Skip to content

Commit

Permalink
Refactor ConnectInject to use authmethods (#1076)
Browse files Browse the repository at this point in the history 
Refactor connect-injector to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.
  • Loading branch information
@thisisnotashwin @jmurret
thisisnotashwin authored and jmurret committed Mar 11, 2022
1 parent eba45eb commit c5cbcec
Show file tree
Hide file tree
Showing 10 changed files with 560 additions and 542 deletions.
7 changes: 0 additions & 7 deletions charts/consul/templates/connect-inject-clusterrole.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,13 +41,6 @@ rules:
- use
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ template "consul.fullname" . }}-connect-inject-acl-token
verbs:
- get
- apiGroups: [""]
resources:
- serviceaccounts
Expand Down
76 changes: 64 additions & 12 deletions charts/consul/templates/connect-inject-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN_FILE
value: "/consul/login/acl-token"
{{- end }}
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
Expand All @@ -80,12 +84,6 @@ spec:
secretKeyRef:
name: {{ .Values.connectInject.aclInjectToken.secretName }}
key: {{ .Values.connectInject.aclInjectToken.secretKey }}
{{- else if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN
valueFrom:
secretKeyRef:
name: "{{ template "consul.fullname" . }}-connect-inject-acl-token"
key: "token"
{{- end }}
- name: CONSUL_HTTP_ADDR
{{- if .Values.global.tls.enabled }}
Expand Down Expand Up @@ -216,6 +214,16 @@ spec:
-default-consul-sidecar-cpu-request={{ $consulSidecarResources.requests.cpu }} \
{{- end }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
lifecycle:
preStop:
exec:
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane consul-logout
{{- end }}
startupProbe:
httpGet:
path: /readyz/ready
Expand Down Expand Up @@ -246,6 +254,9 @@ spec:
- name: certs
mountPath: /etc/connect-injector/certs
readOnly: true
- mountPath: /consul/login
name: consul-data
readOnly: true
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
Expand All @@ -264,6 +275,9 @@ spec:
secret:
defaultMode: 420
secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert
- name: consul-data
emptyDir:
medium: "Memory"
{{- if .Values.global.tls.enabled }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
- name: consul-ca-cert
Expand All @@ -285,16 +299,57 @@ spec:
{{- end }}
{{- if or (and .Values.global.acls.manageSystemACLs) (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
initContainers:
{{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: injector-acl-init
- name: connect-injector-acl-init
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
- name: CONSUL_HTTP_ADDR
{{- if .Values.global.tls.enabled }}
value: https://$(HOST_IP):8501
{{- else }}
value: http://$(HOST_IP):8500
{{- end }}
image: {{ .Values.global.imageK8S }}
volumeMounts:
- mountPath: /consul/login
name: consul-data
readOnly: false
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane acl-init \
-secret-name="{{ template "consul.fullname" . }}-connect-inject-acl-token" \
-k8s-namespace={{ .Release.Namespace }}
-component-name=connect-injector \
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }}
-acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \
-primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \
{{- else }}
-acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method \
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
-partition={{ .Values.global.adminPartitions.name }} \
{{- end }}
-log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
-log-json={{ .Values.global.logJSON }}
resources:
requests:
memory: "25Mi"
Expand All @@ -303,9 +358,6 @@ spec:
memory: "25Mi"
cpu: "50m"
{{- end }}
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.connectInject.priorityClassName }}
priorityClassName: {{ .Values.connectInject.priorityClassName | quote }}
Expand Down
4 changes: 2 additions & 2 deletions charts/consul/templates/controller-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ spec:
spec:
{{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
initContainers:
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
{{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
Expand Down Expand Up @@ -97,7 +97,7 @@ spec:
-partition={{ .Values.global.adminPartitions.name }} \
{{- end }}
-log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
-log-json={{ .Values.global.logJSON }} \
-log-json={{ .Values.global.logJSON }}
resources:
requests:
memory: "25Mi"
Expand Down
2 changes: 1 addition & 1 deletion charts/consul/templates/server-acl-init-job.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -183,7 +183,7 @@ spec:
{{- end }}
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
-create-inject-token=true \
-connect-inject=true \
{{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }}
-auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \
{{- end }}
Expand Down
14 changes: 0 additions & 14 deletions charts/consul/test/unit/connect-inject-clusterrole.bats
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,17 +26,3 @@ load _helpers
yq -r '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}

#--------------------------------------------------------------------
# global.acls.manageSystemACLs

@test "connectInject/ClusterRole: secret access with global.acls.manageSystemACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-s templates/connect-inject-clusterrole.yaml \
--set 'connectInject.enabled=true' \
--set 'global.acls.manageSystemACLs=true' \
. | tee /dev/stderr |
yq -r '.rules | map(select(.resources[0] == "secrets")) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
Loading

0 comments on commit c5cbcec

Please sign in to comment.