Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ACL support #766

Merged
merged 4 commits into from
Oct 15, 2021
Merged

Add ACL support #766

merged 4 commits into from
Oct 15, 2021

Conversation

thisisnotashwin
Copy link
Contributor

@thisisnotashwin thisisnotashwin commented Oct 6, 2021
edited
Loading

Changes proposed in this PR:

  • Update server-acl-init job to create tokens that are partition aware when Admin Partitions are enabled.
  • server-acl-init creates a partition-token that is used by partition-init and server-acl-init in non-default-partitions.
  • Update partition-init to use provided partition-token when ACLs are enabled.

How I've tested this PR:

  • deployed manifests with ACLs enabled on server and non-server cluster and validated things worked as expected.
    sample server YAML
global:
  enableConsulNamespaces: true
  tls:
    enabled: true
  image: ashwinvenkatesh/consul@sha256:d799bdc9f6c42fd42438b22cb17cce1e3f49a188df2b55a85b8bc0906b78b081
  imageK8S: ashwinvenkatesh/consul-k8s@sha256:2c328df1337dddeebe85b886098e70ed8ab8e9ee44f027cd9502b5f14f7c28fa
  adminPartitions:
    enabled: true
  acls:
    manageSystemACLs: true
server:
  exposeGossipAndRPCPorts: true
  enterpriseLicense:
    secretName: license
    secretKey: key
connectInject:
  enabled: true
  transparentProxy:
    defaultEnabled: false
  consulNamespaces:
    mirroringK8S: true
controller:
  enabled: true

sample non-server YAML

global:
  enabled: false
  enableConsulNamespaces: true
  image: ashwinvenkatesh/consul@sha256:d799bdc9f6c42fd42438b22cb17cce1e3f49a188df2b55a85b8bc0906b78b081
  imageK8S: ashwinvenkatesh/consul-k8s@sha256:2c328df1337dddeebe85b886098e70ed8ab8e9ee44f027cd9502b5f14f7c28fa
  adminPartitions:
    enabled: true
    name: "red"
  tls:
    enabled: true
    caCert:
      secretName: consul-consul-ca-cert
      secretKey: tls.crt
    caKey:
      secretName: consul-consul-ca-key
      secretKey: tls.key
  acls:
    manageSystemACLs: true
    bootstrapToken:
      secretName: consul-consul-partitions-acl-token
      secretKey: token
server:
  enterpriseLicense:
    secretName: license
    secretKey: key
externalServers:
  enabled: true
  hosts: [ "35.192.119.38" ]
  tlsServerName: server.dc1.consul
  k8sAuthMethodHost: https://34.121.209.52
client:
  enabled: true
  exposeGossipPorts: true
  join: [ "35.192.119.38" ]
connectInject:
  enabled: true
  consulNamespaces:
    mirroringK8S: true
controller:
  enabled: true

k8s auth method host and join addresses will vary depending on your clusters. copy over the tls certs for ca-cert and ca-key and also the consul-partitions-acl-token

How I expect reviewers to test this PR:

  • code review
  • try creating partitions. reach out if you'd like to pair on it

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@thisisnotashwin thisisnotashwin requested review from ishustava, a team and lkysow and removed request for a team October 6, 2021 22:29
@thisisnotashwin
Copy link
Contributor Author

Looks like connect appears to not work right now. Moving this PR back to draft until I fix this.

@thisisnotashwin thisisnotashwin marked this pull request as draft October 7, 2021 12:48
@thisisnotashwin thisisnotashwin force-pushed the partition-acls branch 3 times, most recently from a8008ac to 084fa55 Compare October 7, 2021 16:19
@thisisnotashwin
Copy link
Contributor Author

UPDATE: The connect issue has been resolved, but there is a bug in Consul where there isn't a partitioned policy that allows namespace creation. That is being worked on but this PR should have the changes required to work once those changes have been made to Consul.

@thisisnotashwin thisisnotashwin marked this pull request as ready for review October 7, 2021 19:02
@thisisnotashwin thisisnotashwin force-pushed the partition-acls branch 5 times, most recently from 9f4e8bb to c91a5f7 Compare October 9, 2021 02:14
ishustava
ishustava reviewed Oct 12, 2021
View reviewed changes
control-plane/subcommand/server-acl-init/command.go Outdated Show resolved Hide resolved
control-plane/subcommand/server-acl-init/command.go Outdated Show resolved Hide resolved
charts/consul/templates/partition-init-job.yaml Outdated Show resolved Hide resolved
charts/consul/templates/partition-init-job.yaml Show resolved Hide resolved
charts/consul/test/acceptance/tests/partitions/partitions_test.go Outdated Show resolved Hide resolved
charts/consul/test/acceptance/tests/partitions/partitions_test.go Outdated Show resolved Hide resolved
charts/consul/test/unit/partition-init-job.bats Outdated Show resolved Hide resolved
control-plane/subcommand/server-acl-init/command_ent_test.go Outdated Show resolved Hide resolved
control-plane/subcommand/server-acl-init/command_ent_test.go Show resolved Hide resolved
control-plane/subcommand/server-acl-init/rules.go Outdated Show resolved Hide resolved
@thisisnotashwin thisisnotashwin force-pushed the partition-acls branch 2 times, most recently from f94899a to dcb2d87 Compare October 15, 2021 16:05
@thisisnotashwin
Add ACL support
7df533a 
- Update server-acl-init job to create tokens that are partition aware
  when Admin Partitions are enabled.
- server-acl-init creates a partition-token that is used by
  partition-init and server-acl-init in non-default-partitions.
- Update partition-init to use provided partition-token when ACLs are
  enabled.
- Update license-policy to be acl:write when created in a partition.
@thisisnotashwin
Add connect style acceptance tests to test namespace and connect within
f8b74c7 
partitions
@thisisnotashwin thisisnotashwin force-pushed the partition-acls branch 2 times, most recently from 8382bc9 to a1931c4 Compare October 15, 2021 16:20
lkysow
lkysow approved these changes Oct 15, 2021
View reviewed changes
control-plane/subcommand/server-acl-init/command.go
@@ -169,6 +173,11 @@ func (c *Command) init() {
c.flags.BoolVar(&c.flagUseHTTPS, "use-https", false,
"Toggle for using HTTPS for all API calls to Consul.")

c.flags.BoolVar(&c.flagEnablePartitions, "enable-partitions", false,
"[Enterprise Only] Enables Admin Partitions [Enterprise only feature]")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

probably don't need both Enterprise warnings, I think just the [Enterprise Only] will do

control-plane/subcommand/server-acl-init/command.go Outdated
@@ -382,19 +396,33 @@ func (c *Command) Run(args []string) int {
}
}

if c.flagEnablePartitions && c.flagPartitionName == "default" && isPrimary {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

const defaultPartitionName?

control-plane/subcommand/server-acl-init/command.go
@@ -382,19 +396,33 @@ func (c *Command) Run(args []string) int {
}
}

if c.flagEnablePartitions && c.flagPartitionName == "default" && isPrimary {
// Partition token must be local because only the Primary datacenter can have Admin Partitions.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

must be local or can be local? It would still work if it was global, no?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes sense. It can be local. It would still work, but given Admin Partitions are not supported in non-primary DCs, it could be confusing for it to be global. I'll reword this.

control-plane/subcommand/server-acl-init/command.go Show resolved Hide resolved
control-plane/subcommand/server-acl-init/rules.go Show resolved Hide resolved
control-plane/subcommand/server-acl-init/rules.go Outdated Show resolved Hide resolved
control-plane/subcommand/server-acl-init/rules.go
mesh = "write"
}`

func (c *Command) crossNamespaceRule() (string, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why singular when the rest are plural?

@thisisnotashwin thisisnotashwin merged commit 14ce739 into main Oct 15, 2021
@thisisnotashwin thisisnotashwin deleted the partition-acls branch October 15, 2021 20:18
ottaviohartman pushed a commit to ottaviohartman/consul-k8s that referenced this pull request Nov 3, 2021
@lkysow
Re-enabled openshift tests (hashicorp#766)
e38981f 
* Use new HashiCorp Docker mirror
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lkysow lkysow lkysow approved these changes

@ishustava ishustava ishustava approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@thisisnotashwin @lkysow @ishustava