Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable ACL Client Token #1093

Merged
merged 19 commits into from
Mar 15, 2022
Merged

Enable ACL Client Token #1093

merged 19 commits into from
Mar 15, 2022

Conversation

jmurret
Copy link
Member

@jmurret jmurret commented Mar 10, 2022

This PR is best viewed Commit by Commit to see the description/purpose and what got added.

Changes proposed in this PR:

  • control-plane/subcommand/acl-init/command.go
    • when using ACLs, retrieve the token secret from consul login rather than k8s secrets
    • when external servers are configured, use them for the cases of partition set up
  • control-plane/subcommand/common/common.go
  • control-plane/subcommand/connect-init/command.go - minor changes to support return type change toConsulLogin
  • control-plane/subcommand/partition-init/command.go - refactor touse existing tls-server-name flag.
  • control-plane/subcommand/server-acl-init/create_or_update.go - make change to create BindingRule if it does not exist rather than error when there are other existing BindingRules associated with the auth method
  • control-plane/subcommand/server-acl-init/command.go
    • change -create-client-token flag to -client flag
    • create consul policy and binding role rather than a k8s secret so it can be used to authenticate client-acl-init when it calls ConsulLogin().

How I've tested this PR:

  • Acceptance Tests
  • Unit Tests

How I expect reviewers to test this PR:
👀

Checklist:

  • Tests added
  • CHANGELOG entry added

@jmurret jmurret force-pushed the jm/acl-client branch 5 times, most recently from e62995f to f305e0e Compare March 11, 2022 21:16
@hashicorp-cla
Copy link

hashicorp-cla commented Mar 11, 2022

CLA assistant check
All committers have signed the CLA.

@jmurret jmurret force-pushed the acls-refactor-base-branch branch from 158bb3d to e41855a Compare March 11, 2022 21:57
@jmurret jmurret force-pushed the jm/acl-client branch 6 times, most recently from 7a56bb8 to 818a5db Compare March 14, 2022 15:49
@@ -48,7 +48,7 @@ as well as the global.name setting.
{{- define "consul.serverTLSAltNames" -}}
{{- $name := include "consul.fullname" . -}}
{{- $ns := .Release.Namespace -}}
{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,*.%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }}
{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Modifying SANs in cert so client pod can talk to server load balancer.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we also include %s-server.%s and %s-server for completeness?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Those are the 2nd and 4th entries above.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh good point! I didn't notice the 2nd entry. The 4th one though is *.%s-server.%s and I'm wondering about %s-server.%s (i.e. without a wildcard).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Gotcha. Coming up.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just pushed it up.

@@ -78,6 +78,7 @@ spec:
-additional-dnsname="*.{{ template "consul.fullname" . }}-server" \
-additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \
-additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \
-additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Modifying SANs in cert so client pod can talk to server load balancer.

@@ -47,6 +48,7 @@ spec:
annotations:
{{- if .Values.global.secretsBackend.vault.enabled }}
"vault.hashicorp.com/agent-inject": "true"
"vault.hashicorp.com/agent-init-first": "true"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need vault agent injector to fun before client-acl-init initContainer.

@@ -135,6 +140,13 @@ spec:
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- else }}
emptyDir:
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when using vault, the cert will come form a temp file, not a k8s secret.

env:
{{- if .Values.global.acls.manageSystemACLs }}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

need this also for the logout command in the preStop above.

{{- end }}
-log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \
-log-json={{ .Values.global.logJSON }} \
{{- if .Values.externalServers.enabled }}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this follows prior art of partition-init-job and tls-init-job. In a partition scenario, the client container needs to talk directly to the servers in another DC and external servers will be configured. When configured, client-acl-init should use them.

@@ -86,10 +86,10 @@ spec:
{{- if .Values.global.tls.enabled }}
-use-https \
{{- if not .Values.externalServers.useSystemRoots }}
-consul-ca-cert=/consul/tls/ca/tls.crt \
-ca-file=/consul/tls/ca/tls.crt \
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These two flags are already available in c.http so we will use those instead of having two similar, unnecessary flags.

@@ -244,7 +244,7 @@ spec:
{{- end }}

{{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
-create-client-token=false \
-client=false \
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing flag to the new flag convention.

@@ -91,7 +91,7 @@ load _helpers
actual=$(echo $command | jq -r '. | any(contains("-use-https"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

actual=$(echo $command | jq -r '. | any(contains("-consul-ca-cert=/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This flag already existed, so we will use it instead.

// For all of the next operations we'll need a Consul client.
serverAddr := fmt.Sprintf("%s:%d", serverAddresses[0], c.flagServerPort)
cfg.Address = serverAddr
cfg.Scheme = scheme
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This whole added block is taken from prior art in partition-init command. basically an external server(s) has been passed in and we want to talk to that and not the default endpoint.

// Write out the resultant token file.
// Must be 0644 because this is written by the consul-k8s user but needs
// to be readable by the consul user
if err := WriteFileWithPerms(tokenSinkFile, tok.SecretID, 0644); err != nil {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -88,15 +88,15 @@ func ValidateUnprivilegedPort(flagName, flagValue string) error {

// ConsulLogin issues an ACL().Login to Consul and writes out the token to tokenSinkFile.
// The logic of this is taken from the `consul login` command.
func ConsulLogin(client *api.Client, cfg *api.Config, authMethodName, datacenter, namespace, bearerTokenFile, serviceAccountName, tokenSinkFile string, meta map[string]string, log hclog.Logger) error {
func ConsulLogin(client *api.Client, cfg *api.Config, authMethodName, datacenter, namespace, bearerTokenFile, serviceAccountName, tokenSinkFile string, meta map[string]string, log hclog.Logger) (*api.ACLToken, error) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change signature to return token so that it can be used directly from a ConsulLogin call and we don't have to use i/oto read it from the sink file if not necessary.

@@ -123,7 +123,7 @@ func (c *Command) Run(args []string) int {
if c.flagACLAuthMethod != "" {
// loginMeta is the default metadata that we pass to the consul login API.
loginMeta := map[string]string{"pod": fmt.Sprintf("%s/%s", c.flagPodNamespace, c.flagPodName)}
err = common.ConsulLogin(consulClient, cfg, c.flagACLAuthMethod, "", c.flagAuthMethodNamespace, c.flagBearerTokenFile, c.flagServiceAccountName, c.flagACLTokenSink, loginMeta, c.logger)
_, err = common.ConsulLogin(consulClient, cfg, c.flagACLAuthMethod, "", c.flagAuthMethodNamespace, c.flagBearerTokenFile, c.flagServiceAccountName, c.flagACLTokenSink, loginMeta, c.logger)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

byproduct of refactoring ConsulLogin signature

@@ -64,7 +64,7 @@ func TestConsulLogin(t *testing.T) {
log, err := Logger("INFO", false)
require.NoError(err)
client, cfg := startMockServer(t, &counter)
err = ConsulLogin(client, cfg, testAuthMethod, "dc1", "", bearerTokenFile, "", tokenFile, testPodMeta, log)
_, err = ConsulLogin(client, cfg, testAuthMethod, "dc1", "", bearerTokenFile, "", tokenFile, testPodMeta, log)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything in this file is a byproduct of refactoring ConsulLogin signature

agentRules, err := c.agentRules()
if err != nil {
c.log.Error("Error templating client agent rules", "err", err)
return 1
}

err = c.createLocalACL("client", agentRules, consulDC, primary, consulClient)
serviceAccountName := c.withPrefix("client")
err = c.createACLPolicyRoleAndBindingRule("client", agentRules, consulDC, primaryDC, false, primary, localComponentAuthMethodName, serviceAccountName, consulClient)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Set up the binding rule and policy that later client-acl-init will be authenticated with the BindingRule and get a token.

@jmurret jmurret marked this pull request as ready for review March 14, 2022 17:50
@jmurret jmurret merged commit 1476ecf into acls-refactor-base-branch Mar 15, 2022
@jmurret jmurret deleted the jm/acl-client branch March 15, 2022 21:44
jmurret added a commit that referenced this pull request Mar 16, 2022
* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.
jmurret added a commit that referenced this pull request Mar 22, 2022
* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.
@jmurret jmurret added the area/acls Related to ACLs label Mar 24, 2022
jmurret added a commit that referenced this pull request Mar 29, 2022
* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.
jmurret added a commit that referenced this pull request Mar 29, 2022
* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.
jmurret added a commit that referenced this pull request Mar 29, 2022
* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.
jmurret added a commit that referenced this pull request Mar 29, 2022
* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.
jmurret added a commit that referenced this pull request Mar 29, 2022
* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.
jmurret added a commit that referenced this pull request Mar 30, 2022
* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* PR Feedback - change client-snapshot-deployment to only have one vault role entry even when needing to set to vault roles

* PR Feedback - when both snapshot agent and ca roles are specified in vault, it should get the sa role.

* Simplifying conditional for vault role.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
jmurret added a commit that referenced this pull request Mar 30, 2022
* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.
jmurret added a commit that referenced this pull request Mar 30, 2022
…Snapshot agent acceptance tests (#1125)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Adding an acceptance test for snapshot agent.  It currently fails because of a bug with Consul where it does not recognize CONSUL_HTTP_TOKEN.  Will need to refactor test to bootstrap, then create vault secret with embedded acl token, then helm upgrade to add snapshot agent.  Then assert that a *.snap file is created.

* Adding acceptance test for snapshot agent on vault.

* renaming test and removing extra file

* Move vault test helpers into framework folder so we can use it more easily from other folders.

* Adding snapshot agent test for k8s secret

* Adding ability to set initial_management token when using k8s secrets. Also working acceptance test for snapshot agent on k8s secrets.

* Adding bats tests. Adding envvar for ACL_BOOTSTRAP_TOKEN. Removing volume and volume mounts for bootstrap token.

* Adding CHANGELOG entry for ability to pre-set bootstrap ACL token

* Fixing bats tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Fixing broken unit tests

* Lowering snapshot interval from 1mto15s for tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/framework/vault/helpers.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* PR Feedback - clarify comments on Vault helper functions

* PR Feedback - clarify comments on Vault helper functions

* Modifying tests to not incidentally send an encoded file

* Removing logging token in acceptance test code.

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
jmurret added a commit that referenced this pull request Mar 30, 2022
* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
jmurret added a commit that referenced this pull request Mar 30, 2022
* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.
jmurret added a commit that referenced this pull request Mar 30, 2022
…inating and ingress gateways (#1120)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways

* Adding check for duplicate terminating gateways and ingress gateway names

* Update charts/consul/templates/ingress-gateways-deployment.yaml

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* PR Feedback - adding the duplicate name found to the check failures for duplicate ingress or terminating gateway names

* Fixing rebase conflict

* Merge Conflict- duplicate test

* Adding a 10s sleep to flakey snapshot agent tests that were not finding a snapshot in time.

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
jmurret added a commit that referenced this pull request Mar 31, 2022
* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.
jmurret added a commit that referenced this pull request Mar 31, 2022
…e-configured bootstrap token as k8s secret. (#1128)

* Use kube auth method to provision ACL token for the crd controller (#995)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Support storing bootstrap token in Vault (#1061)

* Global auth method (#1075)

• Update server-acl-init to create authmethods in the primary datacenter when the job is run in a secondary datacenter during federation. This authmethod allows us to issue logins for global policies.
• Update the controller workflow in server-acl-init to use this global authmethod when run in a secondary DC.
• Update the mesh-gateway acceptance tests to create proxy defaults in the secondary DC to test above behavior works successfully.
• Updated logout to not pass in the partition flag as it is not required.
• Update server acl init tests to migrate from require := require.New(t) to require.xyz(t, ...) patterns.

* Refactor ConnectInject to use authmethods (#1076)

Refactor connect-injector to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.

* Sync token acl refactor (#1081)

• Refactor sync-catalog to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.
• Create a service account and rolebinding dedicated to the component authmethod so that it no longer piggybacks on the one used by the connect-inject authmethod.

* rename the controller flag (#1089)

* Refactor Consul API Gateway Controller to use AuthMethod workflow. (#1083)

* Refactor Consul API Gateway Controller to use AuthMethod workflow.

* Refactor snapshot agent to use new acl authmethod workflow (#1084)

* refactor snapshot agent to use new acl authmethod workflow.

* Refactor mesh-gateway ACL flow (#1085)

* Refactor mesh-gateway ACL flow

* Fix flakey server-acl-init tests with retries (#1095)

* Fix flakey server-acl-init tests with retries

* Adding retry for flakey server-acl-init enterprise test

* adding missing retry module in server-acl-init enterprise tests

* Update Binding Rule if it exists for the authmethod (#1094)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* vault: add support for admin partitions (#1098)

* Refactor common.Login (#1101)

* convert function args to a struct
* add some missing tests
* move logic that is only relevant for connect out

* Use bootstrap token from vault to validate exec'ing into consul server (#1116)

Follow up on #1103

* Enable terminating gateways to use ACL Auth Method (#1102)

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Fixing enterprise tests

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* fixing acceptance test to recognize that long lived tokens will not exist and we ahve to update the role.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Update charts/consul/templates/terminating-gateways-deployment.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Enable snapshot agent configuration to be retrieved from vault (#1113)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* PR Feedback - change client-snapshot-deployment to only have one vault role entry even when needing to set to vault roles

* PR Feedback - when both snapshot agent and ca roles are specified in vault, it should get the sa role.

* Simplifying conditional for vault role.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Ability to set initial_management token when using k8s secret store.  Snapshot agent acceptance tests (#1125)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Adding an acceptance test for snapshot agent.  It currently fails because of a bug with Consul where it does not recognize CONSUL_HTTP_TOKEN.  Will need to refactor test to bootstrap, then create vault secret with embedded acl token, then helm upgrade to add snapshot agent.  Then assert that a *.snap file is created.

* Adding acceptance test for snapshot agent on vault.

* renaming test and removing extra file

* Move vault test helpers into framework folder so we can use it more easily from other folders.

* Adding snapshot agent test for k8s secret

* Adding ability to set initial_management token when using k8s secrets. Also working acceptance test for snapshot agent on k8s secrets.

* Adding bats tests. Adding envvar for ACL_BOOTSTRAP_TOKEN. Removing volume and volume mounts for bootstrap token.

* Adding CHANGELOG entry for ability to pre-set bootstrap ACL token

* Fixing bats tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Fixing broken unit tests

* Lowering snapshot interval from 1mto15s for tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/framework/vault/helpers.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* PR Feedback - clarify comments on Vault helper functions

* PR Feedback - clarify comments on Vault helper functions

* Modifying tests to not incidentally send an encoded file

* Removing logging token in acceptance test code.

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Enable ingress gateways to use ACL Auth Method (#1118)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways (#1120)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways

* Adding check for duplicate terminating gateways and ingress gateway names

* Update charts/consul/templates/ingress-gateways-deployment.yaml

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* PR Feedback - adding the duplicate name found to the check failures for duplicate ingress or terminating gateway names

* Fixing rebase conflict

* Merge Conflict- duplicate test

* Adding a 10s sleep to flakey snapshot agent tests that were not finding a snapshot in time.

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
jmurret added a commit that referenced this pull request Apr 4, 2022
* Use kube auth method to provision ACL token for the crd controller (#995)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Support storing bootstrap token in Vault (#1061)

* Global auth method (#1075)

• Update server-acl-init to create authmethods in the primary datacenter when the job is run in a secondary datacenter during federation. This authmethod allows us to issue logins for global policies.
• Update the controller workflow in server-acl-init to use this global authmethod when run in a secondary DC.
• Update the mesh-gateway acceptance tests to create proxy defaults in the secondary DC to test above behavior works successfully.
• Updated logout to not pass in the partition flag as it is not required.
• Update server acl init tests to migrate from require := require.New(t) to require.xyz(t, ...) patterns.

* Refactor ConnectInject to use authmethods (#1076)

Refactor connect-injector to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.

* Sync token acl refactor (#1081)

• Refactor sync-catalog to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.
• Create a service account and rolebinding dedicated to the component authmethod so that it no longer piggybacks on the one used by the connect-inject authmethod.

* rename the controller flag (#1089)

* Refactor Consul API Gateway Controller to use AuthMethod workflow. (#1083)

* Refactor Consul API Gateway Controller to use AuthMethod workflow.

* Refactor snapshot agent to use new acl authmethod workflow (#1084)

* refactor snapshot agent to use new acl authmethod workflow.

* Refactor mesh-gateway ACL flow (#1085)

* Refactor mesh-gateway ACL flow

* Fix flakey server-acl-init tests with retries (#1095)

* Fix flakey server-acl-init tests with retries

* Adding retry for flakey server-acl-init enterprise test

* adding missing retry module in server-acl-init enterprise tests

* Update Binding Rule if it exists for the authmethod (#1094)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* vault: add support for admin partitions (#1098)

* Refactor common.Login (#1101)

* convert function args to a struct
* add some missing tests
* move logic that is only relevant for connect out

* Use bootstrap token from vault to validate exec'ing into consul server (#1116)

Follow up on #1103

* Enable terminating gateways to use ACL Auth Method (#1102)

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Fixing enterprise tests

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* fixing acceptance test to recognize that long lived tokens will not exist and we ahve to update the role.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Update charts/consul/templates/terminating-gateways-deployment.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Enable snapshot agent configuration to be retrieved from vault (#1113)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* PR Feedback - change client-snapshot-deployment to only have one vault role entry even when needing to set to vault roles

* PR Feedback - when both snapshot agent and ca roles are specified in vault, it should get the sa role.

* Simplifying conditional for vault role.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Ability to set initial_management token when using k8s secret store.  Snapshot agent acceptance tests (#1125)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Adding an acceptance test for snapshot agent.  It currently fails because of a bug with Consul where it does not recognize CONSUL_HTTP_TOKEN.  Will need to refactor test to bootstrap, then create vault secret with embedded acl token, then helm upgrade to add snapshot agent.  Then assert that a *.snap file is created.

* Adding acceptance test for snapshot agent on vault.

* renaming test and removing extra file

* Move vault test helpers into framework folder so we can use it more easily from other folders.

* Adding snapshot agent test for k8s secret

* Adding ability to set initial_management token when using k8s secrets. Also working acceptance test for snapshot agent on k8s secrets.

* Adding bats tests. Adding envvar for ACL_BOOTSTRAP_TOKEN. Removing volume and volume mounts for bootstrap token.

* Adding CHANGELOG entry for ability to pre-set bootstrap ACL token

* Fixing bats tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Fixing broken unit tests

* Lowering snapshot interval from 1mto15s for tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/framework/vault/helpers.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Update acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* PR Feedback - clarify comments on Vault helper functions

* PR Feedback - clarify comments on Vault helper functions

* Modifying tests to not incidentally send an encoded file

* Removing logging token in acceptance test code.

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Enable ingress gateways to use ACL Auth Method (#1118)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways (#1120)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways

* Adding check for duplicate terminating gateways and ingress gateway names

* Update charts/consul/templates/ingress-gateways-deployment.yaml

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* PR Feedback - adding the duplicate name found to the check failures for duplicate ingress or terminating gateway names

* Fixing rebase conflict

* Merge Conflict- duplicate test

* Adding a 10s sleep to flakey snapshot agent tests that were not finding a snapshot in time.

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Updating changelog for ACLs work.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

* Adding note about old acl token cleanup.  Adding note about configuring k8sAuthMethodHost in secondary datacenters when using mesh gateways in mesh federation.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/acls Related to ACLs
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants