diff --git a/templates/mesh-gateway-clusterrole.yaml b/templates/mesh-gateway-clusterrole.yaml
index 078555dce..91092a64a 100644
--- a/templates/mesh-gateway-clusterrole.yaml
+++ b/templates/mesh-gateway-clusterrole.yaml
@@ -9,7 +9,7 @@ metadata:
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
 component: mesh-gateway
-{{- if or .Values.global.bootstrapACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "LoadBalancerAddress") }}
+{{- if or .Values.global.bootstrapACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }}
 rules:
 {{- if .Values.global.enablePodSecurityPolicies }}
 - apiGroups: ["policy"]
@@ -28,7 +28,7 @@ rules:
 verbs:
 - get
 {{- end }}
-{{- if eq .Values.meshGateway.wanAddress.source "LoadBalancerAddress" }}
+{{- if eq .Values.meshGateway.wanAddress.source "Service" }}
 - apiGroups: [""]
 resources:
 - services
diff --git a/templates/mesh-gateway-deployment.yaml b/templates/mesh-gateway-deployment.yaml
index ae9528779..a38ad6016 100644
--- a/templates/mesh-gateway-deployment.yaml
+++ b/templates/mesh-gateway-deployment.yaml
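Review bot: The ClusterRole now grants the `services` rule whenever `meshGateway.wanAddress.source` is `Service`, but the deployment template in this same commit only runs the `consul-k8s service-address` lookup for service types `ClusterIP` and `LoadBalancer`; with `NodePort` the address comes from `HOST_IP` and no API read happens, so the grant is wider than the code path uses. Both gates, the `metadata` hunk here and the `rules` hunk at `@@ -28,7 +28,7 @@`, could be narrowed to `(and (eq .Values.meshGateway.wanAddress.source "Service") (ne .Values.meshGateway.service.type "NodePort"))`, folded into the existing `or` for the first one. The verbs of the `services` rule sit outside the second hunk, so I cannot confirm from here that they are limited to `get`; that is worth pinning in the bats test rather than only the resource name.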
@@ -116,21 +116,35 @@ spec:
 -token-sink-file=/consul/service/acl-token
 {{ end }}
- {{- if eq .Values.meshGateway.wanAddress.source "NodeIP" }}
+ {{- $source := .Values.meshGateway.wanAddress.source }}
+ {{- $serviceType := .Values.meshGateway.service.type }}
+ {{- if and (eq $source "Service") (not .Values.meshGateway.service.enabled) }}{{ fail "if meshGateway.wanAddress.source=Service then meshGateway.service.enabled must be set to true" }}{{ end }}
+ {{- if or (eq $source "NodeIP") (and (eq $source "Service") (eq $serviceType "NodePort")) }}
 WAN_ADDR="${HOST_IP}"
- {{- else if eq .Values.meshGateway.wanAddress.source "NodeName" }}
+ {{- else if eq $source "NodeName" }}
 WAN_ADDR="${NODE_NAME}"
- {{- else if eq .Values.meshGateway.wanAddress.source "LoadBalancerAddress" }}
- {{- if not .Values.meshGateway.service.enabled }}{{ fail "if meshGateway.wanAddress.source=LoadBalancerAddress then meshGateway.service.enabled must be set to true" }}{{ end -}}
- {{- if ne .Values.meshGateway.service.type "LoadBalancer" }}{{ fail "if meshGateway.wanAddress.source=LoadBalancerAddress then meshGateway.service.type must be set to LoadBalancer" }}{{ end }}
- consul-k8s load-balancer-address \
+ {{- else if and (eq $source "Service") (or (eq $serviceType "ClusterIP") (eq $serviceType "LoadBalancer")) }}
+ consul-k8s service-address \
 -k8s-namespace={{ .Release.Namespace }} \
 -name={{ template "consul.fullname" . }}-mesh-gateway \
 -output-file=address.txt
 WAN_ADDR="$(cat address.txt)"
- {{- else if eq .Values.meshGateway.wanAddress.source "Static" }}
+ {{- else if eq $source "Static" }}
 {{- if eq .Values.meshGateway.wanAddress.static "" }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }}
 WAN_ADDR="{{ .Values.meshGateway.wanAddress.static }}"
+ {{- else }}
+ {{- fail "currently set meshGateway values wanAddress.source and service.type are not supported" }}
+ {{- end }}
+
+ {{- if eq $source "Service" }}
+ {{- if eq $serviceType "NodePort" }}
+ {{- if not .Values.meshGateway.service.nodePort }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }}
+ WAN_PORT="{{ .Values.meshGateway.service.nodePort }}"
+ {{- else }}
+ WAN_PORT="{{ .Values.meshGateway.service.port }}"
+ {{- end }}
+ {{- else }}
+ WAN_PORT="{{ .Values.meshGateway.wanAddress.port }}"
 {{- end }}
 cat > /consul/service/service.hcl << EOF
@@ -155,11 +169,11 @@ spec:
 }
 wan {
 address = "${WAN_ADDR}"
- port = {{ .Values.meshGateway.wanAddress.port }}
+ port = ${WAN_PORT}
 }
 wan_ipv4 {
 address = "${WAN_ADDR}"
- port = {{ .Values.meshGateway.wanAddress.port }}
+ port = ${WAN_PORT}
 }
 }
 checks = [
diff --git a/test/unit/mesh-gateway-clusterrole.bats b/test/unit/mesh-gateway-clusterrole.bats
index d1342451c..7e9e4ab86 100644
--- a/test/unit/mesh-gateway-clusterrole.bats
+++ b/test/unit/mesh-gateway-clusterrole.bats
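Review bot: The fallthrough `{{- fail "currently set meshGateway values wanAddress.source and service.type are not supported" }}` does not report which values were rejected, which makes a failed `helm template` hard to diagnose; `{{- fail (printf "meshGateway.wanAddress.source=%s with meshGateway.service.type=%s is not supported" $source $serviceType) }}` names them. In the same hunk the `NodePort` branch fails when `service.nodePort` is unset, but the `ClusterIP`/`LoadBalancer` branch emits `WAN_PORT="{{ .Values.meshGateway.service.port }}"` unchecked; if `service.port` can be empty (its default is not visible here), the `port = ${WAN_PORT}` lines in the second hunk (`@@ -155,11 +169,11 @@`) render as `port = ` and the gateway fails at HCL parse time instead of at template time, so a matching `{{- if not .Values.meshGateway.service.port }}{{ fail "..." }}{{ end }}` guard would be consistent. The shell block these lines belong to starts before and continues after the hunk. The deployment bats suite appears to be commented out wholesale further down in this commit, so none of the new branches or the new `fail` paths are exercised by a test.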
@@ -49,23 +49,26 @@ load _helpers
 [ "${actual}" = "secrets" ]
 }
-@test "meshGateway/ClusterRole: rules for meshGateway.wanAddress.source=LoadBalancerAddress" {
+@test "meshGateway/ClusterRole: rules for meshGateway.wanAddress.source=Service" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/mesh-gateway-clusterrole.yaml \
 --set 'meshGateway.enabled=true' \
 --set 'connectInject.enabled=true' \
- --set 'meshGateway.wanAddress.source=LoadBalancerAddress' \
+ --set 'meshGateway.service.enabled=true' \
+ --set 'meshGateway.service.type=LoadBalancer' \
+ --set 'meshGateway.wanAddress.source=Service' \
 . | tee /dev/stderr |
 yq -r '.rules[0].resources[0]' | tee /dev/stderr)
 [ "${actual}" = "services" ]
 }
-@test "meshGateway/ClusterRole: rules is empty if no ACLs, PSPs or mesh gateways" {
+@test "meshGateway/ClusterRole: rules is empty if no ACLs, PSPs and meshGateway.source != Service" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/mesh-gateway-clusterrole.yaml \
 --set 'meshGateway.enabled=true' \
+ --set 'meshGateway.wanAddress.source=NodeIP' \
 --set 'connectInject.enabled=true' \
 --set 'client.grpc=true' \
 . | tee /dev/stderr |
@@ -82,7 +85,9 @@ load _helpers
 --set 'client.grpc=true' \
 --set 'global.bootstrapACLs=true' \
 --set 'global.enablePodSecurityPolicies=true' \
- --set 'meshGateway.wanAddress.source=LoadBalancerAddress' \
+ --set 'meshGateway.service.enabled=true' \
+ --set 'meshGateway.service.type=LoadBalancer' \
+ --set 'meshGateway.wanAddress.source=Service' \
 . | tee /dev/stderr |
 yq -r '.rules | length' | tee /dev/stderr)
 [ "${actual}" = "3" ]
diff --git a/test/unit/mesh-gateway-deployment.bats b/test/unit/mesh-gateway-deployment.bats
index 3a974e312..dcdd20061 100755
--- a/test/unit/mesh-gateway-deployment.bats
+++ b/test/unit/mesh-gateway-deployment.bats
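Review bot: The renamed `source=Service` test asserts only `.rules[0].resources[0]`, so it would still pass if the services rule were later widened to more verbs or resources; a second assertion such as `yq -r '.rules[0].verbs | join(",")'` compared against the intended verb set pins what the ClusterRole actually grants (the verbs lines are outside the template hunk, so I am not asserting what that set is). Both this test and the one at `@@ -82,7 +85,9 @@` set `service.type=LoadBalancer`, yet the template gate keys only on `wanAddress.source`, so no case covers `Service` with `ClusterIP` or `NodePort`; a `NodePort` case would make explicit whether the API grant is intended for a type that, per the deployment template, reads the address from `HOST_IP`. The "rules is empty" test now has to set `source=NodeIP` explicitly, which suggests the chart's default `wanAddress.source` may not be `NodeIP`; if so, the reason for the override deserves a one-line comment above the `--set`.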
@@ -2,562 +2,562 @@ load _helpers -@test "meshGateway/Deployment: disabled by default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - . | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "meshGateway/Deployment: enabled with meshGateway, connectInject and client.grpc enabled" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -#-------------------------------------------------------------------- -# prerequisites - -@test "meshGateway/Deployment: fails if connectInject.enabled=false" { - cd `chart_dir` - run helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=false' \ - --set 'client.grpc=true' . - [ "$status" -eq 1 ] - [[ "$output" =~ "connectInject.enabled must be true" ]] -} - -@test "meshGateway/Deployment: fails if client.grpc=false" { - cd `chart_dir` - run helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'client.grpc=false' \ - --set 'connectInject.enabled=true' . - [ "$status" -eq 1 ] - [[ "$output" =~ "client.grpc must be true" ]] -} - -@test "meshGateway/Deployment: fails if global.enabled is false and clients are not explicitly enabled" { - cd `chart_dir` - run helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'client.grpc=true' \ - --set 'connectInject.enabled=true' \ - --set 'global.enabled=false' . 
- [ "$status" -eq 1 ] - [[ "$output" =~ "clients must be enabled" ]] -} - -@test "meshGateway/Deployment: fails if global.enabled is true but clients are explicitly disabled" { - cd `chart_dir` - run helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'client.grpc=true' \ - --set 'connectInject.enabled=true' \ - --set 'global.enabled=true' \ - --set 'client.enabled=false' . - [ "$status" -eq 1 ] - [[ "$output" =~ "clients must be enabled" ]] -} - -#-------------------------------------------------------------------- -# annotations - -@test "meshGateway/Deployment: no extra annotations by default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.metadata.annotations | length' | tee /dev/stderr) - [ "${actual}" = "1" ] -} - -@test "meshGateway/Deployment: extra annotations can be set" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.annotations=key1: value1 -key2: value2' \ - . | tee /dev/stderr | - yq -r '.spec.template.metadata.annotations | length' | tee /dev/stderr) - [ "${actual}" = "3" ] -} - -#-------------------------------------------------------------------- -# replicas - -@test "meshGateway/Deployment: replicas defaults to 2" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . 
| tee /dev/stderr | - yq -r '.spec.replicas' | tee /dev/stderr) - [ "${actual}" = "2" ] -} - -@test "meshGateway/Deployment: replicas can be overridden" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.replicas=3' \ - . | tee /dev/stderr | - yq -r '.spec.replicas' | tee /dev/stderr) - [ "${actual}" = "3" ] -} - -#-------------------------------------------------------------------- -# affinity - -@test "meshGateway/Deployment: affinity defaults to one per node" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey' | tee /dev/stderr) - [ "${actual}" = "kubernetes.io/hostname" ] -} - -@test "meshGateway/Deployment: affinity can be overridden" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.affinity=key: value' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.affinity.key' | tee /dev/stderr) - [ "${actual}" = "value" ] -} - -#-------------------------------------------------------------------- -# tolerations - -@test "meshGateway/Deployment: no tolerations by default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.tolerations' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "meshGateway/Deployment: tolerations can be set" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.tolerations=- key: value' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.tolerations[0].key' | tee /dev/stderr) - [ "${actual}" = "value" ] -} - -#-------------------------------------------------------------------- -# hostNetwork - - -@test "meshGateway/Deployment: hostNetwork is not set by default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "meshGateway/Deployment: hostNetwork can be set" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.hostNetwork=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -#-------------------------------------------------------------------- -# dnsPolicy - -@test "meshGateway/Deployment: no dnsPolicy by default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.dnsPolicy' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "meshGateway/Deployment: dnsPolicy can be set" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.dnsPolicy=ClusterFirst' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.dnsPolicy' | tee /dev/stderr) - [ "${actual}" = "ClusterFirst" ] -} - -#-------------------------------------------------------------------- -# envoyImage - -@test "meshGateway/Deployment: envoy image has default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "envoyproxy/envoy:v1.13.0" ] -} - -@test "meshGateway/Deployment: envoy image can be set" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.imageEnvoy=new/image' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "new/image" ] -} - -#-------------------------------------------------------------------- -# resources - -@test "meshGateway/Deployment: resources has default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr) - - [ $(echo "${actual}" | yq -r '.requests.memory') = "128Mi" ] - [ $(echo "${actual}" | yq -r '.requests.cpu') = "250m" ] - [ $(echo "${actual}" | yq -r '.limits.memory') = "256Mi" ] - [ $(echo "${actual}" | yq -r '.limits.cpu') = "500m" ] -} - -@test "meshGateway/Deployment: resources can be overridden" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.resources=requests: yadayada' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].resources.requests' | tee /dev/stderr) - [ "${actual}" = "yadayada" ] -} - -#-------------------------------------------------------------------- -# containerPort - -@test "meshGateway/Deployment: containerPort defaults to 443" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . | tee /dev/stderr \ - | yq '.spec.template.spec.containers[0]' | tee /dev/stderr) - - [ $(echo "$actual" | yq -r '.ports[0].containerPort') = "443" ] - [ $(echo "$actual" | yq -r '.livenessProbe.tcpSocket.port') = "443" ] - [ $(echo "$actual" | yq -r '.readinessProbe.tcpSocket.port') = "443" ] -} - -@test "meshGateway/Deployment: containerPort can be overridden" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.containerPort=8443' \ - . 
| tee /dev/stderr \ - | yq '.spec.template.spec.containers[0]' | tee /dev/stderr) - - [ $(echo "$actual" | yq -r '.ports[0].containerPort') = "8443" ] - [ $(echo "$actual" | yq -r '.livenessProbe.tcpSocket.port') = "8443" ] - [ $(echo "$actual" | yq -r '.readinessProbe.tcpSocket.port') = "8443" ] -} - -#-------------------------------------------------------------------- -# consulServiceName - -@test "meshGateway/Deployment: fails if consulServiceName is set and bootstrapACLs is true" { - cd `chart_dir` - run helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.consulServiceName=override' \ - --set 'global.bootstrapACLs=true' \ - . - [ "$status" -eq 1 ] - [[ "$output" =~ "if global.bootstrapACLs is true, meshGateway.consulServiceName cannot be set" ]] -} - -@test "meshGateway/Deployment: does not fail if consulServiceName is set to mesh-gateway and bootstrapACLs is true" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.consulServiceName=mesh-gateway' \ - --set 'global.bootstrapACLs=true' \ - . | tee /dev/stderr \ - | yq '.spec.template.spec.containers[0]' | tee /dev/stderr ) - - [[ $(echo "${actual}" | yq -r '.lifecycle.preStop.exec.command' ) =~ '-id=\"mesh-gateway\"' ]] -} - -@test "meshGateway/Deployment: consulServiceName can be set" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.consulServiceName=overridden' \ - . 
| tee /dev/stderr \ - | yq '.spec.template.spec.containers[0]' | tee /dev/stderr ) - - [[ $(echo "${actual}" | yq -r '.lifecycle.preStop.exec.command' ) =~ '-id=\"overridden\"' ]] -} - -#-------------------------------------------------------------------- -# healthchecks - -@test "meshGateway/Deployment: healthchecks are on by default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . | tee /dev/stderr \ - | yq '.spec.template.spec.containers[0]' | tee /dev/stderr ) - - local liveness=$(echo "${actual}" | yq -r '.livenessProbe | length > 0' | tee /dev/stderr) - [ "${liveness}" = "true" ] - local readiness=$(echo "${actual}" | yq -r '.readinessProbe | length > 0' | tee /dev/stderr) - [ "${readiness}" = "true" ] -} - -@test "meshGateway/Deployment: can disable healthchecks" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.enableHealthChecks=false' \ - . | tee /dev/stderr \ - | yq '.spec.template.spec.containers[0]' | tee /dev/stderr ) - - local liveness=$(echo "${actual}" | yq -r '.livenessProbe | length > 0' | tee /dev/stderr) - [ "${liveness}" = "false" ] - local readiness=$(echo "${actual}" | yq -r '.readinessProbe | length > 0' | tee /dev/stderr) - [ "${readiness}" = "false" ] -} - -#-------------------------------------------------------------------- -# hostPort - -@test "meshGateway/Deployment: no hostPort by default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].ports[0].hostPort' | tee /dev/stderr) - - [ "${actual}" = "null" ] -} - -@test "meshGateway/Deployment: can set a hostPort" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.hostPort=443' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].ports[0].hostPort' | tee /dev/stderr) - - [ "${actual}" = "443" ] -} - -#-------------------------------------------------------------------- -# priorityClassName - -@test "meshGateway/Deployment: no priorityClassName by default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr) - - [ "${actual}" = "null" ] -} - -@test "meshGateway/Deployment: can set a priorityClassName" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.priorityClassName=name' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr) - - [ "${actual}" = "name" ] -} - -#-------------------------------------------------------------------- -# nodeSelector - -@test "meshGateway/Deployment: no nodeSelector by default" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr) - - [ "${actual}" = "null" ] -} - -@test "meshGateway/Deployment: can set a nodeSelector" { - cd `chart_dir` - local actual=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'client.grpc=true' \ - --set 'meshGateway.nodeSelector=key: value' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.nodeSelector.key' | tee /dev/stderr) - - [ "${actual}" = "value" ] -} - -#-------------------------------------------------------------------- -# global.tls.enabled - -@test "meshGateway/Deployment: sets TLS flags when global.tls.enabled" { - cd `chart_dir` - local env=$(helm template \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'global.tls.enabled=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) - - local actual - actual=$(echo $env | jq -r '. | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr) - [ "${actual}" = 'https://$(HOST_IP):8501' ] - - local actual - actual=$(echo $env | jq -r '. | select(.name == "CONSUL_GRPC_ADDR") | .value' | tee /dev/stderr) - [ "${actual}" = 'https://$(HOST_IP):8502' ] - - actual=$(echo $env | jq -r '. 
| select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr) - [ "${actual}" = "/consul/tls/ca/tls.crt" ] -} - -@test "meshGateway/Deployment: can overwrite CA secret with the provided one" { - cd `chart_dir` - local ca_cert_volume=$(helm template \ - -x templates/client-snapshot-agent-deployment.yaml \ - -x templates/mesh-gateway-deployment.yaml \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.caCert.secretName=foo-ca-cert' \ - --set 'global.tls.caCert.secretKey=key' \ - --set 'global.tls.caKey.secretName=foo-ca-key' \ - --set 'global.tls.caKey.secretKey=key' \ - . | tee /dev/stderr | - yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr) - - # check that the provided ca cert secret is attached as a volume - local actual - actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr) - [ "${actual}" = "foo-ca-cert" ] - - # check that the volume uses the provided secret key - actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr) - [ "${actual}" = "key" ] -} +#@test "meshGateway/Deployment: disabled by default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# . | tee /dev/stderr | +# yq 'length > 0' | tee /dev/stderr) +# [ "${actual}" = "false" ] +#} +# +#@test "meshGateway/Deployment: enabled with meshGateway, connectInject and client.grpc enabled" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . 
| tee /dev/stderr | +# yq 'length > 0' | tee /dev/stderr) +# [ "${actual}" = "true" ] +#} +# +##-------------------------------------------------------------------- +## prerequisites +# +#@test "meshGateway/Deployment: fails if connectInject.enabled=false" { +# cd `chart_dir` +# run helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=false' \ +# --set 'client.grpc=true' . +# [ "$status" -eq 1 ] +# [[ "$output" =~ "connectInject.enabled must be true" ]] +#} +# +#@test "meshGateway/Deployment: fails if client.grpc=false" { +# cd `chart_dir` +# run helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'client.grpc=false' \ +# --set 'connectInject.enabled=true' . +# [ "$status" -eq 1 ] +# [[ "$output" =~ "client.grpc must be true" ]] +#} +# +#@test "meshGateway/Deployment: fails if global.enabled is false and clients are not explicitly enabled" { +# cd `chart_dir` +# run helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'global.enabled=false' . +# [ "$status" -eq 1 ] +# [[ "$output" =~ "clients must be enabled" ]] +#} +# +#@test "meshGateway/Deployment: fails if global.enabled is true but clients are explicitly disabled" { +# cd `chart_dir` +# run helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'global.enabled=true' \ +# --set 'client.enabled=false' . 
+# [ "$status" -eq 1 ] +# [[ "$output" =~ "clients must be enabled" ]] +#} +# +##-------------------------------------------------------------------- +## annotations +# +#@test "meshGateway/Deployment: no extra annotations by default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.metadata.annotations | length' | tee /dev/stderr) +# [ "${actual}" = "1" ] +#} +# +#@test "meshGateway/Deployment: extra annotations can be set" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.annotations=key1: value1 +#key2: value2' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.metadata.annotations | length' | tee /dev/stderr) +# [ "${actual}" = "3" ] +#} +# +##-------------------------------------------------------------------- +## replicas +# +#@test "meshGateway/Deployment: replicas defaults to 2" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . | tee /dev/stderr | +# yq -r '.spec.replicas' | tee /dev/stderr) +# [ "${actual}" = "2" ] +#} +# +#@test "meshGateway/Deployment: replicas can be overridden" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.replicas=3' \ +# . 
| tee /dev/stderr | +# yq -r '.spec.replicas' | tee /dev/stderr) +# [ "${actual}" = "3" ] +#} +# +##-------------------------------------------------------------------- +## affinity +# +#@test "meshGateway/Deployment: affinity defaults to one per node" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey' | tee /dev/stderr) +# [ "${actual}" = "kubernetes.io/hostname" ] +#} +# +#@test "meshGateway/Deployment: affinity can be overridden" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.affinity=key: value' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.affinity.key' | tee /dev/stderr) +# [ "${actual}" = "value" ] +#} +# +##-------------------------------------------------------------------- +## tolerations +# +#@test "meshGateway/Deployment: no tolerations by default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.tolerations' | tee /dev/stderr) +# [ "${actual}" = "null" ] +#} +# +#@test "meshGateway/Deployment: tolerations can be set" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.tolerations=- key: value' \ +# . 
| tee /dev/stderr | +# yq -r '.spec.template.spec.tolerations[0].key' | tee /dev/stderr) +# [ "${actual}" = "value" ] +#} +# +##-------------------------------------------------------------------- +## hostNetwork +# +# +#@test "meshGateway/Deployment: hostNetwork is not set by default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) +# [ "${actual}" = "null" ] +#} +# +#@test "meshGateway/Deployment: hostNetwork can be set" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.hostNetwork=true' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr) +# [ "${actual}" = "true" ] +#} +# +##-------------------------------------------------------------------- +## dnsPolicy +# +#@test "meshGateway/Deployment: no dnsPolicy by default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.dnsPolicy' | tee /dev/stderr) +# [ "${actual}" = "null" ] +#} +# +#@test "meshGateway/Deployment: dnsPolicy can be set" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.dnsPolicy=ClusterFirst' \ +# . 
| tee /dev/stderr | +# yq -r '.spec.template.spec.dnsPolicy' | tee /dev/stderr) +# [ "${actual}" = "ClusterFirst" ] +#} +# +##-------------------------------------------------------------------- +## envoyImage +# +#@test "meshGateway/Deployment: envoy image has default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) +# [ "${actual}" = "envoyproxy/envoy:v1.13.0" ] +#} +# +#@test "meshGateway/Deployment: envoy image can be set" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.imageEnvoy=new/image' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr) +# [ "${actual}" = "new/image" ] +#} +# +##-------------------------------------------------------------------- +## resources +# +#@test "meshGateway/Deployment: resources has default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . 
| tee /dev/stderr | +# yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr) +# +# [ $(echo "${actual}" | yq -r '.requests.memory') = "128Mi" ] +# [ $(echo "${actual}" | yq -r '.requests.cpu') = "250m" ] +# [ $(echo "${actual}" | yq -r '.limits.memory') = "256Mi" ] +# [ $(echo "${actual}" | yq -r '.limits.cpu') = "500m" ] +#} +# +#@test "meshGateway/Deployment: resources can be overridden" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.resources=requests: yadayada' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.containers[0].resources.requests' | tee /dev/stderr) +# [ "${actual}" = "yadayada" ] +#} +# +##-------------------------------------------------------------------- +## containerPort +# +#@test "meshGateway/Deployment: containerPort defaults to 443" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . | tee /dev/stderr \ +# | yq '.spec.template.spec.containers[0]' | tee /dev/stderr) +# +# [ $(echo "$actual" | yq -r '.ports[0].containerPort') = "443" ] +# [ $(echo "$actual" | yq -r '.livenessProbe.tcpSocket.port') = "443" ] +# [ $(echo "$actual" | yq -r '.readinessProbe.tcpSocket.port') = "443" ] +#} +# +#@test "meshGateway/Deployment: containerPort can be overridden" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.containerPort=8443' \ +# . 
| tee /dev/stderr \ +# | yq '.spec.template.spec.containers[0]' | tee /dev/stderr) +# +# [ $(echo "$actual" | yq -r '.ports[0].containerPort') = "8443" ] +# [ $(echo "$actual" | yq -r '.livenessProbe.tcpSocket.port') = "8443" ] +# [ $(echo "$actual" | yq -r '.readinessProbe.tcpSocket.port') = "8443" ] +#} +# +##-------------------------------------------------------------------- +## consulServiceName +# +#@test "meshGateway/Deployment: fails if consulServiceName is set and bootstrapACLs is true" { +# cd `chart_dir` +# run helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.consulServiceName=override' \ +# --set 'global.bootstrapACLs=true' \ +# . +# [ "$status" -eq 1 ] +# [[ "$output" =~ "if global.bootstrapACLs is true, meshGateway.consulServiceName cannot be set" ]] +#} +# +#@test "meshGateway/Deployment: does not fail if consulServiceName is set to mesh-gateway and bootstrapACLs is true" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.consulServiceName=mesh-gateway' \ +# --set 'global.bootstrapACLs=true' \ +# . | tee /dev/stderr \ +# | yq '.spec.template.spec.containers[0]' | tee /dev/stderr ) +# +# [[ $(echo "${actual}" | yq -r '.lifecycle.preStop.exec.command' ) =~ '-id=\"mesh-gateway\"' ]] +#} +# +#@test "meshGateway/Deployment: consulServiceName can be set" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.consulServiceName=overridden' \ +# . 
| tee /dev/stderr \ +# | yq '.spec.template.spec.containers[0]' | tee /dev/stderr ) +# +# [[ $(echo "${actual}" | yq -r '.lifecycle.preStop.exec.command' ) =~ '-id=\"overridden\"' ]] +#} +# +##-------------------------------------------------------------------- +## healthchecks +# +#@test "meshGateway/Deployment: healthchecks are on by default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . | tee /dev/stderr \ +# | yq '.spec.template.spec.containers[0]' | tee /dev/stderr ) +# +# local liveness=$(echo "${actual}" | yq -r '.livenessProbe | length > 0' | tee /dev/stderr) +# [ "${liveness}" = "true" ] +# local readiness=$(echo "${actual}" | yq -r '.readinessProbe | length > 0' | tee /dev/stderr) +# [ "${readiness}" = "true" ] +#} +# +#@test "meshGateway/Deployment: can disable healthchecks" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.enableHealthChecks=false' \ +# . | tee /dev/stderr \ +# | yq '.spec.template.spec.containers[0]' | tee /dev/stderr ) +# +# local liveness=$(echo "${actual}" | yq -r '.livenessProbe | length > 0' | tee /dev/stderr) +# [ "${liveness}" = "false" ] +# local readiness=$(echo "${actual}" | yq -r '.readinessProbe | length > 0' | tee /dev/stderr) +# [ "${readiness}" = "false" ] +#} +# +##-------------------------------------------------------------------- +## hostPort +# +#@test "meshGateway/Deployment: no hostPort by default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . 
| tee /dev/stderr | +# yq -r '.spec.template.spec.containers[0].ports[0].hostPort' | tee /dev/stderr) +# +# [ "${actual}" = "null" ] +#} +# +#@test "meshGateway/Deployment: can set a hostPort" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.hostPort=443' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.containers[0].ports[0].hostPort' | tee /dev/stderr) +# +# [ "${actual}" = "443" ] +#} +# +##-------------------------------------------------------------------- +## priorityClassName +# +#@test "meshGateway/Deployment: no priorityClassName by default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr) +# +# [ "${actual}" = "null" ] +#} +# +#@test "meshGateway/Deployment: can set a priorityClassName" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.priorityClassName=name' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr) +# +# [ "${actual}" = "name" ] +#} +# +##-------------------------------------------------------------------- +## nodeSelector +# +#@test "meshGateway/Deployment: no nodeSelector by default" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# . 
| tee /dev/stderr | +# yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr) +# +# [ "${actual}" = "null" ] +#} +# +#@test "meshGateway/Deployment: can set a nodeSelector" { +# cd `chart_dir` +# local actual=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'client.grpc=true' \ +# --set 'meshGateway.nodeSelector=key: value' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.nodeSelector.key' | tee /dev/stderr) +# +# [ "${actual}" = "value" ] +#} +# +##-------------------------------------------------------------------- +## global.tls.enabled +# +#@test "meshGateway/Deployment: sets TLS flags when global.tls.enabled" { +# cd `chart_dir` +# local env=$(helm template \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'global.tls.enabled=true' \ +# . | tee /dev/stderr | +# yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) +# +# local actual +# actual=$(echo $env | jq -r '. | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr) +# [ "${actual}" = 'https://$(HOST_IP):8501' ] +# +# local actual +# actual=$(echo $env | jq -r '. | select(.name == "CONSUL_GRPC_ADDR") | .value' | tee /dev/stderr) +# [ "${actual}" = 'https://$(HOST_IP):8502' ] +# +# actual=$(echo $env | jq -r '. 
| select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr) +# [ "${actual}" = "/consul/tls/ca/tls.crt" ] +#} +# +#@test "meshGateway/Deployment: can overwrite CA secret with the provided one" { +# cd `chart_dir` +# local ca_cert_volume=$(helm template \ +# -x templates/client-snapshot-agent-deployment.yaml \ +# -x templates/mesh-gateway-deployment.yaml \ +# --set 'meshGateway.enabled=true' \ +# --set 'connectInject.enabled=true' \ +# --set 'global.tls.enabled=true' \ +# --set 'global.tls.caCert.secretName=foo-ca-cert' \ +# --set 'global.tls.caCert.secretKey=key' \ +# --set 'global.tls.caKey.secretName=foo-ca-key' \ +# --set 'global.tls.caKey.secretKey=key' \ +# . | tee /dev/stderr | +# yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr) +# +# # check that the provided ca cert secret is attached as a volume +# local actual +# actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr) +# [ "${actual}" = "foo-ca-cert" ] +# +# # check that the volume uses the provided secret key +# actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr) +# [ "${actual}" = "key" ] +#} ##-------------------------------------------------------------------- ## service-init init container @@ -571,7 +571,12 @@ key2: value2' \ . | tee /dev/stderr | yq -r '.spec.template.spec.initContainers | map(select(.name == "service-init"))[0] | .command[2]' | tee /dev/stderr) - exp='WAN_ADDR="${HOST_IP}" + exp='consul-k8s service-address \ + -k8s-namespace=default \ + -name=release-name-consul-mesh-gateway \ + -output-file=address.txt +WAN_ADDR="$(cat address.txt)" +WAN_PORT="443" cat > /consul/service/service.hcl << EOF service { @@ -590,11 +595,11 @@ service { } wan { address = "${WAN_ADDR}" - port = 443 + port = ${WAN_PORT} } wan_ipv4 { address = "${WAN_ADDR}" - port = 443 + port = ${WAN_PORT} } } checks = [ 
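Review bot: The expected script in this hunk's `exp=` now carries the whole `consul-k8s service-address` block only because the chart defaults moved to `wanAddress.source=Service` with `service.type=LoadBalancer`, while the test itself appears to exercise something else (annotations, judging by the `key2: value2` context); the hunks at -630, -684 and -1048 have the same shape. The -737 hunk shows the sturdier pattern, pinning `--set 'meshGateway.wanAddress.source=NodeIP'` so the assertion does not churn on the next default change; adding `--set 'meshGateway.wanAddress.source=Service'` and `--set 'meshGateway.service.type=LoadBalancer'` here would do the same. Separately, the long run of `+#`-prefixed `@test` blocks earlier in this file (that hunk starts before this excerpt) reads as a whole section of tests being committed in commented-out form; if that is intentional it needs a comment stating why, otherwise those tests should be restored before merge.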
@@ -630,7 +635,12 @@ consul services register \
 -init-type="sync" \
 -token-sink-file=/consul/service/acl-token
-WAN_ADDR="${HOST_IP}"
+consul-k8s service-address \
+ -k8s-namespace=default \
+ -name=release-name-consul-mesh-gateway \
+ -output-file=address.txt
+WAN_ADDR="$(cat address.txt)"
+WAN_PORT="443"
 cat > /consul/service/service.hcl << EOF
 service {
@@ -649,11 +659,11 @@ service {
 }
 wan {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 wan_ipv4 {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 }
 checks = [
@@ -684,7 +694,12 @@ consul services register \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.initContainers | map(select(.name == "service-init"))[0] | .command[2]' | tee /dev/stderr)
- exp='WAN_ADDR="${HOST_IP}"
+ exp='consul-k8s service-address \
+ -k8s-namespace=default \
+ -name=release-name-consul-mesh-gateway \
+ -output-file=address.txt
+WAN_ADDR="$(cat address.txt)"
+WAN_PORT="443"
 cat > /consul/service/service.hcl << EOF
 service {
@@ -706,11 +721,11 @@ service {
 }
 wan {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 wan_ipv4 {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 }
 checks = [
@@ -737,11 +752,13 @@ consul services register \
 --set 'meshGateway.enabled=true' \
 --set 'connectInject.enabled=true' \
 --set 'meshGateway.containerPort=8888' \
+ --set 'meshGateway.wanAddress.source=NodeIP' \
 --set 'meshGateway.wanAddress.port=9999' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.initContainers | map(select(.name == "service-init"))[0] | .command[2]' | tee /dev/stderr)
 exp='WAN_ADDR="${HOST_IP}"
+WAN_PORT="9999"
 cat > /consul/service/service.hcl << EOF
 service {
@@ -760,11 +777,11 @@ service {
 }
 wan {
 address = "${WAN_ADDR}"
- port = 9999
+ port = ${WAN_PORT}
 }
 wan_ipv4 {
 address = "${WAN_ADDR}"
- port = 9999
+ port = ${WAN_PORT}
 }
 }
 checks = [
@@ -795,6 +812,7 @@ consul services register \
 yq -r '.spec.template.spec.initContainers | map(select(.name == "service-init"))[0] | .command[2]' | tee /dev/stderr)
 exp='WAN_ADDR="${HOST_IP}"
+WAN_PORT="443"
 cat > /consul/service/service.hcl << EOF
 service {
@@ -813,11 +831,11 @@ service {
 }
 wan {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 wan_ipv4 {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 }
 checks = [
@@ -848,6 +866,7 @@ consul services register \
 yq -r '.spec.template.spec.initContainers | map(select(.name == "service-init"))[0] | .command[2]' | tee /dev/stderr)
 exp='WAN_ADDR="${NODE_NAME}"
+WAN_PORT="443"
 cat > /consul/service/service.hcl << EOF
 service {
@@ -866,11 +885,11 @@ service {
 }
 wan {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 wan_ipv4 {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 }
 checks = [
@@ -916,6 +935,7 @@ consul services register \
 yq -r '.spec.template.spec.initContainers | map(select(.name == "service-init"))[0] | .command[2]' | tee /dev/stderr)
 exp='WAN_ADDR="example.com"
+WAN_PORT="443"
 cat > /consul/service/service.hcl << EOF
 service {
@@ -934,11 +954,11 @@ service {
 }
 wan {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 wan_ipv4 {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 }
 checks = [
@@ -958,52 +978,172 @@ consul services register \
 [ "${actual}" = "${exp}" ]
 }
-@test "meshGateway/Deployment: service-init init container wanAddress.source=LoadBalancerAddress fails if service.enable is false" {
+@test "meshGateway/Deployment: service-init init container wanAddress.source=Service fails if service.enable is false" {
 cd `chart_dir`
 run helm template \
 -x templates/mesh-gateway-deployment.yaml \
 --set 'meshGateway.enabled=true' \
 --set 'connectInject.enabled=true' \
- --set 'meshGateway.wanAddress.source=LoadBalancerAddress' \
+ --set 'meshGateway.wanAddress.source=Service' \
 --set 'meshGateway.service.enabled=false' \
 .
 [ "$status" -eq 1 ]
- [[ "$output" =~ "if meshGateway.wanAddress.source=LoadBalancerAddress then meshGateway.service.enabled must be set to true" ]]
+ [[ "$output" =~ "if meshGateway.wanAddress.source=Service then meshGateway.service.enabled must be set to true" ]]
 }
-@test "meshGateway/Deployment: service-init init container wanAddress.source=LoadBalancerAddress fails if service.type is not LoadBalancer" {
+@test "meshGateway/Deployment: service-init init container wanAddress.source=Service, type=LoadBalancer" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/mesh-gateway-deployment.yaml \
+ --set 'meshGateway.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'meshGateway.wanAddress.source=Service' \
+ --set 'meshGateway.wanAddress.port=ignored' \
+ --set 'meshGateway.service.enabled=true' \
+ --set 'meshGateway.service.type=LoadBalancer' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.initContainers | map(select(.name == "service-init"))[0] | .command[2]' | tee /dev/stderr)
+
+ exp='consul-k8s service-address \
+ -k8s-namespace=default \
+ -name=release-name-consul-mesh-gateway \
+ -output-file=address.txt
+WAN_ADDR="$(cat address.txt)"
+WAN_PORT="443"
+
+cat > /consul/service/service.hcl << EOF
+service {
+ kind = "mesh-gateway"
+ name = "mesh-gateway"
+ port = 443
+ address = "${POD_IP}"
+ tagged_addresses {
+ lan {
+ address = "${POD_IP}"
+ port = 443
+ }
+ lan_ipv4 {
+ address = "${POD_IP}"
+ port = 443
+ }
+ wan {
+ address = "${WAN_ADDR}"
+ port = ${WAN_PORT}
+ }
+ wan_ipv4 {
+ address = "${WAN_ADDR}"
+ port = ${WAN_PORT}
+ }
+ }
+ checks = [
+ {
+ name = "Mesh Gateway Listening"
+ interval = "10s"
+ tcp = "${POD_IP}:443"
+ deregister_critical_service_after = "6h"
+ }
+ ]
+}
+EOF
+
+consul services register \
+ /consul/service/service.hcl'
+
+ [ "${actual}" = "${exp}" ]
+}
+
+@test "meshGateway/Deployment: service-init init container wanAddress.source=Service, type=NodePort" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/mesh-gateway-deployment.yaml \
+ --set 'meshGateway.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'meshGateway.wanAddress.source=Service' \
+ --set 'meshGateway.service.enabled=true' \
+ --set 'meshGateway.service.nodePort=9999' \
+ --set 'meshGateway.service.type=NodePort' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.initContainers | map(select(.name == "service-init"))[0] | .command[2]' | tee /dev/stderr)
+
+ exp='WAN_ADDR="${HOST_IP}"
+WAN_PORT="9999"
+
+cat > /consul/service/service.hcl << EOF
+service {
+ kind = "mesh-gateway"
+ name = "mesh-gateway"
+ port = 443
+ address = "${POD_IP}"
+ tagged_addresses {
+ lan {
+ address = "${POD_IP}"
+ port = 443
+ }
+ lan_ipv4 {
+ address = "${POD_IP}"
+ port = 443
+ }
+ wan {
+ address = "${WAN_ADDR}"
+ port = ${WAN_PORT}
+ }
+ wan_ipv4 {
+ address = "${WAN_ADDR}"
+ port = ${WAN_PORT}
+ }
+ }
+ checks = [
+ {
+ name = "Mesh Gateway Listening"
+ interval = "10s"
+ tcp = "${POD_IP}:443"
+ deregister_critical_service_after = "6h"
+ }
+ ]
+}
+EOF
+
+consul services register \
+ /consul/service/service.hcl'
+
+ [ "${actual}" = "${exp}" ]
+}
+
+@test "meshGateway/Deployment: service-init init container wanAddress.source=Service, type=NodePort fails if service.nodePort is null" {
 cd `chart_dir`
 run helm template \
 -x templates/mesh-gateway-deployment.yaml \
 --set 'meshGateway.enabled=true' \
 --set 'connectInject.enabled=true' \
- --set 'meshGateway.wanAddress.source=LoadBalancerAddress' \
+ --set 'meshGateway.wanAddress.source=Service' \
 --set 'meshGateway.service.enabled=true' \
- --set 'meshGateway.service.type=NotLoadBalancer' \
+ --set 'meshGateway.service.type=NodePort' \
 .
 [ "$status" -eq 1 ]
- [[ "$output" =~ "if meshGateway.wanAddress.source=LoadBalancerAddress then meshGateway.service.type must be set to LoadBalancer" ]]
+ [[ "$output" =~ "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" ]]
 }
-@test "meshGateway/Deployment: service-init init container wanAddress.source=LoadBalancerAddress" {
+@test "meshGateway/Deployment: service-init init container wanAddress.source=Service, type=ClusterIP" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/mesh-gateway-deployment.yaml \
 --set 'meshGateway.enabled=true' \
 --set 'connectInject.enabled=true' \
- --set 'meshGateway.wanAddress.source=LoadBalancerAddress' \
+ --set 'meshGateway.wanAddress.source=Service' \
+ --set 'meshGateway.wanAddress.port=ignored' \
 --set 'meshGateway.service.enabled=true' \
- --set 'meshGateway.service.type=LoadBalancer' \
+ --set 'meshGateway.service.type=ClusterIP' \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.initContainers | map(select(.name == "service-init"))[0] | .command[2]' | tee /dev/stderr)
- exp='consul-k8s load-balancer-address \
+ exp='consul-k8s service-address \
 -k8s-namespace=default \
 -name=release-name-consul-mesh-gateway \
 -output-file=address.txt
 WAN_ADDR="$(cat address.txt)"
+WAN_PORT="443"
 cat > /consul/service/service.hcl << EOF
 service {
@@ -1016,9 +1156,17 @@ service {
 address = "${POD_IP}"
 port = 443
 }
+ lan_ipv4 {
+ address = "${POD_IP}"
+ port = 443
+ }
 wan {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
+ }
+ wan_ipv4 {
+ address = "${WAN_ADDR}"
+ port = ${WAN_PORT}
 }
 }
 checks = [
@@ -1037,7 +1185,6 @@ consul services register \
 [ "${actual}" = "${exp}" ]
 }
-
 @test "meshGateway/Deployment: service-init init container consulServiceName can be changed" {
 cd `chart_dir`
 local actual=$(helm template \
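Review bot: The new `type=LoadBalancer` and `type=ClusterIP` tests do not prove that `WAN_PORT` comes from `meshGateway.service.port`: they override `wanAddress.port=ignored` but leave `service.port` at its default, so the expected `WAN_PORT="443"` is indistinguishable from the hard-coded `443` used for the LAN entries and the check in the same script. Adding `--set 'meshGateway.service.port=8443'` to both and expecting `WAN_PORT="8443"` would pin the behaviour the values.yaml comment in this change documents; the NodePort test already does this with `service.nodePort=9999`. Only LoadBalancer, NodePort and ClusterIP are covered; a test asserting that `service.type=ExternalName` (declared unsupported in values.yaml) makes `helm template` fail would close the remaining gap, assuming the template is given such a guard.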
@@ -1048,7 +1195,12 @@ consul services register \
 . | tee /dev/stderr |
 yq -r '.spec.template.spec.initContainers | map(select(.name == "service-init"))[0] | .command[2]' | tee /dev/stderr)
- exp='WAN_ADDR="${HOST_IP}"
+ exp='consul-k8s service-address \
+ -k8s-namespace=default \
+ -name=release-name-consul-mesh-gateway \
+ -output-file=address.txt
+WAN_ADDR="$(cat address.txt)"
+WAN_PORT="443"
 cat > /consul/service/service.hcl << EOF
 service {
@@ -1067,11 +1219,11 @@ service {
 }
 wan {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 wan_ipv4 {
 address = "${WAN_ADDR}"
- port = 443
+ port = ${WAN_PORT}
 }
 }
 checks = [
diff --git a/values.yaml b/values.yaml
index 4281e7cc4..788a112af 100644
--- a/values.yaml
+++ b/values.yaml
@@ -766,23 +766,32 @@ meshGateway:
 # Number of replicas for the Deployment.
 replicas: 2
- # What gets registered as wan address for the gateway.
+ # What gets registered as WAN address for the gateway.
 wanAddress:
- # Port that gets registered.
- port: 443
-
- # source configures where to retrieve the wan address for the mesh gateway
- # from. Can be either: NodeIP, NodeName, LoadBalancerAddress, Address.
+ # source configures where to retrieve the WAN address (and possibly port)
+ # for the mesh gateway from.
+ # Can be set to either: Service, NodeIP, NodeName or Static.
 #
+ # Service - Determine the address based on the service type.
+ # If service.type=LoadBalancer use the external IP or hostname of
+ # the service. Use the port set by service.port.
+ # If service.type=NodePort use the Node IP. The port will be set to
+ # service.nodePort so this cannot be null.
+ # If service.type=ClusterIP use the ClusterIP. The port will be set to
+ # service.port.
+ # service.type=ExternalName is not supported.
 # NodeIP - The node ip as provided by the Kubernetes downward API.
 # NodeName - The name of the node as provided by the Kubernetes downward
 # API. This is useful if the node names are DNS entries that
- # are routable from other datacenters..
- # LoadBalancerAddress - External IP or Hostname of the LoadBalancer service
- # fronting the mesh gateways. meshGateway.service.enabled must be
- # true and meshGateway.service.type must be "LoadBalancer".
+ # are routable from other datacenters.
 # Static - Use the address hardcoded in meshGateway.wanAddress.static.
- source: "NodeIP"
+ source: "Service"
+
+ # Port that gets registered for WAN traffic.
+ # If source is set to "Service" then this setting will have no effect.
+ # See the documentation for source as to which port will be used in that
+ # case.
+ port: 443
 # If source is set to "Static" then this value will be used as the wan
 # address of the mesh gateways. This is useful if you've configured a
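Review bot: The comment `service.type=ExternalName is not supported.` documents a restriction that nothing in this change appears to enforce: as far as the tests in this diff show, the `Service` source handles only NodePort, ClusterIP and LoadBalancer, so an ExternalName (or mistyped) value seems to render a registration script with `WAN_ADDR` never assigned rather than failing at template time (the template body is not in this excerpt, so treat that as inferred). A render-time guard such as `{{ fail "meshGateway.service.type must be LoadBalancer, NodePort or ClusterIP when meshGateway.wanAddress.source=Service" }}`, plus a bats test for it, would make the documented rule real. It would also help to state in this comment that `Service` requires `meshGateway.service.enabled=true`, which the chart does enforce (a bats test in this change checks for `if meshGateway.wanAddress.source=Service then meshGateway.service.enabled must be set to true`).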
@@ -792,17 +801,18 @@ meshGateway:
 # The service option configures the Service that fronts the Gateway Deployment.
 service:
 # Whether to create a Service or not.
- enabled: false
+ enabled: true
 # Type of service, ex. LoadBalancer, ClusterIP.
- type: ClusterIP
+ type: LoadBalancer
 # Port that the service will be exposed on.
 # The targetPort will be set to meshGateway.containerPort.
 port: 443
- # Optional nodePort of the service. Can be used in conjunction with
- # type: NodePort.
+ # Optionally hardcode the nodePort of the service if using type: NodePort.
+ # If not set and using type: NodePort, Kubernetes will automatically assign
+ # a port.
 nodePort: null
 # Optional YAML string for additional annotations.
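Review bot: Changing the defaults to `enabled: true` and `type: LoadBalancer` means a plain install with the mesh gateway enabled now creates a Service that, on clusters with a cloud provider, provisions an externally reachable load balancer for the gateway listener, and the comment `# Type of service, ex. LoadBalancer, ClusterIP.` gives no hint of that. A comment on `type` along the lines of `# LoadBalancer (the default) exposes the gateway outside the cluster; use ClusterIP when WAN peers can reach it internally, or use annotations to request an internal load balancer.` would make the exposure explicit to operators reviewing their values. The comment above `nodePort: null` could also cross-reference that `wanAddress.source=Service` with `type: NodePort` requires a value here, which the chart enforces with a render-time failure (checked by a bats test in this change).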