Merge branch 'main' into peering

hashicorp · Nov 17, 2022 · 811cd3e · 811cd3e
2 parents 9d53165 + bd58c9d
commit 811cd3e
Show file tree

Hide file tree

Showing 112 changed files with 1,344 additions and 12,521 deletions.
diff --git a/.changelog/433.txt b/.changelog/433.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+Add optional `podSecurityPolicy` to GatewayClassConfig CRD. If set and "managed" ServiceAccounts are being used, a Role and RoleBinding are created to attach the named `PodSecurityPolicy` to the managed ServiceAccount.
+```
diff --git a/.changelog/449.txt b/.changelog/449.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+Integrate consul-server-connection-manager to support Agentless consul server discovery
+```
diff --git a/.changelog/450.txt b/.changelog/450.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+Add optional `consul.partition` and `consul.serverName` to GatewayClassConfig CRD. If set these will be used to initialize the partition and server name used in TLS verification for communicating with Consul in a deployment.
+```
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -36,12 +36,10 @@ jobs:
     strategy:
       matrix:
         consul-version:
-        - 1.11.11
-        - 1.11.11+ent
-        - 1.12.6
-        - 1.12.6+ent
         - 1.13.3
         - 1.13.3+ent
+        - 1.14.0-beta1
+        - 1.14.0-beta1+ent
     runs-on: ubuntu-latest
     env:
       TEST_RESULTS_DIR: /tmp/test-results/consul@${{ matrix.consul-version }}
@@ -91,10 +89,6 @@ jobs:
       fail-fast: false
       matrix:
         consul-image:
-        - 'hashicorp/consul:1.11.11'
-        - 'hashicorp/consul-enterprise:1.11.11-ent'
-        - 'hashicorp/consul:1.12.6'
-        - 'hashicorp/consul-enterprise:1.12.6-ent'
         - 'hashicorp/consul:1.13.3'
         - 'hashicorp/consul-enterprise:1.13.3-ent'
         - 'hashicorppreview/consul:1.14-dev'

diff --git a/.github/workflows/conformance_with_build.yml b/.github/workflows/conformance_with_build.yml
@@ -50,7 +50,7 @@ jobs:
             api-gateway-image: "hashicorppreview/consul-api-gateway:0.4-dev"
             consul-image: "hashicorppreview/consul:1.14-dev"
             envoy-image: "envoyproxy/envoy:v1.22-latest"
-            consul-k8s-version: "v0.49.0"
+            consul-k8s-version: "main"
       fail-fast: true
     name: "${{ matrix.config.name }}"
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,3 +1,6 @@
+FROM golang:1.19.1-alpine as go-discover
+RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@49f60c093101c9c5f6b04d5b1c80164251a761a6
+
 # ===================================
 #
 #   Non-release images.
@@ -24,6 +27,8 @@ ARG BIN_NAME
 # Export BIN_NAME for the CMD below, it can't see ARGs directly.
 ENV BIN_NAME=$BIN_NAME
 COPY --from=devbuild /build/$BIN_NAME /bin/
+COPY --from=go-discover /go/bin/discover /bin/
+
 ENTRYPOINT /bin/$BIN_NAME
 CMD ["version"]
 
@@ -56,6 +61,7 @@ RUN addgroup $PRODUCT_NAME && \
     adduser -S -G $PRODUCT_NAME 100
 
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
+COPY --from=go-discover /go/bin/discover /bin/
 
 USER 100
 ENTRYPOINT /bin/$BIN_NAME
@@ -84,6 +90,7 @@ RUN addgroup $PRODUCT_NAME && \
     adduser --system --uid 101 --group $PRODUCT_NAME
 
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
+COPY --from=go-discover /go/bin/discover /bin/
 
 USER 101
 ENTRYPOINT /bin/$BIN_NAME

diff --git a/Dockerfile.local b/Dockerfile.local
@@ -1,5 +1,9 @@
+FROM golang:1.19.1-alpine as go-discover
+RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@49f60c093101c9c5f6b04d5b1c80164251a761a6
+
 FROM alpine:latest
 
+COPY --from=go-discover /go/bin/discover /bin/
 COPY ./consul-api-gateway /bin/consul-api-gateway
 ENTRYPOINT ["/bin/consul-api-gateway"]
 CMD ["version"]
diff --git a/config/crd/bases/api-gateway.consul.hashicorp.com_gatewayclassconfigs.yaml b/config/crd/bases/api-gateway.consul.hashicorp.com_gatewayclassconfigs.yaml
@@ -59,12 +59,12 @@ spec:
                     description: Consul authentication information
                     properties:
                       account:
-                        description: The Kubernetes service account to authenticate
-                          as.
+                        description: The name of an existing Kubernetes ServiceAccount
+                          to authenticate as. Ignored if managed is true.
                         type: string
                       managed:
                         description: Whether deployments should be run with "managed"
-                          service accounts created by the gateway controller.
+                          Kubernetes ServiceAccounts created by the gateway controller.
                         type: boolean
                       method:
                         description: The Consul auth method used for initial authentication
@@ -73,7 +73,15 @@ spec:
                       namespace:
                         description: The Consul namespace to use for authentication.
                         type: string
+                      podSecurityPolicy:
+                        description: The name of an existing Kubernetes PodSecurityPolicy
+                          to bind to the managed ServiceAccount if managed is true.
+                        type: string
                     type: object
+                  partition:
+                    description: The Consul admin partition in which the gateway is
+                      registered. https://developer.hashicorp.com/consul/tutorials/enterprise/consul-admin-partitions
+                    type: string
                   ports:
                     description: The information about Consul's ports
                     properties:
@@ -90,6 +98,11 @@ spec:
                     - http
                     - https
                     type: string
+                  serverName:
+                    description: The server name presented by the server's TLS certificate.
+                      This is useful when attempting to talk to a Consul server over
+                      TLS while referencing it via ip address.
+                    type: string
                 type: object
               copyAnnotations:
                 description: Annotation Information to copy to services or deployments

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -238,3 +238,19 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - watch
diff --git a/dev/config/helm/consul.yaml b/dev/config/helm/consul.yaml
@@ -1,6 +1,5 @@
 global:
   name: consul
-  image: "hashicorpdev/consul:581357c32"
   tls:
     enabled: true
     serverAdditionalDNSSANs:

diff --git a/dev/config/k8s/service-account-secret.yaml b/dev/config/k8s/service-account-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: consul-api-gateway
+  annotations:
+    kubernetes.io/service-account.name: consul-api-gateway
+type: kubernetes.io/service-account-token
diff --git a/dev/config/k8s/service-account.yaml b/dev/config/k8s/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: consul-api-gateway
diff --git a/dev/run b/dev/run
@@ -1,5 +1,8 @@
 #!/bin/bash
 
+K8S_VERSION=1.24.7
+CONSUL_K8S_VERSION=0.49.0
+
 enableHelmRepo() {
   echo "Enabling Hashicorp Helm repo"
   (helm repo add hashicorp https://helm.releases.hashicorp.com && helm repo update) 2>&1 > /dev/null
@@ -20,7 +23,7 @@ createCluster() {
     echo "consul-api-gateway cluster already exists"
     exit 1
   fi
-  kind create cluster --name consul-api-gateway --config=dev/config/kind/cluster.yaml
+  kind create cluster --name consul-api-gateway --config=dev/config/kind/cluster.yaml --image kindest/node:v$K8S_VERSION
 }
 
 installGatewayCRDs() {
@@ -30,7 +33,8 @@ installGatewayCRDs() {
 
 createServiceAccountForRBAC() {
   echo "Creating consul-api-gateway Service Account"
-  kubectl create serviceaccount consul-api-gateway 2>&1 > /dev/null
+  kubectl apply -f dev/config/k8s/service-account.yaml 2>&1 > /dev/null
+  kubectl apply -f dev/config/k8s/service-account-secret.yaml 2>&1 > /dev/null
   kubectl apply -f dev/config/k8s/rbac.yaml 2>&1 > /dev/null
 }
 
@@ -44,7 +48,7 @@ createNginxIngress() {
 
 installConsul() {
   echo "Installing consul helm chart"
-  helm install consul hashicorp/consul --version 0.41.1 -f dev/config/helm/consul.yaml 2>&1 > /dev/null
+  helm install consul hashicorp/consul --version $CONSUL_K8S_VERSION -f dev/config/helm/consul.yaml 2>&1 > /dev/null
   echo "Waiting for consul to stabilize"
   sleep 10
   kubectl wait --for=condition=ready pod --selector=app=consul,component=server,release=consul --timeout=90s
@@ -53,7 +57,7 @@ installConsul() {
 
 setupAuthMethod() {
   echo "Importing Kubernetes Configuration"
-  export K8S_JWT=$(kubectl get secret $(kubectl get serviceaccounts consul-api-gateway -o json | jq '.secrets[0].name' -r) -o json | jq '.data.token' -r | base64 -d)
+  export K8S_JWT=$(kubectl get secret consul-api-gateway -o json | jq '.data.token' -r | base64 -d)
   export K8S_HOST=$(kind get kubeconfig --name consul-api-gateway --internal | grep server | tr -s ' '| cut -d' ' -f3)
   export K8S_CERT=$(kubectl config view -o jsonpath='{.clusters[].cluster.certificate-authority-data}' --raw | base64 -d)