Refactor mesh-gateway ACL flow

charts/consul/templates/api-gateway-controller-deployment.yaml

@@ -180,7 +180,7 @@ spec:
             {{- if .Values.global.adminPartitions.enabled }}
             -partition={{ .Values.global.adminPartitions.name }} \
             {{- end }}
-            -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
+            -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \
             -log-json={{ .Values.global.logJSON }}
         resources:
           requests:

charts/consul/templates/client-snapshot-agent-deployment.yaml

@@ -229,7 +229,7 @@ spec:
               {{- if .Values.global.adminPartitions.enabled }}
               -partition={{ .Values.global.adminPartitions.name }} \
               {{- end }}
-              -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
+              -log-level={{ default .Values.global.logLevel }} \
               -log-json={{ .Values.global.logJSON }}
         resources:
           requests:

charts/consul/templates/connect-inject-deployment.yaml

@@ -348,7 +348,7 @@ spec:
               {{- if .Values.global.adminPartitions.enabled }}
               -partition={{ .Values.global.adminPartitions.name }} \
               {{- end }}
-              -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
+              -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \
               -log-json={{ .Values.global.logJSON }}
         resources:
           requests:

charts/consul/templates/mesh-gateway-clusterrole.yaml

@@ -19,15 +19,6 @@ rules:
     verbs:
       - use
 {{- end }}
-{{- if .Values.global.acls.manageSystemACLs }}
-  - apiGroups: [""]
-    resources:
-      - secrets
-    resourceNames:
-      - {{ template "consul.fullname" . }}-mesh-gateway-acl-token
-    verbs:
-      - get
-{{- end }}
 {{- if eq .Values.meshGateway.wanAddress.source "Service" }}
   - apiGroups: [""]
     resources:

charts/consul/templates/mesh-gateway-deployment.yaml

@@ -121,36 +121,54 @@ spec:
         {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
         {{- include "consul.getAutoEncryptClientCA" . | nindent 8 }}
         {{- end }}
-        # service-init registers the mesh gateway service.
-        - name: service-init
-          image: {{ .Values.global.imageK8S }}
+        - name: mesh-gateway-init
           env:
-            - name: HOST_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.hostIP
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.hostIP
+          {{- if .Values.global.tls.enabled }}
+          - name: CONSUL_CACERT
+            value: /consul/tls/ca/tls.crt
+          {{- end }}
+          - name: CONSUL_HTTP_ADDR
             {{- if .Values.global.tls.enabled }}
-            - name: CONSUL_HTTP_ADDR
-              value: https://$(HOST_IP):8501
-            - name: CONSUL_CACERT
-              value: /consul/tls/ca/tls.crt
+            value: https://$(HOST_IP):8501
             {{- else }}
-            - name: CONSUL_HTTP_ADDR
-              value: http://$(HOST_IP):8500
+            value: http://$(HOST_IP):8500
             {{- end }}
+          image: {{ .Values.global.imageK8S }}
+          volumeMounts:
+          - mountPath: /consul/login
+            name: consul-data
+            readOnly: false
+          {{- if .Values.global.tls.enabled }}
+          {{- if .Values.global.tls.enableAutoEncrypt }}
+          - name: consul-auto-encrypt-ca-cert
+          {{- else }}
+          - name: consul-ca-cert
+          {{- end }}
+            mountPath: /consul/tls/ca
+            readOnly: true
+          {{- end }}
           command:
             - "/bin/sh"
             - "-ec"
             - |
                 {{- if .Values.global.acls.manageSystemACLs }}
                 consul-k8s-control-plane acl-init \
-                  -secret-name="{{ template "consul.fullname" . }}-mesh-gateway-acl-token" \
-                  -k8s-namespace={{ .Release.Namespace }} \
-                  -token-sink-file=/consul/service/acl-token
+                  -component-name=mesh-gateway \
+                  {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }}
+                  -acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \
+                  -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \
+                  {{- else }}
+                  -acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method \
+                  {{- end }}
+                  {{- if .Values.global.adminPartitions.enabled }}
+                  -partition={{ .Values.global.adminPartitions.name }} \
+                  {{- end }}
+                  -log-level={{ default .Values.global.logLevel }} \
+                  -log-json={{ .Values.global.logJSON }}
                 {{ end }}
 
                 {{- $source := .Values.meshGateway.wanAddress.source }}
@@ -226,23 +244,9 @@ spec:
 
                 /consul-bin/consul services register \
                   {{- if .Values.global.acls.manageSystemACLs }}
-                  -token-file=/consul/service/acl-token \
+                  -token-file=/consul/login/acl-token \
                   {{- end }}
                   /consul/service/service.hcl
-          volumeMounts:
-            - name: consul-service
-              mountPath: /consul/service
-            - name: consul-bin
-              mountPath: /consul-bin
-            {{- if .Values.global.tls.enabled }}
-            {{- if .Values.global.tls.enableAutoEncrypt }}
-            - name: consul-auto-encrypt-ca-cert
-            {{- else }}
-            - name: consul-ca-cert
-            {{- end }}
-              mountPath: /consul/tls/ca
-              readOnly: true
-            {{- end }}
           {{- if .Values.meshGateway.initServiceInitContainer.resources }}
           resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 12 }}
           {{- end }}
@@ -258,6 +262,9 @@ spec:
             {{- end }}
           {{- end }}
           volumeMounts:
+          - mountPath: /consul/login
+            name: consul-data
+            readOnly: true
           - name: consul-bin
             mountPath: /consul-bin
           {{- if .Values.global.tls.enabled }}
@@ -285,12 +292,9 @@ spec:
                   fieldPath: spec.nodeName
             {{- end }}
             {{- if .Values.global.acls.manageSystemACLs }}
-            - name: CONSUL_HTTP_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ template "consul.fullname" . }}-mesh-gateway-acl-token"
-                  key: "token"
-            {{- end}}
+            - name: CONSUL_HTTP_TOKEN_FILE
+              value: /consul/login/acl-token
+            {{- end }}
             {{- if .Values.global.tls.enabled }}
             - name: CONSUL_HTTP_ADDR
               value: https://$(HOST_IP):8501
@@ -337,7 +341,7 @@ spec:
           lifecycle:
             preStop:
               exec:
-                command: ["/bin/sh", "-ec", "/consul-bin/consul services deregister -id=\"{{ .Values.meshGateway.consulServiceName }}\""]
+                command: ["/bin/sh", "-ec", "/consul-bin/consul logout -token-file=/consul/login/acl-token"]
 
         # consul-sidecar ensures the mesh gateway is always registered with
         # the local Consul agent, even if it loses the initial registration.
@@ -389,7 +393,7 @@ spec:
             - -service-config=/consul/service/service.hcl
             - -consul-binary=/consul-bin/consul
             {{- if .Values.global.acls.manageSystemACLs }}
-            - -token-file=/consul/service/acl-token
+            - -token-file=/consul/login/acl-token
             {{- end }}
       {{- if .Values.meshGateway.priorityClassName }}
       priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }}

charts/consul/templates/server-acl-init-job.yaml

@@ -194,7 +194,7 @@ spec:
                 {{- end }}
 
                 {{- if .Values.meshGateway.enabled }}
-                -create-mesh-gateway-token=true \
+                -mesh-gateway=true \
                 {{- end }}
 
                 {{- if .Values.ingressGateways.enabled }}

charts/consul/templates/sync-catalog-deployment.yaml

@@ -276,7 +276,7 @@ spec:
               {{- if .Values.global.adminPartitions.enabled }}
               -partition={{ .Values.global.adminPartitions.name }} \
               {{- end }}
-              -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
+              -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \
               -log-json={{ .Values.global.logJSON }}
         resources:
           requests:

charts/consul/test/unit/mesh-gateway-clusterrole.bats

@@ -32,18 +32,6 @@ load _helpers
   [ "${actual}" = "podsecuritypolicies" ]
 }
 
-@test "meshGateway/ClusterRole: rules for global.acls.manageSystemACLs=true" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -s templates/mesh-gateway-clusterrole.yaml  \
-      --set 'meshGateway.enabled=true' \
-      --set 'connectInject.enabled=true' \
-      --set 'global.acls.manageSystemACLs=true' \
-      . | tee /dev/stderr |
-      yq -r '.rules[0].resources[0]' | tee /dev/stderr)
-  [ "${actual}" = "secrets" ]
-}
-
 @test "meshGateway/ClusterRole: rules for meshGateway.wanAddress.source=Service" {
   cd `chart_dir`
   local actual=$(helm template \