
api-gateway: allow controller to bind PodSecurityPolicy to ServiceAccounts that it creates #1672

Merged
merged 6 commits into main from gateway-psp on Nov 4, 2022

Conversation

@nathancoleman nathancoleman commented Nov 2, 2022

Note: This builds on #1656

Changes proposed in this PR:

When a user has both global.enablePodSecurityPolicies=true and apiGateway.enabled=true:

  • Create a PodSecurityPolicy for use by all Deployments that the API gateway controller creates to back a Gateway
  • Allow the API gateway controller to use PodSecurityPolicies

When global.acls.manageSystemACLs=true is also set:

  • Provide the name of the PodSecurityPolicy to the GatewayClassConfig so that the API gateway controller can bind the policy to the ServiceAccount created for each Gateway. It does this by creating a Gateway-specific Role and RoleBinding.

The API gateway controller could create the PodSecurityPolicy itself; however, this isn't nearly as flexible, as any user requiring a slight change in the PSP would need a code release from us. This way, they can modify the PSP created by the Helm chart however they wish, or they can create their own PSP and reference it in the GatewayClassConfig.

How I've tested this PR:

Create a K8s cluster that requires PodSecurityPolicies. On GKE, for example:

$ gcloud beta container clusters create cluster-1 --enable-pod-security-policy --region us-east1

Then install this version of the Helm chart, verifying that the PodSecurityPolicy is created and the ClusterRole for the API gateway controller has the modified set of permissions.

global:
  enablePodSecurityPolicies: true
  acls:
    manageSystemACLs: true
...
apiGateway:
  enabled: true
  ...

How I expect reviewers to test this PR:
👀 verify that the permissions added here are as restricted as they can possibly be while meeting requirements

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@nathancoleman nathancoleman added labels area/chart-only (Related to changes that simply require yaml Helm chart changes, e.g. exposing a new field), theme/api-gateway (Related to Consul API Gateway) and backport/0.49.x (0.49.x release branches) on Nov 2, 2022
@nathancoleman nathancoleman marked this pull request as ready for review November 3, 2022 18:44
@nathancoleman nathancoleman requested review from a team, thisisnotashwin and t-eckert and removed request for a team November 3, 2022 19:02
@nathancoleman nathancoleman left a comment
Personal review

Comment on lines +248 to +253
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs:
- use
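Review bot: this rule has no resourceNames, so the controller may `use` every PodSecurityPolicy in the cluster, not only the ones the chart creates. The author's comment below explains that RBAC escalation prevention forces this, but the consequence (a GatewayClassConfig may name any PSP and the controller will bind it to gateway ServiceAccounts) is worth stating in the values.yaml documentation for enablePodSecurityPolicies so operators understand the scope of what they are granting.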
Member Author
This was previously narrowed to the specific PodSecurityPolicy created for the API Gateway controller; however, the controller needs to be able to create Roles/RoleBindings that use whatever PSP is named in the GatewayClassConfig. Since you can't grant permissions that you don't have, the controller needs to be able to use more than just the PSP that applies to itself.

Comment on lines +254 to +263
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- use
- create
- get
- list
- watch
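Review bot: `use` is not a verb the RBAC API defines for roles or rolebindings (it applies to podsecuritypolicies), so the `use` entry in this rule is dead and should be dropped to keep the grant minimal. Separately, the rule grants create without delete, so cleanup of the per-Gateway Role and RoleBinding when a Gateway is removed has to come from ownerReferences and garbage collection; confirm the controller sets them, otherwise these objects accumulate.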
Member Author

I'm not a huge fan of allowing the API gateway controller to create Roles + RoleBindings; however, I don't see any other way to accomplish attaching a PodSecurityPolicy to each and every Deployment that the controller creates. Due to this, I've narrowed down the permissions as much as possible - note that it can't update existing resources - and only grant these permissions to the API gateway controller when global.enablePodSecurityPolicies is set.

Contributor


Thanks so much for the detail in the comment. I really appreciate it.
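The PR description and the two ClusterRole comments above rest on one Kubernetes rule: a subject may only create a Role whose permissions it already holds, which is why the controller needs `use` on any PSP a GatewayClassConfig might name. The following is an added example, not code from consul-k8s or the API gateway controller: it builds the per-Gateway Role and RoleBinding the PR describes and runs a simplified version of that escalation check against the ClusterRole rules from this thread. The PSP names, the object names and the narrowed "own PSP only" rule are constructed for the example.

```python
"""Model of the PSP-binding pattern in this PR (added example, not project code).

Two things the thread discusses are modelled here:
  1. the Role + RoleBinding the API gateway controller creates so that a
     Gateway's ServiceAccount may `use` a PodSecurityPolicy;
  2. RBAC escalation prevention: creating a Role requires already holding every
     permission it grants, so the controller must be able to `use` any PSP it
     may be asked to bind, not only the PSP that applies to itself.
Rule shapes follow rbac.authorization.k8s.io/v1; no Kubernetes client is used.
"""
from typing import Dict, List, Optional, Tuple

Rule = Dict[str, List[str]]
Need = Tuple[str, str, Optional[str], str]  # (apiGroup, resource, resourceName, verb)

# Verbs from the controller ClusterRole in this PR. `use` on roles/rolebindings is
# omitted because the RBAC API defines `use` only for podsecuritypolicies.
CONTROLLER_RULES: List[Rule] = [
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"], "verbs": ["use"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"],
     "verbs": ["create", "get", "list", "watch"]},
]

# The earlier, narrower variant the author describes: `use` only on the
# controller's own PSP. The PSP name is constructed for this example.
NARROWED_RULES: List[Rule] = [
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "resourceNames": ["consul-api-gateway-controller"], "verbs": ["use"]},
    CONTROLLER_RULES[1],
]


def psp_binding_manifests(psp_name: str, sa_name: str, namespace: str, gateway: str):
    """Role + RoleBinding letting ServiceAccount `sa_name` use PSP `psp_name`.

    Mirrors what the PR says the controller creates per Gateway; the object
    names are this example's choice, not the controller's.
    """
    name = f"{gateway}-psp"  # hypothetical naming scheme
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [{
            "apiGroups": ["policy"],
            "resources": ["podsecuritypolicies"],
            "resourceNames": [psp_name],  # scope the grant to this one PSP
            "verbs": ["use"],
        }],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}],
    }
    return role, binding


def rule_allows(rule: Rule, group: str, resource: str, name: Optional[str], verb: str) -> bool:
    """Does one PolicyRule permit (group, resource, name, verb)? name=None means 'any name'."""
    def listed(key: str, value: str) -> bool:
        allowed = rule.get(key, [])
        return "*" in allowed or value in allowed

    if not (listed("apiGroups", group) and listed("resources", resource) and listed("verbs", verb)):
        return False
    names = rule.get("resourceNames")
    if not names:
        return True  # not name-restricted: covers every resource name
    # A name-restricted grant can never cover a need for "any name".
    return name is not None and name in names


def is_allowed(rules: List[Rule], group: str, resource: str, name: Optional[str], verb: str) -> bool:
    return any(rule_allows(r, group, resource, name, verb) for r in rules)


def expand(rule: Rule) -> List[Need]:
    """Flatten a PolicyRule into the individual permissions it grants."""
    names = rule.get("resourceNames") or [None]
    return [(g, r, n, v) for g in rule["apiGroups"] for r in rule["resources"]
            for n in names for v in rule["verbs"]]


def covers(granted: List[Rule], needed: List[Rule]) -> bool:
    """Simplified escalation-prevention check: every permission in `needed` must
    already be held through `granted` (the apiserver applies this to subjects
    lacking the `escalate` verb when they create or update a Role)."""
    return all(is_allowed(granted, *need) for rule in needed for need in expand(rule))


def can_controller_bind(controller_rules: List[Rule], psp_name: str) -> bool:
    """Would a controller holding `controller_rules` be allowed to create the
    Role that binds `psp_name` to a Gateway ServiceAccount?"""
    role, _ = psp_binding_manifests(psp_name, "gw-sa", "default", "example-gw")
    return (is_allowed(controller_rules, "rbac.authorization.k8s.io", "roles", None, "create")
            and covers(controller_rules, role["rules"]))


if __name__ == "__main__":
    for rules, label in ((CONTROLLER_RULES, "PR ClusterRole"), (NARROWED_RULES, "narrowed ClusterRole")):
        for psp in ("consul-api-gateway", "consul-api-gateway-controller", "my-custom-psp"):
            print(f"{label}: can bind {psp}: {can_controller_bind(rules, psp)}")
    print("controller may update roles:",
          is_allowed(CONTROLLER_RULES, "rbac.authorization.k8s.io", "roles", None, "update"))
```

The narrowed ClusterRole can bind only its own PSP, which is the situation the author moved away from; the PR's ClusterRole can bind any PSP but still cannot update or delete existing Roles.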

@@ -15,6 +15,9 @@ spec:
{{- if .Values.global.acls.manageSystemACLs }}
managed: true
method: {{ template "consul.fullname" . }}-k8s-auth-method
{{- if .Values.global.enablePodSecurityPolicies }}
podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway
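Review bot: podSecurityPolicy is rendered only inside the manageSystemACLs block, which matches the PR description, but it leaves the combination enablePodSecurityPolicies=true with manageSystemACLs=false silent: Gateway Deployments then get no PSP bound through this path. A short note in the values.yaml docs for enablePodSecurityPolicies saying the binding requires managed ACLs would avoid surprise.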
Member Author

This specifies the name of the podSecurityPolicy that should apply to any Gateway using this GatewayClassConfig. The API gateway controller will then create a Role and RoleBinding to bind this PSP to the ServiceAccount that it creates.

This is intentionally pretty flexible so that a user doesn't need a code release from us if they, for example, wanted to create their own PodSecurityPolicy and have the API gateway controller use that. By allowing this, we let users tailor to their needs without requiring a code release from us.

@@ -0,0 +1,45 @@
{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }}
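Review bot: the PodSecurityPolicy this guard wraps must be named `{{ template "consul.fullname" . }}-api-gateway` to match the podSecurityPolicy value written into the GatewayClassConfig template; a bats test that renders both templates and compares the two names would catch drift between the files.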
Member Author

This is the PSP that will be applied to all Gateway deployments by default when global.enablePodSecurityPolicies=true. As I mentioned above, customers needing something more or less restrictive could create their own PodSecurityPolicy or modify this one and have the API gateway controller use it instead.

This is based on the PSP that we use for the API gateway controller with some slight modifications. Please review this for sensibility.

Contributor

@thisisnotashwin thisisnotashwin left a comment


Loved the comment and the detail! This looks great!


Contributor

@t-eckert t-eckert left a comment


Great work! Thanks for the detail on how to test the PR.

--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=foo' \
. | tee /dev/stderr |
yq '.rules[] | select((.resources[0] == "roles") and (.resources[1] == "rolebindings") and (.verbs[0] == "create")) | length > 0' | tee /dev/stderr)
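Review bot: the select matches by position (.resources[0] == "roles", .verbs[0] == "create"), which is brittle: reordering the rule silently turns the test into a no-match, and the ClusterRole snippet earlier in this thread lists `use` before `create`, which this positional check would not accept. Matching on membership of each expected resource and verb instead, as the later "Check for additional verbs on cluster role" commit suggests, is more robust and also covers the get/list/watch question raised below.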
Contributor


Is it worth checking get, list, and watch too?

Member Author


No reason not to, I'll add that in a few minutes 💯

Contributor

@kschoche kschoche left a comment


🔥
Great work on this!

@nathancoleman nathancoleman merged commit c7d9462 into main Nov 4, 2022
@nathancoleman nathancoleman deleted the gateway-psp branch November 4, 2022 21:46
nathancoleman added a commit that referenced this pull request Nov 4, 2022
…ounts that it creates (#1672)

* Add PodSecurityPolicy for all Gateway Deployments

* Allow API gateway controller to manage roles + bindings

* Add entry to CHANGELOG

* Consolidate controller ClusterRole mods for enablePodSecurityPolicies

* Update/add unit test coverage for controller ClusterRole

* Check for additional verbs on cluster role
- this dockerfile more closely matches what is found in main, the big difference being that 0.49 supports go 1.18 instead of 1.19 (at the time of this commit)
- added a new make target for creating the test docker image

* created a new workflow for running nightly release branch tests
- only run a single cloud test (arbitrarily GKE) and kind testing. A single cloud test is sufficient for release branch testing
- gcloud plugin enabled to handle deprecations with older gke cli
- updated consul-helm-test-image to latest version

* Backport of Add support for maxConnections, maxConcurrentRequests, and maxPendingRequests to IngressGateway CRD into release/0.49.x (hashicorp#1700)

* backport of commit 7592592

* backport of commit 876eb7c

* backport of commit 438aae1

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* peering: update exported services CRD and bump api module (hashicorp#1596) (hashicorp#1705)

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Add support for maxConnections, maxConcurrentRequests, and maxPendingRequests to IngressGateway CRD (hashicorp#1691) (hashicorp#1706)

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* add missing changelog from backport (hashicorp#1713)

* release: bump consul image to 1.13.3 (hashicorp#1715)

* bump consul image to 1.13.3 and run make prepare-release

* unit test with 1.13.3 

* fix unit tests with consul 1.13.3 (hashicorp#1720)

* backport of commit 9cb4489

* set release back into dev mode (hashicorp#1724)

* Backport of Dockerfile: bump up ubi-minimal image to 9.1 into release/0.49.x (hashicorp#1728)

* backport of commit a6f01f3

Co-authored-by: David Yu <dyu@hashicorp.com>

* Add support for LocalConnectTimeoutMs and LocalRequestTimeoutMs on service-defaults CRD (hashicorp#1647) (hashicorp#1748)

* Add support for LocalConnectTimeoutMs and LocalRequestTimeoutMs on the Service Defaults CRD
* auto gen code
* revert the change from make ctrl-generate ctrl-manifests

Co-authored-by: Zhouyang Zhang <84437068+erdanzhang@users.noreply.github.com>

* Backport of Disable PodSecurityPolicy when global.enablePodSecurityPolicies set to false into release/0.49.x (hashicorp#1745)

* no-op commit due to failed cherry-picking

* Disable PodSecurityPolicy when global.enablePodSecurityPolicies set to false (hashicorp#1693)

Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: James (Anh-Tu) Nguyen <tunguyen9889@users.noreply.github.com>

* Release 0.49.2 (hashicorp#1764)

* Release 0.49.2

* set to 0.49.3 dev mode (hashicorp#1766)

* Add global.extraLabels values.yaml setting (hashicorp#1771) (hashicorp#1778)

* Add global.extraLabels values.yaml setting
This setting lets you apply a set of labels to all pods created by the
consul-k8s helm chart.
* Also apply global extra labels to deployments/daemonsets/statefulsets/jobs
* Add global extraLabels to sync catalog deployment

Co-authored-by: Chris Bruce <christopher.bruce@blackrock.com>

* Backport of Update CHANGELOG.md to describe change global.extraLabels into release/0.49.x (hashicorp#1780)

Co-authored-by: David Yu <dyu@hashicorp.com>

* Backport of Ignore partition/namespace on SourceIntention list to match top-level compare logic into release/0.49.x (hashicorp#1806)

* backport of commit a2ba891
* Add changelog note

Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>

* values.yaml - helm chart docs edits for 0.49.x (hashicorp#1805)

* helm chart docs edits
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

* Create annotation to allow users to use proxy health check (hashicorp#1824) (hashicorp#1830)

* Add health checks for services that are synced (hashicorp#1821) (hashicorp#1839)

* Add health checks for services that are synced
- When the type of the service is ClusterIP, a health check will be added to the catalog registration with the health info of the service based on the state of the readiness probe of the pod associated with the service.
- Replace `apiv1` with `corev1` to be consistent across the project.
- Run `go mod tidy`.

* Use Proxy Healthchecks when configured. (hashicorp#1843)

- When a service is configured with the correct annotation, a readiness endpoint will be configured in Consul dataplane, and the readiness probe of the sidecar will be configured to use that endpoint to determine the health of the system. Additionally, when t-proxy is enabled, that port shall be in the ExcludeList for inbound connections.

* Pre-release 0.49.3 (hashicorp#1857)

* set dev mode for 0.49.4 (hashicorp#1859)

* Exclude openebs namespace from injection. (hashicorp#1869) (hashicorp#1875)

* Exclude openebs namespace from injection.

OpenEBS is a Kubernetes storage solution. When you spin up a PVC, under
the hood OpenEBS creates a pod to handle the necessary storage
operations. If the openebs namespace is not excluded from injection,
that pod can't start because our mutatingwebhook config requires all pod
scheduling requests make it to our webhook and our webhook isn't running
yet because the consul servers aren't running.

This is a breaking change but I think it's worth it because it's very
unlikely anyone is using the openebs namespace for anything other than
openebs.

* Changelog

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* backport of commit ef500b3

* Backport of Dockerfile: Remove gnupg from Consul k8s container into release/0.49.x (hashicorp#1883)

* manual fix of changelog

Co-authored-by: David Yu <dyu@hashicorp.com>

* Backport of Dockerfile: remove `gnupg` from dev image into release/0.49.x (hashicorp#1886)

Co-authored-by: David Yu <dyu@hashicorp.com>

* Pre-release update for 0.49.4 (hashicorp#1888)

* Prepare dev 0.49.5 (hashicorp#1896)

* backport of commit d161351

* [0.49.x] remove livenessProbe from pods with preStop lifecycle hooks that delete ACL tokens (hashicorp#1914)

Currently we use an init container to create a consul ACL token via an
auth method. We configure a preStop lifecycle hook to delete this token
to avoid leaking it but this executes when containers get restarted, not
just when the pod is destroyed.

This means that if a container livenessProbe fails and triggers a
container to be restarted in place the token it was using will be
destroyed but not recreated.

* Backport of Dockerfile: bump Alpine base image to 3.17 into release/0.49.x (hashicorp#1936)

* Manual backport to 0.49.x
Co-authored-by: David Yu <dyu@hashicorp.com>

* Enable envoy bootstrap config logging if global.logLevel == debug (hashicorp#1910)

* Backport of Update links to support DevDot into release/0.49.x (hashicorp#1949)

* fix merge conflicts

---------

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

* Cherry pick terraform checks (hashicorp#1962)

* added CI test to catch bad terraform formatting

* formatted terraform files

* update prepare release to update the changelog (hashicorp#1959)

- Prepare release now requires an additional LAST_RELEASE_GIT_TAG environment variable required by go-changelog
- removed adding the unreleased tag to the Changelog as we will no longer be doing that. All changelog entries will be added at the time of release by the go-changelog tool

* backport of commit fa4c4be

* backport of commit b68593f

* backport of commit a020048

* updated go version to fix cve https://go.dev/issue/58001 (hashicorp#1975)

* updated go version to fix cve https://go.dev/issue/58001

* updated go version to fix cve https://go.dev/issue/58001
- updated go version to use 1.19 everywhere

* update to remove deprecated ioutil

* added changelog files (hashicorp#1981)

- removed unreleased section, we'll now be generating changelog entries as part of the release process

* backport of commit c740fed

* backport of commit d482dd9

* update to consul 1.13.7 (hashicorp#1993)

* ready for 0.49.5 release (hashicorp#2000)

* ready for 0.49.6 dev (hashicorp#2004)

* Backport of values.yaml - set default connect inject init cpu resource limits to `null` to increase service registration times into release/0.49.x (hashicorp#2019)

* backport of commit 7a99af0

---------

Co-authored-by: David Yu <dyu@hashicorp.com>

* backport of commit b89d4aa

* Sync GHA release 0.49.x from main (hashicorp#2058)

* Manual Backport of security: update Go version to 1.19.9 (hashicorp#2108) (hashicorp#2110)

* security: update Go version to 1.19.9

* refactor: go fmt and go mod tidy

* backport of commit 620a80b (hashicorp#2112)

Co-authored-by: DanStough <dan.stough@hashicorp.com>

* chore(ci): fix backport assistant not finding new branches (hashicorp#2116)

* backport of commit ee35a30 (hashicorp#2130)

Co-authored-by: DanStough <dan.stough@hashicorp.com>

* backport of commit 3fdcf96 (hashicorp#2147)

Co-authored-by: Curt Bushko <cbushko@gmail.com>

* Prep release 0.49.6 (hashicorp#2151)

* set dev mode 0.49.7 (hashicorp#2155)

* backport of commit 583d51e (hashicorp#2186)

Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com>

* backport of commit 35593ca (hashicorp#2190)

Co-authored-by: Curt Bushko <cbushko@gmail.com>

* backport of commit 08a2cd3 (hashicorp#2206)

Co-authored-by: DanStough <dan.stough@hashicorp.com>

* backport of commit 5bb00eb (hashicorp#2219)

Co-authored-by: Eric <eric@haberkorn.co>

* backport of commit 71293af (hashicorp#2234)

Co-authored-by: Curt Bushko <cbushko@gmail.com>

---------

Signed-off-by: Evan Culver <eculver@hashicorp.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>
Co-authored-by: Jean Morais <jeanmorais@users.noreply.github.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Erik Berg <eb4x@users.noreply.github.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: jjwong <64273338+WJay-tec@users.noreply.github.com>
Co-authored-by: Kyle Penfound <kylepenfound@protonmail.com>
Co-authored-by: DanStough <dan.stough@hashicorp.com>
Co-authored-by: Evan Culver <eculver@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: brian shore <bshore@hashicorp.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
Co-authored-by: cskh <hui.kang@hashicorp.com>
Co-authored-by: Curt Bushko <cbushko@gmail.com>
Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>
Co-authored-by: Thomas Eckert <thomas.james.eckert@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com>
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>
Co-authored-by: Sujata Roy <61177855+20sr20@users.noreply.github.com>
Co-authored-by: hc-github-team-consul-ecosystem <82990057+hc-github-team-consul-ecosystem@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
Co-authored-by: malizz <maliheh.monshizadeh@hashicorp.com>
Co-authored-by: Michele Degges <mdeggies@gmail.com>
Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
Co-authored-by: Zhouyang Zhang <84437068+erdanzhang@users.noreply.github.com>
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: James (Anh-Tu) Nguyen <tunguyen9889@users.noreply.github.com>
Co-authored-by: Chris Bruce <christopher.bruce@blackrock.com>
Co-authored-by: Ashwin Venkatesh <ashwin.what@gmail.com>
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com>
Co-authored-by: Eric <eric@haberkorn.co>
Labels
- area/chart-only: Related to changes that simply require yaml Helm chart changes, e.g. exposing a new field
- backport/0.49.x: 0.49.x release branches
- theme/api-gateway: Related to Consul API Gateway