resolve merge conflicts

hashicorp · Jun 16, 2022 · c49dd14 · c49dd14
2 parents e4efa07 + 136d312
commit c49dd14
Show file tree

Hide file tree

Showing 59 changed files with 4,694 additions and 431 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -4,8 +4,8 @@ on:
 
 env:
   TEST_RESULTS: /tmp/test-results # path to where test results are saved
-  CONSUL_VERSION: 1.12.0 # Consul's OSS version to use in tests
-  CONSUL_ENT_VERSION: 1.12.0+ent # Consul's enterprise version to use in tests
+  CONSUL_VERSION: 1.13.0-alpha1 # Consul's OSS version to use in tests
+  CONSUL_ENT_VERSION: 1.13.0-alpha1+ent # Consul's enterprise version to use in tests
   GOTESTSUM_VERSION: 1.6.4 # You cannot use environment variables with workflows. The gotestsum version is hardcoded in the reusable workflows too.
 
 jobs:
@@ -142,14 +142,14 @@ jobs:
       - run:  mkdir -p ${{env.TEST_RESULTS}}
       - run:  echo "$HOME/bin" >> $GITHUB_PATH
 
-      - name: Download consul 
-        working-directory: control-plane 
+      - name: Download consul
+        working-directory: control-plane
         run: |
-            mkdir -p $HOME/bin
-            wget https://releases.hashicorp.com/consul/${{env.CONSUL_VERSION}}/consul_${{env.CONSUL_VERSION}}_linux_amd64.zip && \
-              unzip consul_${{env.CONSUL_VERSION}}_linux_amd64.zip -d $HOME/bin && \
-              rm consul_${{env.CONSUL_VERSION}}_linux_amd64.zip
-            chmod +x $HOME/bin/consul
+          mkdir -p $HOME/bin
+          wget https://releases.hashicorp.com/consul/${{env.CONSUL_VERSION}}/consul_${{env.CONSUL_VERSION}}_linux_amd64.zip && \
+            unzip consul_${{env.CONSUL_VERSION}}_linux_amd64.zip -d $HOME/bin && \
+            rm consul_${{env.CONSUL_VERSION}}_linux_amd64.zip
+          chmod +x $HOME/bin/consul
 
       - name: Run go tests
         working-directory: control-plane
@@ -191,13 +191,13 @@ jobs:
       - run:  mkdir -p ${{env.TEST_RESULTS}}
       - run:  echo "$HOME/bin" >> $GITHUB_PATH
 
-      - name: Download consul 
-        working-directory: control-plane 
+      - name: Download consul
+        working-directory: control-plane
         run: |
-            mkdir -p $HOME/bin
-            wget https://releases.hashicorp.com/consul/${{env.CONSUL_ENT_VERSION}}/consul_${{env.CONSUL_ENT_VERSION}}_linux_amd64.zip && \
-              unzip consul_${{env.CONSUL_ENT_VERSION}}_linux_amd64.zip -d $HOME/bin && \
-              rm consul_${{env.CONSUL_ENT_VERSION}}_linux_amd64.zip
+          mkdir -p $HOME/bin
+          wget https://releases.hashicorp.com/consul/${{env.CONSUL_ENT_VERSION}}/consul_${{env.CONSUL_ENT_VERSION}}_linux_amd64.zip && \
+            unzip consul_${{env.CONSUL_ENT_VERSION}}_linux_amd64.zip -d $HOME/bin && \
+            rm consul_${{env.CONSUL_ENT_VERSION}}_linux_amd64.zip
             chmod +x $HOME/bin/consul
 
       - name: Run go tests

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,21 @@
 ## UNRELEASED
 
+FEATURES:
+* [Experimental] Cluster Peering: Support Consul cluster peering, which allows service connectivity between two independent clusters.
+  [[GH-1273](https://github.com/hashicorp/consul-k8s/pull/1273)]
+
+  Enabling peering will deploy the peering controllers and PeeringAcceptor and PeeringDialer CRDs. The new CRDs are used
+  to establish a peering connection between two clusters.
+
+  See the [Cluster Peering on Kubernetes](https://www.consul.io/docs/connect/cluster-peering/k8s)
+  for full instructions.
+
+  Requirements:
+  * Consul 1.13+
+  * `global.peering.enabled=true` and `connectInject.enabled=true` must be set to enable peering.
+  * Mesh gateways are required for service to service communication across peers, i.e `meshGateway.enabled=true`.
+
 IMPROVEMENTS:
-* Control Plane
-  * Enable configuring Connect Injector and Controller Webhooks' certificates to be managed by Vault. [[GH-1191](https://github.com/hashicorp/consul-k8s/pull/1191/)]
 * Helm
   * Enable the configuring of snapshot intervals in the client snapshot agent via `client.snapshotAgent.interval`. [[GH-1235](https://github.com/hashicorp/consul-k8s/pull/1235)]
   * Enable configuring the pod topologySpreadConstraints for mesh, terminating, and ingress gateways. [[GH-1257](https://github.com/hashicorp/consul-k8s/pull/1257)]
@@ -11,14 +24,17 @@ IMPROVEMENTS:
   * Enable the configuration of Envoy proxy concurrency via `connectInject.sidecarProxy.concurrency` which can
     be overridden at the pod level via the annotation `consul.hashicorp.com/consul-envoy-proxy-concurrency`.
     This PR also sets the default concurrency for envoy proxies to `2`. [[GH-1277](https://github.com/hashicorp/consul-k8s/pull/1277)]
+  * Update Mesh CRD with Mesh HTTP Config. [[GH-1282](https://github.com/hashicorp/consul-k8s/pull/1282)]
 * Control Plane
   * Bump Dockerfile base image for RedHat UBI `consul-k8s-control-plane` image to `ubi-minimal:8.6`. [[GH-1244](https://github.com/hashicorp/consul-k8s/pull/1244)]
   * Add additional metadata to service instances registered via catalog sync. [[GH-447](https://github.com/hashicorp/consul-k8s/pull/447)]
+  * Enable configuring Connect Injector and Controller Webhooks' certificates to be managed by Vault. [[GH-1191](https://github.com/hashicorp/consul-k8s/pull/1191/)]
 
 BUG FIXES:
 * Helm
   * Update client-snapshot-agent so that setting `client.snapshotAgent.caCert` no longer requires root access to modify the trust store. [[GH-1190](https://github.com/hashicorp/consul-k8s/pull/1190/)]
   * Add missing vault agent annotations to the `api-gateway-controller-deployment`. [[GH-1247](https://github.com/hashicorp/consul-k8s/pull/1247)]
+  * Bump default Envoy version to 1.22.2. [[GH-1276](https://github.com/hashicorp/consul-k8s/pull/1276)]
 
 ## 0.44.0 (May 17, 2022)
 

diff --git a/Makefile b/Makefile
@@ -18,9 +18,10 @@ control-plane-dev: ## Build consul-k8s-control-plane binary.
 	@$(SHELL) $(CURDIR)/control-plane/build-support/scripts/build-local.sh -o $(GOOS) -a $(GOARCH)
 
 control-plane-dev-docker: ## Build consul-k8s-control-plane dev Docker image.
-	@$(SHELL) $(CURDIR)/control-plane/build-support/scripts/build-local.sh -o linux -a amd64
-	@DOCKER_DEFAULT_PLATFORM=linux/amd64 docker build -t '$(DEV_IMAGE)' \
+	@$(SHELL) $(CURDIR)/control-plane/build-support/scripts/build-local.sh -o linux -a $(GOARCH)
+	docker build -t '$(DEV_IMAGE)' \
        --target=dev \
+       --build-arg 'ARCH=$(GOARCH)' \
        --build-arg 'GIT_COMMIT=$(GIT_COMMIT)' \
        --build-arg 'GIT_DIRTY=$(GIT_DIRTY)' \
        --build-arg 'GIT_DESCRIBE=$(GIT_DESCRIBE)' \

diff --git a/acceptance/go.mod b/acceptance/go.mod
@@ -5,9 +5,10 @@ go 1.17
 require (
 	github.com/gruntwork-io/terratest v0.31.2
 	github.com/hashicorp/consul-k8s/control-plane v0.0.0-20211207212234-aea9efea5638
-	github.com/hashicorp/consul/api v1.12.0
+	github.com/hashicorp/consul/api v1.10.1-0.20220614213650-6453375ab228
 	github.com/hashicorp/consul/sdk v0.9.0
 	github.com/hashicorp/go-uuid v1.0.3
+	github.com/hashicorp/go-version v1.2.0
 	github.com/hashicorp/vault/api v1.2.0
 	github.com/stretchr/testify v1.7.0
 	gopkg.in/yaml.v2 v2.4.0
@@ -34,7 +35,7 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.1 // indirect
-	github.com/google/go-cmp v0.5.6 // indirect
+	github.com/google/go-cmp v0.5.7 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/uuid v1.1.2 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
@@ -50,7 +51,6 @@ require (
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
-	github.com/hashicorp/go-version v1.2.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/serf v0.9.6 // indirect

diff --git a/acceptance/go.sum b/acceptance/go.sum
@@ -333,8 +333,9 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
+github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk=
 github.com/google/go-querystring v0.0.0-20170111101155-53e6ce116135/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@@ -387,8 +388,8 @@ github.com/hashicorp/consul-k8s/control-plane v0.0.0-20211207212234-aea9efea5638
 github.com/hashicorp/consul-k8s/control-plane v0.0.0-20211207212234-aea9efea5638/go.mod h1:7ZeaiADGbvJDuoWAT8UKj6KCcLsFUk+34OkUGMVtdXg=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.10.1-0.20211116182834-e6956893fb6f/go.mod h1:6pVBMo0ebnYdt2S3H87XhekM/HHrUoTD2XXb/VrZVy0=
-github.com/hashicorp/consul/api v1.12.0 h1:k3y1FYv6nuKyNTqj6w9gXOx5r5CfLj/k/euUeBXj1OY=
-github.com/hashicorp/consul/api v1.12.0/go.mod h1:6pVBMo0ebnYdt2S3H87XhekM/HHrUoTD2XXb/VrZVy0=
+github.com/hashicorp/consul/api v1.10.1-0.20220614213650-6453375ab228 h1:BqzKe5O+75uYcFfJI0mJz3rhCgdVztvEj3rEs4xpPr0=
+github.com/hashicorp/consul/api v1.10.1-0.20220614213650-6453375ab228/go.mod h1:ZlVrynguJKcYr54zGaDbaL3fOvKC9m72FhPvA8T35KQ=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/consul/sdk v0.9.0 h1:NGSHAU7X3yDCjo8WBUbNOtD3BSqv8u0vu3+zNxgmxQI=
@@ -440,7 +441,6 @@ github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjG
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=

diff --git a/charts/consul/Chart.yaml b/charts/consul/Chart.yaml
@@ -17,7 +17,7 @@ annotations:
     - name: consul-k8s-control-plane
       image: hashicorp/consul-k8s-control-plane:0.44.0
     - name: envoy
-      image: envoyproxy/envoy:v1.22.0
+      image: envoyproxy/envoy:v1.22.2
   artifacthub.io/license: MPL-2.0
   artifacthub.io/links: |
     - name: Documentation

diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml
@@ -44,6 +44,52 @@ rules:
   - watch
   - patch
 {{- end }}
+{{- if .Values.global.peering.enabled }}
+- apiGroups: [ "" ]
+  resources: ["secrets"]
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+  - "create"
+  - "delete"
+- apiGroups: ["consul.hashicorp.com"]
+  resources: ["peeringacceptors"]
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - consul.hashicorp.com
+  resources:
+    - peeringacceptors/status
+  verbs:
+    - get
+    - patch
+    - update
+- apiGroups: ["consul.hashicorp.com"]
+  resources: ["peeringdialers"]
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - consul.hashicorp.com
+  resources:
+    - peeringdialers/status
+  verbs:
+    - get
+    - patch
+    - update
+{{- end }}
 {{- if .Values.global.enablePodSecurityPolicies }}
 - apiGroups: [ "policy" ]
   resources: [ "podsecuritypolicies" ]

diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }}
 {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}{{ fail "clients must be enabled for connect injection" }}{{ end }}
 {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for connect injection" }}{{ end }}
@@ -131,6 +132,9 @@ spec:
                 {{- else }}
                 -default-enable-transparent-proxy=false \
                 {{- end }}
+                {{- if .Values.global.peering.enabled }}
+                -enable-peering=true \
+                {{- end }}
                 {{- if .Values.global.openshift.enabled }}
                 -enable-openshift \
                 {{- end }}

diff --git a/charts/consul/templates/crd-exportedservices.yaml b/charts/consul/templates/crd-exportedservices.yaml
@@ -75,6 +75,10 @@ spec:
                             description: Partition is the admin partition to export
                               the service to.
                             type: string
+                          peer:
+                            description: '[Experimental] Peer is the name of the peer
+                              to export the service to.'
+                            type: string
                         type: object
                       type: array
                     name:

diff --git a/charts/consul/templates/crd-meshes.yaml b/charts/consul/templates/crd-meshes.yaml
@@ -55,6 +55,14 @@ spec:
           spec:
             description: MeshSpec defines the desired state of Mesh.
             properties:
+              http:
+                description: HTTP defines the HTTP configuration for the service mesh.
+                properties:
+                  sanitizeXForwardedClientCert:
+                    type: boolean
+                required:
+                - sanitizeXForwardedClientCert
+                type: object
               tls:
                 description: TLS defines the TLS configuration for the service mesh.
                 properties:

diff --git a/charts/consul/templates/crd-peeringacceptors.yaml b/charts/consul/templates/crd-peeringacceptors.yaml
@@ -0,0 +1,116 @@
+{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: peeringacceptors.consul.hashicorp.com
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: crd
+spec:
+  group: consul.hashicorp.com
+  names:
+    kind: PeeringAcceptor
+    listKind: PeeringAcceptorList
+    plural: peeringacceptors
+    singular: peeringacceptor
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PeeringAcceptor is the Schema for the peeringacceptors API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor.
+            properties:
+              peer:
+                description: Peer describes the information needed to create a peering.
+                properties:
+                  secret:
+                    description: Secret describes how to store the generated peering
+                      token.
+                    properties:
+                      backend:
+                        description: 'Backend is where the generated secret is stored.
+                          Currently supports the value: "kubernetes".'
+                        type: string
+                      key:
+                        description: Key is the key of the secret generated.
+                        type: string
+                      name:
+                        description: Name is the name of the secret generated.
+                        type: string
+                    type: object
+                type: object
+            required:
+            - peer
+            type: object
+          status:
+            description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor.
+            properties:
+              lastReconcileTime:
+                description: LastReconcileTime is the last time the resource was reconciled.
+                format: date-time
+                type: string
+              reconcileError:
+                description: ReconcileError shows any errors during the last reconciliation
+                  of this resource.
+                properties:
+                  error:
+                    description: Error is a boolean indicating if there was an error
+                      during the last reconcile of this resource.
+                    type: boolean
+                  message:
+                    description: Message displays the error message from the last
+                      reconcile.
+                    type: string
+                type: object
+              secret:
+                description: SecretRef shows the status of the secret.
+                properties:
+                  backend:
+                    description: 'Backend is where the generated secret is stored.
+                      Currently supports the value: "kubernetes".'
+                    type: string
+                  key:
+                    description: Key is the key of the secret generated.
+                    type: string
+                  name:
+                    description: Name is the name of the secret generated.
+                    type: string
+                  resourceVersion:
+                    description: ResourceVersion is the resource version for the secret.
+                    type: string
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+{{- end }}