hashicorp · kschoche · Aug 31, 2020 · Aug 26, 2020 · Aug 28, 2020 · Aug 28, 2020
diff --git a/templates/connect-inject-deployment.yaml b/templates/connect-inject-deployment.yaml
@@ -1,6 +1,7 @@
 {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}{{ fail "clients must be enabled for connect injection" }}{{ end }}
 {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for connect injection" }}{{ end }}
+{{ if .Values.connectInject.imageEnvoy -}} {{ fail "connectInject.imageEnvoy must be specified in global.imageEnvoy" -}} {{ end }}
 # The deployment for running the Connect sidecar injector
 apiVersion: apps/v1
 kind: Deployment
@@ -80,8 +81,8 @@ spec:
               consul-k8s inject-connect \
                 -default-inject={{ .Values.connectInject.default }} \
                 -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \
-                {{ if .Values.connectInject.imageEnvoy -}}
-                -envoy-image="{{ .Values.connectInject.imageEnvoy }}" \
+                {{ if .Values.global.imageEnvoy -}}
+                -envoy-image="{{ .Values.global.imageEnvoy }}" \
                 {{ end -}}
                 -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \
                 -listen=:8080 \

diff --git a/templates/mesh-gateway-deployment.yaml b/templates/mesh-gateway-deployment.yaml
@@ -2,6 +2,7 @@
 {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
 {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true" }}{{ end -}}
 {{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}}
+{{ if .Values.meshGateway.imageEnvoy -}} {{ fail "meshGateway.imageEnvoy must be specified in global.imageEnvoy" -}} {{ end }}
 {{- /* The below test checks if clients are disabled (and if so, fails). We use the conditional from other client files and prepend 'not' */ -}}
 {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}{{ fail "clients must be enabled" }}{{ end -}}
 apiVersion: apps/v1
@@ -221,7 +222,7 @@ spec:
               cpu: "50m"
       containers:
         - name: mesh-gateway
-          image: {{ .Values.meshGateway.imageEnvoy | quote }}
+          image: {{ .Values.global.imageEnvoy | quote }}
           {{- if .Values.meshGateway.resources }}
           resources:
             {{- if eq (typeOf .Values.meshGateway.resources) "string" }}

diff --git a/test/unit/connect-inject-deployment.bats b/test/unit/connect-inject-deployment.bats
@@ -128,27 +128,28 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
-@test "connectInject/Deployment: envoy-image is not set" {
+@test "connectInject/Deployment: envoy-image can be set via global" {
   cd `chart_dir`
   local actual=$(helm template \
       -s templates/connect-inject-deployment.yaml  \
       --set 'connectInject.enabled=true' \
+      --set 'global.imageEnvoy=foo' \
       . | tee /dev/stderr |
-      yq '.spec.template.spec.containers[0].command | any(contains("-envoy-image"))' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+      yq '.spec.template.spec.containers[0].command | any(contains("-envoy-image=\"foo\""))' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
 }
 
-@test "connectInject/Deployment: envoy-image can be set" {
+@test "connectInject/Deployment: setting connectInject.imageEnvoy fails" {
   cd `chart_dir`
-  local actual=$(helm template \
+  run helm template \
       -s templates/connect-inject-deployment.yaml  \
       --set 'connectInject.enabled=true' \
-      --set 'connectInject.imageEnvoy=foo' \
-      . | tee /dev/stderr |
-      yq '.spec.template.spec.containers[0].command | any(contains("-envoy-image=\"foo\""))' | tee /dev/stderr)
-  [ "${actual}" = "true" ]
+      --set 'connectInject.imageEnvoy=new/image' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "connectInject.imageEnvoy must be specified in global" ]]
 }
 
+
 #--------------------------------------------------------------------
 # cert secrets
 

diff --git a/test/unit/mesh-gateway-deployment.bats b/test/unit/mesh-gateway-deployment.bats
@@ -239,16 +239,15 @@ key2: value2' \
   [ "${actual}" = "envoyproxy/envoy-alpine:v1.14.2" ]
 }
 
-@test "meshGateway/Deployment: envoy image can be set" {
+@test "meshGateway/Deployment: setting meshGateway.imageEnvoy fails" {
   cd `chart_dir`
-  local actual=$(helm template \
+  run helm template \
       -s templates/mesh-gateway-deployment.yaml  \
       --set 'meshGateway.enabled=true' \
       --set 'connectInject.enabled=true' \
-      --set 'meshGateway.imageEnvoy=new/image' \
-      . | tee /dev/stderr |
-      yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
-  [ "${actual}" = "new/image" ]
+      --set 'meshGateway.imageEnvoy=new/image' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "meshGateway.imageEnvoy must be specified in global" ]]
 }
 
 #--------------------------------------------------------------------

diff --git a/values.yaml b/values.yaml
@@ -55,10 +55,6 @@ global:
   # If using Consul Enterprise namespaces, must be >= 0.12.
   imageK8S: "hashicorp/consul-k8s:0.18.1"
 
-  # imageEnvoy defines the default envoy image to use for ingress and
-  # terminating gateways.
-  imageEnvoy: "envoyproxy/envoy-alpine:v1.14.2"
-
   # datacenter is the name of the datacenter that the agents should register
   # as. This can't be changed once the Consul cluster is up and running
   # since Consul doesn't support an automatic way to change this value
@@ -232,6 +228,13 @@ global:
         memory: "50Mi"
         cpu: "20m"
 
+  # imageEnvoy is the name (and tag) of the Envoy Docker image used for the
+  # connect-injected sidecar proxies and the mesh, terminating, and ingress gateways.
+  #. If using Consul 1.7+, the envoy version must be 1.13+.
+  # If not set, the image used depends on the consul-k8s version. For
+  # consul-k8s 0.12.0 the default is envoyproxy/envoy-alpine:v1.13.0.
+  imageEnvoy: "envoyproxy/envoy-alpine:v1.14.2"
+
 # Server, when enabled, configures a server cluster to run. This should
 # be disabled if you plan on connecting to a Consul cluster external to
 # the Kube cluster.
@@ -803,12 +806,6 @@ connectInject:
       memory: "50Mi"
       cpu: "50m"
 
-  # The Docker image for envoy to use as the proxy sidecar when performing
-  # Connect injection. If using Consul 1.7+, the envoy version must be 1.13+.
-  # If not set, the image used depends on the consul-k8s version. For
-  # consul-k8s 0.12.0 the default is envoyproxy/envoy-alpine:v1.13.0.
-  imageEnvoy: null
-
   # namespaceSelector is the selector for restricting the webhook to only
   # specific namespaces. This should be set to a multiline string.
   # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@@ -1072,9 +1069,6 @@ meshGateway:
     # Optional YAML string that will be appended to the Service spec.
     additionalSpec: null
 
-  # Envoy image to use. For Consul v1.7+, Envoy version 1.13+ is required.
-  imageEnvoy: envoyproxy/envoy-alpine:v1.14.2
-
   # If set to true, gateway Pods will run on the host network.
   hostNetwork: false