[NET-10567] Fix namespace normalization on external registration/ACL Setup for Terminating Gateways #4224
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jm96441n
added
pr/no-changelog
jm96441n
commented
Jul 31, 2024
| @@ -165,10 +165,10 @@ func CheckStaticServerConnectionSuccessfulWithMessage(t *testing.T, options *k8s | |||
|
|
|||
| // CheckStaticServerConnectionSuccessful is just like CheckStaticServerConnection | |||
| // but it always expects a successful connection. | |||
| func CheckStaticServerConnectionSuccessful(t *testing.T, options *k8s.KubectlOptions, sourceApp string, curlArgs ...string) { | |||
There was a problem hiding this comment.
modified this argument to make it more clear what options it should be for (in multi-namespace scenarios)
jm96441n
commented
Jul 31, 2024
| // WaitForInput starts a http server on a random port (which is output in the logs) and waits until you | ||
| // issue a request to that endpoint to continue the tests. This is useful for debugging tests that require | ||
| // inspecting the current state of a running cluster and you don't need to use long sleeps | ||
| func WaitForInput(t *testing.T) { |
There was a problem hiding this comment.
this was super useful for debugging the state of the cluster during tests and not needing to put a random sleep time in the test
There was a problem hiding this comment.
moved this into it's own PR #4225
jm96441n
commented
Aug 1, 2024
| @@ -231,9 +227,9 @@ func (c *RegistrationCache) updateTermGWACLRole(log logr.Logger, registration *v | |||
| var data bytes.Buffer | |||
| if err := gatewayTpl.Execute(&data, templateArgs{ | |||
| EnablePartitions: c.partitionsEnabled, | |||
| Partition: registration.Spec.Service.Partition, | |||
| Partition: defaultIfEmpty(registration.Spec.Service.Partition), | |||
There was a problem hiding this comment.
these bits here fix the bug, the rest is just updating tests
jm96441n
force-pushed
the
NET-10567-fix-namespace-normalization-registration
branch
from
d05eb97
to
bd7508f
Compare
jm96441n
removed
the
pr/no-changelog
jm96441n
requested review from
a team,
NiniOak and
wangxinyi7
and removed request for
a team
jm96441n
commented
Aug 12, 2024
| @@ -90,6 +90,10 @@ func TestControllerNamespaces(t *testing.T) { | |||
|
|
|||
| "global.acls.manageSystemACLs": strconv.FormatBool(c.secure), | |||
| "global.tls.enabled": strconv.FormatBool(c.secure), | |||
|
|
|||
There was a problem hiding this comment.
this test exercises the terminating gateway path and those don't function correctly without this in your helm chart
jm96441n
changed the title
jm96441n
commented
Aug 12, 2024
| "sigs.k8s.io/controller-runtime/pkg/client" | ||
| ) | ||
|
|
||
| const NotInServiceMeshFilter = "ServiceMeta[\"managed-by\"] != \"consul-k8s-endpoints-controller\"" | ||
|
|
||
| func init() { |
There was a problem hiding this comment.
all this moved to the term gateway controller
jm96441n
commented
Aug 12, 2024
|
|
||
| if err := c.k8sClient.Get(c.ctx, types.NamespacedName{Name: svc, Namespace: namespace}, registration); err != nil { |
There was a problem hiding this comment.
the service name here doesn't necessarily map directly to the registration name
jm96441n
commented
Aug 12, 2024
| @@ -44,12 +44,12 @@ type RegistrationsController struct { | |||
| Log logr.Logger | |||
| } | |||
|
|
|||
| // +kubebuilder:rbac:groups=consul.hashicorp.com,resources=servicerouters,verbs=get;list;watch;create;update;patch;delete | |||
| // +kubebuilder:rbac:groups=consul.hashicorp.com,resources=servicerouters/status,verbs=get;update;patch | |||
There was a problem hiding this comment.
found this copy/pasta mistake
jm96441n
commented
Aug 12, 2024
|
|
||
| func (r *RegistrationsController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { | ||
| log := r.Log.V(1).WithValues("registration", req.NamespacedName) | ||
| log.Info("Reconciling Registaration") |
jm96441n
commented
Aug 12, 2024
| t.Run(c.kubeKind, func(t *testing.T) { | ||
| req := require.New(t) | ||
| ctx := context.Background() | ||
| for _, secure := range []bool{true, false} { |
There was a problem hiding this comment.
updated these tests to run in secure and non secure mode to ensure config entries are created when acls are enabled
left emtpy in acl policy if not specified in the CRD which results in an invalid acl policy
external service config entry registration from tests
jm96441n
commented
Aug 16, 2024
| } | ||
|
|
||
| t.Log("input received, continuing test") | ||
| go func() { |
There was a problem hiding this comment.
this was causing the caller to hang if we didn't do it async
jm96441n
commented
Aug 16, 2024
| @@ -60,18 +60,6 @@ func (r *RegistrationsController) Reconcile(ctx context.Context, req ctrl.Reques | |||
| return ctrl.Result{}, client.IgnoreNotFound(err) | |||
| } | |||
|
|
|||
| cachedRegistration, ok := r.Cache.get(registration.Spec.Service.Name) | |||
There was a problem hiding this comment.
moved this down so we handle deletion correctly
jm96441n
commented
Aug 16, 2024
| @@ -143,48 +143,9 @@ func (r *RegistrationsController) handleRegistration(ctx context.Context, log lo | |||
| return result | |||
| } | |||
|
|
|||
| if r.Cache.aclsEnabled() { | |||
There was a problem hiding this comment.
all the acl updates are done on the terminating gateway now to remove this controller racing with that one
missylbytes
reviewed
Aug 19, 2024
...ating-gateway-namespaces/all-non-default/external-service-registration/external-service.yaml
Show resolved
Hide resolved
missylbytes
reviewed
Aug 19, 2024
jm96441n
commented
Aug 20, 2024
control-plane/controllers/configentries/terminatinggateway_controller.go
Outdated
Show resolved
Hide resolved
jm96441n
commented
Aug 20, 2024
control-plane/controllers/configentries/terminatinggateway_controller.go
Outdated
Show resolved
Hide resolved
jm96441n
commented
Aug 20, 2024
control-plane/controllers/configentries/terminatinggateway_controller.go
Outdated
Show resolved
Hide resolved
missylbytes
approved these changes
Aug 20, 2024
There was a problem hiding this comment.
Some thoughts after walking through the PR with @jm96441n on a call a few minutes ago
control-plane/controllers/configentries/terminatinggateway_controller.go
Outdated
Show resolved
Hide resolved
control-plane/controllers/configentries/terminatinggateway_controller.go
Outdated
Show resolved
Hide resolved
control-plane/controllers/configentries/terminatinggateway_controller.go
Outdated
Show resolved
Hide resolved
control-plane/controllers/configentries/terminatinggateway_controller.go
Outdated
Show resolved
Hide resolved
control-plane/controllers/configentries/terminatinggateway_controller.go
Outdated
Show resolved
Hide resolved
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
needed and updating variable names to be more consistent
control-plane/controllers/configentries/terminatinggateway_controller.go
Outdated
Show resolved
Hide resolved
nathancoleman
approved these changes
Aug 20, 2024
jm96441n
deleted the
NET-10567-fix-namespace-normalization-registration
branch
2 tasks
jm96441n
added a commit
that referenced
this pull request
Aug 21, 2024
…Setup for Terminating Gateways (#4224) * fix bug in external service registration ACL creation where namespace is left emtpy in acl policy if not specified in the CRD which results in an invalid acl policy * Remove check for timestamp * update tests! * update to use helper function * all non default working * test cases all working * move wait for it to separate PR * use replace for consul-k8s control-plane * update single namespace test * updated namespaces and destinations test * remove usage of creating terminating gateway config entry creation and external service config entry registration from tests * fix typo * update comment * comment out broken test for the time being * remove unused import and add period to comment * add changelog * fix bug in cache creation for registrations, still debugging issue with termianting gateways and acl roles * fix issue with terminating gateway acl role by moving role modification from registrations controller to terminating gateway controller * appease the linter * add acl status condition to terminating gateways * linter * update config entry terminating gateway tests * Use more robust method of checking if acls are enabled * update config entries controller unit tests to run with acls and without * fix config entries namespaces test setup * fix unused import * fix config entries main test * remove block for deregistering service * fix comment * fix acceptance test registration * handle removing policies when no other gateways reference them * fix terminating gateway configuration for peering connect test * remove unnecessary nodeMeta on fixture, remove unused yaml files from fixtures * fix wildcard service names * use more specific matchers to avoid potential substring collisions * Update .changelog/4224.txt Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * cleaning up from PR review: moving template execution to where it's needed and updating variable names to be more consistent * add comment * fix typo --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
jm96441n
added a commit
that referenced
this pull request
Aug 21, 2024
…tration/ACL Setup for Terminating Gateways into release/1.5.x (#4259) [NET-10567] Fix namespace normalization on external registration/ACL Setup for Terminating Gateways (#4224) * fix bug in external service registration ACL creation where namespace is left emtpy in acl policy if not specified in the CRD which results in an invalid acl policy * Remove check for timestamp * update tests! * update to use helper function * all non default working * test cases all working * move wait for it to separate PR * use replace for consul-k8s control-plane * update single namespace test * updated namespaces and destinations test * remove usage of creating terminating gateway config entry creation and external service config entry registration from tests * fix typo * update comment * comment out broken test for the time being * remove unused import and add period to comment * add changelog * fix bug in cache creation for registrations, still debugging issue with termianting gateways and acl roles * fix issue with terminating gateway acl role by moving role modification from registrations controller to terminating gateway controller * appease the linter * add acl status condition to terminating gateways * linter * update config entry terminating gateway tests * Use more robust method of checking if acls are enabled * update config entries controller unit tests to run with acls and without * fix config entries namespaces test setup * fix unused import * fix config entries main test * remove block for deregistering service * fix comment * fix acceptance test registration * handle removing policies when no other gateways reference them * fix terminating gateway configuration for peering connect test * remove unnecessary nodeMeta on fixture, remove unused yaml files from fixtures * fix wildcard service names * use more specific matchers to avoid potential substring collisions * Update .changelog/4224.txt * cleaning up from PR review: moving template execution to where it's needed and updating variable names to be more consistent * add comment * fix typo --------- Co-authored-by: John Maguire <john.maguire@hashicorp.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
|
@jm96441n -- Awesome update to the TGW workflow! Can you ensure that this gets updated though to account for enabling Admin Partitions -- Testing this I had to manually (tproxy destinations method) update the ACL policy for one of my external services from: namespace "default" {
service "example" {
policy = "write"
}
}to partition "default" {
namespace "default" {
node_prefix "" {
policy = "read"
}
service "example" {
policy = "write"
intention = "read"
}
}
}Additionally, I'm positive the
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR
How I've tested this PR
How I expect reviewers to test this PR
make docker-devCONSUL_K8S_CHART_LOCATIONvariable in thestart.shfile to point to the helm charts in your local version of consul-start.shfile (this requires you to havekindandyqon your machine, and you'll need to runchmod +x ./start.sh)consul acl role listand you will see both terminating gateways with the term gateway policy and the zoidberg and nibbler policiesconsul acl policy read -name zoidberg-write-policyto see the policy include the namespacecurl localhost:1234to see the request to zoidberg go through, runcurl localhost:5678to see the request to nibbler go throughtermgw.yamlfile to no longer reference the zoidberg service and apply the fileconsul acl role listand see the first terminating gateway no longer references the zoidberg policyconsul acl policy listand you'll see the zoidberg policy still existsconsul acl role listand see that none of the terminating gateways reference that policyconsul acl policy listand see that the zoidberg policy no longer exists because no gateway is referencing itChecklist