diff --git a/subcommand/server-acl-init/command.go b/subcommand/server-acl-init/command.go index 3f210a9a1e..92f54038c7 100644 --- a/subcommand/server-acl-init/command.go +++ b/subcommand/server-acl-init/command.go @@ -27,10 +27,7 @@ type Command struct { flags *flag.FlagSet k8s *k8sflags.K8SFlags - flagReleaseName string - flagServerLabelSelector string flagResourcePrefix string - flagReplicas int flagK8sNamespace string flagAllowDNS bool flagCreateClientToken bool @@ -46,6 +43,8 @@ type Command struct { flagConsulCACert string flagConsulTLSServerName string flagUseHTTPS bool + flagServerAddresses []string + flagServerPort uint // Flags to support namespaces flagEnableNamespaces bool // Use namespacing on all components @@ -57,7 +56,7 @@ type Command struct { flagInjectK8SNSMirroringPrefix string // Prefix added to Consul namespaces created when mirroring injected services flagLogLevel string - flagTimeout string + flagTimeout time.Duration clientset kubernetes.Interface // cmdTimeout is cancelled when the command timeout is reached. @@ -73,14 +72,11 @@ type Command struct { func (c *Command) init() { c.flags = flag.NewFlagSet("", flag.ContinueOnError) - c.flags.StringVar(&c.flagReleaseName, "release-name", "", - "Name of Consul Helm release. Deprecated: Use -server-label-selector=component=server,app=consul,release= instead") - c.flags.StringVar(&c.flagServerLabelSelector, "server-label-selector", "", - "Selector (label query) to select Consul server statefulset pods, supports '=', '==', and '!='. (e.g. -l key1=value1,key2=value2)") c.flags.StringVar(&c.flagResourcePrefix, "resource-prefix", "", "Prefix to use for Kubernetes resources. If not set, the \"-consul\" prefix is used, where is the value set by the -release-name flag.") - c.flags.IntVar(&c.flagReplicas, "expected-replicas", 1, - "Number of expected Consul server replicas") + c.flags.Var((*flags.AppendSliceValue)(&c.flagServerAddresses), "server-address", + "The IP or DNS name of the Consul server(s), may be provided multiple times. At least one value is required.") + c.flags.UintVar(&c.flagServerPort, "server-port", 8500, "The HTTP or HTTPS port of the Consul server. Defaults to 8500.") c.flags.StringVar(&c.flagK8sNamespace, "k8s-namespace", "", "Name of Kubernetes namespace where the servers are deployed") c.flags.BoolVar(&c.flagAllowDNS, "allow-dns", false, @@ -131,7 +127,7 @@ func (c *Command) init() { "if mirroring is enabled.") c.flags.StringVar(&c.flagACLReplicationTokenFile, "acl-replication-token-file", "", "Path to file containing ACL token to be used for ACL replication. If set, ACL replication is enabled.") - c.flags.StringVar(&c.flagTimeout, "timeout", "10m", + c.flags.DurationVar(&c.flagTimeout, "timeout", 10*time.Minute, "How long we'll try to bootstrap ACLs for before timing out, e.g. 1ms, 2s, 3m") c.flags.StringVar(&c.flagLogLevel, "log-level", "info", "Log verbosity level. Supported values (in order of detail) are \"trace\", "+ @@ -164,30 +160,17 @@ func (c *Command) Run(args []string) int { return 1 } if len(c.flags.Args()) > 0 { - c.UI.Error(fmt.Sprintf("Should have no non-flag arguments.")) + c.UI.Error("Should have no non-flag arguments.") return 1 } - timeout, err := time.ParseDuration(c.flagTimeout) - if err != nil { - c.UI.Error(fmt.Sprintf("%q is not a valid timeout: %s", c.flagTimeout, err)) - return 1 - } - if c.flagReleaseName != "" && c.flagServerLabelSelector != "" { - c.UI.Error("-release-name and -server-label-selector cannot both be set") - return 1 - } - if c.flagServerLabelSelector != "" && c.flagResourcePrefix == "" { - c.UI.Error("if -server-label-selector is set -resource-prefix must also be set") + if len(c.flagServerAddresses) == 0 { + c.UI.Error("-server-address must be set at least once") return 1 } - if c.flagReleaseName == "" && c.flagServerLabelSelector == "" { - c.UI.Error("-release-name or -server-label-selector must be set") + if c.flagResourcePrefix == "" { + c.UI.Error("-resource-prefix must be set") return 1 } - // If only the -release-name is set, we use it as the label selector. - if c.flagReleaseName != "" { - c.flagServerLabelSelector = fmt.Sprintf("app=consul,component=server,release=%s", c.flagReleaseName) - } var aclReplicationToken string if c.flagACLReplicationTokenFile != "" { // Load the ACL replication token from file. @@ -204,7 +187,7 @@ func (c *Command) Run(args []string) int { } var cancel context.CancelFunc - c.cmdTimeout, cancel = context.WithTimeout(context.Background(), timeout) + c.cmdTimeout, cancel = context.WithTimeout(context.Background(), c.flagTimeout) // The context will only ever be intentionally ended by the timeout. defer cancel() @@ -231,27 +214,6 @@ func (c *Command) Run(args []string) int { if c.flagUseHTTPS { scheme = "https" } - // Wait if there's a rollout of servers. - ssName := c.withPrefix("server") - err = c.untilSucceeds(fmt.Sprintf("waiting for rollout of statefulset %s", ssName), func() error { - // Note: We can't use the -server-label-selector flag to find the statefulset - // because in older versions of consul-helm it wasn't labeled with - // component: server. We also can't drop that label because it's required - // for targeting the right server Pods. - statefulset, err := c.clientset.AppsV1().StatefulSets(c.flagK8sNamespace).Get(ssName, metav1.GetOptions{}) - if err != nil { - return err - } - if statefulset.Status.CurrentRevision == statefulset.Status.UpdateRevision { - return nil - } - return fmt.Errorf("rollout is in progress (CurrentRevision=%s UpdateRevision=%s)", - statefulset.Status.CurrentRevision, statefulset.Status.UpdateRevision) - }) - if err != nil { - c.Log.Error(err.Error()) - return 1 - } var updateServerPolicy bool var bootstrapToken string @@ -265,6 +227,7 @@ func (c *Command) Run(args []string) int { bootstrapToken = aclReplicationToken } else { // Check if we've already been bootstrapped. + var err error bootTokenSecretName := c.withPrefix("bootstrap-acl-token") bootstrapToken, err = c.getBootstrapToken(bootTokenSecretName) if err != nil { @@ -291,12 +254,7 @@ func (c *Command) Run(args []string) int { } // For all of the next operations we'll need a Consul client. - serverPods, err := c.getConsulServers(1, scheme) - if err != nil { - c.Log.Error(err.Error()) - return 1 - } - serverAddr := serverPods[0].Addr + serverAddr := fmt.Sprintf("%s:%d", c.flagServerAddresses[0], c.flagServerPort) consulClient, err := api.NewClient(&api.Config{ Address: serverAddr, Scheme: scheme, @@ -544,15 +502,9 @@ func (c *Command) untilSucceeds(opName string, op func() error) error { } // withPrefix returns the name of resource with the correct prefix based -// on the -release-name or -resource-prefix flags. +// on the -resource-prefix flag. func (c *Command) withPrefix(resource string) string { - if c.flagResourcePrefix != "" { - return fmt.Sprintf("%s-%s", c.flagResourcePrefix, resource) - } - // This is to support an older version of the Helm chart that only specified - // the -release-name flag. We ensure that this is set if -resource-prefix - // is not set when parsing the flags. - return fmt.Sprintf("%s-consul-%s", c.flagReleaseName, resource) + return fmt.Sprintf("%s-%s", c.flagResourcePrefix, resource) } const synopsis = "Initialize ACLs on Consul servers and other components." diff --git a/subcommand/server-acl-init/command_ent_test.go b/subcommand/server-acl-init/command_ent_test.go index c152af2900..7acc9f9007 100644 --- a/subcommand/server-acl-init/command_ent_test.go +++ b/subcommand/server-acl-init/command_ent_test.go @@ -3,6 +3,7 @@ package serveraclinit import ( + "strings" "testing" "github.com/hashicorp/consul/api" @@ -21,7 +22,7 @@ func TestRun_ConnectInject_SingleDestinationNamespace(t *testing.T) { consulDestNamespaces := []string{"default", "destination"} for _, consulDestNamespace := range consulDestNamespaces { t.Run(consulDestNamespace, func(tt *testing.T) { - k8s, testAgent := completeEnterpriseSetup(tt, resourcePrefix, ns) + k8s, testAgent := completeEnterpriseSetup(tt) defer testAgent.Stop() setUpK8sServiceAccount(tt, k8s) require := require.New(tt) @@ -33,10 +34,10 @@ func TestRun_ConnectInject_SingleDestinationNamespace(t *testing.T) { } cmd.init() args := []string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, + "-server-address=" + strings.Split(testAgent.HTTPAddr, ":")[0], + "-server-port=" + strings.Split(testAgent.HTTPAddr, ":")[1], "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", "-create-inject-auth-method", "-enable-namespaces", "-consul-inject-destination-namespace", consulDestNamespace, @@ -62,7 +63,7 @@ func TestRun_ConnectInject_SingleDestinationNamespace(t *testing.T) { require.Len(methods, 1) // Check the ACL auth method is created in the expected namespace. - authMethodName := releaseName + "-consul-k8s-auth-method" + authMethodName := resourcePrefix + "-k8s-auth-method" actMethod, _, err := consul.ACL().AuthMethodRead(authMethodName, namespaceQuery) require.NoError(err) require.NotNil(actMethod) @@ -141,7 +142,7 @@ func TestRun_ConnectInject_NamespaceMirroring(t *testing.T) { for name, c := range cases { t.Run(name, func(tt *testing.T) { - k8s, testAgent := completeEnterpriseSetup(t, resourcePrefix, ns) + k8s, testAgent := completeEnterpriseSetup(t) defer testAgent.Stop() setUpK8sServiceAccount(tt, k8s) require := require.New(tt) @@ -153,10 +154,10 @@ func TestRun_ConnectInject_NamespaceMirroring(t *testing.T) { } cmd.init() args := []string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, + "-server-address=" + strings.Split(testAgent.HTTPAddr, ":")[0], + "-server-port=" + strings.Split(testAgent.HTTPAddr, ":")[1], "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", "-create-inject-auth-method", "-enable-namespaces", "-enable-inject-k8s-namespace-mirroring", @@ -175,7 +176,7 @@ func TestRun_ConnectInject_NamespaceMirroring(t *testing.T) { require.NoError(err) // Check the ACL auth method is as expected. - authMethodName := releaseName + "-consul-k8s-auth-method" + authMethodName := resourcePrefix + "-k8s-auth-method" method, _, err := consul.ACL().AuthMethodRead(authMethodName, nil) require.NoError(err) require.NotNil(method, authMethodName+" not found") @@ -208,13 +209,14 @@ func TestRun_ACLPolicyUpdates(t *testing.T) { k8sNamespaceFlags := []string{"default", "other"} for _, k8sNamespaceFlag := range k8sNamespaceFlags { t.Run(k8sNamespaceFlag, func(t *testing.T) { - k8s, testAgent := completeEnterpriseSetup(t, resourcePrefix, k8sNamespaceFlag) + k8s, testAgent := completeEnterpriseSetup(t) defer testAgent.Stop() require := require.New(t) ui := cli.NewMockUi() firstRunArgs := []string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, + "-server-address=" + strings.Split(testAgent.HTTPAddr, ":")[0], + "-server-port=" + strings.Split(testAgent.HTTPAddr, ":")[1], "-resource-prefix=" + resourcePrefix, "-k8s-namespace", k8sNamespaceFlag, "-create-client-token", @@ -224,7 +226,6 @@ func TestRun_ACLPolicyUpdates(t *testing.T) { "-create-inject-namespace-token", "-create-snapshot-agent-token", "-create-enterprise-license-token", - "-expected-replicas=1", } // Our second run, we're going to update from namespaces disabled to // namespaces enabled with a single destination ns. @@ -501,16 +502,16 @@ func TestRun_ConnectInject_Updates(t *testing.T) { for name, c := range cases { t.Run(name, func(tt *testing.T) { require := require.New(tt) - k8s, testAgent := completeEnterpriseSetup(tt, resourcePrefix, ns) + k8s, testAgent := completeEnterpriseSetup(tt) defer testAgent.Stop() setUpK8sServiceAccount(tt, k8s) ui := cli.NewMockUi() defaultArgs := []string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, + "-server-address=" + strings.Split(testAgent.HTTPAddr, ":")[0], + "-server-port=" + strings.Split(testAgent.HTTPAddr, ":")[1], "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", "-create-inject-auth-method", } @@ -543,7 +544,7 @@ func TestRun_ConnectInject_Updates(t *testing.T) { require.NoError(err) // Check the ACL auth method is as expected. - authMethodName := releaseName + "-consul-k8s-auth-method" + authMethodName := resourcePrefix + "-k8s-auth-method" method, _, err := consul.ACL().AuthMethodRead(authMethodName, &api.QueryOptions{ Namespace: c.AuthMethodExpectedNS, }) @@ -632,7 +633,7 @@ func TestRun_TokensWithNamespacesEnabled(t *testing.T) { } for testName, c := range cases { t.Run(testName, func(t *testing.T) { - k8s, testSvr := completeEnterpriseSetup(t, resourcePrefix, ns) + k8s, testSvr := completeEnterpriseSetup(t) defer testSvr.Stop() require := require.New(t) @@ -644,10 +645,10 @@ func TestRun_TokensWithNamespacesEnabled(t *testing.T) { } cmd.init() cmdArgs := []string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, + "-server-address", strings.Split(testSvr.HTTPAddr, ":")[0], + "-server-port", strings.Split(testSvr.HTTPAddr, ":")[1], "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", "-enable-namespaces", c.TokenFlag, } @@ -693,7 +694,7 @@ func TestRun_TokensWithNamespacesEnabled(t *testing.T) { } // Set up test consul agent and kubernetes cluster. -func completeEnterpriseSetup(t *testing.T, prefix string, k8sNamespace string) (*fake.Clientset, *testutil.TestServer) { +func completeEnterpriseSetup(t *testing.T) (*fake.Clientset, *testutil.TestServer) { k8s := fake.NewSimpleClientset() svr, err := testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) { @@ -701,7 +702,5 @@ func completeEnterpriseSetup(t *testing.T, prefix string, k8sNamespace string) ( }) require.NoError(t, err) - createTestK8SResources(t, k8s, svr.HTTPAddr, prefix, "http", k8sNamespace) - return k8s, svr } diff --git a/subcommand/server-acl-init/command_test.go b/subcommand/server-acl-init/command_test.go index 8459ca6658..4be4bd87d1 100644 --- a/subcommand/server-acl-init/command_test.go +++ b/subcommand/server-acl-init/command_test.go @@ -10,24 +10,23 @@ import ( "net/url" "os" "strconv" + "strings" "testing" "time" "github.com/hashicorp/consul-k8s/helper/cert" - "github.com/hashicorp/consul/agent" "github.com/hashicorp/consul/api" + "github.com/hashicorp/consul/sdk/freeport" "github.com/hashicorp/consul/sdk/testutil" "github.com/hashicorp/consul/sdk/testutil/retry" "github.com/mitchellh/cli" "github.com/stretchr/testify/require" - appv1 "k8s.io/api/apps/v1" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes/fake" ) var ns = "default" -var releaseName = "release-name" var resourcePrefix = "release-name-consul" func TestRun_FlagValidation(t *testing.T) { @@ -37,18 +36,14 @@ func TestRun_FlagValidation(t *testing.T) { }{ { Flags: []string{}, - ExpErr: "-release-name or -server-label-selector must be set", + ExpErr: "-server-address must be set at least once", }, { - Flags: []string{"-release-name=name", "-server-label-selector=hi"}, - ExpErr: "-release-name and -server-label-selector cannot both be set", + Flags: []string{"-server-address=localhost"}, + ExpErr: "-resource-prefix must be set", }, { - Flags: []string{"-server-label-selector=hi"}, - ExpErr: "if -server-label-selector is set -resource-prefix must also be set", - }, - { - Flags: []string{"-acl-replication-token-file=/notexist", "-server-label-selector=hi", "-resource-prefix=prefix"}, + Flags: []string{"-acl-replication-token-file=/notexist", "-server-address=localhost", "-resource-prefix=prefix"}, ExpErr: "Unable to read ACL replication token from file \"/notexist\": open /notexist: no such file or directory", }, } @@ -71,203 +66,116 @@ func TestRun_FlagValidation(t *testing.T) { // flags. func TestRun_Defaults(t *testing.T) { t.Parallel() - for _, flags := range [][]string{ - {"-release-name=" + releaseName}, - { - "-server-label-selector=component=server,app=consul,release=" + releaseName, - "-resource-prefix=" + resourcePrefix, - }, - } { - t.Run(flags[0], func(t *testing.T) { - k8s, testSvr := completeSetup(t, resourcePrefix) - defer testSvr.Stop() - require := require.New(t) - - // Run the command. - ui := cli.NewMockUi() - cmd := Command{ - UI: ui, - clientset: k8s, - } - args := append([]string{ - "-k8s-namespace=" + ns, - "-expected-replicas=1", - }, flags...) - responseCode := cmd.Run(args) - require.Equal(0, responseCode, ui.ErrorWriter.String()) - // Test that the bootstrap kube secret is created. - bootToken := getBootToken(t, k8s, resourcePrefix, ns) + k8s, testSvr := completeSetup(t) + defer testSvr.Stop() + require := require.New(t) - // Check that it has the right policies. - consul, err := api.NewClient(&api.Config{ - Address: testSvr.HTTPAddr, - Token: bootToken, - }) - require.NoError(err) - tokenData, _, err := consul.ACL().TokenReadSelf(nil) - require.NoError(err) - require.Equal("global-management", tokenData.Policies[0].Name) - - // Check that the agent policy was created. - agentPolicy := policyExists(t, "agent-token", consul) - // Should be a global policy. - require.Len(agentPolicy.Datacenters, 0) - - // We should also test that the server's token was updated, however I - // couldn't find a way to test that with the test agent. Instead we test - // that in another test when we're using an httptest server instead of - // the test agent and we can assert that the /v1/agent/token/agent - // endpoint was called. - }) + // Run the command. + ui := cli.NewMockUi() + cmd := Command{ + UI: ui, + clientset: k8s, + } + args := []string{ + "-k8s-namespace=" + ns, + "-server-address", strings.Split(testSvr.HTTPAddr, ":")[0], + "-server-port", strings.Split(testSvr.HTTPAddr, ":")[1], + "-resource-prefix=" + resourcePrefix, } + responseCode := cmd.Run(args) + require.Equal(0, responseCode, ui.ErrorWriter.String()) + + // Test that the bootstrap kube secret is created. + bootToken := getBootToken(t, k8s, resourcePrefix, ns) + + // Check that it has the right policies. + consul, err := api.NewClient(&api.Config{ + Address: testSvr.HTTPAddr, + Token: bootToken, + }) + require.NoError(err) + tokenData, _, err := consul.ACL().TokenReadSelf(nil) + require.NoError(err) + require.Equal("global-management", tokenData.Policies[0].Name) + + // Check that the agent policy was created. + agentPolicy := policyExists(t, "agent-token", consul) + // Should be a global policy. + require.Len(agentPolicy.Datacenters, 0) + + // We should also test that the server's token was updated, however I + // couldn't find a way to test that with the test agent. Instead we test + // that in another test when we're using an httptest server instead of + // the test agent and we can assert that the /v1/agent/token/agent + // endpoint was called. } // Test the different flags that should create tokens and save them as -// Kubernetes secrets. We test using the -release-name flag vs using the -// -resource-prefix flag. +// Kubernetes secrets. func TestRun_TokensPrimaryDC(t *testing.T) { t.Parallel() - cases := map[string]struct { - TokenFlag string - ResourcePrefixFlag string - ReleaseNameFlag string - PolicyName string - PolicyDCs []string - SecretName string - LocalToken bool + cases := []struct { + TokenFlag string + PolicyName string + PolicyDCs []string + SecretName string + LocalToken bool }{ - "client token -release-name": { - TokenFlag: "-create-client-token", - ResourcePrefixFlag: "", - ReleaseNameFlag: "release-name", - PolicyName: "client-token", - PolicyDCs: []string{"dc1"}, - SecretName: "release-name-consul-client-acl-token", - LocalToken: true, - }, - "client token -resource-prefix": { - TokenFlag: "-create-client-token", - ResourcePrefixFlag: "my-prefix", - PolicyName: "client-token", - PolicyDCs: []string{"dc1"}, - SecretName: "my-prefix-client-acl-token", - LocalToken: true, - }, - "catalog-sync token -release-name": { - TokenFlag: "-create-sync-token", - ResourcePrefixFlag: "", - ReleaseNameFlag: "release-name", - PolicyName: "catalog-sync-token", - PolicyDCs: []string{"dc1"}, - SecretName: "release-name-consul-catalog-sync-acl-token", - LocalToken: true, - }, - "catalog-sync token -resource-prefix": { - TokenFlag: "-create-sync-token", - ResourcePrefixFlag: "my-prefix", - PolicyName: "catalog-sync-token", - PolicyDCs: []string{"dc1"}, - SecretName: "my-prefix-catalog-sync-acl-token", - LocalToken: true, - }, - "connect-inject-namespace token -release-name": { - TokenFlag: "-create-inject-namespace-token", - ResourcePrefixFlag: "", - ReleaseNameFlag: "release-name", - PolicyName: "connect-inject-token", - PolicyDCs: []string{"dc1"}, - SecretName: "release-name-consul-connect-inject-acl-token", - LocalToken: true, - }, - "connect-inject-namespace token -resource-prefix": { - TokenFlag: "-create-inject-namespace-token", - ResourcePrefixFlag: "my-prefix", - PolicyName: "connect-inject-token", - PolicyDCs: []string{"dc1"}, - SecretName: "my-prefix-connect-inject-acl-token", - LocalToken: true, - }, - "enterprise-license token -release-name": { - TokenFlag: "-create-enterprise-license-token", - ResourcePrefixFlag: "", - ReleaseNameFlag: "release-name", - PolicyName: "enterprise-license-token", - PolicyDCs: []string{"dc1"}, - SecretName: "release-name-consul-enterprise-license-acl-token", - LocalToken: true, - }, - "enterprise-license token -resource-prefix": { - TokenFlag: "-create-enterprise-license-token", - ResourcePrefixFlag: "my-prefix", - PolicyName: "enterprise-license-token", - PolicyDCs: []string{"dc1"}, - SecretName: "my-prefix-enterprise-license-acl-token", - LocalToken: true, + { + TokenFlag: "-create-client-token", + PolicyName: "client-token", + PolicyDCs: []string{"dc1"}, + SecretName: resourcePrefix + "-client-acl-token", + LocalToken: true, }, - "client-snapshot-agent token -release-name": { - TokenFlag: "-create-snapshot-agent-token", - ResourcePrefixFlag: "", - ReleaseNameFlag: "release-name", - PolicyName: "client-snapshot-agent-token", - PolicyDCs: []string{"dc1"}, - SecretName: "release-name-consul-client-snapshot-agent-acl-token", - LocalToken: true, + { + TokenFlag: "-create-sync-token", + PolicyName: "catalog-sync-token", + PolicyDCs: []string{"dc1"}, + SecretName: resourcePrefix + "-catalog-sync-acl-token", + LocalToken: true, }, - "client-snapshot-agent token -resource-prefix": { - TokenFlag: "-create-snapshot-agent-token", - ResourcePrefixFlag: "my-prefix", - ReleaseNameFlag: "release-name", - PolicyName: "client-snapshot-agent-token", - PolicyDCs: []string{"dc1"}, - SecretName: "my-prefix-client-snapshot-agent-acl-token", - LocalToken: true, + { + TokenFlag: "-create-inject-namespace-token", + PolicyName: "connect-inject-token", + PolicyDCs: []string{"dc1"}, + SecretName: resourcePrefix + "-connect-inject-acl-token", + LocalToken: true, }, - "mesh-gateway token -release-name": { - TokenFlag: "-create-mesh-gateway-token", - ResourcePrefixFlag: "", - ReleaseNameFlag: "release-name", - PolicyName: "mesh-gateway-token", - PolicyDCs: nil, - SecretName: "release-name-consul-mesh-gateway-acl-token", - LocalToken: false, + { + TokenFlag: "-create-enterprise-license-token", + PolicyName: "enterprise-license-token", + PolicyDCs: []string{"dc1"}, + SecretName: resourcePrefix + "-enterprise-license-acl-token", + LocalToken: true, }, - "mesh-gateway token -resource-prefix": { - TokenFlag: "-create-mesh-gateway-token", - ResourcePrefixFlag: "my-prefix", - ReleaseNameFlag: "release-name", - PolicyName: "mesh-gateway-token", - PolicyDCs: nil, - SecretName: "my-prefix-mesh-gateway-acl-token", - LocalToken: false, + { + TokenFlag: "-create-snapshot-agent-token", + PolicyName: "client-snapshot-agent-token", + PolicyDCs: []string{"dc1"}, + SecretName: resourcePrefix + "-client-snapshot-agent-acl-token", + LocalToken: true, }, - "acl-replication token -release-name": { - TokenFlag: "-create-acl-replication-token", - ResourcePrefixFlag: "", - ReleaseNameFlag: "release-name", - PolicyName: "acl-replication-token", - PolicyDCs: nil, - SecretName: "release-name-consul-acl-replication-acl-token", - LocalToken: false, + { + TokenFlag: "-create-mesh-gateway-token", + PolicyName: "mesh-gateway-token", + PolicyDCs: nil, + SecretName: resourcePrefix + "-mesh-gateway-acl-token", + LocalToken: false, }, - "acl-replication token -resource-prefix": { - TokenFlag: "-create-acl-replication-token", - ResourcePrefixFlag: "my-prefix", - ReleaseNameFlag: "release-name", - PolicyName: "acl-replication-token", - PolicyDCs: nil, - SecretName: "my-prefix-acl-replication-acl-token", - LocalToken: false, + { + TokenFlag: "-create-acl-replication-token", + PolicyName: "acl-replication-token", + PolicyDCs: nil, + SecretName: resourcePrefix + "-acl-replication-acl-token", + LocalToken: false, }, } - for testName, c := range cases { - t.Run(testName, func(t *testing.T) { - prefix := c.ResourcePrefixFlag - if c.ResourcePrefixFlag == "" { - prefix = releaseName + "-consul" - } - k8s, testSvr := completeSetup(t, prefix) + for _, c := range cases { + t.Run(c.TokenFlag, func(t *testing.T) { + k8s, testSvr := completeSetup(t) defer testSvr.Stop() require := require.New(t) @@ -280,22 +188,16 @@ func TestRun_TokensPrimaryDC(t *testing.T) { cmd.init() cmdArgs := []string{ "-k8s-namespace=" + ns, - "-expected-replicas=1", + "-server-address", strings.Split(testSvr.HTTPAddr, ":")[0], + "-server-port", strings.Split(testSvr.HTTPAddr, ":")[1], + "-resource-prefix=" + resourcePrefix, c.TokenFlag, } - if c.ResourcePrefixFlag != "" { - // If using the -resource-prefix flag, we expect the -server-label-selector - // flag to also be set. - labelSelector := fmt.Sprintf("release=%s,component=server,app=consul", releaseName) - cmdArgs = append(cmdArgs, "-resource-prefix="+c.ResourcePrefixFlag, "-server-label-selector="+labelSelector) - } else { - cmdArgs = append(cmdArgs, "-release-name="+c.ReleaseNameFlag) - } responseCode := cmd.Run(cmdArgs) require.Equal(0, responseCode, ui.ErrorWriter.String()) // Check that the expected policy was created. - bootToken := getBootToken(t, k8s, prefix, ns) + bootToken := getBootToken(t, k8s, resourcePrefix, ns) consul, err := api.NewClient(&api.Config{ Address: testSvr.HTTPAddr, Token: bootToken, @@ -318,7 +220,7 @@ func TestRun_TokensPrimaryDC(t *testing.T) { require.Equal(c.LocalToken, tokenData.Local) // Test that if the same command is run again, it doesn't error. - t.Run(testName+"-retried", func(t *testing.T) { + t.Run(c.TokenFlag+"-retried", func(t *testing.T) { ui := cli.NewMockUi() cmd := Command{ UI: ui, @@ -347,42 +249,42 @@ func TestRun_TokensReplicatedDC(t *testing.T) { TokenFlag: "-create-client-token", PolicyName: "client-token-dc2", PolicyDCs: []string{"dc2"}, - SecretName: "release-name-consul-client-acl-token", + SecretName: resourcePrefix + "-client-acl-token", LocalToken: true, }, { TokenFlag: "-create-sync-token", PolicyName: "catalog-sync-token-dc2", PolicyDCs: []string{"dc2"}, - SecretName: "release-name-consul-catalog-sync-acl-token", + SecretName: resourcePrefix + "-catalog-sync-acl-token", LocalToken: true, }, { TokenFlag: "-create-inject-namespace-token", PolicyName: "connect-inject-token-dc2", PolicyDCs: []string{"dc2"}, - SecretName: "release-name-consul-connect-inject-acl-token", + SecretName: resourcePrefix + "-connect-inject-acl-token", LocalToken: true, }, { TokenFlag: "-create-enterprise-license-token", PolicyName: "enterprise-license-token-dc2", PolicyDCs: []string{"dc2"}, - SecretName: "release-name-consul-enterprise-license-acl-token", + SecretName: resourcePrefix + "-enterprise-license-acl-token", LocalToken: true, }, { TokenFlag: "-create-snapshot-agent-token", PolicyName: "client-snapshot-agent-token-dc2", PolicyDCs: []string{"dc2"}, - SecretName: "release-name-consul-client-snapshot-agent-acl-token", + SecretName: resourcePrefix + "-client-snapshot-agent-acl-token", LocalToken: true, }, { TokenFlag: "-create-mesh-gateway-token", PolicyName: "mesh-gateway-token-dc2", PolicyDCs: nil, - SecretName: "release-name-consul-mesh-gateway-acl-token", + SecretName: resourcePrefix + "-mesh-gateway-acl-token", LocalToken: false, }, } @@ -392,7 +294,7 @@ func TestRun_TokensReplicatedDC(t *testing.T) { tokenFile, fileCleanup := writeTempFile(t, bootToken) defer fileCleanup() - k8s, consul, cleanup := mockReplicatedSetup(t, resourcePrefix, bootToken) + k8s, consul, secondaryAddr, cleanup := mockReplicatedSetup(t, bootToken) defer cleanup() // Run the command. @@ -404,9 +306,9 @@ func TestRun_TokensReplicatedDC(t *testing.T) { cmd.init() cmdArgs := []string{ "-k8s-namespace=" + ns, - "-expected-replicas=1", "-acl-replication-token-file", tokenFile, - "-server-label-selector=component=server,app=consul,release=" + releaseName, + "-server-address", strings.Split(secondaryAddr, ":")[0], + "-server-port", strings.Split(secondaryAddr, ":")[1], "-resource-prefix=" + resourcePrefix, c.TokenFlag, } @@ -483,8 +385,7 @@ func TestRun_AnonymousTokenPolicy(t *testing.T) { if c.SecondaryDC { var cleanup func() bootToken := "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" - k8s, consul, cleanup = mockReplicatedSetup(t, resourcePrefix, - bootToken) + k8s, consul, consulHTTPAddr, cleanup = mockReplicatedSetup(t, bootToken) defer cleanup() tmp, err := ioutil.TempFile("", "") @@ -494,7 +395,7 @@ func TestRun_AnonymousTokenPolicy(t *testing.T) { flags = append(flags, "-acl-replication-token-file", tmp.Name()) } else { var testSvr *testutil.TestServer - k8s, testSvr = completeSetup(t, resourcePrefix) + k8s, testSvr = completeSetup(t) defer testSvr.Stop() consulHTTPAddr = testSvr.HTTPAddr } @@ -508,10 +409,10 @@ func TestRun_AnonymousTokenPolicy(t *testing.T) { } cmd.init() cmdArgs := append([]string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", + "-server-address", strings.Split(consulHTTPAddr, ":")[0], + "-server-port", strings.Split(consulHTTPAddr, ":")[1], }, flags...) responseCode := cmd.Run(cmdArgs) require.Equal(t, 0, responseCode, ui.ErrorWriter.String()) @@ -577,7 +478,7 @@ func TestRun_ConnectInjectAuthMethod(t *testing.T) { for testName, c := range cases { t.Run(testName, func(tt *testing.T) { - k8s, testSvr := completeSetup(tt, resourcePrefix) + k8s, testSvr := completeSetup(tt) defer testSvr.Stop() caCert, jwtToken := setUpK8sServiceAccount(tt, k8s) require := require.New(tt) @@ -591,10 +492,10 @@ func TestRun_ConnectInjectAuthMethod(t *testing.T) { cmd.init() bindingRuleSelector := "serviceaccount.name!=default" cmdArgs := []string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", + "-server-address", strings.Split(testSvr.HTTPAddr, ":")[0], + "-server-port", strings.Split(testSvr.HTTPAddr, ":")[1], "-acl-binding-rule-selector=" + bindingRuleSelector, } cmdArgs = append(cmdArgs, c.AuthMethodFlag) @@ -644,7 +545,7 @@ func TestRun_ConnectInjectAuthMethod(t *testing.T) { // Test that ACL binding rules are updated if the rule selector changes. func TestRun_BindingRuleUpdates(t *testing.T) { t.Parallel() - k8s, testSvr := completeSetup(t, resourcePrefix) + k8s, testSvr := completeSetup(t) setUpK8sServiceAccount(t, k8s) defer testSvr.Stop() require := require.New(t) @@ -656,10 +557,10 @@ func TestRun_BindingRuleUpdates(t *testing.T) { ui := cli.NewMockUi() commonArgs := []string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", + "-server-address", strings.Split(testSvr.HTTPAddr, ":")[0], + "-server-port", strings.Split(testSvr.HTTPAddr, ":")[1], "-create-inject-auth-method", } firstRunArgs := append(commonArgs, @@ -681,7 +582,7 @@ func TestRun_BindingRuleUpdates(t *testing.T) { // Validate the binding rule. { queryOpts := &api.QueryOptions{Token: getBootToken(t, k8s, resourcePrefix, ns)} - authMethodName := releaseName + "-consul-k8s-auth-method" + authMethodName := resourcePrefix + "-k8s-auth-method" rules, _, err := consul.ACL().BindingRuleList(authMethodName, queryOpts) require.NoError(err) require.Len(rules, 1) @@ -707,7 +608,7 @@ func TestRun_BindingRuleUpdates(t *testing.T) { // Check the binding rule is changed expected. { queryOpts := &api.QueryOptions{Token: getBootToken(t, k8s, resourcePrefix, ns)} - authMethodName := releaseName + "-consul-k8s-auth-method" + authMethodName := resourcePrefix + "-k8s-auth-method" rules, _, err := consul.ACL().BindingRuleList(authMethodName, queryOpts) require.NoError(err) require.Len(rules, 1) @@ -721,318 +622,92 @@ func TestRun_BindingRuleUpdates(t *testing.T) { } } -// Test that if the server pods aren't available at first that bootstrap +// Test that if the servers aren't available at first that bootstrap // still succeeds. -func TestRun_DelayedServerPods(t *testing.T) { +func TestRun_DelayedServers(t *testing.T) { t.Parallel() require := require.New(t) k8s := fake.NewSimpleClientset() - type APICall struct { - Method string - Path string - } - var consulAPICalls []APICall - consulServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - // Record all the API calls made. - consulAPICalls = append(consulAPICalls, APICall{ - Method: r.Method, - Path: r.URL.Path, - }) - - switch r.URL.Path { - case "/v1/agent/self": - fmt.Fprintln(w, `{"Config": {"Datacenter": "dc1"}}`) - default: - // Send an empty JSON response with code 200 to all calls. - fmt.Fprintln(w, "{}") - } - })) - defer consulServer.Close() - serverURL, err := url.Parse(consulServer.URL) - require.NoError(err) - port, err := strconv.Atoi(serverURL.Port()) - require.NoError(err) + randomPorts := freeport.MustTake(6) ui := cli.NewMockUi() cmd := Command{ UI: ui, clientset: k8s, } - cmd.init() - // Start the command before the Pod exist. - // Run in a goroutine so we can create the Pods asynchronously + // Start the command before the server is up. + // Run in a goroutine so we can start the server asynchronously done := make(chan bool) var responseCode int go func() { responseCode = cmd.Run([]string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", + "-server-address=127.0.0.1", + "-server-port=" + strconv.Itoa(randomPorts[1]), }) close(done) }() - // Asynchronously create the server Pod after a delay. + // Asynchronously start the test server after a delay. + testServerReady := make(chan bool) + var srv *testutil.TestServer go func() { // Create the Pods after a delay between 100 and 500ms. // It's randomized to ensure we're not relying on specific timing. delay := 100 + rand.Intn(400) time.Sleep(time.Duration(delay) * time.Millisecond) - pods := k8s.CoreV1().Pods(ns) - _, err = pods.Create(&v1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server-0", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: v1.PodStatus{ - PodIP: serverURL.Hostname(), - }, - Spec: v1.PodSpec{ - Containers: []v1.Container{ - { - Name: "consul", - Ports: []v1.ContainerPort{ - { - Name: "http", - ContainerPort: int32(port), - }, - }, - }, - }, - }, - }) - require.NoError(err) - _, err = k8s.AppsV1().StatefulSets(ns).Create(&appv1.StatefulSet{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: appv1.StatefulSetStatus{ - UpdateRevision: "current", - CurrentRevision: "current", - }, + var err error + srv, err = testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) { + c.ACL.Enabled = true + + c.Ports = &testutil.TestPortConfig{ + DNS: randomPorts[0], + HTTP: randomPorts[1], + HTTPS: randomPorts[2], + SerfLan: randomPorts[3], + SerfWan: randomPorts[4], + Server: randomPorts[5], + } }) require.NoError(err) + close(testServerReady) }() + // Wait for server to come up + select { + case <-testServerReady: + defer srv.Stop() + case <-time.After(5 * time.Second): + require.FailNow("test server took longer than 5s to come up") + } + // Wait for the command to exit. select { case <-done: require.Equal(0, responseCode, ui.ErrorWriter.String()) - case <-time.After(2 * time.Second): - require.FailNow("command did not exit after 2s") + case <-time.After(5 * time.Second): + require.FailNow("command did not exit after 5s") } // Test that the bootstrap kube secret is created. - getBootToken(t, k8s, resourcePrefix, ns) - - // Test that the expected API calls were made. - require.Equal([]APICall{ - { - "PUT", - "/v1/acl/bootstrap", - }, - { - "PUT", - "/v1/acl/policy", - }, - { - "PUT", - "/v1/acl/token", - }, - { - "PUT", - "/v1/agent/token/agent", - }, - { - "GET", - "/v1/agent/self", - }, - { - "PUT", - "/v1/acl/policy", - }, - { - "PUT", - "/v1/acl/token", - }, - }, consulAPICalls) -} - -// Test that if a deployment of the statefulset is in progress we wait. -func TestRun_InProgressDeployment(t *testing.T) { - t.Parallel() - require := require.New(t) - k8s := fake.NewSimpleClientset() + bootToken := getBootToken(t, k8s, resourcePrefix, ns) - type APICall struct { - Method string - Path string - } - var consulAPICalls []APICall - consulServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - // Record all the API calls made. - consulAPICalls = append(consulAPICalls, APICall{ - Method: r.Method, - Path: r.URL.Path, - }) - switch r.URL.Path { - case "/v1/agent/self": - fmt.Fprintln(w, `{"Config": {"Datacenter": "dc1"}}`) - default: - // Send an empty JSON response with code 200 to all calls. - fmt.Fprintln(w, "{}") - } - })) - defer consulServer.Close() - serverURL, err := url.Parse(consulServer.URL) - require.NoError(err) - port, err := strconv.Atoi(serverURL.Port()) - require.NoError(err) - - // The pods and statefulset are created but as an in-progress deployment - pods := k8s.CoreV1().Pods(ns) - _, err = pods.Create(&v1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server-0", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: v1.PodStatus{ - PodIP: serverURL.Hostname(), - }, - Spec: v1.PodSpec{ - Containers: []v1.Container{ - { - Name: "consul", - Ports: []v1.ContainerPort{ - { - Name: "http", - ContainerPort: int32(port), - }, - }, - }, - }, - }, + // Check that it has the right policies. + consul, err := api.NewClient(&api.Config{ + Address: srv.HTTPAddr, + Token: bootToken, }) require.NoError(err) - _, err = k8s.AppsV1().StatefulSets(ns).Create(&appv1.StatefulSet{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: appv1.StatefulSetStatus{ - UpdateRevision: "updated", - CurrentRevision: "current", - }, - }) + tokenData, _, err := consul.ACL().TokenReadSelf(nil) require.NoError(err) + require.Equal("global-management", tokenData.Policies[0].Name) - ui := cli.NewMockUi() - cmd := Command{ - UI: ui, - clientset: k8s, - } - cmd.init() - - // Start the command before the Pod exist. - // Run in a goroutine so we can create the Pods asynchronously - done := make(chan bool) - var responseCode int - go func() { - responseCode = cmd.Run([]string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, - "-resource-prefix=" + resourcePrefix, - "-k8s-namespace=" + ns, - "-expected-replicas=1", - }) - close(done) - }() - - // Asynchronously update the deployment status after a delay. - go func() { - // Update after a delay between 100 and 500ms. - // It's randomized to ensure we're not relying on specific timing. - delay := 100 + rand.Intn(400) - time.Sleep(time.Duration(delay) * time.Millisecond) - _, err = k8s.AppsV1().StatefulSets(ns).Update(&appv1.StatefulSet{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: appv1.StatefulSetStatus{ - UpdateRevision: "updated", - CurrentRevision: "updated", - }, - }) - require.NoError(err) - }() - - // Wait for the command to exit. - select { - case <-done: - require.Equal(0, responseCode, ui.ErrorWriter.String()) - case <-time.After(2 * time.Second): - require.FailNow("command did not exit after 2s") - } - - // Test that the bootstrap kube secret is created. - getBootToken(t, k8s, resourcePrefix, ns) - - // Test that the expected API calls were made. - require.Equal([]APICall{ - { - "PUT", - "/v1/acl/bootstrap", - }, - { - "PUT", - "/v1/acl/policy", - }, - { - "PUT", - "/v1/acl/token", - }, - { - "PUT", - "/v1/agent/token/agent", - }, - { - "GET", - "/v1/agent/self", - }, - { - "PUT", - "/v1/acl/policy", - }, - { - "PUT", - "/v1/acl/token", - }, - }, consulAPICalls) + // Check that the agent policy was created. + policyExists(t, "agent-token", consul) } // Test that if there's no leader, we retry until one is elected. @@ -1078,51 +753,6 @@ func TestRun_NoLeader(t *testing.T) { // Create the Server Pods. serverURL, err := url.Parse(consulServer.URL) require.NoError(err) - port, err := strconv.Atoi(serverURL.Port()) - require.NoError(err) - pods := k8s.CoreV1().Pods(ns) - _, err = pods.Create(&v1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server-0", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: v1.PodStatus{ - PodIP: serverURL.Hostname(), - }, - Spec: v1.PodSpec{ - Containers: []v1.Container{ - { - Name: "consul", - Ports: []v1.ContainerPort{ - { - Name: "http", - ContainerPort: int32(port), - }, - }, - }, - }, - }, - }) - require.NoError(err) - // Create Consul server Statefulset. - _, err = k8s.AppsV1().StatefulSets(ns).Create(&appv1.StatefulSet{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: appv1.StatefulSetStatus{ - UpdateRevision: "current", - CurrentRevision: "current", - }, - }) // Run the command. ui := cli.NewMockUi() @@ -1130,16 +760,15 @@ func TestRun_NoLeader(t *testing.T) { UI: ui, clientset: k8s, } - cmd.init() done := make(chan bool) var responseCode int go func() { responseCode = cmd.Run([]string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", + "-server-address=" + serverURL.Hostname(), + "-server-port=" + serverURL.Port(), }) close(done) }() @@ -1236,55 +865,8 @@ func TestRun_ClientTokensRetry(t *testing.T) { })) defer consulServer.Close() - // Create the Server Pods. serverURL, err := url.Parse(consulServer.URL) require.NoError(err) - port, err := strconv.Atoi(serverURL.Port()) - require.NoError(err) - pods := k8s.CoreV1().Pods(ns) - _, err = pods.Create(&v1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server-0", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: v1.PodStatus{ - PodIP: serverURL.Hostname(), - }, - Spec: v1.PodSpec{ - Containers: []v1.Container{ - { - Name: "consul", - Ports: []v1.ContainerPort{ - { - Name: "http", - ContainerPort: int32(port), - }, - }, - }, - }, - }, - }) - require.NoError(err) - // Create the server statefulset. - _, err = k8s.AppsV1().StatefulSets(ns).Create(&appv1.StatefulSet{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: appv1.StatefulSetStatus{ - UpdateRevision: "current", - CurrentRevision: "current", - }, - }) - require.NoError(err) // Run the command. ui := cli.NewMockUi() @@ -1292,12 +874,11 @@ func TestRun_ClientTokensRetry(t *testing.T) { UI: ui, clientset: k8s, } - cmd.init() responseCode := cmd.Run([]string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", + "-server-address=" + serverURL.Hostname(), + "-server-port=" + serverURL.Port(), }) require.Equal(0, responseCode, ui.ErrorWriter.String()) @@ -1369,55 +950,8 @@ func TestRun_AlreadyBootstrapped(t *testing.T) { })) defer consulServer.Close() - // Create the Server Pods. serverURL, err := url.Parse(consulServer.URL) require.NoError(err) - port, err := strconv.Atoi(serverURL.Port()) - require.NoError(err) - pods := k8s.CoreV1().Pods(ns) - _, err = pods.Create(&v1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server-0", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: v1.PodStatus{ - PodIP: serverURL.Hostname(), - }, - Spec: v1.PodSpec{ - Containers: []v1.Container{ - { - Name: "consul", - Ports: []v1.ContainerPort{ - { - Name: "http", - ContainerPort: int32(port), - }, - }, - }, - }, - }, - }) - require.NoError(err) - // Create the server statefulset. - _, err = k8s.AppsV1().StatefulSets(ns).Create(&appv1.StatefulSet{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourcePrefix + "-server", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: appv1.StatefulSetStatus{ - UpdateRevision: "current", - CurrentRevision: "current", - }, - }) - require.NoError(err) // Create the bootstrap secret. _, err = k8s.CoreV1().Secrets(ns).Create(&v1.Secret{ @@ -1436,12 +970,12 @@ func TestRun_AlreadyBootstrapped(t *testing.T) { UI: ui, clientset: k8s, } - cmd.init() + responseCode := cmd.Run([]string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", + "-server-address=" + serverURL.Hostname(), + "-server-port=" + serverURL.Port(), }) require.Equal(0, responseCode, ui.ErrorWriter.String()) @@ -1484,19 +1018,18 @@ func TestRun_Timeout(t *testing.T) { UI: ui, clientset: k8s, } - cmd.init() + responseCode := cmd.Run([]string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, - "-expected-replicas=1", + "-server-address=foo", "-timeout=500ms", }) require.Equal(1, responseCode, ui.ErrorWriter.String()) } // Test that the bootstrapping process can make calls to Consul API over HTTPS -// when the consul agent is configured with HTTPS only (HTTP disabled). +// when the consul agent is configured with HTTPS. func TestRun_HTTPS(t *testing.T) { t.Parallel() require := require.New(t) @@ -1505,27 +1038,15 @@ func TestRun_HTTPS(t *testing.T) { caFile, certFile, keyFile, cleanup := generateServerCerts(t) defer cleanup() - agentConfig := fmt.Sprintf(` - primary_datacenter = "dc1" - acl { - enabled = true - } - ca_file = "%s" - cert_file = "%s" - key_file = "%s"`, caFile, certFile, keyFile) - - // NOTE: We can't use testutil.TestServer for this test because the HTTP - // port can't be disabled (causes a seg fault). - a := &agent.TestAgent{ - Name: t.Name(), - HCL: agentConfig, - UseTLS: true, // this also disables HTTP port - } - - a.Start() - defer a.Shutdown() + srv, err := testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) { + c.ACL.Enabled = true - createTestK8SResources(t, k8s, a.HTTPAddr(), resourcePrefix, "https", ns) + c.CAFile = caFile + c.CertFile = certFile + c.KeyFile = keyFile + }) + require.NoError(err) + defer srv.Stop() // Run the command. ui := cli.NewMockUi() @@ -1533,15 +1054,15 @@ func TestRun_HTTPS(t *testing.T) { UI: ui, clientset: k8s, } - cmd.init() + responseCode := cmd.Run([]string{ - "-server-label-selector=component=server,app=consul,release=" + releaseName, "-resource-prefix=" + resourcePrefix, "-k8s-namespace=" + ns, "-use-https", "-consul-tls-server-name", "server.dc1.consul", "-consul-ca-cert", caFile, - "-expected-replicas=1", + "-server-address=" + strings.Split(srv.HTTPSAddr, ":")[0], + "-server-port=" + strings.Split(srv.HTTPSAddr, ":")[1], }) require.Equal(0, responseCode, ui.ErrorWriter.String()) @@ -1559,7 +1080,7 @@ func TestRun_HTTPS(t *testing.T) { func TestRun_ACLReplicationTokenValid(t *testing.T) { t.Parallel() - secondaryK8s, secondaryConsulClient, aclReplicationToken, clean := completeReplicatedSetup(t, resourcePrefix) + secondaryK8s, secondaryConsulClient, secondaryAddr, aclReplicationToken, clean := completeReplicatedSetup(t) defer clean() // completeReplicatedSetup ran the command in our primary dc so now we @@ -1574,8 +1095,8 @@ func TestRun_ACLReplicationTokenValid(t *testing.T) { secondaryCmd.init() secondaryCmdArgs := []string{ "-k8s-namespace=" + ns, - "-expected-replicas=1", - "-server-label-selector=component=server,app=consul,release=" + releaseName, + "-server-address", strings.Split(secondaryAddr, ":")[0], + "-server-port", strings.Split(secondaryAddr, ":")[1], "-resource-prefix=" + resourcePrefix, "-acl-replication-token-file", tokenFile, "-create-client-token", @@ -1615,7 +1136,7 @@ func TestRun_AnonPolicy_IgnoredWithReplication(t *testing.T) { bootToken := "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" tokenFile, fileCleanup := writeTempFile(t, bootToken) defer fileCleanup() - k8s, consul, cleanup := mockReplicatedSetup(t, resourcePrefix, bootToken) + k8s, consul, serverAddr, cleanup := mockReplicatedSetup(t, bootToken) setUpK8sServiceAccount(t, k8s) defer cleanup() @@ -1628,9 +1149,9 @@ func TestRun_AnonPolicy_IgnoredWithReplication(t *testing.T) { cmd.init() cmdArgs := append([]string{ "-k8s-namespace=" + ns, - "-expected-replicas=1", "-acl-replication-token-file", tokenFile, - "-server-label-selector=component=server,app=consul,release=" + releaseName, + "-server-address", strings.Split(serverAddr, ":")[0], + "-server-port", strings.Split(serverAddr, ":")[1], "-resource-prefix=" + resourcePrefix, }, flag) responseCode := cmd.Run(cmdArgs) @@ -1649,7 +1170,7 @@ func TestRun_AnonPolicy_IgnoredWithReplication(t *testing.T) { } // Set up test consul agent and kubernetes cluster. -func completeSetup(t *testing.T, prefix string) (*fake.Clientset, *testutil.TestServer) { +func completeSetup(t *testing.T) (*fake.Clientset, *testutil.TestServer) { k8s := fake.NewSimpleClientset() svr, err := testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) { @@ -1657,19 +1178,18 @@ func completeSetup(t *testing.T, prefix string) (*fake.Clientset, *testutil.Test }) require.NoError(t, err) - createTestK8SResources(t, k8s, svr.HTTPAddr, prefix, "http", ns) - return k8s, svr } // completeReplicatedSetup sets up two Consul servers with ACL replication // using the server-acl-init command to start the replication. // Returns the Kubernetes client for the secondary DC, -// a Consul API client initialized for the secondary DC, the replication token -// generated and a cleanup function that should be called at the end of the -// test that cleans up resources. -func completeReplicatedSetup(t *testing.T, prefix string) (*fake.Clientset, *api.Client, string, func()) { - return replicatedSetup(t, prefix, "") +// a Consul API client initialized for the secondary DC, +// the address of the secondary Consul server, +// the replication token generated and a cleanup function +// that should be called at the end of the test that cleans up resources. +func completeReplicatedSetup(t *testing.T) (*fake.Clientset, *api.Client, string, string, func()) { + return replicatedSetup(t, "") } // mockReplicatedSetup sets up two Consul servers with ACL replication. @@ -1677,18 +1197,24 @@ func completeReplicatedSetup(t *testing.T, prefix string) (*fake.Clientset, *api // command to set up replication but do it in config using the bootstrap // token. See completeReplicatedSetup for a complete setup using the command. // Returns the Kubernetes client for the secondary DC, -// a Consul API client initialized for the secondary DC and a +// a Consul API client initialized for the secondary DC, +// the address of the secondary Consul server, and a // cleanup function that should be called at the end of the test that cleans // up resources. -func mockReplicatedSetup(t *testing.T, prefix string, bootToken string) (*fake.Clientset, *api.Client, func()) { - k8sClient, consulClient, _, cleanup := replicatedSetup(t, prefix, bootToken) - return k8sClient, consulClient, cleanup +func mockReplicatedSetup(t *testing.T, bootToken string) (*fake.Clientset, *api.Client, string, func()) { + k8sClient, consulClient, serverAddr, _, cleanup := replicatedSetup(t, bootToken) + return k8sClient, consulClient, serverAddr, cleanup } // replicatedSetup is a helper function for completeReplicatedSetup and // mockReplicatedSetup. If bootToken is empty, it will run the server-acl-init // command to set up replication. Otherwise it will do it through config. -func replicatedSetup(t *testing.T, prefix string, bootToken string) (*fake.Clientset, *api.Client, string, func()) { +// Returns the Kubernetes client for the secondary DC, +// a Consul API client initialized for the secondary DC, +// the address of the secondary Consul server, ACL replication token, and a +// cleanup function that should be called at the end of the test that cleans +// up resources. +func replicatedSetup(t *testing.T, bootToken string) (*fake.Clientset, *api.Client, string, string, func()) { primarySvr, err := testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) { c.ACL.Enabled = true if bootToken != "" { @@ -1700,7 +1226,6 @@ func replicatedSetup(t *testing.T, prefix string, bootToken string) (*fake.Clien var aclReplicationToken string if bootToken == "" { primaryK8s := fake.NewSimpleClientset() - createTestK8SResources(t, primaryK8s, primarySvr.HTTPAddr, resourcePrefix, "http", ns) require.NoError(t, err) // Run the command to bootstrap ACLs @@ -1712,8 +1237,8 @@ func replicatedSetup(t *testing.T, prefix string, bootToken string) (*fake.Clien primaryCmd.init() primaryCmdArgs := []string{ "-k8s-namespace=" + ns, - "-expected-replicas=1", - "-server-label-selector=component=server,app=consul,release=" + releaseName, + "-server-address", strings.Split(primarySvr.HTTPAddr, ":")[0], + "-server-port", strings.Split(primarySvr.HTTPAddr, ":")[1], "-resource-prefix=" + resourcePrefix, "-create-acl-replication-token", } @@ -1762,69 +1287,13 @@ func replicatedSetup(t *testing.T, prefix string, bootToken string) (*fake.Clien // Finally, set up our kube cluster. It will use the secondary dc. k8s := fake.NewSimpleClientset() - createTestK8SResources(t, k8s, secondarySvr.HTTPAddr, prefix, "http", ns) - return k8s, consul, aclReplicationToken, func() { + return k8s, consul, secondarySvr.HTTPAddr, aclReplicationToken, func() { primarySvr.Stop() secondarySvr.Stop() } } -// Create test k8s resources (server pods and server stateful set) -func createTestK8SResources(t *testing.T, k8s *fake.Clientset, consulHTTPAddr, prefix, scheme, k8sNamespace string) { - require := require.New(t) - consulURL, err := url.Parse("http://" + consulHTTPAddr) - require.NoError(err) - port, err := strconv.Atoi(consulURL.Port()) - require.NoError(err) - - // Create Consul server Pod. - _, err = k8s.CoreV1().Pods(k8sNamespace).Create(&v1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Name: prefix + "-server-0", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: v1.PodStatus{ - PodIP: consulURL.Hostname(), - }, - Spec: v1.PodSpec{ - Containers: []v1.Container{ - { - Name: "consul", - Ports: []v1.ContainerPort{ - { - Name: scheme, - ContainerPort: int32(port), - }, - }, - }, - }, - }, - }) - require.NoError(err) - - // Create Consul server Statefulset. - _, err = k8s.AppsV1().StatefulSets(k8sNamespace).Create(&appv1.StatefulSet{ - ObjectMeta: metav1.ObjectMeta{ - Name: prefix + "-server", - Labels: map[string]string{ - "component": "server", - "app": "consul", - "release": releaseName, - }, - }, - Status: appv1.StatefulSetStatus{ - UpdateRevision: "current", - CurrentRevision: "current", - }, - }) - require.NoError(err) -} - // getBootToken gets the bootstrap token from the Kubernetes secret. It will // cause a test failure if the Secret doesn't exist or is malformed. func getBootToken(t *testing.T, k8s *fake.Clientset, prefix string, k8sNamespace string) string { diff --git a/subcommand/server-acl-init/servers.go b/subcommand/server-acl-init/servers.go index 3ae1d9fdf7..14f81fd7e8 100644 --- a/subcommand/server-acl-init/servers.go +++ b/subcommand/server-acl-init/servers.go @@ -10,76 +10,10 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -// podAddr is a convenience struct for passing around pod names and -// addresses for Consul servers. -type podAddr struct { - // Name is the name of the pod. - Name string - // Addr is in the form ":". - Addr string -} - -// getConsulServers returns n Consul server pods with their http addresses. -// If there are less server pods than 'n' then the function will wait. -func (c *Command) getConsulServers(n int, scheme string) ([]podAddr, error) { - var serverPods *apiv1.PodList - err := c.untilSucceeds("discovering Consul server pods", - func() error { - var err error - serverPods, err = c.clientset.CoreV1().Pods(c.flagK8sNamespace).List(metav1.ListOptions{LabelSelector: c.flagServerLabelSelector}) - if err != nil { - return err - } - - if len(serverPods.Items) == 0 { - return fmt.Errorf("no server pods with labels %q found", c.flagServerLabelSelector) - } - - if len(serverPods.Items) < n { - return fmt.Errorf("found %d servers, require %d", len(serverPods.Items), n) - } - - for _, pod := range serverPods.Items { - if pod.Status.PodIP == "" { - return fmt.Errorf("pod %s has no IP", pod.Name) - } - } - return nil - }) - if err != nil { - return nil, err - } - - var podAddrs []podAddr - for _, pod := range serverPods.Items { - var httpPort int32 - for _, p := range pod.Spec.Containers[0].Ports { - if p.Name == scheme { - httpPort = p.ContainerPort - } - } - if httpPort == 0 { - return nil, fmt.Errorf("pod %s has no port labeled '%s'", pod.Name, scheme) - } - addr := fmt.Sprintf("%s:%d", pod.Status.PodIP, httpPort) - podAddrs = append(podAddrs, podAddr{ - Name: pod.Name, - Addr: addr, - }) - } - return podAddrs, nil -} - // bootstrapServers bootstraps ACLs and ensures each server has an ACL token. func (c *Command) bootstrapServers(bootTokenSecretName, scheme string) (string, error) { - serverPods, err := c.getConsulServers(c.flagReplicas, scheme) - if err != nil { - return "", err - } - c.Log.Info(fmt.Sprintf("Found %d Consul server Pods", len(serverPods))) - - // Pick the first pod to connect to for bootstrapping and set up connection. - firstServerAddr := serverPods[0].Addr + // Pick the first server address to connect to for bootstrapping and set up connection. + firstServerAddr := fmt.Sprintf("%s:%d", c.flagServerAddresses[0], c.flagServerPort) consulClient, err := api.NewClient(&api.Config{ Address: firstServerAddr, Scheme: scheme, @@ -159,7 +93,7 @@ func (c *Command) bootstrapServers(bootTokenSecretName, scheme string) (string, } // Create new tokens for each server and apply them. - if err := c.setServerTokens(consulClient, serverPods, string(bootstrapToken), scheme); err != nil { + if err := c.setServerTokens(consulClient, string(bootstrapToken), scheme); err != nil { return "", err } return string(bootstrapToken), nil @@ -167,40 +101,20 @@ func (c *Command) bootstrapServers(bootTokenSecretName, scheme string) (string, // setServerTokens creates policies and associated ACL token for each server // and then provides the token to the server. -func (c *Command) setServerTokens(consulClient *api.Client, - serverPods []podAddr, bootstrapToken, scheme string) error { - +func (c *Command) setServerTokens(consulClient *api.Client, bootstrapToken, scheme string) error { agentPolicy, err := c.setServerPolicy(consulClient) if err != nil { return err } // Create agent token for each server agent. - var serverTokens []api.ACLToken - for _, pod := range serverPods { + for _, host := range c.flagServerAddresses { var token *api.ACLToken - err := c.untilSucceeds(fmt.Sprintf("creating server token for %s - PUT /v1/acl/token", pod.Name), - func() error { - tokenReq := api.ACLToken{ - Description: fmt.Sprintf("Server Token for %s", pod.Name), - Policies: []*api.ACLTokenPolicyLink{{Name: agentPolicy.Name}}, - } - var err error - token, _, err = consulClient.ACL().TokenCreate(&tokenReq, nil) - return err - }) - if err != nil { - return err - } - serverTokens = append(serverTokens, *token) - } - // Pass out agent tokens to servers. - for i, pod := range serverPods { // We create a new client for each server because we need to call each // server specifically. serverClient, err := api.NewClient(&api.Config{ - Address: pod.Addr, + Address: fmt.Sprintf("%s:%d", host, c.flagServerPort), Scheme: scheme, Token: bootstrapToken, TLSConfig: api.TLSConfig{ @@ -208,21 +122,34 @@ func (c *Command) setServerTokens(consulClient *api.Client, CAFile: c.flagConsulCACert, }, }) + + // Create token for the server + err = c.untilSucceeds(fmt.Sprintf("creating server token for %s - PUT /v1/acl/token", host), + func() error { + tokenReq := api.ACLToken{ + Description: fmt.Sprintf("Server Token for %s", host), + Policies: []*api.ACLTokenPolicyLink{{Name: agentPolicy.Name}}, + } + var err error + token, _, err = serverClient.ACL().TokenCreate(&tokenReq, nil) + return err + }) if err != nil { - return fmt.Errorf(" creating Consul client for address %q: %s", pod.Addr, err) + return err } - podName := pod.Name + // Pass out agent tokens to servers. // Update token. - err = c.untilSucceeds(fmt.Sprintf("updating server token for %s - PUT /v1/agent/token/agent", podName), + err = c.untilSucceeds(fmt.Sprintf("updating server token for %s - PUT /v1/agent/token/agent", host), func() error { - _, err := serverClient.Agent().UpdateAgentACLToken(serverTokens[i].SecretID, nil) + _, err := serverClient.Agent().UpdateAgentACLToken(token.SecretID, nil) return err }) if err != nil { return err } } + return nil }