Update envoy bootstrap config with partition name (#727)

hashicorp · Sep 17, 2021 · e8d10b1 · e8d10b1
1 parent df48563
commit e8d10b1
Show file tree

Hide file tree

Showing 9 changed files with 160 additions and 22 deletions.
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
@@ -133,6 +133,7 @@ spec:
                 {{- end }}
                 {{- if .Values.global.adminPartitions.enabled }}
                 -enable-partitions=true \
+                -partition-name={{ .Values.global.adminPartitions.name }} \
                 {{- end }}
                 {{- if .Values.global.enableConsulNamespaces }}
                 -enable-namespaces=true \

diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats
@@ -712,6 +712,18 @@ EOF
   [ "${actual}" = "true" ]
 }
 
+@test "connectInject/Deployment: partition name set with .global.adminPartitions.enabled=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/connect-inject-deployment.yaml  \
+      --set 'connectInject.enabled=true' \
+      --set 'global.adminPartitions.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("partition-name=default"))' | tee /dev/stderr)
+
+  [ "${actual}" = "true" ]
+}
+
 #--------------------------------------------------------------------
 # namespaces
 

diff --git a/control-plane/connect-inject/container_init.go b/control-plane/connect-inject/container_init.go
@@ -22,6 +22,10 @@ type initContainerCommandData struct {
 	ServiceName        string
 	ServiceAccountName string
 	AuthMethod         string
+	// ConsulPartition is the Consul admin partition to register the service
+	// and proxy in. An empty string indicates partitions are not
+	// enabled in Consul (necessary for OSS).
+	ConsulPartition string
 	// ConsulNamespace is the Consul namespace to register the service
 	// and proxy in. An empty string indicates namespaces are not
 	// enabled in Consul (necessary for OSS).
@@ -105,6 +109,7 @@ func (h *Handler) containerInit(namespace corev1.Namespace, pod corev1.Pod) (cor
 
 	data := initContainerCommandData{
 		AuthMethod:                 h.AuthMethod,
+		ConsulPartition:            h.ConsulPartition,
 		ConsulNamespace:            h.consulNamespace(namespace.Name),
 		NamespaceMirroringEnabled:  h.EnableK8SNSMirroring,
 		ConsulCACert:               h.ConsulCACert,
@@ -284,6 +289,9 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   {{- end }}
   {{- end }}
   {{- end }}
+  {{- if .ConsulPartition }}
+  -partition="{{ .ConsulPartition }}" \
+  {{- end }}
   {{- if .ConsulNamespace }}
   -consul-service-namespace="{{ .ConsulNamespace }}" \
   {{- end }}
@@ -300,6 +308,9 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   {{- if .AuthMethod }}
   -token-file="/consul/connect-inject/acl-token" \
   {{- end }}
+  {{- if .ConsulPartition }}
+  -partition="{{ .ConsulPartition }}" \
+  {{- end }}
   {{- if .ConsulNamespace }}
   -namespace="{{ .ConsulNamespace }}" \
   {{- end }}
@@ -314,6 +325,9 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   {{- if .AuthMethod }}
   -token-file="/consul/connect-inject/acl-token" \
   {{- end }}
+  {{- if .ConsulPartition }}
+  -partition="{{ .ConsulPartition }}" \
+  {{- end }}
   {{- if .ConsulNamespace }}
   -namespace="{{ .ConsulNamespace }}" \
   {{- end }}

diff --git a/control-plane/connect-inject/container_init_test.go b/control-plane/connect-inject/container_init_test.go
@@ -310,7 +310,7 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) {
 	}
 }
 
-func TestHandlerContainerInit_namespacesEnabled(t *testing.T) {
+func TestHandlerContainerInit_namespacesAndPartitionsEnabled(t *testing.T) {
 	minimal := func() *corev1.Pod {
 		return &corev1.Pod{
 			ObjectMeta: metav1.ObjectMeta{
@@ -349,14 +349,15 @@ func TestHandlerContainerInit_namespacesEnabled(t *testing.T) {
 		Cmd     string // Strings.Contains test
 	}{
 		{
-			"whole template, default namespace",
+			"whole template, default namespace, no partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = "web"
 				return pod
 			},
 			Handler{
 				EnableNamespaces:           true,
 				ConsulDestinationNamespace: "default",
+				ConsulPartition:            "",
 			},
 			`/bin/sh -ec 
 export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
@@ -370,16 +371,41 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -namespace="default" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
 		},
+		{
+			"whole template, default namespace, default partition",
+			func(pod *corev1.Pod) *corev1.Pod {
+				pod.Annotations[annotationService] = "web"
+				return pod
+			},
+			Handler{
+				EnableNamespaces:           true,
+				ConsulDestinationNamespace: "default",
+				ConsulPartition:            "default",
+			},
+			`/bin/sh -ec 
+export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
+export CONSUL_GRPC_ADDR="${HOST_IP}:8502"
+consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \
+  -partition="default" \
+  -consul-service-namespace="default" \
 
+# Generate the envoy bootstrap code
+/consul/connect-inject/consul connect envoy \
+  -proxy-id="$(cat /consul/connect-inject/proxyid)" \
+  -partition="default" \
+  -namespace="default" \
+  -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
+		},
 		{
-			"whole template, non-default namespace",
+			"whole template, non-default namespace, no partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = "web"
 				return pod
 			},
 			Handler{
 				EnableNamespaces:           true,
 				ConsulDestinationNamespace: "non-default",
+				ConsulPartition:            "",
 			},
 			`/bin/sh -ec 
 export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
@@ -393,9 +419,33 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -namespace="non-default" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
 		},
+		{
+			"whole template, non-default namespace, non-default partition",
+			func(pod *corev1.Pod) *corev1.Pod {
+				pod.Annotations[annotationService] = "web"
+				return pod
+			},
+			Handler{
+				EnableNamespaces:           true,
+				ConsulDestinationNamespace: "non-default",
+				ConsulPartition:            "non-default-part",
+			},
+			`/bin/sh -ec 
+export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
+export CONSUL_GRPC_ADDR="${HOST_IP}:8502"
+consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \
+  -partition="non-default-part" \
+  -consul-service-namespace="non-default" \
 
+# Generate the envoy bootstrap code
+/consul/connect-inject/consul connect envoy \
+  -proxy-id="$(cat /consul/connect-inject/proxyid)" \
+  -partition="non-default-part" \
+  -namespace="non-default" \
+  -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
+		},
 		{
-			"Whole template, auth method, non-default namespace, mirroring disabled",
+			"Whole template, auth method, non-default namespace, mirroring disabled, default partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = ""
 				return pod
@@ -404,6 +454,7 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
 				AuthMethod:                 "auth-method",
 				EnableNamespaces:           true,
 				ConsulDestinationNamespace: "non-default",
+				ConsulPartition:            "default",
 			},
 			`/bin/sh -ec 
 export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
@@ -413,17 +464,19 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -service-account-name="web" \
   -service-name="" \
   -auth-method-namespace="non-default" \
+  -partition="default" \
   -consul-service-namespace="non-default" \
 
 # Generate the envoy bootstrap code
 /consul/connect-inject/consul connect envoy \
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -token-file="/consul/connect-inject/acl-token" \
+  -partition="default" \
   -namespace="non-default" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
 		},
 		{
-			"Whole template, auth method, non-default namespace, mirroring enabled",
+			"Whole template, auth method, non-default namespace, mirroring enabled, non-default partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = ""
 				return pod
@@ -433,6 +486,7 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
 				EnableNamespaces:           true,
 				ConsulDestinationNamespace: "non-default", // Overridden by mirroring
 				EnableK8SNSMirroring:       true,
+				ConsulPartition:            "non-default",
 			},
 			`/bin/sh -ec 
 export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
@@ -442,24 +496,27 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -service-account-name="web" \
   -service-name="" \
   -auth-method-namespace="default" \
+  -partition="non-default" \
   -consul-service-namespace="k8snamespace" \
 
 # Generate the envoy bootstrap code
 /consul/connect-inject/consul connect envoy \
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -token-file="/consul/connect-inject/acl-token" \
+  -partition="non-default" \
   -namespace="k8snamespace" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
 		},
 		{
-			"whole template, default namespace, tproxy enabled",
+			"whole template, default namespace, tproxy enabled, no partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = "web"
 				return pod
 			},
 			Handler{
 				EnableNamespaces:           true,
 				ConsulDestinationNamespace: "default",
+				ConsulPartition:            "",
 				EnableTransparentProxy:     true,
 			},
 			`/bin/sh -ec 
@@ -480,46 +537,50 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -proxy-uid=5995`,
 		},
-
 		{
-			"whole template, non-default namespace, tproxy enabled",
+			"whole template, non-default namespace, tproxy enabled, default partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = "web"
 				return pod
 			},
 			Handler{
 				EnableNamespaces:           true,
+				ConsulPartition:            "default",
 				ConsulDestinationNamespace: "non-default",
 				EnableTransparentProxy:     true,
 			},
 			`/bin/sh -ec 
 export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
 export CONSUL_GRPC_ADDR="${HOST_IP}:8502"
 consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \
+  -partition="default" \
   -consul-service-namespace="non-default" \
 
 # Generate the envoy bootstrap code
 /consul/connect-inject/consul connect envoy \
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
+  -partition="default" \
   -namespace="non-default" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml
 
 # Apply traffic redirection rules.
 /consul/connect-inject/consul connect redirect-traffic \
+  -partition="default" \
   -namespace="non-default" \
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -proxy-uid=5995`,
 		},
 
 		{
-			"Whole template, auth method, non-default namespace, mirroring enabled, tproxy enabled",
+			"Whole template, auth method, non-default namespace, mirroring enabled, tproxy enabled, non-default partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = "web"
 				return pod
 			},
 			Handler{
 				AuthMethod:                 "auth-method",
 				EnableNamespaces:           true,
+				ConsulPartition:            "non-default",
 				ConsulDestinationNamespace: "non-default", // Overridden by mirroring
 				EnableK8SNSMirroring:       true,
 				EnableTransparentProxy:     true,
@@ -532,18 +593,21 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -service-account-name="web" \
   -service-name="web" \
   -auth-method-namespace="default" \
+  -partition="non-default" \
   -consul-service-namespace="k8snamespace" \
 
 # Generate the envoy bootstrap code
 /consul/connect-inject/consul connect envoy \
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -token-file="/consul/connect-inject/acl-token" \
+  -partition="non-default" \
   -namespace="k8snamespace" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml
 
 # Apply traffic redirection rules.
 /consul/connect-inject/consul connect redirect-traffic \
   -token-file="/consul/connect-inject/acl-token" \
+  -partition="non-default" \
   -namespace="k8snamespace" \
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -proxy-uid=5995`,

diff --git a/control-plane/connect-inject/handler.go b/control-plane/connect-inject/handler.go
@@ -61,6 +61,11 @@ type Handler struct {
 	// If not set, will use HTTP.
 	ConsulCACert string
 
+	// ConsulPartition is the name of the Admin Partition that the controller
+	// is deployed in. It is an enterprise feature requiring Consul Enterprise 1.11+.
+	// Its value is an empty string if partitions aren't enabled.
+	ConsulPartition string
+
 	// EnableNamespaces indicates that a user is running Consul Enterprise
 	// with version 1.7+ which is namespace aware. It enables Consul namespaces,
 	// with injection into either a single Consul namespace or mirrored from

diff --git a/control-plane/subcommand/connect-init/command.go b/control-plane/subcommand/connect-init/command.go
@@ -32,6 +32,7 @@ type Command struct {
 	UI cli.Ui
 
 	flagACLAuthMethod          string // Auth Method to use for ACLs, if enabled.
+	flagPartition              string // Admin Partition name. Consul Enterprise 1.11+ feature.
 	flagPodName                string // Pod name.
 	flagPodNamespace           string // Pod namespace.
 	flagAuthMethodNamespace    string // Consul namespace the auth-method is defined in.
@@ -57,6 +58,7 @@ type Command struct {
 func (c *Command) init() {
 	c.flagSet = flag.NewFlagSet("", flag.ContinueOnError)
 	c.flagSet.StringVar(&c.flagACLAuthMethod, "acl-auth-method", "", "Name of the auth method to login to.")
+	c.flagSet.StringVar(&c.flagPartition, "partition", "", "Name of the Admin Partition of deployment.")
 	c.flagSet.StringVar(&c.flagPodName, "pod-name", "", "Name of the pod.")
 	c.flagSet.StringVar(&c.flagPodNamespace, "pod-namespace", "", "Name of the pod namespace.")
 	c.flagSet.StringVar(&c.flagAuthMethodNamespace, "auth-method-namespace", "", "Consul namespace the auth-method is defined in")
@@ -118,6 +120,7 @@ func (c *Command) Run(args []string) int {
 		}
 	}
 	cfg := api.DefaultConfig()
+	cfg.Partition = c.flagPartition
 	cfg.Namespace = c.flagConsulServiceNamespace
 	c.http.MergeOntoConfig(cfg)
 	consulClient, err := consul.NewClient(cfg)