Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ACLs Refactor. Bootstrap Token and Snapshot Agent Config in Vault. Pr…
…e-configured bootstrap token as k8s secret. (#1128) * Use kube auth method to provision ACL token for the crd controller (#995) * Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller. Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Support storing bootstrap token in Vault (#1061) * Global auth method (#1075) • Update server-acl-init to create authmethods in the primary datacenter when the job is run in a secondary datacenter during federation. This authmethod allows us to issue logins for global policies. • Update the controller workflow in server-acl-init to use this global authmethod when run in a secondary DC. • Update the mesh-gateway acceptance tests to create proxy defaults in the secondary DC to test above behavior works successfully. • Updated logout to not pass in the partition flag as it is not required. • Update server acl init tests to migrate from require := require.New(t) to require.xyz(t, ...) patterns. * Refactor ConnectInject to use authmethods (#1076) Refactor connect-injector to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used. * Sync token acl refactor (#1081) • Refactor sync-catalog to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used. • Create a service account and rolebinding dedicated to the component authmethod so that it no longer piggybacks on the one used by the connect-inject authmethod. * rename the controller flag (#1089) * Refactor Consul API Gateway Controller to use AuthMethod workflow. (#1083) * Refactor Consul API Gateway Controller to use AuthMethod workflow. * Refactor snapshot agent to use new acl authmethod workflow (#1084) * refactor snapshot agent to use new acl authmethod workflow. * Refactor mesh-gateway ACL flow (#1085) * Refactor mesh-gateway ACL flow * Fix flakey server-acl-init tests with retries (#1095) * Fix flakey server-acl-init tests with retries * Adding retry for flakey server-acl-init enterprise test * adding missing retry module in server-acl-init enterprise tests * Update Binding Rule if it exists for the authmethod (#1094) * Enable ACL Client Token (#1093) * Refactor ConsulLogin() to return the acltoken in addition to theerror. * Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist * Rename -create-client-token flag to -client * set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server. * Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call. * Enable client to talk to Consul Server to perform consul login. * Pass Auth Method to k8s al-init command. * Configure Consul address to be the Consul Server Load Balancer. * Configure CA Cert volume to be in memory rather than k8s secret when using vault. * Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout. * Setup prestop command to perform consul logout. * Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition. * Configuring partition-init to remove additional flags and use ones that already exist * adding missing comma * fix flakey tests by wrapping asserts in retries a la Iryna * Adding -use-https flag to client-daemonset.yaml when externalServers are enabled * Refactoring tests to cover client-acl-init changes * addressing PR comments * removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test. * addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens. * completing additional dns names based on PR feedback * Do not ca-cert volume when using vault. * removing unused flagConsulCACert from partition-init command * PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead ok token, error. * vault: add support for admin partitions (#1098) * Refactor common.Login (#1101) * convert function args to a struct * add some missing tests * move logic that is only relevant for connect out * Use bootstrap token from vault to validate exec'ing into consul server (#1116) Follow up on #1103 * Enable terminating gateways to use ACL Auth Method (#1102) * Enable terminating gateway policy to be generated via Auth Method * Filtering out failing portion of test for terminating gateway work * PR feedback.Fixing tests. Changing naming conventions for policy and roles for terminating gateways. * Update control-plane/subcommand/server-acl-init/command.go Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Update control-plane/subcommand/server-acl-init/command.go Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Fixing enterprise tests * Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name> * fixing acceptance test to recognize that long lived tokens will not exist and we ahve to update the role. * Correcting serviceAccount used on deployment * Making all nameshavea-ingress-gateway * Update charts/consul/templates/terminating-gateways-deployment.yaml Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Update control-plane/subcommand/server-acl-init/command.go Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Update control-plane/subcommand/server-acl-init/command.go Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Update control-plane/subcommand/server-acl-init/command.go Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Enable snapshot agent configuration to be retrieved from vault (#1113) * Enable ACL Client Token (#1093) * Refactor ConsulLogin() to return the acltoken in addition to theerror. * Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist * Rename -create-client-token flag to -client * set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server. * Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call. * Enable client to talk to Consul Server to perform consul login. * Pass Auth Method to k8s al-init command. * Configure Consul address to be the Consul Server Load Balancer. * Configure CA Cert volume to be in memory rather than k8s secret when using vault. * Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout. * Setup prestop command to perform consul logout. * Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition. * Configuring partition-init to remove additional flags and use ones that already exist * adding missing comma * fix flakey tests by wrapping asserts in retries a la Iryna * Adding -use-https flag to client-daemonset.yaml when externalServers are enabled * Refactoring tests to cover client-acl-init changes * addressing PR comments * removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test. * addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens. * completing additional dns names based on PR feedback * Do not ca-cert volume when using vault. * removing unused flagConsulCACert from partition-init command * PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead ok token, error. * Enable snapshot agent configuration to be retrieved from vault * Adding CHANGELOG entry * Changing the decoding of snapshot agent config in vault to platform agnostic * Fixing the way we write the encoded vault secret out to a decoded json file * Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension. * Update CHANGELOG.md Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Update charts/consul/values.yaml Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Update charts/consul/values.yaml Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Update charts/consul/values.yaml Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * PR Feedback - change client-snapshot-deployment to only have one vault role entry even when needing to set to vault roles * PR Feedback - when both snapshot agent and ca roles are specified in vault, it should get the sa role. * Simplifying conditional for vault role. Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> * Ability to set initial_management token when using k8s secret store. Snapshot agent acceptance tests (#1125) * Enable ACL Client Token (#1093) * Refactor ConsulLogin() to return the acltoken in addition to theerror. * Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist * Rename -create-client-token flag to -client * set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server. * Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call. * Enable client to talk to Consul Server to perform consul login. * Pass Auth Method to k8s al-init command. * Configure Consul address to be the Consul Server Load Balancer. * Configure CA Cert volume to be in memory rather than k8s secret when using vault. * Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout. * Setup prestop command to perform consul logout. * Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition. * Configuring partition-init to remove additional flags and use ones that already exist * adding missing comma * fix flakey tests by wrapping asserts in retries a la Iryna * Adding -use-https flag to client-daemonset.yaml when externalServers are enabled * Refactoring tests to cover client-acl-init changes * addressing PR comments * removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test. * addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens. * completing additional dns names based on PR feedback * Do not ca-cert volume when using vault. * removing unused flagConsulCACert from partition-init command * PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead ok token, error. * Enable snapshot agent configuration to be retrieved from vault * Adding CHANGELOG entry * Changing the decoding of snapshot agent config in vault to platform agnostic * Fixing the way we write the encoded vault secret out to a decoded json file * Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension. * Adding an acceptance test for snapshot agent. It currently fails because of a bug with Consul where it does not recognize CONSUL_HTTP_TOKEN. Will need to refactor test to bootstrap, then create vault secret with embedded acl token, then helm upgrade to add snapshot agent. Then assert that a *.snap file is created. * Adding acceptance test for snapshot agent on vault. * renaming test and removing extra file * Move vault test helpers into framework folder so we can use it more easily from other folders. * Adding snapshot agent test for k8s secret * Adding ability to set initial_management token when using k8s secrets. Also working acceptance test for snapshot agent on k8s secrets. * Adding bats tests. Adding envvar for ACL_BOOTSTRAP_TOKEN. Removing volume and volume mounts for bootstrap token. * Adding CHANGELOG entry for ability to pre-set bootstrap ACL token * Fixing bats tests * Update acceptance/framework/consul/helm_cluster.go Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Fixing broken unit tests * Lowering snapshot interval from 1mto15s for tests * Update acceptance/framework/consul/helm_cluster.go Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> * Update acceptance/framework/vault/helpers.go Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> * Update acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> * PR Feedback - clarify comments on Vault helper functions * PR Feedback - clarify comments on Vault helper functions * Modifying tests to not incidentally send an encoded file * Removing logging token in acceptance test code. Co-authored-by: Thomas Eckert <teckert@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> * Enable ingress gateways to use ACL Auth Method (#1118) * Enable ACL Client Token (#1093) * Refactor ConsulLogin() to return the acltoken in addition to theerror. * Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist * Rename -create-client-token flag to -client * set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server. * Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call. * Enable client to talk to Consul Server to perform consul login. * Pass Auth Method to k8s al-init command. * Configure Consul address to be the Consul Server Load Balancer. * Configure CA Cert volume to be in memory rather than k8s secret when using vault. * Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout. * Setup prestop command to perform consul logout. * Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition. * Configuring partition-init to remove additional flags and use ones that already exist * adding missing comma * fix flakey tests by wrapping asserts in retries a la Iryna * Adding -use-https flag to client-daemonset.yaml when externalServers are enabled * Refactoring tests to cover client-acl-init changes * addressing PR comments * removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test. * addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens. * completing additional dns names based on PR feedback * Do not ca-cert volume when using vault. * removing unused flagConsulCACert from partition-init command * PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead ok token, error. * Enable terminating gateway policy to be generated via Auth Method * Filtering out failing portion of test for terminating gateway work * PR feedback.Fixing tests. Changing naming conventions for policy and roles for terminating gateways. * Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name> * Correcting serviceAccount used on deployment * Making all nameshavea-ingress-gateway * Enable ingress gateway policy to be generated via Auth Method * Making all names have a -ingress-gateway suffix * Removing duplicate test * Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> * Removing the gateway type suffix from the naming conventions for terminating and ingress gateways (#1120) * Enable ACL Client Token (#1093) * Refactor ConsulLogin() to return the acltoken in addition to theerror. * Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist * Rename -create-client-token flag to -client * set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server. * Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call. * Enable client to talk to Consul Server to perform consul login. * Pass Auth Method to k8s al-init command. * Configure Consul address to be the Consul Server Load Balancer. * Configure CA Cert volume to be in memory rather than k8s secret when using vault. * Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout. * Setup prestop command to perform consul logout. * Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition. * Configuring partition-init to remove additional flags and use ones that already exist * adding missing comma * fix flakey tests by wrapping asserts in retries a la Iryna * Adding -use-https flag to client-daemonset.yaml when externalServers are enabled * Refactoring tests to cover client-acl-init changes * addressing PR comments * removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test. * addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens. * completing additional dns names based on PR feedback * Do not ca-cert volume when using vault. * removing unused flagConsulCACert from partition-init command * PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead ok token, error. * Enable terminating gateway policy to be generated via Auth Method * Filtering out failing portion of test for terminating gateway work * PR feedback.Fixing tests. Changing naming conventions for policy and roles for terminating gateways. * Correcting serviceAccount used on deployment * Making all nameshavea-ingress-gateway * Enable ingress gateway policy to be generated via Auth Method * Making all names have a -ingress-gateway suffix * Removing duplicate test * Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> * Removing the gateway type suffix from the naming conventions for terminating and ingress gateways * Adding check for duplicate terminating gateways and ingress gateway names * Update charts/consul/templates/ingress-gateways-deployment.yaml Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com> * PR Feedback - adding the duplicate name found to the check failures for duplicate ingress or terminating gateway names * Fixing rebase conflict * Merge Conflict- duplicate test * Adding a 10s sleep to flakey snapshot agent tests that were not finding a snapshot in time. Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com> Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com> Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com> Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com> Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
- Loading branch information