

Sync token acl refactor (#1081)
• Refactor sync-catalog to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.
• Create a service account and rolebinding dedicated to the component authmethod so that it no longer piggybacks on the one used by the connect-inject authmethod.
Ashwin Venkatesh authored and jmurret committed Mar 11, 2022
1 parent fa040ab commit 9679f5b
Showing 29 changed files with 632 additions and 206 deletions.
18 changes: 18 additions & 0 deletions charts/consul/templates/auth-method-clusterrole.yaml
@@ -0,0 +1,18 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-auth-method
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
rules:
- apiGroups: [ "" ]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
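Review bot: The new ClusterRole has no header comment saying why the auth-method service account needs `get` on serviceaccounts, while connect-inject-clusterrole.yaml documents its purpose on its first line. Suggest a line directly after the `if`: `# ClusterRole for the dedicated auth-method service account (see auth-method-serviceaccount.yaml): read access to service accounts cluster-wide.` The rule has no resourceNames, so this is a cluster-wide read; that is presumably unavoidable because the accounts being looked up are not known at render time, but stating it in the comment stops a later reviewer from trying to narrow it and quietly breaking logins.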
39 changes: 39 additions & 0 deletions charts/consul/templates/auth-method-clusterrolebinding.yaml
@@ -0,0 +1,39 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-authdelegator
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "system:auth-delegator"
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-auth-method
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-auth-method
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-auth-method
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-auth-method
namespace: {{ .Release.Namespace }}
{{- end }}
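Review bot: The first binding's name, `{{ template "consul.fullname" . }}-authdelegator`, breaks the hyphenated naming used everywhere else in this commit (`-auth-method`, `-server-acl-init`, `-sync-catalog`); `-auth-delegator` would match, and since a ClusterRoleBinding is cluster-scoped a rename later leaves the old object behind, so it is cheapest to fix before release. Neither binding carries a comment, and the first hands the built-in `system:auth-delegator` role to the new service account, which is a notable privilege; a one-line comment above it such as `# Binds system:auth-delegator so the auth-method service account's token can be used for TokenReview-based login.` would record the intent — confirm TokenReview is in fact the reason before using that wording.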
19 changes: 19 additions & 0 deletions charts/consul/templates/auth-method-serviceaccount.yaml
@@ -0,0 +1,19 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-auth-method
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}

This file was deleted.

17 changes: 6 additions & 11 deletions charts/consul/templates/connect-inject-clusterrole.yaml
@@ -1,3 +1,4 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
Expand All @@ -11,14 +12,14 @@ metadata:
component: connect-injector
rules:
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
- apiGroups: [ "" ]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
- apiGroups: [""]
resources: ["pods", "endpoints", "services", "namespaces"]
- apiGroups: [ "" ]
resources: [ "pods", "endpoints", "services", "namespaces" ]
verbs:
- "get"
- "list"
Expand All @@ -33,17 +34,11 @@ rules:
- list
- update
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
resourceNames:
- {{ template "consul.fullname" . }}-connect-injector
verbs:
- use
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
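Review bot: The serviceaccounts `get` rule kept under `manageSystemACLs` at the top of the rules list (it was previously at the bottom) may now be a leftover: this commit gives the auth method its own service account and ClusterRole with exactly this grant, so unless the injector itself still reads service accounts the rule can be dropped to keep the injector's role minimal — worth confirming against the injector code rather than keeping it on suspicion. Separately, the gating expression `{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}` is now pasted verbatim into this file, connect-inject-clusterrolebinding.yaml and connect-inject-serviceaccount.yaml; a named helper alongside `consul.fullname` (say `consul.connectInjectEnabled`, name constructed here) would keep the three in step when the enablement rule changes. The rules list continues between the hunks shown.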
@@ -1,3 +1,4 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
Expand All @@ -16,3 +17,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
{{- end }}
4 changes: 3 additions & 1 deletion charts/consul/templates/connect-inject-serviceaccount.yaml
@@ -1,3 +1,4 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: v1
kind: ServiceAccount
metadata:
Expand All @@ -16,6 +17,7 @@ metadata:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
2 changes: 1 addition & 1 deletion charts/consul/templates/server-acl-init-job.yaml
Expand Up @@ -169,7 +169,7 @@ spec:
{{- end }}
{{- if .Values.syncCatalog.enabled }}
-create-sync-token=true \
-sync-catalog=true \
{{- if .Values.syncCatalog.consulNodeName }}
-sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \
{{- end }}
38 changes: 19 additions & 19 deletions charts/consul/templates/server-acl-init-role.yaml
Expand Up @@ -13,26 +13,26 @@ metadata:
release: {{ .Release.Name }}
component: server-acl-init
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- create
- get
- apiGroups: [""]
resources:
- serviceaccounts
resourceNames:
- {{ template "consul.fullname" . }}-connect-injector
verbs:
- get
- apiGroups: [ "" ]
resources:
- secrets
verbs:
- create
- get
- apiGroups: [ "" ]
resources:
- serviceaccounts
resourceNames:
- {{ template "consul.fullname" . }}-auth-method
verbs:
- get
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames:
- {{ template "consul.fullname" . }}-server-acl-init
verbs:
- use
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
resourceNames:
- {{ template "consul.fullname" . }}-server-acl-init
verbs:
- use
{{- end }}
{{- end }}
{{- end }}
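Review bot: The first rule in the hunk still grants `create` and `get` on every secret in the namespace with no resourceNames, even though the point of this commit is to stop passing the sync-catalog token around as a Kubernetes secret; if the secrets server-acl-init still touches are enumerable at render time, at least the `get` verb could be narrowed with a resourceNames list like the serviceaccounts rule below it. The serviceaccounts rule is correctly re-pointed at `{{ template "consul.fullname" . }}-auth-method`. If the broad secrets grant has to stay, a comment above it such as `# Secrets: create/get without resourceNames — needed for the secrets server-acl-init itself writes; revisit once those are enumerable.` records why it survived the refactor. The template's outer conditionals open before the hunk.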
9 changes: 0 additions & 9 deletions charts/consul/templates/sync-catalog-clusterrole.yaml
Expand Up @@ -30,15 +30,6 @@ rules:
- nodes
verbs:
- get
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ template "consul.fullname" . }}-catalog-sync-acl-token
verbs:
- get
{{- end }}
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
87 changes: 69 additions & 18 deletions charts/consul/templates/sync-catalog-deployment.yaml
Expand Up @@ -49,8 +49,11 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog
{{- if .Values.global.tls.enabled }}
volumes:
- name: consul-data
emptyDir:
medium: "Memory"
{{- if .Values.global.tls.enabled }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
- name: consul-ca-cert
secret:
Expand All @@ -70,9 +73,13 @@ spec:
{{- end }}
{{- end }}
containers:
- name: consul-sync-catalog
- name: sync-catalog
image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}"
env:
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN_FILE
value: "/consul/login/acl-token"
{{- end }}
- name: HOST_IP
valueFrom:
fieldRef:
Expand All @@ -88,13 +95,6 @@ spec:
name: {{ .Values.syncCatalog.aclSyncToken.secretName }}
key: {{ .Values.syncCatalog.aclSyncToken.secretKey }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN
valueFrom:
secretKeyRef:
name: "{{ template "consul.fullname" . }}-catalog-sync-acl-token"
key: "token"
{{- end}}
{{- if .Values.global.tls.enabled }}
{{- if .Values.client.enabled }}
- name: CONSUL_HTTP_ADDR
Expand All @@ -114,16 +114,19 @@ spec:
value: http://{{ template "consul.fullname" . }}-server:8500
{{- end }}
{{- end }}
{{- if .Values.global.tls.enabled }}
volumeMounts:
{{- if (and .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
- mountPath: /consul/login
name: consul-data
readOnly: true
{{- if .Values.global.tls.enabled }}
{{- if and .Values.global.tls.enableAutoEncrypt $clientEnabled }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
command:
- "/bin/sh"
- "-ec"
Expand Down Expand Up @@ -188,6 +191,16 @@ spec:
-consul-cross-namespace-acl-policy=cross-namespace-policy \
{{- end }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
lifecycle:
preStop:
exec:
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane consul-logout
{{- end }}
livenessProbe:
httpGet:
path: /health/ready
Expand All @@ -214,16 +227,57 @@ spec:
{{- end }}
{{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
initContainers:
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: sync-acl-init
- name: sync-catalog-acl-init
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
- name: CONSUL_HTTP_ADDR
{{- if .Values.global.tls.enabled }}
value: https://$(HOST_IP):8501
{{- else }}
value: http://$(HOST_IP):8500
{{- end }}
image: {{ .Values.global.imageK8S }}
volumeMounts:
- mountPath: /consul/login
name: consul-data
readOnly: false
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane acl-init \
-secret-name="{{ template "consul.fullname" . }}-catalog-sync-acl-token" \
-k8s-namespace={{ .Release.Namespace }}
-component-name=sync-catalog \
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }}
-acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \
-primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \
{{- else }}
-acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method \
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
-partition={{ .Values.global.adminPartitions.name }} \
{{- end }}
-log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
-log-json={{ .Values.global.logJSON }}
resources:
requests:
memory: "25Mi"
Expand All @@ -232,9 +286,6 @@ spec:
memory: "25Mi"
cpu: "50m"
{{- end }}
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.syncCatalog.priorityClassName }}
priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }}
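Review bot: In the sync-catalog-acl-init command, the line `-k8s-namespace={{ .Release.Namespace }}` has no trailing backslash as rendered here, so the `consul-k8s-control-plane acl-init` invocation ends there and the shell, running with `-ec`, then tries to execute `-component-name=sync-catalog ...` as a separate command; it should read `-k8s-namespace={{ .Release.Namespace }} \`. Two more things in the same command: `-log-level={{ default .Values.global.logLevel .Values.controller.logLevel }}` reads the controller's log level inside the sync-catalog deployment, which looks like a copy-paste from the controller template (presumably `.Values.syncCatalog.logLevel` is the intended override — confirm it exists in values.yaml), and `-secret-name="{{ template "consul.fullname" . }}-catalog-sync-acl-token"` is still passed although this commit removes the sync-catalog ClusterRole's `get` on that secret and the `CONSUL_HTTP_TOKEN` secretKeyRef, so if the login path now only writes `/consul/login/acl-token` the flag is a leftover. The init container also hard-codes `CONSUL_HTTP_ADDR` to `$(HOST_IP)`, whereas the main container branches on `.Values.client.enabled`; confirm the init container can never be rendered in a client-less configuration. The container spec continues outside the hunk in both directions.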
