ACLs Refactor. Bootstrap Token and Snapshot Agent Config in Vault. Pre-configured bootstrap token as k8s secret. (#1128)

* Use kube auth method to provision ACL token for the crd controller (#995)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Support storing bootstrap token in Vault (#1061)

* Global auth method (#1075)

• Update server-acl-init to create authmethods in the primary datacenter when the job is run in a secondary datacenter during federation. This authmethod allows us to issue logins for global policies.
• Update the controller workflow in server-acl-init to use this global authmethod when run in a secondary DC.
• Update the mesh-gateway acceptance tests to create proxy defaults in the secondary DC to test above behavior works successfully.
• Updated logout to not pass in the partition flag as it is not required.
• Update server acl init tests to migrate from require := require.New(t) to require.xyz(t, ...) patterns.

* Refactor ConnectInject to use authmethods (#1076)

Refactor connect-injector to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.

* Sync token acl refactor (#1081)

• Refactor sync-catalog to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.
• Create a service account and rolebinding dedicated to the component authmethod so that it no longer piggybacks on the one used by the connect-inject authmethod.

* rename the controller flag (#1089)

* Refactor Consul API Gateway Controller to use AuthMethod workflow. (#1083)

* Refactor Consul API Gateway Controller to use AuthMethod workflow.

* Refactor snapshot agent to use new acl authmethod workflow (#1084)

* refactor snapshot agent to use new acl authmethod workflow.

* Refactor mesh-gateway ACL flow (#1085)

* Refactor mesh-gateway ACL flow

* Fix flaky server-acl-init tests with retries (#1095)

* Fix flaky server-acl-init tests with retries

* Adding retry for flaky server-acl-init enterprise test

* adding missing retry module in server-acl-init enterprise tests

* Update Binding Rule if it exists for the authmethod (#1094)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acl token in addition to the error.

* Refactor createACLPolicyRoleAndBindingRule to append datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive an ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s acl-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flaky tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when it's a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead of token, error.

* vault: add support for admin partitions (#1098)

* Refactor common.Login (#1101)

* convert function args to a struct
* add some missing tests
* move logic that is only relevant for connect out

* Use bootstrap token from vault to validate exec'ing into consul server (#1116)

Follow up on #1103

* Enable terminating gateways to use ACL Auth Method (#1102)

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback. Fixing tests. Changing naming conventions for policy and roles for terminating gateways.

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Fixing enterprise tests

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* fixing acceptance test to recognize that long lived tokens will not exist and we have to update the role.

* Correcting serviceAccount used on deployment

* Making all names have a -ingress-gateway

* Update charts/consul/templates/terminating-gateways-deployment.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Enable snapshot agent configuration to be retrieved from vault (#1113)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acl token in addition to the error.

* Refactor createACLPolicyRoleAndBindingRule to append datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive an ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s acl-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flaky tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when it's a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead of token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* PR Feedback - change client-snapshot-deployment to only have one vault role entry even when needing to set to vault roles

* PR Feedback - when both snapshot agent and ca roles are specified in vault, it should get the sa role.

* Simplifying conditional for vault role.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Ability to set initial_management token when using k8s secret store.  Snapshot agent acceptance tests (#1125)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acl token in addition to the error.

* Refactor createACLPolicyRoleAndBindingRule to append datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive an ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s acl-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flaky tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when it's a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead of token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Adding an acceptance test for snapshot agent.  It currently fails because of a bug with Consul where it does not recognize CONSUL_HTTP_TOKEN.  Will need to refactor test to bootstrap, then create vault secret with embedded acl token, then helm upgrade to add snapshot agent.  Then assert that a *.snap file is created.

* Adding acceptance test for snapshot agent on vault.

* renaming test and removing extra file

* Move vault test helpers into framework folder so we can use it more easily from other folders.

* Adding snapshot agent test for k8s secret

* Adding ability to set initial_management token when using k8s secrets. Also working acceptance test for snapshot agent on k8s secrets.

* Adding bats tests. Adding envvar for ACL_BOOTSTRAP_TOKEN. Removing volume and volume mounts for bootstrap token.

* Adding CHANGELOG entry for ability to pre-set bootstrap ACL token

* Fixing bats tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Fixing broken unit tests

* Lowering snapshot interval from 1m to 15s for tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/framework/vault/helpers.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* PR Feedback - clarify comments on Vault helper functions

* PR Feedback - clarify comments on Vault helper functions

* Modifying tests to not incidentally send an encoded file

* Removing logging token in acceptance test code.

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Enable ingress gateways to use ACL Auth Method (#1118)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acl token in addition to the error.

* Refactor createACLPolicyRoleAndBindingRule to append datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive an ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s acl-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flaky tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when it's a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead of token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback. Fixing tests. Changing naming conventions for policy and roles for terminating gateways.

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* Correcting serviceAccount used on deployment

* Making all names have a -ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways (#1120)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acl token in addition to the error.

* Refactor createACLPolicyRoleAndBindingRule to append datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive an ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s acl-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flaky tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when it's a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead of token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback. Fixing tests. Changing naming conventions for policy and roles for terminating gateways.

* Correcting serviceAccount used on deployment

* Making all names have a -ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways

* Adding check for duplicate terminating gateways and ingress gateway names

* Update charts/consul/templates/ingress-gateways-deployment.yaml

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* PR Feedback - adding the duplicate name found to the check failures for duplicate ingress or terminating gateway names

* Fixing rebase conflict

* Merge Conflict- duplicate test

* Adding a 10s sleep to flaky snapshot agent tests that were not finding a snapshot in time.

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
7 people authored Mar 31, 2022
1 parent 7ae8173 commit a713f85
Showing 91 changed files with 8,066 additions and 2,408 deletions.
4 changes: 2 additions & 2 deletions .circleci/config.yml
Expand Up @@ -9,8 +9,8 @@ executors:
- image: docker.mirror.hashicorp.services/cimg/go:1.17.5
environment:
TEST_RESULTS: /tmp/test-results # path to where test results are saved
CONSUL_VERSION: 1.11.2 # Consul's OSS version to use in tests
CONSUL_ENT_VERSION: 1.11.2+ent # Consul's enterprise version to use in tests
CONSUL_VERSION: 1.11.4 # Consul's OSS version to use in tests
CONSUL_ENT_VERSION: 1.11.4+ent # Consul's enterprise version to use in tests

control-plane-path: &control-plane-path control-plane
cli-path: &cli-path cli
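Review bot: CONSUL_VERSION and CONSUL_ENT_VERSION move from 1.11.2 to 1.11.4 together, which is correct since the +ent tag must track the OSS version; the commit message says the snapshot agent acceptance test originally failed on a Consul bug around CONSUL_HTTP_TOKEN, so the PR description should state that 1.11.4 is now the minimum Consul version the acceptance tests assume.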
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -9,6 +9,9 @@ IMPROVEMENTS:
* Upgrade Docker image Alpine version from 3.14 to 3.15. [[GH-1058](https://github.com/hashicorp/consul-k8s/pull/1058)]
* Helm
* API Gateway: Allow controller to read Kubernetes namespaces in order to determine if route is allowed for gateway. [[GH-1092](https://github.com/hashicorp/consul-k8s/pull/1092)]
* Support a pre-configured bootstrap ACL token. [[GH-1125](https://github.com/hashicorp/consul-k8s/pull/1125)]
* Vault
* Enable snapshot agent configuration to be retrieved from vault. [[GH-1113](https://github.com/hashicorp/consul-k8s/pull/1113)]
* CLI
* Enable users to set up secondary clusters with existing federation secrets. [[GH-1126](https://github.com/hashicorp/consul-k8s/pull/1126)]

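Review bot: the new Helm entry "Support a pre-configured bootstrap ACL token" should say how the token is supplied (a Kubernetes secret, per the commit title and the ACL_BOOTSTRAP_TOKEN env var mentioned in the message) and that it becomes the initial_management token, because operators reading the changelog need to know that a pre-set token replaces the one server-acl-init would otherwise generate and has to be protected with the same care.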
42 changes: 23 additions & 19 deletions acceptance/framework/consul/helm_cluster.go
Expand Up @@ -386,25 +386,7 @@ func configurePodSecurityPolicies(t *testing.T, client kubernetes.Interface, cfg
}

func createOrUpdateLicenseSecret(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) {
_, err := client.CoreV1().Secrets(namespace).Get(context.Background(), config.LicenseSecretName, metav1.GetOptions{})
if errors.IsNotFound(err) {
_, err := client.CoreV1().Secrets(namespace).Create(context.Background(), &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: config.LicenseSecretName,
},
StringData: map[string]string{
config.LicenseSecretKey: cfg.EnterpriseLicense,
},
Type: corev1.SecretTypeOpaque,
}, metav1.CreateOptions{})
require.NoError(t, err)
} else {
require.NoError(t, err)
}

helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
_ = client.CoreV1().Secrets(namespace).Delete(context.Background(), config.LicenseSecretName, metav1.DeleteOptions{})
})
CreateK8sSecret(t, client, cfg, namespace, config.LicenseSecretName, config.LicenseSecretKey, cfg.EnterpriseLicense)
}

// configureSCCs creates RoleBindings that bind the default service account to cluster roles
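Review bot: createOrUpdateLicenseSecret now just wraps CreateK8sSecret, but neither the removed body nor the new helper updates an existing secret (the else branch only asserts that err is nil), so the "OrUpdate" in the name is misleading; rename it to createLicenseSecret or make the helper issue an Update when the Get succeeds.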
Expand Down Expand Up @@ -470,3 +452,25 @@ func defaultValues() map[string]string {
}
return values
}

func CreateK8sSecret(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace, secretName, secretKey, secret string) {
_, err := client.CoreV1().Secrets(namespace).Get(context.Background(), secretName, metav1.GetOptions{})
if errors.IsNotFound(err) {
_, err := client.CoreV1().Secrets(namespace).Create(context.Background(), &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: secretName,
},
StringData: map[string]string{
secretKey: secret,
},
Type: corev1.SecretTypeOpaque,
}, metav1.CreateOptions{})
require.NoError(t, err)
} else {
require.NoError(t, err)
}

helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
_ = client.CoreV1().Secrets(namespace).Delete(context.Background(), secretName, metav1.DeleteOptions{})
})
}
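Review bot: CreateK8sSecret is exported without a doc comment, and when the secret already exists it silently keeps the old value; for the bootstrap-token secret the tests now create through this helper, a stale value left over from a previous run would be reused, so either Update the existing secret or at least log that an existing secret was found. The four positional string parameters (namespace, secretName, secretKey, secret) are also easy to transpose at call sites; a comment on the order, or a small struct, would help.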
Expand Up @@ -18,13 +18,14 @@ const (
path "consul/data/secret/gossip" {
capabilities = ["read"]
}`
replicationTokenPolicy = `
path "consul/data/secret/replication" {
capabilities = ["read", "update"]

tokenPolicyTemplate = `
path "consul/data/secret/%s" {
capabilities = ["read"]
}`

enterpriseLicensePolicy = `
path "consul/data/secret/enterpriselicense" {
path "consul/data/secret/license" {
capabilities = ["read"]
}`

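Review bot: tokenPolicyTemplate replaces replicationTokenPolicy and drops the "update" capability, so Vault policies built from it are read-only on consul/data/secret/<name>; that is the right least-privilege shape for token consumers, but any test that still writes the replication token through the Vault client must do so under a different policy. The license path also changes from consul/data/secret/enterpriselicense to consul/data/secret/license; make sure the Helm values the tests pass for the license secret point at the new path.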
Expand Down Expand Up @@ -55,10 +56,15 @@ path "/%s/connect_inter/*" {
path "pki/cert/ca" {
capabilities = ["read"]
}`

snapshotAgentPolicy = `
path "consul/data/secret/snapshot-agent-config" {
capabilities = ["read"]
}`
)

// generateGossipSecret generates a random 32 byte secret returned as a base64 encoded string.
func generateGossipSecret() (string, error) {
// GenerateGossipSecret generates a random 32 byte secret returned as a base64 encoded string.
func GenerateGossipSecret() (string, error) {
// This code was copied from Consul's Keygen command:
// https://github.com/hashicorp/consul/blob/d652cc86e3d0322102c2b5e9026c6a60f36c17a5/command/keygen/keygen.go

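Review bot: snapshotAgentPolicy grants read on consul/data/secret/snapshot-agent-config, and per the commit message that config embeds an ACL token; bind this policy only to the snapshot agent's own Vault auth role rather than to a role shared with other components, so that no other service account in the namespace can read the token.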
Expand All @@ -74,16 +80,16 @@ func generateGossipSecret() (string, error) {
return base64.StdEncoding.EncodeToString(key), nil
}

// configureGossipVaultSecret generates a gossip encryption key,
// stores it in vault as a secret and configures a policy to access it.
func configureGossipVaultSecret(t *testing.T, vaultClient *vapi.Client) string {
// ConfigureGossipVaultSecret generates a gossip encryption key,
// stores it in Vault as a secret and configures a policy to access it.
func ConfigureGossipVaultSecret(t *testing.T, vaultClient *vapi.Client) string {
// Create the Vault Policy for the gossip key.
logger.Log(t, "Creating gossip policy")
err := vaultClient.Sys().PutPolicy("consul-gossip", gossipPolicy)
err := vaultClient.Sys().PutPolicy("gossip", gossipPolicy)
require.NoError(t, err)

// Generate the gossip secret.
gossipKey, err := generateGossipSecret()
gossipKey, err := GenerateGossipSecret()
require.NoError(t, err)

// Create the gossip secret.
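Review bot: the Vault policy name changes from consul-gossip to gossip; policy names are global within a Vault namespace, so the shorter unprefixed name is more likely to collide with an existing policy when the acceptance tests run against a shared Vault. Either keep a consul- prefix or document that the test Vault is dedicated; the same applies to the license policy renamed further down.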
Expand All @@ -99,71 +105,75 @@ func configureGossipVaultSecret(t *testing.T, vaultClient *vapi.Client) string {
return gossipKey
}

// configureEnterpriseLicenseVaultSecret stores it in vault as a secret and configures a policy to access it.
func configureEnterpriseLicenseVaultSecret(t *testing.T, vaultClient *vapi.Client, cfg *config.TestConfig) {
// ConfigureEnterpriseLicenseVaultSecret stores it in Vault as a secret and configures a policy to access it.
func ConfigureEnterpriseLicenseVaultSecret(t *testing.T, vaultClient *vapi.Client, cfg *config.TestConfig) {
// Create the enterprise license secret.
logger.Log(t, "Creating the Enterprise License secret")
params := map[string]interface{}{
"data": map[string]interface{}{
"enterpriselicense": cfg.EnterpriseLicense,
"license": cfg.EnterpriseLicense,
},
}
_, err := vaultClient.Logical().Write("consul/data/secret/enterpriselicense", params)
_, err := vaultClient.Logical().Write("consul/data/secret/license", params)
require.NoError(t, err)

// Create the Vault Policy for the consul-enterpriselicense.
err = vaultClient.Sys().PutPolicy("consul-enterpriselicense", enterpriseLicensePolicy)
err = vaultClient.Sys().PutPolicy("license", enterpriseLicensePolicy)
require.NoError(t, err)
}

// configureKubernetesAuthRoles configures roles for the Kubernetes auth method
// that will be used by the test Helm chart installation.
func configureKubernetesAuthRoles(t *testing.T, vaultClient *vapi.Client, consulReleaseName, ns, authPath, datacenter string, cfg *config.TestConfig) {
consulClientServiceAccountName := fmt.Sprintf("%s-consul-client", consulReleaseName)
consulServerServiceAccountName := fmt.Sprintf("%s-consul-server", consulReleaseName)
sharedPolicies := "consul-gossip"
if cfg.EnableEnterprise {
sharedPolicies += ",consul-enterpriselicense"
// ConfigureSnapshotAgentSecret stores it in Vault as a secret and configures a policy to access it.
func ConfigureSnapshotAgentSecret(t *testing.T, vaultClient *vapi.Client, cfg *config.TestConfig, config string) {
logger.Log(t, "Creating the Snapshot Agent Config secret in Vault")
params := map[string]interface{}{
"data": map[string]interface{}{
"config": config,
},
}
_, err := vaultClient.Logical().Write("consul/data/secret/snapshot-agent-config", params)
require.NoError(t, err)

err = vaultClient.Sys().PutPolicy("snapshot-agent-config", snapshotAgentPolicy)
require.NoError(t, err)
}

// ConfigureKubernetesAuthRole configures a role in Vault for the component for the Kubernetes auth method
// that will be used by the test Helm chart installation.
func ConfigureKubernetesAuthRole(t *testing.T, vaultClient *vapi.Client, consulReleaseName, ns, authPath, component, policies string) {
componentServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, component)

// Create the Auth Roles for consul-server and consul-client.
// Create the Auth Roles for the component.
// Auth roles bind policies to Kubernetes service accounts, which
// then enables the Vault agent init container to call 'vault login'
// with the Kubernetes auth method to obtain a Vault token.
// Please see https://www.vaultproject.io/docs/auth/kubernetes#configuration
// for more details.
logger.Log(t, "Creating the consul-server and consul-client roles")
logger.Logf(t, "Creating the %q", componentServiceAccountName)
params := map[string]interface{}{
"bound_service_account_names": consulClientServiceAccountName,
"bound_service_account_names": componentServiceAccountName,
"bound_service_account_namespaces": ns,
"policies": sharedPolicies,
"policies": policies,
"ttl": "24h",
}
_, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/consul-client", authPath), params)
require.NoError(t, err)

params = map[string]interface{}{
"bound_service_account_names": consulServerServiceAccountName,
"bound_service_account_namespaces": ns,
"policies": fmt.Sprintf(sharedPolicies+",connect-ca-%s,consul-server-%s,consul-replication-token", datacenter, datacenter),
"ttl": "24h",
}
_, err = vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/consul-server", authPath), params)
_, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/%s", authPath, component), params)
require.NoError(t, err)
}

// ConfigureConsulCAKubernetesAuthRole configures a role in Vault that allows all service accounts
// within the installation namespace access to the Consul server CA.
func ConfigureConsulCAKubernetesAuthRole(t *testing.T, vaultClient *vapi.Client, ns, authPath string) {
// Create the CA role that all components will use to fetch the Server CA certs.
params = map[string]interface{}{
params := map[string]interface{}{
"bound_service_account_names": "*",
"bound_service_account_namespaces": ns,
"policies": "consul-ca",
"ttl": "24h",
}
_, err = vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/consul-ca", authPath), params)
_, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/consul-ca", authPath), params)
require.NoError(t, err)
}

// configurePKICA generates a CA in Vault.
func configurePKICA(t *testing.T, vaultClient *vapi.Client) {
// ConfigurePKICA generates a CA in Vault.
func ConfigurePKICA(t *testing.T, vaultClient *vapi.Client) {
// Create root CA to issue Consul server certificates and the `consul-server` PKI role.
// See https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls.
// Generate the root CA.
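Review bot: in ConfigureConsulCAKubernetesAuthRole the new `consul-ca` role binds `"bound_service_account_names": "*"` within `ns`, so every service account in the installation namespace (including `default`) can log in to Vault and receive the `consul-ca` policy; please confirm that policy grants read on the CA certificate path only, and state that constraint in the function's doc comment so the wildcard binding is not widened later. Two smaller points in the generalized component role helper above it: the log line `logger.Logf(t, "Creating the %q", componentServiceAccountName)` no longer says what is being created, so something like `"Creating Vault Kubernetes auth role %q for service account %q", component, componentServiceAccountName` would help when an acceptance run fails; and the removed `consul-server` role carried `connect-ca-%s,consul-server-%s,consul-replication-token`, which now has to arrive through the `policies` argument, so the callers should be checked for that exact set (the replication token policy is the easy one to drop).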
@@ -178,9 +188,9 @@ func configurePKICA(t *testing.T, vaultClient *vapi.Client) {
require.NoError(t, err)
}

// configurePKICertificates configures roles so that Consul server TLS certificates
// ConfigurePKICertificates configures roles in Vault so that Consul server TLS certificates
// can be issued by Vault.
func configurePKICertificates(t *testing.T, vaultClient *vapi.Client, consulReleaseName, ns, datacenter string) string {
func ConfigurePKICertificates(t *testing.T, vaultClient *vapi.Client, consulReleaseName, ns, datacenter string) string {
// Create the Vault PKI Role.
consulServerDNSName := consulReleaseName + "-consul-server"
allowedDomains := fmt.Sprintf("%s.consul,%s,%s.%s,%s.%s.svc", datacenter, consulServerDNSName, consulServerDNSName, ns, consulServerDNSName, ns)
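Review bot: the rename to the exported ConfigurePKICA and ConfigurePKICertificates is consistent with the updated doc comments, but since ConfigurePKICertificates now returns a `string` to callers outside the package, its comment should say what that value is (the certificate issue path) rather than leaving callers to read the body. Also worth noting in the comment that `allowedDomains` only covers `<dc>.consul`, the release name, `<name>.<ns>` and `<name>.<ns>.svc`, so a test that addresses the servers by any other name will get a certificate that does not match.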
@@ -193,7 +203,7 @@ func configurePKICertificates(t *testing.T, vaultClient *vapi.Client, consulRele
"max_ttl": "1h",
}

pkiRoleName := fmt.Sprintf("consul-server-%s", datacenter)
pkiRoleName := fmt.Sprintf("server-cert-%s", datacenter)

_, err := vaultClient.Logical().Write(fmt.Sprintf("pki/roles/%s", pkiRoleName), params)
require.NoError(t, err)
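Review bot: renaming the PKI role at `pkiRoleName := fmt.Sprintf("server-cert-%s", datacenter)` changes the issue path this function returns, while the removed `consul-server` Kubernetes auth role in the first hunk listed a `consul-server-%s` policy; whatever policy guards issuing from `pki/roles/server-cert-<dc>` has to be renamed in step, and the callers that now build the `policies` string need the new name, otherwise the server's Vault agent will be denied at issue time. A test assertion that the returned issue path and the policy's path agree would catch this the next time either is renamed.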
@@ -211,47 +221,35 @@ path %q {
return certificateIssuePath
}

// configureReplicationTokenVaultSecret generates a replication token secret ID,
// stores it in vault as a secret and configures a policy to access it.
func configureReplicationTokenVaultSecret(t *testing.T, vaultClient *vapi.Client, consulReleaseName, ns string, authMethodPaths ...string) string {
// Create the Vault Policy for the replication token.
logger.Log(t, "Creating replication token policy")
err := vaultClient.Sys().PutPolicy("consul-replication-token", replicationTokenPolicy)
// ConfigureACLTokenVaultSecret generates a token secret ID for a given name,
// stores it in Vault as a secret and configures a policy to access it.
func ConfigureACLTokenVaultSecret(t *testing.T, vaultClient *vapi.Client, tokenName string) string {
// Create the Vault Policy for the token.
logger.Logf(t, "Creating %s token policy", tokenName)
policyName := fmt.Sprintf("%s-token", tokenName)
tokenPolicy := fmt.Sprintf(tokenPolicyTemplate, tokenName)
err := vaultClient.Sys().PutPolicy(policyName, tokenPolicy)
require.NoError(t, err)

// Generate the token secret.
token, err := uuid.GenerateUUID()
require.NoError(t, err)

// Create the replication token secret.
logger.Log(t, "Creating the replication token secret")
logger.Logf(t, "Creating the %s token secret", tokenName)
params := map[string]interface{}{
"data": map[string]interface{}{
"replication": token,
"token": token,
},
}
_, err = vaultClient.Logical().Write("consul/data/secret/replication", params)
_, err = vaultClient.Logical().Write(fmt.Sprintf("consul/data/secret/%s", tokenName), params)
require.NoError(t, err)

logger.Log(t, "Creating kubernetes auth role for the server-acl-init job")
serverACLInitSAName := fmt.Sprintf("%s-consul-server-acl-init", consulReleaseName)
params = map[string]interface{}{
"bound_service_account_names": serverACLInitSAName,
"bound_service_account_namespaces": ns,
"policies": "consul-replication-token",
"ttl": "24h",
}

for _, authMethodPath := range authMethodPaths {
_, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/server-acl-init", authMethodPath), params)
require.NoError(t, err)
}

return token
}

// createConnectCAPolicy creates the Vault Policy for the connect-ca in a given datacenter.
func createConnectCAPolicy(t *testing.T, vaultClient *vapi.Client, datacenter string) {
// CreateConnectCAPolicy creates the Vault Policy for the connect-ca in a given datacenter.
func CreateConnectCAPolicy(t *testing.T, vaultClient *vapi.Client, datacenter string) {
err := vaultClient.Sys().PutPolicy(
fmt.Sprintf("connect-ca-%s", datacenter),
fmt.Sprintf(connectCAPolicyTemplate, datacenter, datacenter))
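Review bot: ConfigureACLTokenVaultSecret drops the `server-acl-init` Kubernetes auth role that configureReplicationTokenVaultSecret used to create (the `bound_service_account_names: serverACLInitSAName` block and the loop over `authMethodPaths`); the server-acl-init job still needs a Vault role bound to its service account to read the bootstrap and replication token secrets, so please confirm that role is now created by the component role helper with a `policies` value that includes every `<tokenName>-token` policy created here. Two naming details to check against the chart's Vault agent annotations: the secret's data key moved from `replication` to the generic `token`, and the policy name is now `fmt.Sprintf("%s-token", tokenName)` instead of the fixed `consul-replication-token`, so a caller passing `replication` yields `replication-token`, which will not match any remaining reference to the old name. The `uuid.GenerateUUID()` value is correctly written only to `consul/data/secret/<tokenName>` and returned; keep it out of the `logger.Logf` calls.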
2 changes: 1 addition & 1 deletion acceptance/go.mod
@@ -7,6 +7,7 @@ require (
github.com/hashicorp/consul-k8s/control-plane v0.0.0-20211207212234-aea9efea5638
github.com/hashicorp/consul/api v1.12.0
github.com/hashicorp/consul/sdk v0.9.0
github.com/hashicorp/go-uuid v1.0.2
github.com/hashicorp/vault/api v1.2.0
github.com/stretchr/testify v1.7.0
gopkg.in/yaml.v2 v2.4.0
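Review bot: promoting `github.com/hashicorp/go-uuid v1.0.2` to a direct requirement matches the new `uuid.GenerateUUID()` call in ConfigureACLTokenVaultSecret, and since the version is unchanged go.sum should not need to change; the `// indirect` entry for the same module is removed in the next hunk, so it is not listed twice.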
@@ -49,7 +50,6 @@ require (
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 // indirect
github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 // indirect
github.com/hashicorp/go-sockaddr v1.0.2 // indirect
github.com/hashicorp/go-uuid v1.0.2 // indirect
github.com/hashicorp/go-version v1.2.0 // indirect
github.com/hashicorp/golang-lru v0.5.3 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect

0 comments on commit a713f85