From 6fdd05ac98950a5a36f2e29f44db5104251492ec Mon Sep 17 00:00:00 2001 From: Ashwin Venkatesh Date: Mon, 7 Mar 2022 09:47:46 -0500 Subject: [PATCH] Use a single serviceaccount and rolebinding for all authmethods. --- .../templates/authmethod-clusterrole.yaml | 18 ++++++++ .../authmethod-clusterrolebinding.yaml | 39 +++++++++++++++++ ...nt.yaml => authmethod-serviceaccount.yaml} | 4 +- ...mponent-authmethod-clusterrolebinding.yaml | 20 --------- ...-inject-authmethod-clusterrolebinding.yaml | 22 ---------- .../templates/connect-inject-clusterrole.yaml | 14 ------- .../templates/server-acl-init-role.yaml | 13 +----- .../test/unit/authmethod-clusterrole.bats | 20 +++++++++ .../unit/authmethod-clusterrolebinding.bats | 20 +++++++++ ...nt.bats => authmethod-serviceaccount.bats} | 12 +++--- ...mponent-authmethod-clusterrolebinding.bats | 20 --------- ...-inject-authmethod-clusterrolebinding.bats | 42 ------------------- .../test/unit/server-acl-init-role.bats | 14 ------- .../subcommand/server-acl-init/command.go | 4 +- .../server-acl-init/command_test.go | 6 +-- .../server-acl-init/connect_inject.go | 6 +-- .../server-acl-init/connect_inject_test.go | 6 +-- 17 files changed, 117 insertions(+), 163 deletions(-) create mode 100644 charts/consul/templates/authmethod-clusterrole.yaml create mode 100644 charts/consul/templates/authmethod-clusterrolebinding.yaml rename charts/consul/templates/{component-authmethod-serviceaccount.yaml => authmethod-serviceaccount.yaml} (80%) delete mode 100644 charts/consul/templates/component-authmethod-clusterrolebinding.yaml delete mode 100644 charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml create mode 100644 charts/consul/test/unit/authmethod-clusterrole.bats create mode 100644 charts/consul/test/unit/authmethod-clusterrolebinding.bats rename charts/consul/test/unit/{component-authmethod-serviceaccount.bats => authmethod-serviceaccount.bats} (67%) delete mode 100644 charts/consul/test/unit/component-authmethod-clusterrolebinding.bats delete mode 100644 charts/consul/test/unit/connect-inject-authmethod-clusterrolebinding.bats diff --git a/charts/consul/templates/authmethod-clusterrole.yaml b/charts/consul/templates/authmethod-clusterrole.yaml new file mode 100644 index 0000000000..30385aa25f --- /dev/null +++ b/charts/consul/templates/authmethod-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-authmethod + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: authmethod +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/consul/templates/authmethod-clusterrolebinding.yaml b/charts/consul/templates/authmethod-clusterrolebinding.yaml new file mode 100644 index 0000000000..89bc44dea4 --- /dev/null +++ b/charts/consul/templates/authmethod-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: authmethod +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-authmethod + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authmethod + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: authmethod +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-authmethod +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-authmethod + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/consul/templates/component-authmethod-serviceaccount.yaml b/charts/consul/templates/authmethod-serviceaccount.yaml similarity index 80% rename from charts/consul/templates/component-authmethod-serviceaccount.yaml rename to charts/consul/templates/authmethod-serviceaccount.yaml index 0efd4b26f8..bfb50dc0dd 100644 --- a/charts/consul/templates/component-authmethod-serviceaccount.yaml +++ b/charts/consul/templates/authmethod-serviceaccount.yaml @@ -2,14 +2,14 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "consul.fullname" . }}-component-authmethod + name: {{ template "consul.fullname" . }}-authmethod namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} - component: component-authmethod + component: authmethod {{- with .Values.global.imagePullSecrets }} imagePullSecrets: {{- range . }} diff --git a/charts/consul/templates/component-authmethod-clusterrolebinding.yaml b/charts/consul/templates/component-authmethod-clusterrolebinding.yaml deleted file mode 100644 index 3e80bf6800..0000000000 --- a/charts/consul/templates/component-authmethod-clusterrolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.global.acls.manageSystemACLs }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "consul.fullname" . }}-component-authdelegator - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: component-authmethod -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "system:auth-delegator" -subjects: -- kind: ServiceAccount - name: {{ template "consul.fullname" . }}-component-authmethod - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml b/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml deleted file mode 100644 index 2867c256b7..0000000000 --- a/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} -{{- if .Values.global.acls.manageSystemACLs }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "consul.fullname" . }}-connect-injector-authdelegator - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: connect-injector -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "system:auth-delegator" -subjects: -- kind: ServiceAccount - name: {{ template "consul.fullname" . }}-connect-injector - namespace: {{ .Release.Namespace }} -{{- end }} -{{- end }} diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml index 8dd9d80ae7..0844f8b61b 100644 --- a/charts/consul/templates/connect-inject-clusterrole.yaml +++ b/charts/consul/templates/connect-inject-clusterrole.yaml @@ -11,13 +11,6 @@ metadata: release: {{ .Release.Name }} component: connect-injector rules: -{{- if .Values.global.acls.manageSystemACLs }} -- apiGroups: [ "" ] - resources: - - serviceaccounts - verbs: - - get -{{- end }} - apiGroups: [ "" ] resources: [ "pods", "endpoints", "services", "namespaces" ] verbs: @@ -41,11 +34,4 @@ rules: verbs: - use {{- end }} -{{- if .Values.global.acls.manageSystemACLs }} -- apiGroups: [ "" ] - resources: - - serviceaccounts - verbs: - - get -{{- end }} {{- end }} diff --git a/charts/consul/templates/server-acl-init-role.yaml b/charts/consul/templates/server-acl-init-role.yaml index 3b5987f01d..9e38f55310 100644 --- a/charts/consul/templates/server-acl-init-role.yaml +++ b/charts/consul/templates/server-acl-init-role.yaml @@ -19,24 +19,13 @@ rules: verbs: - create - get -{{- if .Values.connectInject.enabled }} - apiGroups: [ "" ] resources: - serviceaccounts resourceNames: - - {{ template "consul.fullname" . }}-connect-injector + - {{ template "consul.fullname" . }}-authmethod verbs: - get -{{- end }} -{{- if .Values.global.acls.manageSystemACLs }} -- apiGroups: [ "" ] - resources: - - serviceaccounts - resourceNames: - - {{ template "consul.fullname" . }}-component-authmethod - verbs: - - get -{{- end }} {{- if .Values.global.enablePodSecurityPolicies }} - apiGroups: [ "policy" ] resources: [ "podsecuritypolicies" ] diff --git a/charts/consul/test/unit/authmethod-clusterrole.bats b/charts/consul/test/unit/authmethod-clusterrole.bats new file mode 100644 index 0000000000..0888ea373b --- /dev/null +++ b/charts/consul/test/unit/authmethod-clusterrole.bats @@ -0,0 +1,20 @@ +#!/usr/bin/env bats + +load _helpers + +@test "authmethod/ClusterRole: disabled by default" { + cd `chart_dir` + assert_empty helm template \ + -s templates/authmethod-clusterrole.yaml \ + . +} + +@test "authmethod/ClusterRole: enabled with global.acls.manageSystemACLs true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/authmethod-clusterrole.yaml \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq -s 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file diff --git a/charts/consul/test/unit/authmethod-clusterrolebinding.bats b/charts/consul/test/unit/authmethod-clusterrolebinding.bats new file mode 100644 index 0000000000..21b96d0bbb --- /dev/null +++ b/charts/consul/test/unit/authmethod-clusterrolebinding.bats @@ -0,0 +1,20 @@ +#!/usr/bin/env bats + +load _helpers + +@test "authmethod/ClusterRoleBinding: disabled by default" { + cd `chart_dir` + assert_empty helm template \ + -s templates/authmethod-clusterrolebinding.yaml \ + . +} + +@test "authmethod/ClusterRoleBinding: enabled with global.acls.manageSystemACLs true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/authmethod-clusterrolebinding.yaml \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq -s 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file diff --git a/charts/consul/test/unit/component-authmethod-serviceaccount.bats b/charts/consul/test/unit/authmethod-serviceaccount.bats similarity index 67% rename from charts/consul/test/unit/component-authmethod-serviceaccount.bats rename to charts/consul/test/unit/authmethod-serviceaccount.bats index 7635e8cc1d..8cf9633cae 100644 --- a/charts/consul/test/unit/component-authmethod-serviceaccount.bats +++ b/charts/consul/test/unit/authmethod-serviceaccount.bats @@ -2,17 +2,17 @@ load _helpers -@test "componentAuthMethod/ServiceAccount: disabled by default" { +@test "authMethod/ServiceAccount: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/component-authmethod-serviceaccount.yaml \ + -s templates/authmethod-serviceaccount.yaml \ . } -@test "componentAuthMethod/ServiceAccount: enabled with global.acls.manageSystemACLs.enabled true" { +@test "authMethod/ServiceAccount: enabled with global.acls.manageSystemACLs.enabled true" { cd `chart_dir` local actual=$(helm template \ - -s templates/component-authmethod-serviceaccount.yaml \ + -s templates/authmethod-serviceaccount.yaml \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | yq -s 'length > 0' | tee /dev/stderr) @@ -22,10 +22,10 @@ load _helpers #-------------------------------------------------------------------- # global.imagePullSecrets -@test "componentAuthMethod/ServiceAccount: can set image pull secrets" { +@test "authMethod/ServiceAccount: can set image pull secrets" { cd `chart_dir` local object=$(helm template \ - -s templates/component-authmethod-serviceaccount.yaml \ + -s templates/authmethod-serviceaccount.yaml \ --set 'global.acls.manageSystemACLs=true' \ --set 'global.imagePullSecrets[0].name=my-secret' \ --set 'global.imagePullSecrets[1].name=my-secret2' \ diff --git a/charts/consul/test/unit/component-authmethod-clusterrolebinding.bats b/charts/consul/test/unit/component-authmethod-clusterrolebinding.bats deleted file mode 100644 index 7d07185573..0000000000 --- a/charts/consul/test/unit/component-authmethod-clusterrolebinding.bats +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bats - -load _helpers - -@test "componentAuthmethod/ClusterRoleBinding: disabled by default" { - cd `chart_dir` - assert_empty helm template \ - -s templates/component-authmethod-clusterrolebinding.yaml \ - . -} - -@test "componentAuthmethod/ClusterRoleBinding: enabled with global.acls.manageSystemACLs true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/component-authmethod-clusterrolebinding.yaml \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq -s 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} \ No newline at end of file diff --git a/charts/consul/test/unit/connect-inject-authmethod-clusterrolebinding.bats b/charts/consul/test/unit/connect-inject-authmethod-clusterrolebinding.bats deleted file mode 100644 index 7a70293f16..0000000000 --- a/charts/consul/test/unit/connect-inject-authmethod-clusterrolebinding.bats +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/env bats - -load _helpers - -@test "connectInjectAuthMethod/ClusterRoleBinding: disabled by default" { - cd `chart_dir` - assert_empty helm template \ - -s templates/connect-inject-authmethod-clusterrolebinding.yaml \ - . -} - -@test "connectInjectAuthMethod/ClusterRoleBinding: enabled with global.enabled false" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-authmethod-clusterrolebinding.yaml \ - --set 'global.enabled=false' \ - --set 'client.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq -s 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "connectInjectAuthMethod/ClusterRoleBinding: disabled with connectInject.enabled" { - cd `chart_dir` - assert_empty helm template \ - -s templates/connect-inject-authmethod-clusterrolebinding.yaml \ - --set 'connectInject.enabled=true' \ - . -} - -@test "connectInjectAuthMethod/ClusterRoleBinding: enabled with global.acls.manageSystemACLs.enabled=true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-authmethod-clusterrolebinding.yaml \ - --set 'connectInject.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq -s 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} diff --git a/charts/consul/test/unit/server-acl-init-role.bats b/charts/consul/test/unit/server-acl-init-role.bats index 99cc610b41..92cdd78d16 100644 --- a/charts/consul/test/unit/server-acl-init-role.bats +++ b/charts/consul/test/unit/server-acl-init-role.bats @@ -52,20 +52,6 @@ load _helpers [ "${actual}" = "true" ] } -#-------------------------------------------------------------------- -# connectInject.enabled - -@test "serverACLInit/Role: allows service accounts when connectInject.enabled is true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-acl-init-role.yaml \ - --set 'global.acls.manageSystemACLs=true' \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq -r '.rules | map(select(.resources[0] == "serviceaccounts")) | length' | tee /dev/stderr) - [ "${actual}" = "2" ] -} - #-------------------------------------------------------------------- # manageSystemACLs.enabled diff --git a/control-plane/subcommand/server-acl-init/command.go b/control-plane/subcommand/server-acl-init/command.go index b60f44cace..09c626b913 100644 --- a/control-plane/subcommand/server-acl-init/command.go +++ b/control-plane/subcommand/server-acl-init/command.go @@ -768,7 +768,7 @@ func (c *Command) Run(args []string) int { // that the Consul components will use to issue global ACL tokens with. func (c *Command) configureGlobalComponentAuthMethod(consulClient *api.Client, authMethodName, primaryDC string) error { // Create the auth method template. This requires calls to the kubernetes environment. - authMethod, err := c.createAuthMethodTmpl(authMethodName, c.withPrefix("component-authmethod"), false) + authMethod, err := c.createAuthMethodTmpl(authMethodName, false) if err != nil { return err } @@ -781,7 +781,7 @@ func (c *Command) configureGlobalComponentAuthMethod(consulClient *api.Client, a // that the Consul components will use to issue local ACL tokens with. func (c *Command) configureLocalComponentAuthMethod(consulClient *api.Client, authMethodName string) error { // Create the auth method template. This requires calls to the kubernetes environment. - authMethod, err := c.createAuthMethodTmpl(authMethodName, c.withPrefix("component-authmethod"), false) + authMethod, err := c.createAuthMethodTmpl(authMethodName, false) if err != nil { return err } diff --git a/control-plane/subcommand/server-acl-init/command_test.go b/control-plane/subcommand/server-acl-init/command_test.go index 70f1793126..42bb4fec03 100644 --- a/control-plane/subcommand/server-acl-init/command_test.go +++ b/control-plane/subcommand/server-acl-init/command_test.go @@ -2842,7 +2842,7 @@ func getBootToken(t *testing.T, k8s *fake.Clientset, prefix string, k8sNamespace func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) (string, string) { // Create ServiceAccount for the kubernetes auth method if it doesn't exist, // otherwise, do nothing. - serviceAccountName := resourcePrefix + "-connect-injector" + serviceAccountName := resourcePrefix + "-authmethod" sa, _ := k8s.CoreV1().ServiceAccounts(namespace).Get(context.Background(), serviceAccountName, metav1.GetOptions{}) if sa == nil { // Create a service account that references two secrets. @@ -2859,7 +2859,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) Name: resourcePrefix + "-some-other-secret", }, { - Name: resourcePrefix + "-connect-injector", + Name: resourcePrefix + "-authmethod", }, }, }, @@ -2874,7 +2874,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) require.NoError(t, err) // Create a Kubernetes secret if it doesn't exist, otherwise update it - secretName := resourcePrefix + "-connect-injector" + secretName := resourcePrefix + "-authmethod" secret := &v1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: secretName, diff --git a/control-plane/subcommand/server-acl-init/connect_inject.go b/control-plane/subcommand/server-acl-init/connect_inject.go index 8becfd5248..5f7d9a4c47 100644 --- a/control-plane/subcommand/server-acl-init/connect_inject.go +++ b/control-plane/subcommand/server-acl-init/connect_inject.go @@ -21,7 +21,7 @@ func (c *Command) configureConnectInjectAuthMethod(consulClient *api.Client, aut // Create the auth method template. This requires calls to the // kubernetes environment. - authMethodTmpl, err := c.createAuthMethodTmpl(authMethodName, c.withPrefix("connect-injector"), true) + authMethodTmpl, err := c.createAuthMethodTmpl(authMethodName, true) if err != nil { return err } @@ -80,10 +80,10 @@ func (c *Command) configureConnectInjectAuthMethod(consulClient *api.Client, aut // createAuthMethodTmpl sets up the auth method template based on the connect-injector's service account // jwt token. It is common for both the connect inject auth method and the component auth method // with the option to add namespace specific configuration to the auth method template via `useNS`. -func (c *Command) createAuthMethodTmpl(authMethodName, serviceAccountName string, useNS bool) (api.ACLAuthMethod, error) { +func (c *Command) createAuthMethodTmpl(authMethodName string, useNS bool) (api.ACLAuthMethod, error) { // Get the Secret name for the auth method ServiceAccount. var authMethodServiceAccount *apiv1.ServiceAccount - + serviceAccountName := c.withPrefix("authmethod") err := c.untilSucceeds(fmt.Sprintf("getting %s ServiceAccount", serviceAccountName), func() error { var err error diff --git a/control-plane/subcommand/server-acl-init/connect_inject_test.go b/control-plane/subcommand/server-acl-init/connect_inject_test.go index c82900cf94..8a9793610b 100644 --- a/control-plane/subcommand/server-acl-init/connect_inject_test.go +++ b/control-plane/subcommand/server-acl-init/connect_inject_test.go @@ -30,7 +30,7 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { ctx: ctx, } - serviceAccountName := resourcePrefix + "-connect-injector" + serviceAccountName := resourcePrefix + "-authmethod" secretName := resourcePrefix + "-connect-injector" // Create a service account referencing secretName @@ -64,6 +64,6 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { _, err := k8s.CoreV1().Secrets(ns).Create(ctx, secret, metav1.CreateOptions{}) require.NoError(t, err) - _, err = cmd.createAuthMethodTmpl("test", serviceAccountName, true) - require.EqualError(t, err, "found no secret of type 'kubernetes.io/service-account-token' associated with the release-name-consul-connect-injector service account") + _, err = cmd.createAuthMethodTmpl("test", true) + require.EqualError(t, err, "found no secret of type 'kubernetes.io/service-account-token' associated with the release-name-consul-authmethod service account") }