Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sync token acl refactor #1081

Merged
merged 5 commits into from
Mar 8, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions charts/consul/templates/auth-method-clusterrole.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-auth-method
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙏

labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
rules:
- apiGroups: [ "" ]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
39 changes: 39 additions & 0 deletions charts/consul/templates/auth-method-clusterrolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-authdelegator
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "system:auth-delegator"
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-auth-method
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-auth-method
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-auth-method
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-auth-method
namespace: {{ .Release.Namespace }}
{{- end }}
19 changes: 19 additions & 0 deletions charts/consul/templates/auth-method-serviceaccount.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-auth-method
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: auth-method
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}

This file was deleted.

17 changes: 6 additions & 11 deletions charts/consul/templates/connect-inject-clusterrole.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
Expand All @@ -11,14 +12,14 @@ metadata:
component: connect-injector
rules:
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
- apiGroups: [ "" ]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
- apiGroups: [""]
resources: ["pods", "endpoints", "services", "namespaces"]
- apiGroups: [ "" ]
resources: [ "pods", "endpoints", "services", "namespaces" ]
verbs:
- "get"
- "list"
Expand All @@ -33,17 +34,11 @@ rules:
- list
- update
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
resourceNames:
- {{ template "consul.fullname" . }}-connect-injector
verbs:
- use
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
Expand All @@ -16,3 +17,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
{{- end }}
4 changes: 3 additions & 1 deletion charts/consul/templates/connect-inject-serviceaccount.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: v1
kind: ServiceAccount
metadata:
Expand All @@ -16,6 +17,7 @@ metadata:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
2 changes: 1 addition & 1 deletion charts/consul/templates/server-acl-init-job.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ spec:
{{- end }}
{{- if .Values.syncCatalog.enabled }}
-create-sync-token=true \
-sync-catalog=true \
{{- if .Values.syncCatalog.consulNodeName }}
-sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \
{{- end }}
Expand Down
38 changes: 19 additions & 19 deletions charts/consul/templates/server-acl-init-role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,26 +13,26 @@ metadata:
release: {{ .Release.Name }}
component: server-acl-init
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- create
- get
- apiGroups: [""]
resources:
- serviceaccounts
resourceNames:
- {{ template "consul.fullname" . }}-connect-injector
verbs:
- get
- apiGroups: [ "" ]
resources:
- secrets
verbs:
- create
- get
- apiGroups: [ "" ]
resources:
- serviceaccounts
resourceNames:
- {{ template "consul.fullname" . }}-auth-method
verbs:
- get
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames:
- {{ template "consul.fullname" . }}-server-acl-init
verbs:
- use
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
resourceNames:
- {{ template "consul.fullname" . }}-server-acl-init
verbs:
- use
{{- end }}
{{- end }}
{{- end }}
9 changes: 0 additions & 9 deletions charts/consul/templates/sync-catalog-clusterrole.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,6 @@ rules:
- nodes
verbs:
- get
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ template "consul.fullname" . }}-catalog-sync-acl-token
verbs:
- get
{{- end }}
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
Expand Down
87 changes: 69 additions & 18 deletions charts/consul/templates/sync-catalog-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,11 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog
{{- if .Values.global.tls.enabled }}
volumes:
- name: consul-data
emptyDir:
medium: "Memory"
{{- if .Values.global.tls.enabled }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
- name: consul-ca-cert
secret:
Expand All @@ -70,9 +73,13 @@ spec:
{{- end }}
{{- end }}
containers:
- name: consul-sync-catalog
- name: sync-catalog
image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}"
env:
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN_FILE
value: "/consul/login/acl-token"
{{- end }}
- name: HOST_IP
valueFrom:
fieldRef:
Expand All @@ -88,13 +95,6 @@ spec:
name: {{ .Values.syncCatalog.aclSyncToken.secretName }}
key: {{ .Values.syncCatalog.aclSyncToken.secretKey }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN
valueFrom:
secretKeyRef:
name: "{{ template "consul.fullname" . }}-catalog-sync-acl-token"
key: "token"
{{- end}}
{{- if .Values.global.tls.enabled }}
{{- if .Values.client.enabled }}
- name: CONSUL_HTTP_ADDR
Expand All @@ -114,16 +114,19 @@ spec:
value: http://{{ template "consul.fullname" . }}-server:8500
{{- end }}
{{- end }}
{{- if .Values.global.tls.enabled }}
volumeMounts:
{{- if (and .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
- mountPath: /consul/login
name: consul-data
readOnly: true
{{- if .Values.global.tls.enabled }}
{{- if and .Values.global.tls.enableAutoEncrypt $clientEnabled }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
command:
- "/bin/sh"
- "-ec"
Expand Down Expand Up @@ -188,6 +191,16 @@ spec:
-consul-cross-namespace-acl-policy=cross-namespace-policy \
{{- end }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
lifecycle:
preStop:
exec:
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane consul-logout
{{- end }}
livenessProbe:
httpGet:
path: /health/ready
Expand All @@ -214,16 +227,57 @@ spec:
{{- end }}
{{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
initContainers:
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: sync-acl-init
- name: sync-catalog-acl-init
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
- name: CONSUL_HTTP_ADDR
{{- if .Values.global.tls.enabled }}
value: https://$(HOST_IP):8501
{{- else }}
value: http://$(HOST_IP):8500
{{- end }}
image: {{ .Values.global.imageK8S }}
volumeMounts:
- mountPath: /consul/login
name: consul-data
readOnly: false
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane acl-init \
-secret-name="{{ template "consul.fullname" . }}-catalog-sync-acl-token" \
-k8s-namespace={{ .Release.Namespace }}
-component-name=sync-catalog \
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }}
-acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \
-primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \
{{- else }}
-acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method \
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
-partition={{ .Values.global.adminPartitions.name }} \
{{- end }}
-log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
-log-json={{ .Values.global.logJSON }}
resources:
requests:
memory: "25Mi"
Expand All @@ -232,9 +286,6 @@ spec:
memory: "25Mi"
cpu: "50m"
{{- end }}
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.syncCatalog.priorityClassName }}
priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }}
Expand Down
Loading