the auth method template. This requires calls to the kubernetes environment.
authMethod, err := c.createAuthMethodTmpl(authMethodName, c.withPrefix("component-authmethod"), false)
authMethod, err := c.createAuthMethodTmpl(authMethodName, false)
if err != nil {
return err
}
Expand Down
6 changes: 3 additions & 3 deletions control-plane/subcommand/server-acl-init/command_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2842,7 +2842,7 @@ func getBootToken(t *testing.T, k8s *fake.Clientset, prefix string, k8sNamespace
func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) (string, string) {
// Create ServiceAccount for the kubernetes auth method if it doesn't exist,
// otherwise, do nothing.
serviceAccountName := resourcePrefix + "-connect-injector"
serviceAccountName := resourcePrefix + "-authmethod"
sa, _ := k8s.CoreV1().ServiceAccounts(namespace).Get(context.Background(), serviceAccountName, metav1.GetOptions{})
if sa == nil {
// Create a service account that references two secrets.
Expand All @@ -2859,7 +2859,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string)
Name: resourcePrefix + "-some-other-secret",
},
{
Name: resourcePrefix + "-connect-injector",
Name: resourcePrefix + "-authmethod",
},
},
},
Expand All @@ -2874,7 +2874,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string)
require.NoError(t, err)

// Create a Kubernetes secret if it doesn't exist, otherwise update it
secretName := resourcePrefix + "-connect-injector"
secretName := resourcePrefix + "-authmethod"
secret := &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: secretName,
Expand Down
Loading

0 comments on commit 6fdd05a

Please sign in to comment.