├── .helmignore
├── assets
    └── icon.png
├── test
    ├── acceptance
    │   ├── tests
    │   │   ├── fixtures
    │   │   │   ├── bases
    │   │   │   │   ├── mesh-gateway
    │   │   │   │   │   ├── kustomization.yaml
    │   │   │   │   │   └── proxydefaults.yaml
    │   │   │   │   ├── static-metrics-app
    │   │   │   │   │   ├── kustomization.yaml
    │   │   │   │   │   ├── service.yaml
    │   │   │   │   │   └── deployment.yaml
    │   │   │   │   ├── static-client
    │   │   │   │   │   ├── serviceaccount.yaml
    │   │   │   │   │   ├── service.yaml
    │   │   │   │   │   ├── kustomization.yaml
    │   │   │   │   │   ├── psp-rolebinding.yaml
    │   │   │   │   │   ├── anyuid-scc-rolebinding.yaml
    │   │   │   │   │   ├── privileged-scc-rolebinding.yaml
    │   │   │   │   │   └── deployment.yaml
    │   │   │   │   └── static-server
    │   │   │   │   │   ├── serviceaccount.yaml
    │   │   │   │   │   ├── kustomization.yaml
    │   │   │   │   │   ├── service.yaml
    │   │   │   │   │   ├── psp-rolebinding.yaml
    │   │   │   │   │   ├── anyuid-scc-rolebinding.yaml
    │   │   │   │   │   ├── privileged-scc-rolebinding.yaml
    │   │   │   │   │   └── deployment.yaml
    │   │   │   ├── cases
    │   │   │   │   ├── static-client-inject
    │   │   │   │   │   ├── kustomization.yaml
    │   │   │   │   │   └── patch.yaml
    │   │   │   │   ├── static-client-tproxy
    │   │   │   │   │   ├── kustomization.yaml
    │   │   │   │   │   └── patch.yaml
    │   │   │   │   ├── static-server-inject
    │   │   │   │   │   ├── kustomization.yaml
    │   │   │   │   │   └── patch.yaml
    │   │   │   │   ├── static-client-multi-dc
    │   │   │   │   │   ├── kustomization.yaml
    │   │   │   │   │   └── patch.yaml
    │   │   │   │   └── static-client-namespaces
    │   │   │   │   │   ├── kustomization.yaml
    │   │   │   │   │   └── patch.yaml
    │   │   │   └── crds
    │   │   │   │   ├── mesh.yaml
    │   │   │   │   ├── serviceresolver.yaml
    │   │   │   │   ├── ingressgateway.yaml
    │   │   │   │   ├── terminatinggateway.yaml
    │   │   │   │   ├── servicerouter.yaml
    │   │   │   │   ├── proxydefaults.yaml
    │   │   │   │   ├── servicesplitter.yaml
    │   │   │   │   ├── servicedefaults.yaml
    │   │   │   │   └── serviceintentions.yaml
    │   │   ├── basic
    │   │   │   └── main_test.go
    │   │   ├── sync
    │   │   │   └── main_test.go
    │   │   ├── connect
    │   │   │   └── main_test.go
    │   │   ├── consul-dns
    │   │   │   └── main_test.go
    │   │   ├── controller
    │   │   │   └── main_test.go
    │   │   ├── metrics
    │   │   │   └── main_test.go
    │   │   ├── ingress-gateway
    │   │   │   └── main_test.go
    │   │   ├── terminating-gateway
    │   │   │   └── main_test.go
    │   │   ├── mesh-gateway
    │   │   │   └── main_test.go
    │   │   └── example
    │   │   │   └── main_test.go
    │   ├── go.mod
    │   └── framework
    │   │   ├── logger
    │   │       └── logger.go
    │   │   └── suite
    │   │       └── suite.go
    ├── terraform
    │   ├── aks
    │   │   ├── outputs.tf
    │   │   ├── variables.tf
    │   │   └── main.tf
    │   ├── eks
    │   │   ├── outputs.tf
    │   │   └── variables.tf
    │   ├── openshift
    │   │   ├── outputs.tf
    │   │   ├── variables.tf
    │   │   └── oc-login.sh
    │   └── gke
    │   │   ├── outputs.tf
    │   │   ├── variables.tf
    │   │   └── main.tf
    └── unit
    │   ├── _helpers.bash
    │   ├── prometheus.bats
    │   ├── test-runner.bats
    │   ├── controller-webhook-service.bats
    │   ├── controller-clusterrolebinding.bats
    │   ├── controller-leader-election-role.bats
    │   ├── controller-leader-election-rolebinding.bats
    │   ├── controller-mutatingwebhookconfiguration.bats
    │   ├── create-federation-secret-rolebinding.bats
    │   ├── crd-meshes.bats
    │   ├── crd-proxydefaults.bats
    │   ├── crd-ingressgateways.bats
    │   ├── crd-servicerouters.bats
    │   ├── crd-servicedefaults.bats
    │   ├── crd-serviceintentions.bats
    │   ├── crd-serviceresolvers.bats
    │   ├── crd-servicesplitters.bats
    │   ├── crd-terminatinggateway.bats
    │   ├── server-podsecuritypolicy.bats
    │   ├── controller-podsecuritypolicy.bats
    │   ├── connect-inject-clusterrolebinding.bats
    │   ├── server-securitycontextconstraints.bats
    │   ├── mesh-gateway-clusterrolebinding.bats
    │   ├── connect-inject-service.bats
    │   ├── client-snapshot-agent-podsecuritypolicy.bats
    │   ├── sync-catalog-podsecuritypolicy.bats
    │   ├── connect-inject-podsecuritypolicy.bats
    │   ├── client-snapshot-agent-rolebinding.bats
    │   ├── webhook-cert-manager-deployment.bats
    │   ├── client-rolebinding.bats
    │   ├── server-rolebinding.bats
    │   ├── connect-inject-authmethod-clusterrole.bats
    │   ├── create-federation-secret-podsecuritypolicy.bats
    │   ├── ingress-gateways-rolebinding.bats
    │   ├── webhook-cert-manager-clusterrolebinding.bats
    │   ├── sync-catalog-clusterrolebinding.bats
    │   ├── connect-inject-authmethod-clusterrolebinding.bats
    │   ├── terminating-gateways-rolebinding.bats
    │   ├── connect-inject-mutatingwebhook.bats
    │   ├── tls-init-podsecuritypolicy.bats
    │   ├── mesh-gateway-podsecuritypolicy.bats
    │   ├── server-acl-init-podsecuritypolicy.bats
    │   ├── tls-init-cleanup-podsecuritypolicy.bats
    │   ├── server-acl-init-cleanup-podsecuritypolicy.bats
    │   ├── create-federation-secret-serviceaccount.bats
    │   ├── server-acl-init-rolebinding.bats
    │   ├── ingress-gateways-podsecuritypolicy.bats
    │   ├── tls-init-cleanup-job.bats
    │   ├── tls-init-rolebinding.bats
    │   ├── terminating-gateways-podsecuritypolicy.bats
    │   └── server-acl-init-cleanup-rolebinding.bats
├── .gitignore
├── hack
    ├── helm-reference-gen
    │   ├── go.mod
    │   ├── parse_error.go
    │   └── go.sum
    └── aws-acceptance-test-cleanup
    │   └── go.mod
├── .github
    ├── pull_request_template.md
    └── ISSUE_TEMPLATE
    │   ├── config.yml
    │   ├── question.md
    │   └── feature_request.md
├── Makefile
├── addons
    ├── values
    │   └── prometheus.yaml
    └── gen.sh
├── templates
    ├── webhook-cert-manager-serviceaccount.yaml
    ├── controller-leader-election-rolebinding.yaml
    ├── controller-clusterrolebinding.yaml
    ├── controller-webhook-service.yaml
    ├── mesh-gateway-clusterrolebinding.yaml
    ├── NOTES.txt
    ├── connect-inject-authmethod-clusterrole.yaml
    ├── client-rolebinding.yaml
    ├── server-rolebinding.yaml
    ├── controller-serviceaccount.yaml
    ├── mesh-gateway-serviceaccount.yaml
    ├── create-federation-secret-serviceaccount.yaml
    ├── webhook-cert-manager-clusterrolebinding.yaml
    ├── connect-inject-authmethod-serviceaccount.yaml
    ├── connect-inject-service.yaml
    ├── server-acl-init-serviceaccount.yaml
    ├── client-serviceaccount.yaml
    ├── server-serviceaccount.yaml
    ├── server-acl-init-cleanup-serviceaccount.yaml
    ├── controller-leader-election-role.yaml
    ├── sync-catalog-clusterrolebinding.yaml
    ├── client-snapshot-agent-rolebinding.yaml
    ├── enterprise-license-serviceaccount.yaml
    ├── connect-inject-clusterrolebinding.yaml
    ├── tls-init-cleanup-serviceaccount.yaml
    ├── tls-init-serviceaccount.yaml
    ├── connect-inject-leader-election-rolebinding.yaml
    ├── connect-inject-serviceaccount.yaml
    ├── create-federation-secret-rolebinding.yaml
    ├── ingress-gateways-rolebinding.yaml
    ├── server-disruptionbudget.yaml
    ├── sync-catalog-serviceaccount.yaml
    ├── server-acl-init-rolebinding.yaml
    ├── client-snapshot-agent-serviceaccount.yaml
    ├── server-acl-init-cleanup-rolebinding.yaml
    ├── enterprise-license-rolebinding.yaml
    ├── terminating-gateways-rolebinding.yaml
    ├── tls-init-rolebinding.yaml
    ├── connect-inject-leader-election-role.yaml
    ├── tls-init-cleanup-rolebinding.yaml
    ├── server-acl-init-cleanup-role.yaml
    ├── client-config-configmap.yaml
    ├── tls-init-role.yaml
    ├── controller-podsecuritypolicy.yaml
    ├── server-role.yaml
    ├── webhook-cert-manager-podsecuritypolicy.yaml
    ├── mesh-gateway-service.yaml
    ├── webhook-cert-manager-clusterrole.yaml
    ├── client-snapshot-agent-role.yaml
    ├── sync-catalog-podsecuritypolicy.yaml
    ├── create-federation-secret-podsecuritypolicy.yaml
    ├── connect-inject-podsecuritypolicy.yaml
    ├── ingress-gateways-serviceaccount.yaml
    ├── server-acl-init-podsecuritypolicy.yaml
    ├── mesh-gateway-podsecuritypolicy.yaml
    ├── dns-service.yaml
    ├── terminating-gateways-serviceaccount.yaml
    ├── server-acl-init-cleanup-podsecuritypolicy.yaml
    ├── server-acl-init-role.yaml
    ├── client-snapshot-agent-podsecuritypolicy.yaml
    ├── enterprise-license-podsecuritypolicy.yaml
    ├── server-podsecuritypolicy.yaml
    ├── mesh-gateway-clusterrole.yaml
    ├── enterprise-license-role.yaml
    ├── ingress-gateways-podsecuritypolicy.yaml
    ├── tls-init-cleanup-podsecuritypolicy.yaml
    ├── tls-init-podsecuritypolicy.yaml
    ├── tls-init-cleanup-role.yaml
    ├── terminating-gateways-podsecuritypolicy.yaml
    ├── connect-inject-clusterrole.yaml
    ├── ingress-gateways-role.yaml
    ├── terminating-gateways-role.yaml
    ├── client-role.yaml
    ├── sync-catalog-clusterrole.yaml
    ├── server-securitycontextconstraints.yaml
    ├── connect-inject-authmethod-clusterrolebinding.yaml
    ├── create-federation-secret-role.yaml
    ├── client-securitycontextconstraints.yaml
    ├── connect-inject-mutatingwebhook.yaml
    ├── server-config-configmap.yaml
    ├── controller-clusterrole.yaml
    ├── ingress-gateways-service.yaml
    └── webhook-cert-manager-configmap.yaml
├── README.md
└── Chart.yaml


/.helmignore:
--------------------------------------------------------------------------------
1 | .git/
2 | .terraform/
3 | bin/
4 | test/
5 | 


--------------------------------------------------------------------------------
/assets/icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hashicorp/consul-helm/HEAD/assets/icon.png


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/mesh-gateway/kustomization.yaml:
--------------------------------------------------------------------------------
1 | resources:
2 |   - proxydefaults.yaml
3 | 


--------------------------------------------------------------------------------
/test/terraform/aks/outputs.tf:
--------------------------------------------------------------------------------
1 | output "kubeconfigs" {
2 |   value = local_file.kubeconfigs.*.filename
3 | }
4 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | .terraform/
3 | .terraform.tfstate*
4 | terraform.tfstate*
5 | terraform.tfvars
6 | values.dev.yaml
7 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-metrics-app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | resources:
2 |   - deployment.yaml
3 |   - service.yaml
4 | 


--------------------------------------------------------------------------------
/test/terraform/eks/outputs.tf:
--------------------------------------------------------------------------------
1 | output "kubeconfigs" {
2 |   value = [for cl in module.eks : pathexpand(format("~/.kube/%s", cl.cluster_id))]
3 | }
4 | 


--------------------------------------------------------------------------------
/test/terraform/openshift/outputs.tf:
--------------------------------------------------------------------------------
1 | output "kubeconfigs" {
2 |   value = [for rg in azurerm_resource_group.test : format("$HOME/.kube/%s", rg.name)]
3 | }


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-client/serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 |   name: static-client
5 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-server/serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 |   name: static-server
5 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/cases/static-client-inject/kustomization.yaml:
--------------------------------------------------------------------------------
1 | bases:
2 |   - ../../bases/static-client
3 | 
4 | patchesStrategicMerge:
5 |   - patch.yaml


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/cases/static-client-tproxy/kustomization.yaml:
--------------------------------------------------------------------------------
1 | bases:
2 |   - ../../bases/static-client
3 | 
4 | patchesStrategicMerge:
5 |   - patch.yaml


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/cases/static-server-inject/kustomization.yaml:
--------------------------------------------------------------------------------
1 | bases:
2 |   - ../../bases/static-server
3 | 
4 | patchesStrategicMerge:
5 |   - patch.yaml


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/cases/static-client-multi-dc/kustomization.yaml:
--------------------------------------------------------------------------------
1 | bases:
2 |   - ../../bases/static-client
3 | 
4 | patchesStrategicMerge:
5 |   - patch.yaml


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/cases/static-client-namespaces/kustomization.yaml:
--------------------------------------------------------------------------------
1 | bases:
2 |   - ../../bases/static-client
3 | 
4 | patchesStrategicMerge:
5 |   - patch.yaml
6 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/crds/mesh.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: consul.hashicorp.com/v1alpha1
2 | kind: Mesh
3 | metadata:
4 |   name: mesh
5 | spec:
6 |   transparentProxy:
7 |     meshDestinationsOnly: true


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/crds/serviceresolver.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: consul.hashicorp.com/v1alpha1
2 | kind: ServiceResolver
3 | metadata:
4 |   name: resolver
5 | spec:
6 |   redirect:
7 |     service: bar
8 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/mesh-gateway/proxydefaults.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: consul.hashicorp.com/v1alpha1
2 | kind: ProxyDefaults
3 | metadata:
4 |   name: global
5 | spec:
6 |   meshGateway:
7 |     mode: local
8 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-client/service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: static-client
5 | spec:
6 |   selector:
7 |     app: static-client
8 |   ports:
9 |     - port: 80


--------------------------------------------------------------------------------
/hack/helm-reference-gen/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/hashicorp/consul-helm/hack/helm-reference-gen
2 | 
3 | go 1.15
4 | 
5 | require (
6 | 	github.com/stretchr/testify v1.6.1
7 | 	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
8 | )
9 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-client/kustomization.yaml:
--------------------------------------------------------------------------------
1 | resources:
2 |   - deployment.yaml
3 |   - service.yaml
4 |   - serviceaccount.yaml
5 |   - psp-rolebinding.yaml
6 |   - anyuid-scc-rolebinding.yaml
7 |   - privileged-scc-rolebinding.yaml


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-server/kustomization.yaml:
--------------------------------------------------------------------------------
1 | resources:
2 |   - deployment.yaml
3 |   - service.yaml
4 |   - serviceaccount.yaml
5 |   - psp-rolebinding.yaml
6 |   - anyuid-scc-rolebinding.yaml
7 |   - privileged-scc-rolebinding.yaml


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/cases/static-client-tproxy/patch.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: static-client
5 | spec:
6 |   template:
7 |     metadata:
8 |       annotations:
9 |         "consul.hashicorp.com/connect-inject": "true"


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-metrics-app/service.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: static-metrics-app
 5 | spec:
 6 |   selector:
 7 |     app: static-metrics-app
 8 |   ports:
 9 |     - port: 80
10 |       targetPort: 9090
11 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-server/service.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: static-server
 5 | spec:
 6 |   selector:
 7 |     app: static-server
 8 |   ports:
 9 |     - name: http
10 |       port: 80
11 |       targetPort: 8080
12 | 


--------------------------------------------------------------------------------
/hack/aws-acceptance-test-cleanup/go.mod:
--------------------------------------------------------------------------------
 1 | module github.com/hashicorp/consul-helm/hack/aws-acceptance-test-cleanup
 2 | 
 3 | go 1.16
 4 | 
 5 | require (
 6 | 	github.com/aws/aws-sdk-go v1.38.63
 7 | 	github.com/cenkalti/backoff/v4 v4.1.1
 8 | 	github.com/davecgh/go-spew v1.1.1 // indirect
 9 | )
10 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/crds/ingressgateway.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: consul.hashicorp.com/v1alpha1
 2 | kind: IngressGateway
 3 | metadata:
 4 |   name: ingress-gateway
 5 | spec:
 6 |   listeners:
 7 |     - port: 8080
 8 |       protocol: "tcp"
 9 |       services:
10 |         - name: "foo"
11 | 


--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
 1 | Changes proposed in this PR:
 2 | -
 3 | -
 4 | 
 5 | How I've tested this PR:
 6 | 
 7 | How I expect reviewers to test this PR:
 8 | 
 9 | 
10 | Checklist:
11 | - [ ] Bats tests added
12 | - [ ] CHANGELOG entry added (*HashiCorp engineers only, community PRs should not add a changelog entry*)
13 | 
14 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/crds/terminatinggateway.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: consul.hashicorp.com/v1alpha1
 2 | kind: TerminatingGateway
 3 | metadata:
 4 |   name: terminating-gateway
 5 | spec:
 6 |   services:
 7 |     - name: name
 8 |       caFile: "caFile"
 9 |       certFile: "certFile"
10 |       keyFile: "keyFile"
11 |       sni: "sni"
12 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/basic/main_test.go:
--------------------------------------------------------------------------------
 1 | package basic
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	testsuite "github.com/hashicorp/consul-helm/test/acceptance/framework/suite"
 8 | )
 9 | 
10 | var suite testsuite.Suite
11 | 
12 | func TestMain(m *testing.M) {
13 | 	suite = testsuite.NewSuite(m)
14 | 	os.Exit(suite.Run())
15 | }
16 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/sync/main_test.go:
--------------------------------------------------------------------------------
 1 | package sync
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	testsuite "github.com/hashicorp/consul-helm/test/acceptance/framework/suite"
 8 | )
 9 | 
10 | var suite testsuite.Suite
11 | 
12 | func TestMain(m *testing.M) {
13 | 	suite = testsuite.NewSuite(m)
14 | 	os.Exit(suite.Run())
15 | }
16 | 


--------------------------------------------------------------------------------
/test/terraform/gke/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "cluster_ids" {
 2 |   value = google_container_cluster.cluster.*.id
 3 | }
 4 | 
 5 | output "cluster_names" {
 6 |   value = google_container_cluster.cluster.*.name
 7 | }
 8 | 
 9 | output "kubeconfigs" {
10 |   value = [for cl in google_container_cluster.cluster : format("$HOME/.kube/%s", cl.name)]
11 | }
12 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/connect/main_test.go:
--------------------------------------------------------------------------------
 1 | package connect
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	testsuite "github.com/hashicorp/consul-helm/test/acceptance/framework/suite"
 8 | )
 9 | 
10 | var suite testsuite.Suite
11 | 
12 | func TestMain(m *testing.M) {
13 | 	suite = testsuite.NewSuite(m)
14 | 	os.Exit(suite.Run())
15 | }
16 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-client/psp-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rbac.authorization.k8s.io/v1
 2 | kind: RoleBinding
 3 | metadata:
 4 |   name: static-client
 5 | roleRef:
 6 |   apiGroup: rbac.authorization.k8s.io
 7 |   kind: ClusterRole
 8 |   name: test-psp
 9 | subjects:
10 |   - kind: ServiceAccount
11 |     name: static-client


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-server/psp-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rbac.authorization.k8s.io/v1
 2 | kind: RoleBinding
 3 | metadata:
 4 |   name: static-server
 5 | roleRef:
 6 |   apiGroup: rbac.authorization.k8s.io
 7 |   kind: ClusterRole
 8 |   name: test-psp
 9 | subjects:
10 |   - kind: ServiceAccount
11 |     name: static-server


--------------------------------------------------------------------------------
/test/acceptance/tests/consul-dns/main_test.go:
--------------------------------------------------------------------------------
 1 | package consuldns
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	testsuite "github.com/hashicorp/consul-helm/test/acceptance/framework/suite"
 8 | )
 9 | 
10 | var suite testsuite.Suite
11 | 
12 | func TestMain(m *testing.M) {
13 | 	suite = testsuite.NewSuite(m)
14 | 	os.Exit(suite.Run())
15 | }
16 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/controller/main_test.go:
--------------------------------------------------------------------------------
 1 | package controller
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	testSuite "github.com/hashicorp/consul-helm/test/acceptance/framework/suite"
 8 | )
 9 | 
10 | var suite testSuite.Suite
11 | 
12 | func TestMain(m *testing.M) {
13 | 	suite = testSuite.NewSuite(m)
14 | 	os.Exit(suite.Run())
15 | }
16 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/metrics/main_test.go:
--------------------------------------------------------------------------------
 1 | package metrics
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	testsuite "github.com/hashicorp/consul-helm/test/acceptance/framework/suite"
 8 | )
 9 | 
10 | var suite testsuite.Suite
11 | 
12 | func TestMain(m *testing.M) {
13 | 	suite = testsuite.NewSuite(m)
14 | 	os.Exit(suite.Run())
15 | 
16 | }
17 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/cases/static-client-inject/patch.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: static-client
 5 | spec:
 6 |   template:
 7 |     metadata:
 8 |       annotations:
 9 |         "consul.hashicorp.com/connect-inject": "true"
10 |         "consul.hashicorp.com/connect-service-upstreams": "static-server:1234"


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/cases/static-client-multi-dc/patch.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: static-client
 5 | spec:
 6 |   template:
 7 |     metadata:
 8 |       annotations:
 9 |         "consul.hashicorp.com/connect-inject": "true"
10 |         "consul.hashicorp.com/connect-service-upstreams": "static-server:1234:dc2"


--------------------------------------------------------------------------------
/test/acceptance/tests/ingress-gateway/main_test.go:
--------------------------------------------------------------------------------
 1 | package ingressgateway
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	testsuite "github.com/hashicorp/consul-helm/test/acceptance/framework/suite"
 8 | )
 9 | 
10 | var suite testsuite.Suite
11 | 
12 | func TestMain(m *testing.M) {
13 | 	suite = testsuite.NewSuite(m)
14 | 	os.Exit(suite.Run())
15 | }
16 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/terminating-gateway/main_test.go:
--------------------------------------------------------------------------------
 1 | package terminatinggateway
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	testsuite "github.com/hashicorp/consul-helm/test/acceptance/framework/suite"
 8 | )
 9 | 
10 | var suite testsuite.Suite
11 | 
12 | func TestMain(m *testing.M) {
13 | 	suite = testsuite.NewSuite(m)
14 | 	os.Exit(suite.Run())
15 | }
16 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-client/anyuid-scc-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rbac.authorization.k8s.io/v1
 2 | kind: RoleBinding
 3 | metadata:
 4 |   name: static-client-openshift-anyuid
 5 | roleRef:
 6 |   apiGroup: rbac.authorization.k8s.io
 7 |   kind: ClusterRole
 8 |   name: system:openshift:scc:anyuid
 9 | subjects:
10 |   - kind: ServiceAccount
11 |     name: static-client


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-server/anyuid-scc-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rbac.authorization.k8s.io/v1
 2 | kind: RoleBinding
 3 | metadata:
 4 |   name: static-server-openshift-anyuid
 5 | roleRef:
 6 |   apiGroup: rbac.authorization.k8s.io
 7 |   kind: ClusterRole
 8 |   name: system:openshift:scc:anyuid
 9 | subjects:
10 |   - kind: ServiceAccount
11 |     name: static-server


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | TEST_IMAGE?=consul-helm-test
 2 | 
 3 | test-docker:
 4 | 	@docker build --rm -t '$(TEST_IMAGE)' -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
 5 | 
 6 | # Generate Helm reference docs from values.yaml and update Consul website.
 7 | # Usage: make gen-docs consul=<path-to-consul-repo>
 8 | gen-docs:
 9 | 	@cd hack/helm-reference-gen; go run ./... $(consul)
10 | 
11 | .PHONY: test-docker
12 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-client/privileged-scc-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rbac.authorization.k8s.io/v1
 2 | kind: RoleBinding
 3 | metadata:
 4 |   name: static-client-openshift-privileged
 5 | roleRef:
 6 |   apiGroup: rbac.authorization.k8s.io
 7 |   kind: ClusterRole
 8 |   name: system:openshift:scc:privileged
 9 | subjects:
10 |   - kind: ServiceAccount
11 |     name: static-client


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-server/privileged-scc-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rbac.authorization.k8s.io/v1
 2 | kind: RoleBinding
 3 | metadata:
 4 |   name: static-server-openshift-privileged
 5 | roleRef:
 6 |   apiGroup: rbac.authorization.k8s.io
 7 |   kind: ClusterRole
 8 |   name: system:openshift:scc:privileged
 9 | subjects:
10 |   - kind: ServiceAccount
11 |     name: static-server


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/crds/servicerouter.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: consul.hashicorp.com/v1alpha1
 2 | kind: ServiceDefaults
 3 | metadata:
 4 |   name: router
 5 | spec:
 6 |   protocol: http
 7 | ---
 8 | apiVersion: consul.hashicorp.com/v1alpha1
 9 | kind: ServiceRouter
10 | metadata:
11 |   name: router
12 | spec:
13 |   routes:
14 |     - match:
15 |         http:
16 |           pathPrefix: "/foo"
17 | 


--------------------------------------------------------------------------------
/test/acceptance/go.mod:
--------------------------------------------------------------------------------
 1 | module github.com/hashicorp/consul-helm/test/acceptance
 2 | 
 3 | go 1.14
 4 | 
 5 | require (
 6 | 	github.com/gruntwork-io/terratest v0.31.2
 7 | 	github.com/hashicorp/consul/api v1.9.0
 8 | 	github.com/hashicorp/consul/sdk v0.8.0
 9 | 	github.com/stretchr/testify v1.5.1
10 | 	gopkg.in/yaml.v2 v2.2.8
11 | 	k8s.io/api v0.19.3
12 | 	k8s.io/apimachinery v0.19.3
13 | 	k8s.io/client-go v0.19.3
14 | )
15 | 


--------------------------------------------------------------------------------
/test/unit/_helpers.bash:
--------------------------------------------------------------------------------
 1 | # chart_dir returns the directory for the chart
 2 | chart_dir() {
 3 |     echo ${BATS_TEST_DIRNAME}/../..
 4 | }
 5 | 
 6 | # Usage: assert_empty helm template -s <template> [flags] .
 7 | # assert_empty makes it possible to test that a template is not rendered.
 8 | assert_empty() {
 9 |     run helm "${@:2}"
10 |     [ "$status" -eq 1 ]
11 |     [[ "$output" =~ "Error: could not find template" ]]
12 | }
13 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/cases/static-client-namespaces/patch.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: static-client
 5 | spec:
 6 |   selector:
 7 |     matchLabels:
 8 |       app: static-client
 9 |   template:
10 |     metadata:
11 |       annotations:
12 |         "consul.hashicorp.com/connect-inject": "true"
13 |         "consul.hashicorp.com/connect-service-upstreams": "static-server.ns1:1234"
14 | 


--------------------------------------------------------------------------------
/test/terraform/openshift/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "location" {
 2 |   default     = "westus2"
 3 |   description = "The Azure Region to create all resources in."
 4 | }
 5 | 
 6 | variable "cluster_count" {
 7 |   default     = 1
 8 |   description = "The number of OpenShift clusters to create."
 9 | }
10 | 
11 | variable "tags" {
12 |   type        = map
13 |   default     = {}
14 |   description = "Tags to attach to the created resources."
15 | }
16 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/crds/proxydefaults.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: consul.hashicorp.com/v1alpha1
 2 | kind: ProxyDefaults
 3 | metadata:
 4 |   name: global
 5 | spec:
 6 |   config:
 7 |     protocol: "tcp"
 8 |     number: 3
 9 |     bool: true
10 |     array:
11 |       - item1
12 |       - item2
13 |     map:
14 |       key: value
15 |   meshGateway:
16 |     mode: local
17 |   expose:
18 |     paths:
19 |       - path: /health
20 |         listenerPort: 22000
21 |         localPathPort: 8080
22 | 


--------------------------------------------------------------------------------
/addons/values/prometheus.yaml:
--------------------------------------------------------------------------------
 1 | # Disable non-essential components
 2 | alertmanager:
 3 |   enabled: false
 4 | pushgateway:
 5 |   enabled: false
 6 | kubeStateMetrics:
 7 |   enabled: false
 8 | nodeExporter:
 9 |   enabled: false
10 | server:
11 |   podAnnotations:
12 |     "consul.hashicorp.com/connect-inject": "false"
13 |   persistentVolume:
14 |     enabled: false
15 |   readinessProbeInitialDelay: 0
16 |   # Speed up scraping a bit from the default
17 |   global:
18 |     scrape_interval: 15s
19 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/crds/servicesplitter.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: consul.hashicorp.com/v1alpha1
 2 | kind: ServiceDefaults
 3 | metadata:
 4 |   name: splitter
 5 | spec:
 6 |   protocol: http
 7 | ---
 8 | apiVersion: consul.hashicorp.com/v1alpha1
 9 | kind: ServiceDefaults
10 | metadata:
11 |   name: other-splitter
12 | spec:
13 |   protocol: http
14 | ---
15 | apiVersion: consul.hashicorp.com/v1alpha1
16 | kind: ServiceSplitter
17 | metadata:
18 |   name: splitter
19 | spec:
20 |   splits:
21 |   - weight: 100
22 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/mesh-gateway/main_test.go:
--------------------------------------------------------------------------------
 1 | package meshgateway
 2 | 
 3 | import (
 4 | 	"fmt"
 5 | 	"os"
 6 | 	"testing"
 7 | 
 8 | 	testsuite "github.com/hashicorp/consul-helm/test/acceptance/framework/suite"
 9 | )
10 | 
11 | var suite testsuite.Suite
12 | 
13 | func TestMain(m *testing.M) {
14 | 	suite = testsuite.NewSuite(m)
15 | 
16 | 	if suite.Config().EnableMultiCluster {
17 | 		os.Exit(suite.Run())
18 | 	} else {
19 | 		fmt.Println("Skipping mesh gateway tests because -enable-multi-cluster is not set")
20 | 		os.Exit(0)
21 | 	}
22 | }
23 | 


--------------------------------------------------------------------------------
/test/terraform/eks/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "region" {
 2 |   default     = "us-west-2"
 3 |   description = "AWS region"
 4 | }
 5 | 
 6 | variable "cluster_count" {
 7 |   default     = 1
 8 |   description = "The number of Kubernetes clusters to create."
 9 | }
10 | 
11 | variable "role_arn" {
12 |   default     = ""
13 |   description = "AWS role for the AWS provider to assume when running these templates."
14 | }
15 | 
16 | variable "tags" {
17 |   type = map
18 |   default = {}
19 |   description = "Tags to attach to the created resources."
20 | }
21 | 


--------------------------------------------------------------------------------
/test/unit/prometheus.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "prometheus: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/prometheus.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "prometheus: enabled with prometheus.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/prometheus.yaml  \
16 |       --set 'prometheus.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [[ "${actual}" == *"true"* ]]
20 | }
21 | 


--------------------------------------------------------------------------------
/hack/helm-reference-gen/parse_error.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import "fmt"
 4 | 
 5 | // ParseError is an error that occurs during parsing.
 6 | // It's used to include information about which node failed to parse.
 7 | type ParseError struct {
 8 | 	ParentAnchor string
 9 | 	CurrAnchor   string
10 | 	FullAnchor   string
11 | 	Err          string
12 | }
13 | 
14 | func (p *ParseError) Error() string {
15 | 	anchor := p.FullAnchor
16 | 	if anchor == "" {
17 | 		anchor = fmt.Sprintf("%s-%s", p.ParentAnchor, p.CurrAnchor)
18 | 	}
19 | 	return fmt.Sprintf("%s: %s", anchor, p.Err)
20 | }
21 | 


--------------------------------------------------------------------------------
/test/unit/test-runner.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "testRunner/Pod: enabled by default" {
 6 |   cd `chart_dir`
 7 |   local actual=$(helm template \
 8 |       -s templates/tests/test-runner.yaml  \
 9 |       . | tee /dev/stderr |
10 |       yq 'length > 0' | tee /dev/stderr)
11 |   [ "${actual}" = "true" ]
12 | }
13 | 
14 | @test "testRunner/Pod: disabled when tests.enabled=false" {
15 |   cd `chart_dir`
16 |   assert_empty helm template \
17 |       -s templates/tests/test-runner.yaml  \
18 |       --set 'tests.enabled=false' \
19 |       .
20 | }
21 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/config.yml:
--------------------------------------------------------------------------------
1 | blank_issues_enabled: false
2 | contact_links:
3 |   - name: Consul on Kubernetes GitHub Issues
4 |     url: https://github.com/hashicorp/consul-k8s/issues
5 |     about: Are you submitting an issue or feature enhancement for the consul-k8s binary? Please create an issue in the consul-k8s repository.
6 |   - name: Consul on Kubernetes Learn Tutorials
7 |     url: https://learn.hashicorp.com/collections/consul/kubernetes
8 |     about: Please check out our Learn Tutorials. These hands on tutorials deal with many of the tasks common to using Consul on Kubernetes.
9 | 


--------------------------------------------------------------------------------
/test/unit/controller-webhook-service.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "controllerWebhook/Service: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/controller-webhook-service.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "controllerWebhook/Service: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/controller-webhook-service.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [ "${actual}" = "true" ]
20 | }
21 | 


--------------------------------------------------------------------------------
/test/unit/controller-clusterrolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "controller/ClusterRoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/controller-clusterrolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "controller/ClusterRoleBinding: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/controller-clusterrolebinding.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [ "${actual}" = "true" ]
20 | }
21 | 


--------------------------------------------------------------------------------
/test/unit/controller-leader-election-role.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "controllerLeaderElection/Role: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/controller-leader-election-role.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "controllerLeaderElection/Role: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/controller-leader-election-role.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [ "${actual}" = "true" ]
20 | }
21 | 


--------------------------------------------------------------------------------
/templates/webhook-cert-manager-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or .Values.connectInject.enabled .Values.controller.enabled}}
 2 | apiVersion: v1
 3 | kind: ServiceAccount
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-webhook-cert-manager
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |     component: webhook-cert-manager
13 |   {{- with .Values.global.imagePullSecrets }}
14 | imagePullSecrets:
15 |   {{- range . }}
16 | - name: {{ .name }}
17 |   {{- end }}
18 |   {{- end }}
19 | {{- end }}
20 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/question.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Question
 3 | about: If you have a question.
 4 | labels: question
 5 | 
 6 | ---
 7 | Please search the existing issues for relevant questions, and use the reaction feature (https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to add upvotes to pre-existing questions.
 8 | 
 9 | #### Question
10 | 
11 | Please provide as many details as you can, including but not limited to
12 | - Helm command you're running
13 | - Any values you've configured
14 | - Your current understanding, and what you're trying to figure out
15 | 
16 | More details will help us answer questions more accurately and with less delay :)
17 | 
18 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/crds/servicedefaults.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: consul.hashicorp.com/v1alpha1
 2 | kind: ServiceDefaults
 3 | metadata:
 4 |   name: defaults
 5 | spec:
 6 |   protocol: "http"
 7 |   upstreamConfig:
 8 |     defaults:
 9 |       limits:
10 |         maxConnections: 3
11 |       passiveHealthCheck:
12 |         interval: 3s
13 |         maxFailures: 5
14 |     overrides:
15 |     - name: "foo"
16 |       limits:
17 |         maxConnections: 3
18 |       passiveHealthCheck:
19 |         interval: 1s
20 |         maxFailures: 10
21 |     - name: "bar"
22 |       limits:
23 |         maxConnections: 5
24 |       passiveHealthCheck:
25 |         interval: 10s
26 |         maxFailures: 2


--------------------------------------------------------------------------------
/test/unit/controller-leader-election-rolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "controllerLeaderElection/RoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/controller-leader-election-rolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "controllerLeaderElection/RoleBinding: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/controller-leader-election-rolebinding.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [ "${actual}" = "true" ]
20 | }
21 | 


--------------------------------------------------------------------------------
/test/unit/controller-mutatingwebhookconfiguration.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "controller/MutatingWebhookConfiguration: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/controller-mutatingwebhookconfiguration.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "controller/MutatingWebhookConfiguration: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/controller-mutatingwebhookconfiguration.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [ "${actual}" = "true" ]
20 | }
21 | 


--------------------------------------------------------------------------------
/templates/controller-leader-election-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.controller.enabled }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: RoleBinding
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-controller-leader-election
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: controller
12 | roleRef:
13 |   apiGroup: rbac.authorization.k8s.io
14 |   kind: Role
15 |   name: {{ template "consul.fullname" . }}-controller-leader-election
16 | subjects:
17 | - kind: ServiceAccount
18 |   name: {{ template "consul.fullname" . }}-controller
19 | {{- end }}
20 | 


--------------------------------------------------------------------------------
/templates/controller-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.controller.enabled }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: ClusterRoleBinding
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-controller
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: controller
12 | roleRef:
13 |   apiGroup: rbac.authorization.k8s.io
14 |   kind: ClusterRole
15 |   name: {{ template "consul.fullname" . }}-controller
16 | subjects:
17 | - kind: ServiceAccount
18 |   name: {{ template "consul.fullname" . }}-controller
19 |   namespace: {{ .Release.Namespace }}
20 | {{- end }}
21 | 


--------------------------------------------------------------------------------
/templates/controller-webhook-service.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.controller.enabled }}
 2 | apiVersion: v1
 3 | kind: Service
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-controller-webhook
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |     component: controller
13 | spec:
14 |   ports:
15 |   - port: 443
16 |     targetPort: 9443
17 |   selector:
18 |     app: {{ template "consul.name" . }}
19 |     chart: {{ template "consul.chart" . }}
20 |     heritage: {{ .Release.Service }}
21 |     release: {{ .Release.Name }}
22 |     component: controller
23 | {{- end }}
24 | 


--------------------------------------------------------------------------------
/templates/mesh-gateway-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.meshGateway.enabled }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: ClusterRoleBinding
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-mesh-gateway
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: mesh-gateway
12 | roleRef:
13 |   apiGroup: rbac.authorization.k8s.io
14 |   kind: ClusterRole
15 |   name: {{ template "consul.fullname" . }}-mesh-gateway
16 | subjects:
17 |   - kind: ServiceAccount
18 |     name: {{ template "consul.fullname" . }}-mesh-gateway
19 |     namespace: {{ .Release.Namespace }}
20 | {{- end }}
21 | 


--------------------------------------------------------------------------------
/templates/NOTES.txt:
--------------------------------------------------------------------------------
 1 | 
 2 | Thank you for installing HashiCorp Consul!
 3 | 
 4 | Now that you have deployed Consul, you should look over the docs on using 
 5 | Consul with Kubernetes available here: 
 6 | 
 7 | https://www.consul.io/docs/platform/k8s/index.html
 8 | 
 9 | 
10 | Your release is named {{ .Release.Name }}.
11 | 
12 | To learn more about the release, run:
13 | 
14 |   $ helm status {{ .Release.Name }}
15 |   $ helm get all {{ .Release.Name }}
16 | 
17 | 
18 | {{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }}
19 | Warning: Defining server extraConfig potentially disrupts the automatic ACL
20 |          bootstrapping required settings. This may cause future issues if
21 |          there are conflicts.
22 | {{- end }}
23 | 


--------------------------------------------------------------------------------
/templates/connect-inject-authmethod-clusterrole.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
 2 | {{- if .Values.global.acls.manageSystemACLs }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: ClusterRole
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-connect-injector-authmethod-role
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 | rules:
13 |   - apiGroups: [""]
14 |     resources:
15 |       - serviceaccounts
16 |     verbs:
17 |       - get
18 | {{- end }}
19 | {{- end }}
20 | 


--------------------------------------------------------------------------------
/templates/client-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: RoleBinding
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-client
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 | roleRef:
13 |   apiGroup: rbac.authorization.k8s.io
14 |   kind: Role
15 |   name: {{ template "consul.fullname" . }}-client
16 | subjects:
17 |   - kind: ServiceAccount
18 |     name: {{ template "consul.fullname" . }}-client
19 | {{- end }}
20 | 


--------------------------------------------------------------------------------
/templates/server-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: RoleBinding
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-server
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 | roleRef:
13 |   apiGroup: rbac.authorization.k8s.io
14 |   kind: Role
15 |   name: {{ template "consul.fullname" . }}-server
16 | subjects:
17 |   - kind: ServiceAccount
18 |     name: {{ template "consul.fullname" . }}-server
19 | {{- end }}
20 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-metrics-app/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   labels:
 5 |     app: static-metrics-app
 6 |   name: static-metrics-app
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: static-metrics-app
12 |   template:
13 |     metadata:
14 |       annotations:
15 |         'consul.hashicorp.com/connect-inject': 'true'
16 |         'consul.hashicorp.com/connect-service': 'server'
17 |       labels:
18 |         app: static-metrics-app
19 |     spec:
20 |       containers:
21 |       - name: static-metrics-app
22 |         image: ishustava/fake-service:0.7.0
23 |         env:
24 |         - name: METRICS_ENABLE_PROMETHEUS
25 |           value: "true"
26 |         ports:
27 |         - containerPort: 9090


--------------------------------------------------------------------------------
/templates/controller-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.controller.enabled }}
 2 | apiVersion: v1
 3 | kind: ServiceAccount
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-controller
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |     component: controller
13 |   {{- if .Values.controller.serviceAccount.annotations }}
14 |   annotations:
15 |     {{ tpl .Values.controller.serviceAccount.annotations . | nindent 4 | trim }}
16 |   {{- end }}
17 |   {{- with .Values.global.imagePullSecrets }}
18 | imagePullSecrets:
19 |   {{- range . }}
20 | - name: {{ .name }}
21 |   {{- end }}
22 |   {{- end }}
23 |   {{- end }}
24 | 


--------------------------------------------------------------------------------
/templates/mesh-gateway-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.meshGateway.enabled }}
 2 | apiVersion: v1
 3 | kind: ServiceAccount
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-mesh-gateway
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |     component: mesh-gateway
13 |   {{- if .Values.meshGateway.serviceAccount.annotations }}
14 |   annotations:
15 |     {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }}
16 |   {{- end }}
17 | {{- with .Values.global.imagePullSecrets }}
18 | imagePullSecrets:
19 | {{- range . }}
20 |   - name: {{ .name }}
21 | {{- end }}
22 | {{- end }}
23 | {{- end }}
24 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-server/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: static-server
 5 | spec:
 6 |   replicas: 1
 7 |   selector:
 8 |     matchLabels:
 9 |       app: static-server
10 |   template:
11 |     metadata:
12 |       name: static-server
13 |       labels:
14 |         app: static-server
15 |     spec:
16 |       containers:
17 |         - name: static-server
18 |           image: docker.mirror.hashicorp.services/hashicorp/http-echo:latest
19 |           args:
20 |             - -text="hello world"
21 |             - -listen=:8080
22 |           ports:
23 |             - containerPort: 8080
24 |               name: http
25 |       serviceAccountName: static-server
26 |       terminationGracePeriodSeconds: 0 # so deletion is quick
27 | 


--------------------------------------------------------------------------------
/templates/create-federation-secret-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.global.federation.createFederationSecret }}
 2 | apiVersion: v1
 3 | kind: ServiceAccount
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-create-federation-secret
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |     component: create-federation-secret
13 |   annotations:
14 |     "helm.sh/hook": post-install,post-upgrade
15 |     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
16 | {{- with .Values.global.imagePullSecrets }}
17 | imagePullSecrets:
18 | {{- range . }}
19 |   - name: {{ .name }}
20 | {{- end }}
21 | {{- end }}
22 | {{- end }}
23 | 


--------------------------------------------------------------------------------
/templates/webhook-cert-manager-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or .Values.connectInject.enabled .Values.controller.enabled}}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: ClusterRoleBinding
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-webhook-cert-manager
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: webhook-cert-manager
12 | roleRef:
13 |   apiGroup: rbac.authorization.k8s.io
14 |   kind: ClusterRole
15 |   name: {{ template "consul.fullname" . }}-webhook-cert-manager
16 | subjects:
17 | - kind: ServiceAccount
18 |   name: {{ template "consul.fullname" . }}-webhook-cert-manager
19 |   namespace: {{ .Release.Namespace }}
20 | {{- end }}
21 | 


--------------------------------------------------------------------------------
/templates/connect-inject-authmethod-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
 2 | {{- if .Values.global.acls.manageSystemACLs }}
 3 | apiVersion: v1
 4 | kind: ServiceAccount
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 | {{- with .Values.global.imagePullSecrets }}
14 | imagePullSecrets:
15 | {{- range . }}
16 |   - name: {{ .name }}
17 | {{- end }}
18 | {{- end }}
19 | {{- end }}
20 | {{- end }}
21 | 


--------------------------------------------------------------------------------
/test/terraform/aks/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "location" {
 2 |   default     = "West US 2"
 3 |   description = "The location to launch this AKS cluster in."
 4 | }
 5 | 
 6 | variable "client_id" {
 7 |   default     = ""
 8 |   description = "The client ID of the service principal to be used by Kubernetes when creating Azure resources like load balancers."
 9 | }
10 | 
11 | variable "client_secret" {
12 |   default     = ""
13 |   description = "The client secret of the service principal to be used by Kubernetes when creating Azure resources like load balancers."
14 | }
15 | 
16 | variable "cluster_count" {
17 |   default     = 1
18 |   description = "The number of Kubernetes clusters to create."
19 | }
20 | 
21 | variable "tags" {
22 |   type = map
23 |   default = {}
24 |   description = "Tags to attach to the created resources."
25 | }
26 | 


--------------------------------------------------------------------------------
/test/terraform/gke/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "project" {
 2 |   description = <<EOF
 3 | Google Cloud Project to launch resources in. This project must have GKE
 4 | enabled and billing activated. We can't use the GOOGLE_PROJECT environment
 5 | variable since we need to access the project for other uses.
 6 | EOF
 7 | }
 8 | 
 9 | variable "zone" {
10 |   default     = "us-central1-a"
11 |   description = "The zone to launch all the GKE nodes in."
12 | }
13 | 
14 | variable "init_cli" {
15 |   default     = false
16 |   description = "Whether to init kubectl."
17 | }
18 | 
19 | variable "cluster_count" {
20 |   default     = 1
21 |   description = "The number of Kubernetes clusters to create."
22 | }
23 | 
24 | variable "labels" {
25 |   type = map
26 |   default = {}
27 |   description = "Labels to attach to the created resources."
28 | }
29 | 


--------------------------------------------------------------------------------
/templates/connect-inject-service.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
 2 | # The service for the Connect sidecar injector
 3 | apiVersion: v1
 4 | kind: Service
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-connect-injector-svc
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 | spec:
14 |   ports:
15 |   - port: 443
16 |     targetPort: 8080
17 |   selector:
18 |     app: {{ template "consul.name" . }}
19 |     release: "{{ .Release.Name }}"
20 |     component: connect-injector
21 | {{- end }}
22 | 
23 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/crds/serviceintentions.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: consul.hashicorp.com/v1alpha1
 2 | kind: ServiceDefaults
 3 | metadata:
 4 |   name: svc1
 5 | spec:
 6 |   protocol: http
 7 | ---
 8 | apiVersion: consul.hashicorp.com/v1alpha1
 9 | kind: ServiceDefaults
10 | metadata:
11 |   name: svc2
12 | ---
13 | apiVersion: consul.hashicorp.com/v1alpha1
14 | kind: ServiceDefaults
15 | metadata:
16 |   name: svc3
17 | spec:
18 |   protocol: http
19 | ---
20 | apiVersion: consul.hashicorp.com/v1alpha1
21 | kind: ServiceIntentions
22 | metadata:
23 |   name: intentions
24 | spec:
25 |   destination:
26 |     name: svc1
27 |   sources:
28 |   - name: svc2
29 |     action: allow
30 |   - name: svc3
31 |     permissions:
32 |     - action: allow
33 |       http:
34 |         methods:
35 |         - GET
36 |         - PUT
37 |         pathExact: "/foo"
38 | 


--------------------------------------------------------------------------------
/templates/server-acl-init-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 2 | {{- if (or $serverEnabled .Values.externalServers.enabled) }}
 3 | {{- if .Values.global.acls.manageSystemACLs }}
 4 | apiVersion: v1
 5 | kind: ServiceAccount
 6 | metadata:
 7 |   name: {{ template "consul.fullname" . }}-server-acl-init
 8 |   namespace: {{ .Release.Namespace }}
 9 |   labels:
10 |     app: {{ template "consul.name" . }}
11 |     chart: {{ template "consul.chart" . }}
12 |     heritage: {{ .Release.Service }}
13 |     release: {{ .Release.Name }}
14 | {{- with .Values.global.imagePullSecrets }}
15 | imagePullSecrets:
16 | {{- range . }}
17 |   - name: {{ .name }}
18 | {{- end }}
19 | {{- end }}
20 | {{- end }}
21 | {{- end }}
22 | 


--------------------------------------------------------------------------------
/templates/client-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
 2 | apiVersion: v1
 3 | kind: ServiceAccount
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-client
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |   {{- if .Values.client.serviceAccount.annotations }}
13 |   annotations:
14 |     {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }}
15 |   {{- end }}
16 | {{- with .Values.global.imagePullSecrets }}
17 | imagePullSecrets:
18 | {{- range . }}
19 |   - name: {{ .name }}
20 | {{- end }}
21 | {{- end }}
22 | {{- end }}
23 | 


--------------------------------------------------------------------------------
/templates/server-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | apiVersion: v1
 3 | kind: ServiceAccount
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-server
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |   {{- if .Values.server.serviceAccount.annotations }}
13 |   annotations:
14 |     {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }}
15 |   {{- end }}
16 | {{- with .Values.global.imagePullSecrets }}
17 | imagePullSecrets:
18 | {{- range . }}
19 |   - name: {{ .name }}
20 | {{- end }}
21 | {{- end }}
22 | {{- end }}
23 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/bases/static-client/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: static-client
 5 | spec:
 6 |   replicas: 1
 7 |   selector:
 8 |     matchLabels:
 9 |       app: static-client
10 |   template:
11 |     metadata:
12 |       name: static-client
13 |       labels:
14 |         app: static-client
15 |     spec:
16 |       containers:
17 |         - name: static-client
18 |           image: docker.mirror.hashicorp.services/curlimages/curl:latest
19 |           command: [ "/bin/sh", "-c", "--" ]
20 |           args: [ "while true; do sleep 30; done;" ]
21 |           env:
22 |           - name: HOST_IP
23 |             valueFrom:
24 |               fieldRef:
25 |                 fieldPath: status.hostIP
26 |       serviceAccountName: static-client
27 |       terminationGracePeriodSeconds: 0 # so deletion is quick
28 | 


--------------------------------------------------------------------------------
/templates/server-acl-init-cleanup-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 2 | {{- if (or $serverEnabled .Values.externalServers.enabled) }}
 3 | {{- if .Values.global.acls.manageSystemACLs }}
 4 | apiVersion: v1
 5 | kind: ServiceAccount
 6 | metadata:
 7 |   name: {{ template "consul.fullname" . }}-server-acl-init-cleanup
 8 |   namespace: {{ .Release.Namespace }}
 9 |   labels:
10 |     app: {{ template "consul.name" . }}
11 |     chart: {{ template "consul.chart" . }}
12 |     heritage: {{ .Release.Service }}
13 |     release: {{ .Release.Name }}
14 | {{- with .Values.global.imagePullSecrets }}
15 | imagePullSecrets:
16 | {{- range . }}
17 |   - name: {{ .name }}
18 | {{- end }}
19 | {{- end }}
20 | {{- end }}
21 | {{- end }}
22 | 


--------------------------------------------------------------------------------
/templates/controller-leader-election-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.controller.enabled }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: Role
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-controller-leader-election
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: controller
12 | rules:
13 | - apiGroups:
14 |   - ""
15 |   resources:
16 |   - configmaps
17 |   verbs:
18 |   - get
19 |   - list
20 |   - watch
21 |   - create
22 |   - update
23 |   - patch
24 |   - delete
25 | - apiGroups:
26 |   - ""
27 |   resources:
28 |   - configmaps/status
29 |   verbs:
30 |   - get
31 |   - update
32 |   - patch
33 | - apiGroups:
34 |   - ""
35 |   resources:
36 |   - events
37 |   verbs:
38 |   - create
39 |   - patch
40 | {{- end }}
41 | 


--------------------------------------------------------------------------------
/templates/sync-catalog-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if $syncEnabled }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: ClusterRoleBinding
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-sync-catalog
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 | roleRef:
13 |   apiGroup: rbac.authorization.k8s.io
14 |   kind: ClusterRole
15 |   name: {{ template "consul.fullname" . }}-sync-catalog
16 | subjects:
17 |   - kind: ServiceAccount
18 |     name: {{ template "consul.fullname" . }}-sync-catalog
19 |     namespace: {{ .Release.Namespace }}
20 | {{- end }}
21 | 


--------------------------------------------------------------------------------
/templates/client-snapshot-agent-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if .Values.client.snapshotAgent.enabled }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: RoleBinding
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-snapshot-agent
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 | roleRef:
14 |   apiGroup: rbac.authorization.k8s.io
15 |   kind: Role
16 |   name: {{ template "consul.fullname" . }}-snapshot-agent
17 | subjects:
18 |   - kind: ServiceAccount
19 |     name: {{ template "consul.fullname" . }}-snapshot-agent
20 | {{- end }}
21 | {{- end }}
22 | 


--------------------------------------------------------------------------------
/templates/enterprise-license-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey (not .Values.server.enterpriseLicense.enableLicenseAutoload)) }}
 3 | apiVersion: v1
 4 | kind: ServiceAccount
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-enterprise-license
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 | {{- with .Values.global.imagePullSecrets }}
14 | imagePullSecrets:
15 | {{- range . }}
16 |   - name: {{ .name }}
17 | {{- end }}
18 | {{- end }}
19 | {{- end }}
20 | {{- end }}
21 | 


--------------------------------------------------------------------------------
/test/unit/create-federation-secret-rolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "createFederationSecret/RoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/create-federation-secret-rolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "createFederationSecret/RoleBinding: enabled with global.createFederationSecret=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/create-federation-secret-rolebinding.yaml  \
16 |       --set 'global.federation.createFederationSecret=true' \
17 |       --set 'global.federation.enabled=true' \
18 |       --set 'global.tls.enabled=true' \
19 |       --set 'meshGateway.enabled=true' \
20 |       --set 'connectInject.enabled=true' \
21 |       . | tee /dev/stderr |
22 |       yq 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 


--------------------------------------------------------------------------------
/templates/connect-inject-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: ClusterRoleBinding
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-connect-injector-webhook-admin-role-binding
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 | roleRef:
12 |   apiGroup: rbac.authorization.k8s.io
13 |   kind: ClusterRole
14 |   name: {{ template "consul.fullname" . }}-connect-injector-webhook
15 | subjects:
16 | - kind: ServiceAccount
17 |   name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
18 |   namespace: {{ .Release.Namespace }}
19 | {{- end }}
20 | 


--------------------------------------------------------------------------------
/templates/tls-init-cleanup-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }}
 3 | apiVersion: v1
 4 | kind: ServiceAccount
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-tls-init-cleanup
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 |   annotations:
14 |     "helm.sh/hook": pre-delete
15 |     "helm.sh/hook-delete-policy": hook-succeeded
16 | {{- with .Values.global.imagePullSecrets }}
17 | imagePullSecrets:
18 | {{- range . }}
19 |   - name: {{ .name }}
20 | {{- end }}
21 | {{- end }}
22 | {{- end }}
23 | {{- end }}
24 | 


--------------------------------------------------------------------------------
/test/unit/crd-meshes.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "mesh/CustomerResourceDefinition: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/crd-meshes.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "mesh/CustomerResourceDefinition: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/crd-meshes.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       # The generated CRDs have "---" at the top which results in two objects
19 |       # being detected by yq, the first of which is null. We must therefore use
20 |       # yq -s so that length operates on both objects at once rather than
21 |       # individually, which would output false\ntrue and fail the test.
22 |       yq -s 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 


--------------------------------------------------------------------------------
/templates/tls-init-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }}
 3 | apiVersion: v1
 4 | kind: ServiceAccount
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-tls-init
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 |   annotations:
14 |     "helm.sh/hook": pre-install,pre-upgrade
15 |     "helm.sh/hook-delete-policy": before-hook-creation
16 | {{- with .Values.global.imagePullSecrets }}
17 | imagePullSecrets:
18 | {{- range . }}
19 |   - name: {{ .name }}
20 | {{- end }}
21 | {{- end }}
22 | {{- end }}
23 | {{- end }}
24 | 


--------------------------------------------------------------------------------
/templates/connect-inject-leader-election-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: RoleBinding
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-connect-inject-leader-election
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: controller
12 | roleRef:
13 |   apiGroup: rbac.authorization.k8s.io
14 |   kind: Role
15 |   name: {{ template "consul.fullname" . }}-connect-inject-leader-election
16 | subjects:
17 | - kind: ServiceAccount
18 |   name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
19 |   namespace: {{ .Release.Namespace }}
20 | {{- end }}
21 | 


--------------------------------------------------------------------------------
/templates/connect-inject-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
 2 | apiVersion: v1
 3 | kind: ServiceAccount
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |   {{- if .Values.connectInject.serviceAccount.annotations }}
13 |   annotations:
14 |     {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }}
15 |   {{- end }}
16 | {{- with .Values.global.imagePullSecrets }}
17 | imagePullSecrets:
18 | {{- range . }}
19 |   - name: {{ .name }}
20 | {{- end }}
21 | {{- end }}
22 | {{- end }}
23 | 


--------------------------------------------------------------------------------
/templates/create-federation-secret-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.global.federation.createFederationSecret }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: RoleBinding
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-create-federation-secret
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |     component: create-federation-secret
13 |   annotations:
14 |     "helm.sh/hook": post-install,post-upgrade
15 |     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
16 | roleRef:
17 |   apiGroup: rbac.authorization.k8s.io
18 |   kind: Role
19 |   name: {{ template "consul.fullname" . }}-create-federation-secret
20 | subjects:
21 | - kind: ServiceAccount
22 |   name: {{ template "consul.fullname" . }}-create-federation-secret
23 | {{- end }}
24 | 


--------------------------------------------------------------------------------
/templates/ingress-gateways-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.ingressGateways.enabled }}
 2 | {{- $root := . }}
 3 | {{- range .Values.ingressGateways.gateways }}
 4 | apiVersion: rbac.authorization.k8s.io/v1
 5 | kind: RoleBinding
 6 | metadata:
 7 |   name: {{ template "consul.fullname" $root }}-{{ .name }}
 8 |   namespace: {{ $root.Release.Namespace }}
 9 |   labels:
10 |     app: {{ template "consul.name" $root }}
11 |     chart: {{ template "consul.chart" $root }}
12 |     heritage: {{ $root.Release.Service }}
13 |     release: {{ $root.Release.Name }}
14 |     component: ingress-gateway
15 |     ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
16 | roleRef:
17 |   apiGroup: rbac.authorization.k8s.io
18 |   kind: Role
19 |   name: {{ template "consul.fullname" $root }}-{{ .name }}
20 | subjects:
21 |   - kind: ServiceAccount
22 |     name: {{ template "consul.fullname" $root }}-{{ .name }}
23 | ---
24 | {{- end }}
25 | {{- end }}
26 | 


--------------------------------------------------------------------------------
/templates/server-disruptionbudget.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }}
 2 | # PodDisruptionBudget to prevent degrading the server cluster through
 3 | # voluntary cluster changes.
 4 | apiVersion: policy/v1beta1
 5 | kind: PodDisruptionBudget
 6 | metadata:
 7 |   name: {{ template "consul.fullname" . }}-server
 8 |   namespace: {{ .Release.Namespace }}
 9 |   labels:
10 |     app: {{ template "consul.name" . }}
11 |     chart: {{ template "consul.chart" . }}
12 |     heritage: {{ .Release.Service }}
13 |     release: {{ .Release.Name }}
14 | spec:
15 |   maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }}
16 |   selector:
17 |     matchLabels:
18 |       app: {{ template "consul.name" . }}
19 |       release: "{{ .Release.Name }}"
20 |       component: server
21 | {{- end }}
22 | 


--------------------------------------------------------------------------------
/templates/sync-catalog-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if $syncEnabled }}
 3 | apiVersion: v1
 4 | kind: ServiceAccount
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-sync-catalog
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 |   {{- if .Values.syncCatalog.serviceAccount.annotations }}
14 |   annotations:
15 |     {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }}
16 |   {{- end }}
17 | {{- with .Values.global.imagePullSecrets }}
18 | imagePullSecrets:
19 | {{- range . }}
20 |   - name: {{ .name }}
21 | {{- end }}
22 | {{- end }}
23 | {{- end }}
24 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Consul Helm Chart
 2 | 
 3 | ⚠️ The Consul Helm chart has been moved to [`hashicorp/consul-k8s`](https://github.com/hashicorp/consul-k8s) under the [`charts/consul`](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul) directory. ⚠️
 4 | 
 5 | Please direct all pull requests and issues to that repository.
 6 | 
 7 | ### Why We Moved consul-helm
 8 | 
 9 | For users, the separate repositories lead to difficulty on new releases and confusion surrounding versioning. Most of the time new releases that include changes to `consul-k8s` also change `consul-helm`. But separate repositories mean separate GitHub PR's and added confusion in opening new Github Issues. In addition, we maintain separate versions of the `consul-k8s` binary and the Consul Helm chart, which in most cases are more tightly coupled together with dependencies. This versioning strategy has also led to confusion as to which Helm charts are compatible with which versions of `consul-k8s`.
10 | 


--------------------------------------------------------------------------------
/test/unit/crd-proxydefaults.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "proxyDefaults/CustomerResourceDefinition: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/crd-proxydefaults.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "proxyDefaults/CustomerResourceDefinition: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/crd-proxydefaults.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       # The generated CRDs have "---" at the top which results in two objects
19 |       # being detected by yq, the first of which is null. We must therefore use
20 |       # yq -s so that length operates on both objects at once rather than
21 |       # individually, which would output false\ntrue and fail the test.
22 |       yq -s 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 


--------------------------------------------------------------------------------
/test/unit/crd-ingressgateways.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "ingressGateway/CustomerResourceDefinition: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/crd-ingressgateways.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "ingressGateway/CustomerResourceDefinition: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/crd-ingressgateways.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       # The generated CRDs have "---" at the top which results in two objects
19 |       # being detected by yq, the first of which is null. We must therefore use
20 |       # yq -s so that length operates on both objects at once rather than
21 |       # individually, which would output false\ntrue and fail the test.
22 |       yq -s 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 


--------------------------------------------------------------------------------
/test/unit/crd-servicerouters.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "serviceRouters/CustomerResourceDefinition: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/crd-servicerouters.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "serviceRouters/CustomerResourceDefinition: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/crd-servicerouters.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       # The generated CRDs have "---" at the top which results in two objects
19 |       # being detected by yq, the first of which is null. We must therefore use
20 |       # yq -s so that length operates on both objects at once rather than
21 |       # individually, which would output false\ntrue and fail the test.
22 |       yq -s 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 


--------------------------------------------------------------------------------
/templates/server-acl-init-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 2 | {{- if (or $serverEnabled .Values.externalServers.enabled) }}
 3 | {{- if .Values.global.acls.manageSystemACLs }}
 4 | apiVersion: rbac.authorization.k8s.io/v1
 5 | kind: RoleBinding
 6 | metadata:
 7 |   name: {{ template "consul.fullname" . }}-server-acl-init
 8 |   namespace: {{ .Release.Namespace }}
 9 |   labels:
10 |     app: {{ template "consul.name" . }}
11 |     chart: {{ template "consul.chart" . }}
12 |     heritage: {{ .Release.Service }}
13 |     release: {{ .Release.Name }}
14 | roleRef:
15 |   apiGroup: rbac.authorization.k8s.io
16 |   kind: Role
17 |   name: {{ template "consul.fullname" . }}-server-acl-init
18 | subjects:
19 |   - kind: ServiceAccount
20 |     name: {{ template "consul.fullname" . }}-server-acl-init
21 | {{- end }}
22 | {{- end }}
23 | 


--------------------------------------------------------------------------------
/test/unit/crd-servicedefaults.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "serviceDefaults/CustomerResourceDefinition: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/crd-servicedefaults.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "serviceDefaults/CustomerResourceDefinition: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/crd-servicedefaults.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       # The generated CRDs have "---" at the top which results in two objects
19 |       # being detected by yq, the first of which is null. We must therefore use
20 |       # yq -s so that length operates on both objects at once rather than
21 |       # individually, which would output false\ntrue and fail the test.
22 |       yq -s 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 


--------------------------------------------------------------------------------
/test/unit/crd-serviceintentions.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "serviceintentions/CustomResourceDefinitions: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/crd-serviceintentions.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "serviceintentions/CustomResourceDefinitions: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/crd-serviceintentions.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       # The generated CRDs have "---" at the top which results in two objects
19 |       # being detected by yq, the first of which is null. We must therefore use
20 |       # yq -s so that length operates on both objects at once rather than
21 |       # individually, which would output false\ntrue and fail the test.
22 |       yq -s 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 


--------------------------------------------------------------------------------
/test/unit/crd-serviceresolvers.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "serviceResolvers/CustomerResourceDefinition: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/crd-serviceresolvers.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "serviceResolvers/CustomerResourceDefinition: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/crd-serviceresolvers.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       # The generated CRDs have "---" at the top which results in two objects
19 |       # being detected by yq, the first of which is null. We must therefore use
20 |       # yq -s so that length operates on both objects at once rather than
21 |       # individually, which would output false\ntrue and fail the test.
22 |       yq -s 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 


--------------------------------------------------------------------------------
/test/unit/crd-servicesplitters.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "serviceSplitters/CustomerResourceDefinition: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/crd-servicesplitters.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "serviceSplitters/CustomerResourceDefinition: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/crd-servicesplitters.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       # The generated CRDs have "---" at the top which results in two objects
19 |       # being detected by yq, the first of which is null. We must therefore use
20 |       # yq -s so that length operates on both objects at once rather than
21 |       # individually, which would output false\ntrue and fail the test.
22 |       yq -s 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 


--------------------------------------------------------------------------------
/templates/client-snapshot-agent-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if .Values.client.snapshotAgent.enabled }}
 3 | apiVersion: v1
 4 | kind: ServiceAccount
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-snapshot-agent
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 |   {{- if .Values.client.snapshotAgent.serviceAccount.annotations }}
14 |   annotations:
15 |     {{ tpl .Values.client.snapshotAgent.serviceAccount.annotations . | nindent 4 | trim }}
16 |   {{- end }}
17 | {{- with .Values.global.imagePullSecrets }}
18 | imagePullSecrets:
19 | {{- range . }}
20 |   - name: {{ .name }}
21 | {{- end }}
22 | {{- end }}
23 | {{- end }}
24 | {{- end }}
25 | 


--------------------------------------------------------------------------------
/test/unit/crd-terminatinggateway.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "terminatingGateway/CustomerResourceDefinition: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/crd-terminatinggateways.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "terminatingGateway/CustomerResourceDefinition: enabled with controller.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/crd-terminatinggateways.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       # The generated CRDs have "---" at the top which results in two objects
19 |       # being detected by yq, the first of which is null. We must therefore use
20 |       # yq -s so that length operates on both objects at once rather than
21 |       # individually, which would output false\ntrue and fail the test.
22 |       yq -s 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 


--------------------------------------------------------------------------------
/templates/server-acl-init-cleanup-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 2 | {{- if (or $serverEnabled .Values.externalServers.enabled) }}
 3 | {{- if .Values.global.acls.manageSystemACLs }}
 4 | apiVersion: rbac.authorization.k8s.io/v1
 5 | kind: RoleBinding
 6 | metadata:
 7 |   name: {{ template "consul.fullname" . }}-server-acl-init-cleanup
 8 |   namespace: {{ .Release.Namespace }}
 9 |   labels:
10 |     app: {{ template "consul.name" . }}
11 |     chart: {{ template "consul.chart" . }}
12 |     heritage: {{ .Release.Service }}
13 |     release: {{ .Release.Name }}
14 | roleRef:
15 |   apiGroup: rbac.authorization.k8s.io
16 |   kind: Role
17 |   name: {{ template "consul.fullname" . }}-server-acl-init-cleanup
18 | subjects:
19 |   - kind: ServiceAccount
20 |     name: {{ template "consul.fullname" . }}-server-acl-init-cleanup
21 | {{- end }}
22 | {{- end }}
23 | 


--------------------------------------------------------------------------------
/test/unit/server-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "server/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/server-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "server/PodSecurityPolicy: disabled with server disabled and global.enablePodSecurityPolicies=true" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/server-podsecuritypolicy.yaml  \
16 |       --set 'server.enabled=false' \
17 |       --set 'global.enablePodSecurityPolicies=true' \
18 |       .
19 | }
20 | 
21 | @test "server/PodSecurityPolicy: enabled with global.enablePodSecurityPolicies=true" {
22 |   cd `chart_dir`
23 |   local actual=$(helm template \
24 |       -s templates/server-podsecuritypolicy.yaml  \
25 |       --set 'global.enablePodSecurityPolicies=true' \
26 |       . | tee /dev/stderr |
27 |       yq -s 'length > 0' | tee /dev/stderr)
28 |   [ "${actual}" = "true" ]
29 | }
30 | 


--------------------------------------------------------------------------------
/templates/enterprise-license-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey (not .Values.server.enterpriseLicense.enableLicenseAutoload)) }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: RoleBinding
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-enterprise-license
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 | roleRef:
14 |   apiGroup: rbac.authorization.k8s.io
15 |   kind: Role
16 |   name: {{ template "consul.fullname" . }}-enterprise-license
17 | subjects:
18 |   - kind: ServiceAccount
19 |     name: {{ template "consul.fullname" . }}-enterprise-license
20 | {{- end }}
21 | {{- end }}
22 | 


--------------------------------------------------------------------------------
/templates/terminating-gateways-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.terminatingGateways.enabled }}
 2 | {{- $root := . }}
 3 | {{- range .Values.terminatingGateways.gateways }}
 4 | apiVersion: rbac.authorization.k8s.io/v1
 5 | kind: RoleBinding
 6 | metadata:
 7 |   name:  {{ template "consul.fullname" $root }}-{{ .name }}
 8 |   namespace: {{ $root.Release.Namespace }}
 9 |   labels:
10 |     app: {{ template "consul.name" $root }}
11 |     chart: {{ template "consul.chart" $root }}
12 |     heritage: {{ $root.Release.Service }}
13 |     release: {{ $root.Release.Name }}
14 |     component: terminating-gateway
15 |     terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
16 | roleRef:
17 |   apiGroup: rbac.authorization.k8s.io
18 |   kind: Role
19 |   name:  {{ template "consul.fullname" $root }}-{{ .name }}
20 | subjects:
21 |   - kind: ServiceAccount
22 |     name:  {{ template "consul.fullname" $root }}-{{ .name }}
23 |     namespace: {{ $root.Release.Namespace }}
24 | ---
25 | {{- end }}
26 | {{- end }}
27 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/example/main_test.go:
--------------------------------------------------------------------------------
 1 | // Rename package to your test package.
 2 | package example
 3 | 
 4 | import (
 5 | 	"testing"
 6 | 
 7 | 	testsuite "github.com/hashicorp/consul-helm/test/acceptance/framework/suite"
 8 | )
 9 | 
10 | var suite testsuite.Suite
11 | 
12 | func TestMain(m *testing.M) {
13 | 	// First, uncomment the line below to create a new suite so that all flags are parsed.
14 | 	/*
15 | 		suite = framework.NewSuite(m)
16 | 	*/
17 | 
18 | 	// If the test suite needs to run only when certain test flags are passed,
19 | 	// you need to handle that in the TestMain function.
20 | 	// Uncomment and modify example code below if that is the case.
21 | 	/*
22 | 		if suite.Config().EnableExampleFeature {
23 | 			os.Exit(suite.Run())
24 | 		} else {
25 | 			fmt.Println("Skipping example feature tests because -enable-example-feature is not set")
26 | 			os.Exit(0)
27 | 		}
28 | 	*/
29 | 
30 | 	// If the test suite should run in every case, uncomment the line below.
31 | 	/*
32 | 		os.Exit(suite.Run())
33 | 	*/
34 | }
35 | 


--------------------------------------------------------------------------------
/test/unit/controller-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "controller/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/controller-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "controller/PodSecurityPolicy: disabled by default with controller enabled" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/controller-podsecuritypolicy.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       .
18 | }
19 | 
20 | @test "controller/PodSecurityPolicy: enabled with controller enabled and global.enablePodSecurityPolicies=true" {
21 |   cd `chart_dir`
22 |   local actual=$(helm template \
23 |       -s templates/controller-podsecuritypolicy.yaml  \
24 |       --set 'controller.enabled=true' \
25 |       --set 'global.enablePodSecurityPolicies=true' \
26 |       . | tee /dev/stderr |
27 |       yq -s 'length > 0' | tee /dev/stderr)
28 |   [ "${actual}" = "true" ]
29 | }
30 | 


--------------------------------------------------------------------------------
/templates/tls-init-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: RoleBinding
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-tls-init
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 |   annotations:
14 |     "helm.sh/hook": pre-install,pre-upgrade
15 |     "helm.sh/hook-delete-policy": before-hook-creation
16 | roleRef:
17 |   apiGroup: rbac.authorization.k8s.io
18 |   kind: Role
19 |   name: {{ template "consul.fullname" . }}-tls-init
20 | subjects:
21 | - kind: ServiceAccount
22 |   name: {{ template "consul.fullname" . }}-tls-init
23 | {{- end }}
24 | {{- end }}
25 | 


--------------------------------------------------------------------------------
/test/terraform/openshift/oc-login.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | resource_group=$1
 4 | cluster_name=$2
 5 | 
 6 | apiServer=$(az aro show -g "$resource_group" -n "$cluster_name" --query apiserverProfile.url -o tsv)
 7 | kubeUser=$(az aro list-credentials -g "$resource_group" -n "$cluster_name" | jq -r .kubeadminUsername)
 8 | kubePassword=$(az aro list-credentials -g "$resource_group" -n "$cluster_name" | jq -r .kubeadminPassword)
 9 | 
10 | echo "Logging in"
11 | for i in {1..20}; do KUBECONFIG="$HOME/.kube/$cluster_name" oc login "$apiServer" -u "$kubeUser" -p "$kubePassword" && break; sleep 5; done
12 | 
13 | echo "Creating the 'consul' project"
14 | # Idempotently, create and use the 'consul' project
15 | KUBECONFIG="$HOME/.kube/$cluster_name" oc new-project consul
16 | KUBECONFIG="$HOME/.kube/$cluster_name" oc project consul
17 | 
18 | echo "Disabling auto-update of the worker nodes based on config changes"
19 | KUBECONFIG="$HOME/.kube/$cluster_name" kubectl patch --type=merge --patch='{"spec":{"paused":true}}' machineconfigpool/worker


--------------------------------------------------------------------------------
/templates/connect-inject-leader-election-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: Role
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-connect-inject-leader-election
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: controller
12 | rules:
13 | - apiGroups:
14 |   - ""
15 |   resources:
16 |   - configmaps
17 |   verbs:
18 |   - get
19 |   - list
20 |   - watch
21 |   - create
22 |   - update
23 |   - patch
24 |   - delete
25 | - apiGroups:
26 |   - ""
27 |   resources:
28 |   - configmaps/status
29 |   verbs:
30 |   - get
31 |   - update
32 |   - patch
33 | - apiGroups:
34 |   - ""
35 |   resources:
36 |   - events
37 |   verbs:
38 |   - create
39 |   - patch
40 | {{- end }}
41 | 


--------------------------------------------------------------------------------
/templates/tls-init-cleanup-rolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: RoleBinding
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-tls-init-cleanup
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 |   annotations:
14 |     "helm.sh/hook": pre-delete
15 |     "helm.sh/hook-delete-policy": hook-succeeded
16 | roleRef:
17 |   apiGroup: rbac.authorization.k8s.io
18 |   kind: Role
19 |   name: {{ template "consul.fullname" . }}-tls-init-cleanup
20 | subjects:
21 | - kind: ServiceAccount
22 |   name: {{ template "consul.fullname" . }}-tls-init-cleanup
23 | {{- end }}
24 | {{- end }}
25 | 


--------------------------------------------------------------------------------
/test/unit/connect-inject-clusterrolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "connectInject/ClusterRoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/connect-inject-clusterrolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "connectInject/ClusterRoleBinding: enabled with global.enabled false" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/connect-inject-clusterrolebinding.yaml  \
16 |       --set 'global.enabled=false' \
17 |       --set 'client.enabled=true' \
18 |       --set 'connectInject.enabled=true' \
19 |       . | tee /dev/stderr |
20 |       yq -s 'length > 0' | tee /dev/stderr)
21 |   [ "${actual}" = "true" ]
22 | }
23 | 
24 | @test "connectInject/ClusterRoleBinding: disabled with connectInject.enabled false" {
25 |   cd `chart_dir`
26 |   assert_empty helm template \
27 |       -s templates/connect-inject-clusterrolebinding.yaml  \
28 |       --set 'connectInject.enabled=false' \
29 |       .
30 | }
31 | 


--------------------------------------------------------------------------------
/templates/server-acl-init-cleanup-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 2 | {{- if (or $serverEnabled .Values.externalServers.enabled) }}
 3 | {{- if .Values.global.acls.manageSystemACLs }}
 4 | apiVersion: rbac.authorization.k8s.io/v1
 5 | kind: Role
 6 | metadata:
 7 |   name: {{ template "consul.fullname" . }}-server-acl-init-cleanup
 8 |   namespace: {{ .Release.Namespace }}
 9 |   labels:
10 |     app: {{ template "consul.name" . }}
11 |     chart: {{ template "consul.chart" . }}
12 |     heritage: {{ .Release.Service }}
13 |     release: {{ .Release.Name }}
14 | rules:
15 |   - apiGroups: ["batch"]
16 |     resources: ["jobs"]
17 |     verbs: ["get", "delete"]
18 | {{- if .Values.global.enablePodSecurityPolicies }}
19 |   - apiGroups: ["policy"]
20 |     resources: ["podsecuritypolicies"]
21 |     resourceNames:
22 |       - {{ template "consul.fullname" . }}-server-acl-init-cleanup
23 |     verbs:
24 |       - use
25 | {{- end }}
26 | {{- end }}
27 | {{- end }}
28 | 


--------------------------------------------------------------------------------
/templates/client-config-configmap.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
 2 | # ConfigMap with extra configuration specified directly to the chart
 3 | # for client agents only.
 4 | apiVersion: v1
 5 | kind: ConfigMap
 6 | metadata:
 7 |   name: {{ template "consul.fullname" . }}-client-config
 8 |   namespace: {{ .Release.Namespace }}
 9 |   labels:
10 |     app: {{ template "consul.name" . }}
11 |     chart: {{ template "consul.chart" . }}
12 |     heritage: {{ .Release.Service }}
13 |     release: {{ .Release.Name }}
14 | data:
15 |   extra-from-values.json: |-
16 | {{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }}
17 |   central-config.json: |-
18 |     {
19 |       "enable_central_service_config": true
20 |     }
21 | 
22 |   {{- if .Values.connectInject.enabled }}
23 |   {{/* We set check_update_interval to 0s so that check output is immediately viewable
24 |        in the UI. */}}
25 |   config.json: |-
26 |     {
27 |       "check_update_interval": "0s"
28 |     }
29 |   {{- end }}
30 | {{- end }}
31 | 


--------------------------------------------------------------------------------
/test/unit/server-securitycontextconstraints.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "server/SecurityContextConstraints: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/server-securitycontextconstraints.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "server/SecurityContextConstraints: disabled with server disabled and global.openshift.enabled=true" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/server-securitycontextconstraints.yaml  \
16 |       --set 'server.enabled=false' \
17 |       --set 'global.openshift.enabled=true' \
18 |       .
19 | }
20 | 
21 | @test "server/SecurityContextConstraints: enabled with global.openshift.enabled=true and server.exposeGossipAndRPCPorts=true" {
22 |   cd `chart_dir`
23 |   local actual=$(helm template \
24 |       -s templates/server-securitycontextconstraints.yaml  \
25 |       --set 'global.openshift.enabled=true' \
26 |       --set 'server.exposeGossipAndRPCPorts=true' \
27 |       . | tee /dev/stderr |
28 |       yq -s 'length > 0' | tee /dev/stderr)
29 |   [ "${actual}" = "true" ]
30 | }
31 | 


--------------------------------------------------------------------------------
/Chart.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v2
 2 | name: consul
 3 | version: 0.32.1
 4 | appVersion: 1.10.0
 5 | kubeVersion: ">=1.17.0-0"
 6 | description: Official HashiCorp Consul Chart
 7 | home: https://www.consul.io
 8 | icon: https://raw.githubusercontent.com/hashicorp/consul-helm/master/assets/icon.png
 9 | sources:
10 |   - https://github.com/hashicorp/consul
11 |   - https://github.com/hashicorp/consul-helm
12 |   - https://github.com/hashicorp/consul-k8s
13 | annotations:
14 |   artifacthub.io/prerelease: false
15 |   artifacthub.io/images: |
16 |     - name: consul
17 |       image: hashicorp/consul:1.10.0
18 |     - name: consul-k8s
19 |       image: hashicorp/consul-k8s:0.26.0
20 |     - name: envoy
21 |       image: envoyproxy/envoy-alpine:v1.18.3
22 |   artifacthub.io/license: MPL-2.0
23 |   artifacthub.io/links: |
24 |     - name: Documentation
25 |       url: https://www.consul.io/docs/k8s
26 |     - name: hashicorp/consul-helm
27 |       url: https://github.com/hashicorp/consul-helm
28 |     - name: hashicorp/consul
29 |       url: https://github.com/hashicorp/consul
30 |     - name: hashicorp/consul-k8s
31 |       url: https://github.com/hashicorp/consul-k8s
32 | 


--------------------------------------------------------------------------------
/test/unit/mesh-gateway-clusterrolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "meshGateway/ClusterRoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/mesh-gateway-clusterrolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "meshGateway/ClusterRoleBinding: enabled with meshGateway, connectInject enabled" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/mesh-gateway-clusterrolebinding.yaml  \
16 |       --set 'meshGateway.enabled=true' \
17 |       --set 'connectInject.enabled=true' \
18 |       . | tee /dev/stderr |
19 |       yq 'length > 0' | tee /dev/stderr)
20 |   [ "${actual}" = "true" ]
21 | }
22 | 
23 | @test "meshGateway/ClusterRoleBinding: subject name is correct" {
24 |   cd `chart_dir`
25 |   local actual=$(helm template \
26 |       -s templates/mesh-gateway-clusterrolebinding.yaml  \
27 |       --set 'meshGateway.enabled=true' \
28 |       --set 'connectInject.enabled=true' \
29 |       . | tee /dev/stderr |
30 |       yq -r '.subjects[0].name' | tee /dev/stderr)
31 |   [ "${actual}" = "RELEASE-NAME-consul-mesh-gateway" ]
32 | }
33 | 
34 | 


--------------------------------------------------------------------------------
/hack/helm-reference-gen/go.sum:
--------------------------------------------------------------------------------
 1 | github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 2 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 3 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 4 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 5 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 6 | github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 7 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 8 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 9 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
10 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
11 | gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
12 | gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
13 | 


--------------------------------------------------------------------------------
/templates/tls-init-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: Role
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-tls-init
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 |   annotations:
14 |     "helm.sh/hook": pre-install,pre-upgrade
15 |     "helm.sh/hook-delete-policy": before-hook-creation
16 | rules:
17 | - apiGroups: [""]
18 |   resources:
19 |     - secrets
20 |   verbs:
21 |     - create
22 |     - update
23 |     - get
24 |     - list
25 | {{- if .Values.global.enablePodSecurityPolicies }}
26 | - apiGroups: ["policy"]
27 |   resources:
28 |   - podsecuritypolicies
29 |   verbs:
30 |     - use
31 |   resourceNames:
32 |     - {{ template "consul.fullname" . }}-tls-init
33 | {{- end }}
34 | {{- end }}
35 | {{- end }}
36 | 


--------------------------------------------------------------------------------
/test/unit/connect-inject-service.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "connectInject/Service: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/connect-inject-service.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "connectInject/Service: enable with global.enabled false" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/connect-inject-service.yaml  \
16 |       --set 'global.enabled=false' \
17 |       --set 'client.enabled=true' \
18 |       --set 'connectInject.enabled=true' \
19 |       . | tee /dev/stderr |
20 |       yq 'length > 0' | tee /dev/stderr)
21 |   [ "${actual}" = "true" ]
22 | }
23 | 
24 | @test "connectInject/Service: disable with connectInject.enabled" {
25 |   cd `chart_dir`
26 |   assert_empty helm template \
27 |       -s templates/connect-inject-service.yaml  \
28 |       --set 'connectInject.enabled=false' \
29 |       .
30 | }
31 | 
32 | @test "connectInject/Service: disable with global.enabled" {
33 |   cd `chart_dir`
34 |   assert_empty helm template \
35 |       -s templates/connect-inject-service.yaml  \
36 |       --set 'global.enabled=false' \
37 |       .
38 | }
39 | 


--------------------------------------------------------------------------------
/test/unit/client-snapshot-agent-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "client/SnapshotAgentPodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/client-snapshot-agent-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "client/SnapshotAgentPodSecurityPolicy: disabled with snapshot agent disabled and global.enablePodSecurityPolicies=true" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/client-snapshot-agent-podsecuritypolicy.yaml  \
16 |       --set 'client.snapshotAgent.enabled=false' \
17 |       --set 'global.enablePodSecurityPolicies=true' \
18 |       .
19 | }
20 | 
21 | @test "client/SnapshotAgentPodSecurityPolicy: enabled with snapshot agent enabled global.enablePodSecurityPolicies=true" {
22 |   cd `chart_dir`
23 |   local actual=$(helm template \
24 |       -s templates/client-snapshot-agent-podsecuritypolicy.yaml  \
25 |       --set 'client.snapshotAgent.enabled=true' \
26 |       --set 'global.enablePodSecurityPolicies=true' \
27 |       . | tee /dev/stderr |
28 |       yq -s 'length > 0' | tee /dev/stderr)
29 |   [ "${actual}" = "true" ]
30 | }
31 | 


--------------------------------------------------------------------------------
/templates/controller-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.controller.enabled .Values.global.enablePodSecurityPolicies }}
 2 | apiVersion: policy/v1beta1
 3 | kind: PodSecurityPolicy
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-controller
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: controller
12 | spec:
13 |   privileged: false
14 |   # Required to prevent escalations to root.
15 |   allowPrivilegeEscalation: false
16 |   # This is redundant with non-root + disallow privilege escalation,
17 |   # but we can provide it for defense in depth.
18 |   requiredDropCapabilities:
19 |     - ALL
20 |   # Allow core volume types.
21 |   volumes:
22 |     - 'configMap'
23 |     - 'emptyDir'
24 |     - 'projected'
25 |     - 'secret'
26 |     - 'downwardAPI'
27 |   hostNetwork: false
28 |   hostIPC: false
29 |   hostPID: false
30 |   runAsUser:
31 |     rule: 'RunAsAny'
32 |   seLinux:
33 |     rule: 'RunAsAny'
34 |   supplementalGroups:
35 |     rule: 'RunAsAny'
36 |   fsGroup:
37 |     rule: 'RunAsAny'
38 |   readOnlyRootFilesystem: false
39 | {{- end }}
40 | 


--------------------------------------------------------------------------------
/test/acceptance/framework/logger/logger.go:
--------------------------------------------------------------------------------
 1 | package logger
 2 | 
 3 | import (
 4 | 	"fmt"
 5 | 	"testing"
 6 | 	"time"
 7 | 
 8 | 	terratestTesting "github.com/gruntwork-io/terratest/modules/testing"
 9 | )
10 | 
11 | // TestLogger implements terratest's TestLogger interface
12 | // so that we can pass it to terratest objects to have consistent logging
13 | // across all tests.
14 | type TestLogger struct{}
15 | 
16 | // Logf takes a format string and args and calls Logf function.
17 | func (tl TestLogger) Logf(t terratestTesting.TestingT, format string, args ...interface{}) {
18 | 	tt, ok := t.(*testing.T)
19 | 	if !ok {
20 | 		t.Error("failed to cast")
21 | 	}
22 | 	tt.Helper()
23 | 
24 | 	Logf(tt, format, args...)
25 | }
26 | 
27 | // Logf takes a format string and args and logs
28 | // formatted string with a timestamp.
29 | func Logf(t *testing.T, format string, args ...interface{}) {
30 | 	t.Helper()
31 | 
32 | 	log := fmt.Sprintf(format, args...)
33 | 	Log(t, log)
34 | }
35 | 
36 | // Log calls t.Log, adding an RFC3339 timestamp to the beginning of the log line.
37 | func Log(t *testing.T, args ...interface{}) {
38 | 	t.Helper()
39 | 
40 | 	allArgs := []interface{}{time.Now().Format(time.RFC3339)}
41 | 	allArgs = append(allArgs, args...)
42 | 	t.Log(allArgs...)
43 | }
44 | 


--------------------------------------------------------------------------------
/test/acceptance/tests/fixtures/cases/static-server-inject/patch.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: static-server
 5 | spec:
 6 |   template:
 7 |     metadata:
 8 |       annotations:
 9 |         "consul.hashicorp.com/connect-inject": "true"
10 |     spec:
11 |       containers:
12 |         - name: static-server
13 |           image: docker.mirror.hashicorp.services/kschoche/http-echo:latest
14 |           args:
15 |             - -text="hello world"
16 |             - -listen=:8080
17 |           ports:
18 |             - containerPort: 8080
19 |               name: http
20 |           livenessProbe:
21 |             httpGet:
22 |               port: 8080
23 |             initialDelaySeconds: 1
24 |             failureThreshold: 1
25 |             periodSeconds: 1
26 |           startupProbe:
27 |             httpGet:
28 |               port: 8080
29 |             initialDelaySeconds: 1
30 |             failureThreshold: 30
31 |             periodSeconds: 1
32 |           readinessProbe:
33 |             exec:
34 |               command: ['sh', '-c', 'test ! -f /tmp/unhealthy']
35 |             initialDelaySeconds: 1
36 |             failureThreshold: 1
37 |             periodSeconds: 1
38 |       serviceAccountName: static-server
39 | 


--------------------------------------------------------------------------------
/templates/server-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: Role
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-server
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 | {{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }}
13 | rules:
14 | {{- if .Values.global.enablePodSecurityPolicies }}
15 | - apiGroups: ["policy"]
16 |   resources: ["podsecuritypolicies"]
17 |   resourceNames:
18 |   - {{ template "consul.fullname" . }}-server
19 |   verbs:
20 |   - use
21 | {{- end }}
22 | {{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }}
23 | - apiGroups: ["security.openshift.io"]
24 |   resources: ["securitycontextconstraints"]
25 |   resourceNames:
26 |   - {{ template "consul.fullname" . }}-server
27 |   verbs:
28 |   - use
29 | {{- end }}
30 | {{- else}}
31 | rules: []
32 | {{- end }}
33 | {{- end }}
34 | 


--------------------------------------------------------------------------------
/templates/webhook-cert-manager-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and (or .Values.controller.enabled .Values.connectInject.enabled) .Values.global.enablePodSecurityPolicies }}
 2 | apiVersion: policy/v1beta1
 3 | kind: PodSecurityPolicy
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-webhook-cert-manager
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: webhook-cert-manager
12 | spec:
13 |   privileged: false
14 |   # Required to prevent escalations to root.
15 |   allowPrivilegeEscalation: false
16 |   # This is redundant with non-root + disallow privilege escalation,
17 |   # but we can provide it for defense in depth.
18 |   requiredDropCapabilities:
19 |     - ALL
20 |   # Allow core volume types.
21 |   volumes:
22 |     - 'configMap'
23 |     - 'emptyDir'
24 |     - 'projected'
25 |     - 'secret'
26 |     - 'downwardAPI'
27 |   hostNetwork: false
28 |   hostIPC: false
29 |   hostPID: false
30 |   runAsUser:
31 |     rule: 'RunAsAny'
32 |   seLinux:
33 |     rule: 'RunAsAny'
34 |   supplementalGroups:
35 |     rule: 'RunAsAny'
36 |   fsGroup:
37 |     rule: 'RunAsAny'
38 |   readOnlyRootFilesystem: false
39 | {{- end }}
40 | 


--------------------------------------------------------------------------------
/templates/mesh-gateway-service.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.meshGateway.enabled .Values.meshGateway.service.enabled }}
 2 | apiVersion: v1
 3 | kind: Service
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-mesh-gateway
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |     component: mesh-gateway
13 |   {{- if .Values.meshGateway.service.annotations }}
14 |   annotations:
15 |     {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }}
16 |   {{- end }}
17 | spec:
18 |   selector:
19 |     app: {{ template "consul.name" . }}
20 |     release: "{{ .Release.Name }}"
21 |     component: mesh-gateway
22 |   ports:
23 |     - name: gateway
24 |       port: {{ .Values.meshGateway.service.port }}
25 |       targetPort: {{ .Values.meshGateway.containerPort }}
26 |       {{- if .Values.meshGateway.service.nodePort }}
27 |       nodePort: {{ .Values.meshGateway.service.nodePort }}
28 |       {{- end}}
29 |   type: {{ .Values.meshGateway.service.type }}
30 |   {{- if .Values.meshGateway.service.additionalSpec }}
31 |   {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }}
32 |   {{- end }}
33 | {{- end }}
34 | 


--------------------------------------------------------------------------------
/templates/webhook-cert-manager-clusterrole.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or .Values.connectInject.enabled .Values.controller.enabled}}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: ClusterRole
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-webhook-cert-manager
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: webhook-cert-manager
12 | rules:
13 | - apiGroups:
14 |   - ""
15 |   resources:
16 |   - secrets
17 |   verbs:
18 |   - create
19 |   - delete
20 |   - get
21 |   - list
22 |   - patch
23 |   - update
24 |   - watch
25 | - apiGroups:
26 |   - admissionregistration.k8s.io
27 |   resources:
28 |   - mutatingwebhookconfigurations
29 |   verbs:
30 |   - get
31 |   - list
32 |   - watch
33 |   - patch
34 | - apiGroups:
35 |   - apps
36 |   resources:
37 |   - deployments
38 |   resourceNames:
39 |   - {{ template "consul.fullname" . }}-webhook-cert-manager
40 |   verbs:
41 |   - get
42 | {{- if .Values.global.enablePodSecurityPolicies }}
43 | - apiGroups:
44 |   - policy
45 |   resources:
46 |   - podsecuritypolicies
47 |   resourceNames:
48 |   - {{ template "consul.fullname" . }}-connect-injector-webhook
49 |   verbs:
50 |   - use
51 | {{- end }}
52 | {{- end }}


--------------------------------------------------------------------------------
/templates/client-snapshot-agent-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if .Values.client.snapshotAgent.enabled }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: Role
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-snapshot-agent
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 | {{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies) }}
14 | rules:
15 | {{- if .Values.global.enablePodSecurityPolicies }}
16 |   - apiGroups: ["policy"]
17 |     resources: ["podsecuritypolicies"]
18 |     resourceNames:
19 |     - {{ template "consul.fullname" . }}-snapshot-agent
20 |     verbs:
21 |     - use
22 | {{- end }}
23 | {{- if .Values.global.acls.manageSystemACLs }}
24 |   - apiGroups: [""]
25 |     resources:
26 |       - secrets
27 |     resourceNames:
28 |       - {{ template "consul.fullname" . }}-client-snapshot-agent-acl-token
29 |     verbs:
30 |       - get
31 | {{- end }}
32 | {{- else }}
33 | rules: []
34 | {{- end }}
35 | {{- end }}
36 | {{- end }}
37 | 


--------------------------------------------------------------------------------
/templates/sync-catalog-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }}
 2 | apiVersion: policy/v1beta1
 3 | kind: PodSecurityPolicy
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-sync-catalog
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 | spec:
12 |   privileged: false
13 |   # Required to prevent escalations to root.
14 |   allowPrivilegeEscalation: false
15 |   # This is redundant with non-root + disallow privilege escalation,
16 |   # but we can provide it for defense in depth.
17 |   requiredDropCapabilities:
18 |     - ALL
19 |   # Allow core volume types.
20 |   volumes:
21 |     - 'configMap'
22 |     - 'emptyDir'
23 |     - 'projected'
24 |     - 'secret'
25 |     - 'downwardAPI'
26 |   hostNetwork: false
27 |   hostIPC: false
28 |   hostPID: false
29 |   runAsUser:
30 |     rule: 'RunAsAny'
31 |   seLinux:
32 |     rule: 'RunAsAny'
33 |   supplementalGroups:
34 |     rule: 'RunAsAny'
35 |   fsGroup:
36 |     rule: 'RunAsAny'
37 |   readOnlyRootFilesystem: false
38 | {{- end }}
39 | 


--------------------------------------------------------------------------------
/templates/create-federation-secret-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.global.enablePodSecurityPolicies }}
 2 | {{- if .Values.global.federation.createFederationSecret }}
 3 | apiVersion: policy/v1beta1
 4 | kind: PodSecurityPolicy
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-create-federation-secret
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |   annotations:
13 |     "helm.sh/hook": post-install,post-upgrade
14 |     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
15 | spec:
16 |   privileged: false
17 |   # Required to prevent escalations to root.
18 |   allowPrivilegeEscalation: false
19 |   # This is redundant with non-root + disallow privilege escalation,
20 |   # but we can provide it for defense in depth.
21 |   requiredDropCapabilities:
22 |     - ALL
23 |   # Allow core volume types.
24 |   volumes:
25 |     - 'secret'
26 |     - 'emptyDir'
27 |   hostNetwork: false
28 |   hostIPC: false
29 |   hostPID: false
30 |   runAsUser:
31 |     rule: 'RunAsAny'
32 |   seLinux:
33 |     rule: 'RunAsAny'
34 |   supplementalGroups:
35 |     rule: 'RunAsAny'
36 |   fsGroup:
37 |     rule: 'RunAsAny'
38 |   readOnlyRootFilesystem: false
39 | {{- end }}
40 | {{- end }}
41 | 


--------------------------------------------------------------------------------
/templates/connect-inject-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }}
 2 | apiVersion: policy/v1beta1
 3 | kind: PodSecurityPolicy
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-connect-injector-webhook
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 | spec:
12 |   privileged: false
13 |   # Required to prevent escalations to root.
14 |   allowPrivilegeEscalation: false
15 |   # This is redundant with non-root + disallow privilege escalation,
16 |   # but we can provide it for defense in depth.
17 |   requiredDropCapabilities:
18 |     - ALL
19 |   # Allow core volume types.
20 |   volumes:
21 |     - 'configMap'
22 |     - 'emptyDir'
23 |     - 'projected'
24 |     - 'secret'
25 |     - 'downwardAPI'
26 |   hostNetwork: false
27 |   hostIPC: false
28 |   hostPID: false
29 |   runAsUser:
30 |     rule: 'RunAsAny'
31 |   seLinux:
32 |     rule: 'RunAsAny'
33 |   supplementalGroups:
34 |     rule: 'RunAsAny'
35 |   fsGroup:
36 |     rule: 'RunAsAny'
37 |   readOnlyRootFilesystem: false
38 | {{- end }}
39 | 


--------------------------------------------------------------------------------
/templates/ingress-gateways-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.ingressGateways.enabled }}
 2 | {{- $root := . }}
 3 | {{- $defaults := .Values.ingressGateways.defaults }}
 4 | {{- range .Values.ingressGateways.gateways }}
 5 | {{- $serviceAccount := .serviceAccount }}
 6 | apiVersion: v1
 7 | kind: ServiceAccount
 8 | metadata:
 9 |   name: {{ template "consul.fullname" $root }}-{{ .name }}
10 |   namespace: {{ $root.Release.Namespace }}
11 |   labels:
12 |     app: {{ template "consul.name" $root }}
13 |     chart: {{ template "consul.chart" $root }}
14 |     heritage: {{ $root.Release.Service }}
15 |     release: {{ $root.Release.Name }}
16 |     component: ingress-gateway
17 |     ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
18 |   {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }}
19 |   annotations:
20 |     {{- if $defaults.serviceAccount.annotations }}
21 |     {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }}
22 |     {{- end }}
23 |     {{- if $serviceAccount.annotations }}
24 |     {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }}
25 |     {{- end }}
26 |   {{- end }}
27 | {{- with $root.Values.global.imagePullSecrets }}
28 | imagePullSecrets:
29 | {{- range . }}
30 |   - name: {{ .name }}
31 | {{- end }}
32 | {{- end }}
33 | ---
34 | {{- end }}
35 | {{- end }}
36 | 


--------------------------------------------------------------------------------
/templates/server-acl-init-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 2 | {{- if (or $serverEnabled .Values.externalServers.enabled) }}
 3 | {{- if .Values.global.acls.manageSystemACLs }}
 4 | {{- if .Values.global.enablePodSecurityPolicies }}
 5 | apiVersion: policy/v1beta1
 6 | kind: PodSecurityPolicy
 7 | metadata:
 8 |   name: {{ template "consul.fullname" . }}-server-acl-init
 9 |   labels:
10 |     app: {{ template "consul.name" . }}
11 |     chart: {{ template "consul.chart" . }}
12 |     heritage: {{ .Release.Service }}
13 |     release: {{ .Release.Name }}
14 | spec:
15 |   privileged: false
16 |   # Allow core volume types.
17 |   volumes:
18 |     - 'secret'
19 |   allowPrivilegeEscalation: false
20 |   # This is redundant with non-root + disallow privilege escalation,
21 |   # but we can provide it for defense in depth.
22 |   requiredDropCapabilities:
23 |     - ALL
24 |   hostNetwork: false
25 |   hostIPC: false
26 |   hostPID: false
27 |   runAsUser:
28 |     rule: 'RunAsAny'
29 |   seLinux:
30 |     rule: 'RunAsAny'
31 |   supplementalGroups:
32 |     rule: 'RunAsAny'
33 |   fsGroup:
34 |     rule: 'RunAsAny'
35 |   readOnlyRootFilesystem: false
36 |   {{- end }}
37 |   {{- end }}
38 |   {{- end }}
39 | 


--------------------------------------------------------------------------------
/templates/mesh-gateway-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }}
 2 | apiVersion: policy/v1beta1
 3 | kind: PodSecurityPolicy
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-mesh-gateway
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: mesh-gateway
12 | spec:
13 |   privileged: false
14 |   # Required to prevent escalations to root.
15 |   allowPrivilegeEscalation: false
16 |   # This is redundant with non-root + disallow privilege escalation,
17 |   # but we can provide it for defense in depth.
18 |   requiredDropCapabilities:
19 |     - ALL
20 |   # Allow core volume types.
21 |   volumes:
22 |     - 'configMap'
23 |     - 'emptyDir'
24 |     - 'projected'
25 |     - 'secret'
26 |     - 'downwardAPI'
27 |   {{- if .Values.meshGateway.hostNetwork }}
28 |   hostNetwork: {{ .Values.meshGateway.hostNetwork }}
29 |   {{- else }}
30 |   hostNetwork: false
31 |   {{- end }}
32 |   hostIPC: false
33 |   hostPID: false
34 |   runAsUser:
35 |     rule: 'RunAsAny'
36 |   seLinux:
37 |     rule: 'RunAsAny'
38 |   supplementalGroups:
39 |     rule: 'RunAsAny'
40 |   fsGroup:
41 |     rule: 'RunAsAny'
42 |   readOnlyRootFilesystem: false
43 | {{- end }}
44 | 


--------------------------------------------------------------------------------
/templates/dns-service.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
 2 | # Service for Consul DNS.
 3 | apiVersion: v1
 4 | kind: Service
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-dns
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 |     component: dns
14 |   {{- if .Values.dns.annotations }}
15 |   annotations:
16 |     {{ tpl .Values.dns.annotations . | nindent 4 | trim }}
17 |   {{- end }}
18 | spec:
19 | {{- if .Values.dns.type }}
20 |   type: {{ .Values.dns.type }}
21 | {{- end }}
22 | {{- if .Values.dns.clusterIP }}
23 |   clusterIP: {{ .Values.dns.clusterIP }}
24 | {{- end }}
25 |   ports:
26 |     - name: dns-tcp
27 |       port: 53
28 |       protocol: "TCP"
29 |       targetPort: dns-tcp
30 |     - name: dns-udp
31 |       port: 53
32 |       protocol: "UDP"
33 |       targetPort: dns-udp
34 |   selector:
35 |     app: {{ template "consul.name" . }}
36 |     release: "{{ .Release.Name }}"
37 |     hasDNS: "true"
38 |   {{- if .Values.dns.additionalSpec }}
39 |   {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }}
40 |   {{- end }}
41 | {{- end }}
42 | 


--------------------------------------------------------------------------------
/templates/terminating-gateways-serviceaccount.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.terminatingGateways.enabled }}
 2 | {{- $root := . }}
 3 | {{- $defaults := .Values.terminatingGateways.defaults }}
 4 | {{- range .Values.terminatingGateways.gateways }}
 5 | {{- $serviceAccount := .serviceAccount }}
 6 | apiVersion: v1
 7 | kind: ServiceAccount
 8 | metadata:
 9 |   name:  {{ template "consul.fullname" $root }}-{{ .name }}
10 |   namespace: {{ $root.Release.Namespace }}
11 |   labels:
12 |     app: {{ template "consul.name" $root }}
13 |     chart: {{ template "consul.chart" $root }}
14 |     heritage: {{ $root.Release.Service }}
15 |     release: {{ $root.Release.Name }}
16 |     component: terminating-gateway
17 |     terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
18 |   {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }}
19 |   annotations:
20 |     {{- if $defaults.serviceAccount.annotations }}
21 |     {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }}
22 |     {{- end }}
23 |     {{- if $serviceAccount.annotations }}
24 |     {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }}
25 |     {{- end }}
26 |   {{- end }}
27 | {{- with $root.Values.global.imagePullSecrets }}
28 | imagePullSecrets:
29 | {{- range . }}
30 |   - name: {{ .name }}
31 | {{- end }}
32 | {{- end }}
33 | ---
34 | {{- end }}
35 | {{- end }}
36 | 


--------------------------------------------------------------------------------
/templates/server-acl-init-cleanup-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 2 | {{- if (or $serverEnabled .Values.externalServers.enabled) }}
 3 | {{- if .Values.global.acls.manageSystemACLs }}
 4 | {{- if .Values.global.enablePodSecurityPolicies }}
 5 | apiVersion: policy/v1beta1
 6 | kind: PodSecurityPolicy
 7 | metadata:
 8 |   name: {{ template "consul.fullname" . }}-server-acl-init-cleanup
 9 |   labels:
10 |     app: {{ template "consul.name" . }}
11 |     chart: {{ template "consul.chart" . }}
12 |     heritage: {{ .Release.Service }}
13 |     release: {{ .Release.Name }}
14 | spec:
15 |   privileged: false
16 |   # Allow core volume types.
17 |   volumes:
18 |     - 'secret'
19 |   allowPrivilegeEscalation: false
20 |   # This is redundant with non-root + disallow privilege escalation,
21 |   # but we can provide it for defense in depth.
22 |   requiredDropCapabilities:
23 |     - ALL
24 |   hostNetwork: false
25 |   hostIPC: false
26 |   hostPID: false
27 |   runAsUser:
28 |     rule: 'RunAsAny'
29 |   seLinux:
30 |     rule: 'RunAsAny'
31 |   supplementalGroups:
32 |     rule: 'RunAsAny'
33 |   fsGroup:
34 |     rule: 'RunAsAny'
35 |   readOnlyRootFilesystem: false
36 |   {{- end }}
37 |   {{- end }}
38 |   {{- end }}
39 | 


--------------------------------------------------------------------------------
/templates/server-acl-init-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 2 | {{- if (or $serverEnabled .Values.externalServers.enabled) }}
 3 | {{- if .Values.global.acls.manageSystemACLs }}
 4 | apiVersion: rbac.authorization.k8s.io/v1
 5 | kind: Role
 6 | metadata:
 7 |   name: {{ template "consul.fullname" . }}-server-acl-init
 8 |   namespace: {{ .Release.Namespace }}
 9 |   labels:
10 |     app: {{ template "consul.name" . }}
11 |     chart: {{ template "consul.chart" . }}
12 |     heritage: {{ .Release.Service }}
13 |     release: {{ .Release.Name }}
14 | rules:
15 |   - apiGroups: [""]
16 |     resources:
17 |       - secrets
18 |     verbs:
19 |       - create
20 |       - get
21 | {{- if .Values.connectInject.enabled }}
22 |   - apiGroups: [""]
23 |     resources:
24 |       - serviceaccounts
25 |     resourceNames:
26 |       - {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account
27 |     verbs:
28 |       - get
29 | {{- end }}
30 | {{- if .Values.global.enablePodSecurityPolicies }}
31 |   - apiGroups: ["policy"]
32 |     resources: ["podsecuritypolicies"]
33 |     resourceNames:
34 |       - {{ template "consul.fullname" . }}-server-acl-init
35 |     verbs:
36 |       - use
37 | {{- end }}
38 | {{- end }}
39 | {{- end }}
40 | 


--------------------------------------------------------------------------------
/templates/client-snapshot-agent-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }}
 2 | {{- if .Values.client.snapshotAgent.enabled }}
 3 | apiVersion: policy/v1beta1
 4 | kind: PodSecurityPolicy
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-snapshot-agent
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 | spec:
13 |   privileged: false
14 |   # Required to prevent escalations to root.
15 |   allowPrivilegeEscalation: false
16 |   # This is redundant with non-root + disallow privilege escalation,
17 |   # but we can provide it for defense in depth.
18 |   requiredDropCapabilities:
19 |     - ALL
20 |   # Allow core volume types.
21 |   volumes:
22 |     - 'configMap'
23 |     - 'emptyDir'
24 |     - 'projected'
25 |     - 'secret'
26 |     - 'downwardAPI'
27 |   hostNetwork: false
28 |   hostIPC: false
29 |   hostPID: false
30 |   runAsUser:
31 |     rule: 'RunAsAny'
32 |   seLinux:
33 |     rule: 'RunAsAny'
34 |   supplementalGroups:
35 |     rule: 'RunAsAny'
36 |   fsGroup:
37 |     rule: 'RunAsAny'
38 |   readOnlyRootFilesystem: false
39 | {{- end }}
40 | {{- end }}
41 | 


--------------------------------------------------------------------------------
/templates/enterprise-license-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey (not .Values.server.enterpriseLicense.enableLicenseAutoload)) }}
 3 | {{- if .Values.global.enablePodSecurityPolicies }}
 4 | apiVersion: policy/v1beta1
 5 | kind: PodSecurityPolicy
 6 | metadata:
 7 |   name: {{ template "consul.fullname" . }}-enterprise-license
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 | spec:
14 |   privileged: false
15 |   # Allow core volume types.
16 |   volumes:
17 |     - 'secret'
18 |   allowPrivilegeEscalation: false
19 |   # This is redundant with non-root + disallow privilege escalation,
20 |   # but we can provide it for defense in depth.
21 |   requiredDropCapabilities:
22 |     - ALL
23 |   hostNetwork: false
24 |   hostIPC: false
25 |   hostPID: false
26 |   runAsUser:
27 |     rule: 'RunAsAny'
28 |   seLinux:
29 |     rule: 'RunAsAny'
30 |   supplementalGroups:
31 |     rule: 'RunAsAny'
32 |   fsGroup:
33 |     rule: 'RunAsAny'
34 |   readOnlyRootFilesystem: false
35 | {{- end }}
36 | {{- end }}
37 | {{- end }}
38 | 


--------------------------------------------------------------------------------
/templates/server-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }}
 2 | apiVersion: policy/v1beta1
 3 | kind: PodSecurityPolicy
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-server
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 | spec:
12 |   privileged: false
13 |   # Required to prevent escalations to root.
14 |   allowPrivilegeEscalation: false
15 |   # This is redundant with non-root + disallow privilege escalation,
16 |   # but we can provide it for defense in depth.
17 |   requiredDropCapabilities:
18 |     - ALL
19 |   # Allow core volume types.
20 |   volumes:
21 |     - 'configMap'
22 |     - 'emptyDir'
23 |     - 'projected'
24 |     - 'secret'
25 |     - 'downwardAPI'
26 |     - 'persistentVolumeClaim'
27 |   hostNetwork: false
28 |   hostIPC: false
29 |   hostPID: false
30 |   runAsUser:
31 |     # Require the container to run without root privileges.
32 |     rule: 'RunAsAny'
33 |   seLinux:
34 |     rule: 'RunAsAny'
35 |   supplementalGroups:
36 |     rule: 'RunAsAny'
37 |   fsGroup:
38 |     rule: 'RunAsAny'
39 |   readOnlyRootFilesystem: false
40 | {{- end }}
41 | 


--------------------------------------------------------------------------------
/test/unit/sync-catalog-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "syncCatalog/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/sync-catalog-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "syncCatalog/PodSecurityPolicy: disabled by default with syncCatalog enabled" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/sync-catalog-podsecuritypolicy.yaml  \
16 |       --set 'syncCatalog.enabled=true' \
17 |       .
18 | }
19 | 
20 | @test "syncCatalog/PodSecurityPolicy: disabled with syncCatalog disabled and global.enablePodSecurityPolicies=true" {
21 |   cd `chart_dir`
22 |   assert_empty helm template \
23 |       -s templates/sync-catalog-podsecuritypolicy.yaml  \
24 |       --set 'syncCatalog.enabled=false' \
25 |       --set 'global.enablePodSecurityPolicies=true' \
26 |       .
27 | }
28 | 
29 | @test "syncCatalog/PodSecurityPolicy: enabled with syncCatalog enabled and global.enablePodSecurityPolicies=true" {
30 |   cd `chart_dir`
31 |   local actual=$(helm template \
32 |       -s templates/sync-catalog-podsecuritypolicy.yaml  \
33 |       --set 'syncCatalog.enabled=true' \
34 |       --set 'global.enablePodSecurityPolicies=true' \
35 |       . | tee /dev/stderr |
36 |       yq -s 'length > 0' | tee /dev/stderr)
37 |   [ "${actual}" = "true" ]
38 | }
39 | 


--------------------------------------------------------------------------------
/templates/mesh-gateway-clusterrole.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.meshGateway.enabled }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: ClusterRole
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-mesh-gateway
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: mesh-gateway
12 | {{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }}
13 | rules:
14 | {{- if .Values.global.enablePodSecurityPolicies }}
15 |   - apiGroups: ["policy"]
16 |     resources: ["podsecuritypolicies"]
17 |     resourceNames:
18 |       - {{ template "consul.fullname" . }}-mesh-gateway
19 |     verbs:
20 |       - use
21 | {{- end }}
22 | {{- if .Values.global.acls.manageSystemACLs }}
23 |   - apiGroups: [""]
24 |     resources:
25 |       - secrets
26 |     resourceNames:
27 |       - {{ template "consul.fullname" . }}-mesh-gateway-acl-token
28 |     verbs:
29 |       - get
30 | {{- end }}
31 | {{- if eq .Values.meshGateway.wanAddress.source "Service" }}
32 |   - apiGroups: [""]
33 |     resources:
34 |       - services
35 |     resourceNames:
36 |       - {{ template "consul.fullname" . }}-mesh-gateway
37 |     verbs:
38 |       - get
39 |   {{- end }}
40 | {{- else }}
41 | rules: []
42 | {{- end }}
43 | {{- end }}
44 | 


--------------------------------------------------------------------------------
/templates/enterprise-license-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey (not .Values.server.enterpriseLicense.enableLicenseAutoload)) }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: Role
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-enterprise-license
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 | {{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }}
14 | rules:
15 | {{- if .Values.global.acls.manageSystemACLs }}
16 |   - apiGroups: [""]
17 |     resources:
18 |       - secrets
19 |     resourceNames:
20 |       - {{ template "consul.fullname" . }}-enterprise-license-acl-token
21 |     verbs:
22 |       - get
23 | {{- end }}
24 | {{- if .Values.global.enablePodSecurityPolicies }}
25 |   - apiGroups: ["policy"]
26 |     resources: ["podsecuritypolicies"]
27 |     resourceNames:
28 |       - {{ template "consul.fullname" . }}-enterprise-license
29 |     verbs:
30 |       - use
31 | {{- end }}
32 | {{- else }}
33 | rules: []
34 | {{- end }}
35 | {{- end }}
36 | {{- end }}
37 | 


--------------------------------------------------------------------------------
/templates/ingress-gateways-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }}
 2 | {{- $root := . }}
 3 | {{- range .Values.ingressGateways.gateways }}
 4 | apiVersion: policy/v1beta1
 5 | kind: PodSecurityPolicy
 6 | metadata:
 7 |   name: {{ template "consul.fullname" $root }}-{{ .name }}
 8 |   labels:
 9 |     app: {{ template "consul.name" $root }}
10 |     chart: {{ template "consul.chart" $root }}
11 |     heritage: {{ $root.Release.Service }}
12 |     release: {{ $root.Release.Name }}
13 |     component: ingress-gateway
14 |     ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
15 | spec:
16 |   privileged: false
17 |   # Required to prevent escalations to root.
18 |   allowPrivilegeEscalation: false
19 |   # This is redundant with non-root + disallow privilege escalation,
20 |   # but we can provide it for defense in depth.
21 |   requiredDropCapabilities:
22 |     - ALL
23 |   # Allow core volume types.
24 |   volumes:
25 |     - 'configMap'
26 |     - 'emptyDir'
27 |     - 'projected'
28 |     - 'secret'
29 |     - 'downwardAPI'
30 |   hostNetwork: false
31 |   hostIPC: false
32 |   hostPID: false
33 |   runAsUser:
34 |     rule: 'RunAsAny'
35 |   seLinux:
36 |     rule: 'RunAsAny'
37 |   supplementalGroups:
38 |     rule: 'RunAsAny'
39 |   fsGroup:
40 |     rule: 'RunAsAny'
41 |   readOnlyRootFilesystem: false
42 | ---
43 | {{- end }}
44 | {{- end }}
45 | 


--------------------------------------------------------------------------------
/test/unit/connect-inject-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "connectInject/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/connect-inject-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "connectInject/PodSecurityPolicy: disabled by default with connectInject enabled" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/connect-inject-podsecuritypolicy.yaml  \
16 |       --set 'connectInject.enabled=true' \
17 |       .
18 | }
19 | 
20 | @test "connectInject/PodSecurityPolicy: disabled with connectInject disabled and global.enablePodSecurityPolicies=true" {
21 |   cd `chart_dir`
22 |   assert_empty helm template \
23 |       -s templates/connect-inject-podsecuritypolicy.yaml  \
24 |       --set 'connectInject.enabled=false' \
25 |       --set 'global.enablePodSecurityPolicies=true' \
26 |       .
27 | }
28 | 
29 | @test "connectInject/PodSecurityPolicy: enabled with connectInject enabled and global.enablePodSecurityPolicies=true" {
30 |   cd `chart_dir`
31 |   local actual=$(helm template \
32 |       -s templates/connect-inject-podsecuritypolicy.yaml  \
33 |       --set 'connectInject.enabled=true' \
34 |       --set 'global.enablePodSecurityPolicies=true' \
35 |       . | tee /dev/stderr |
36 |       yq -s 'length > 0' | tee /dev/stderr)
37 |   [ "${actual}" = "true" ]
38 | }
39 | 


--------------------------------------------------------------------------------
/templates/tls-init-cleanup-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }}
 3 | apiVersion: policy/v1beta1
 4 | kind: PodSecurityPolicy
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-tls-init-cleanup
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |   annotations:
13 |     "helm.sh/hook": pre-delete
14 |     "helm.sh/hook-delete-policy": hook-succeeded
15 | spec:
16 |   privileged: false
17 |   # Required to prevent escalations to root.
18 |   allowPrivilegeEscalation: false
19 |   # This is redundant with non-root + disallow privilege escalation,
20 |   # but we can provide it for defense in depth.
21 |   requiredDropCapabilities:
22 |     - ALL
23 |   # Allow core volume types.
24 |   volumes:
25 |     - 'secret'
26 |   hostNetwork: false
27 |   hostIPC: false
28 |   hostPID: false
29 |   runAsUser:
30 |     rule: 'RunAsAny'
31 |   seLinux:
32 |     rule: 'RunAsAny'
33 |   supplementalGroups:
34 |     rule: 'RunAsAny'
35 |   fsGroup:
36 |     rule: 'RunAsAny'
37 |   readOnlyRootFilesystem: false
38 | {{- end }}
39 | {{- end }}
40 | 


--------------------------------------------------------------------------------
/templates/tls-init-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }}
 3 | apiVersion: policy/v1beta1
 4 | kind: PodSecurityPolicy
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-tls-init
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |   annotations:
13 |     "helm.sh/hook": pre-install,pre-upgrade
14 |     "helm.sh/hook-delete-policy": before-hook-creation
15 | spec:
16 |   privileged: false
17 |   # Required to prevent escalations to root.
18 |   allowPrivilegeEscalation: false
19 |   # This is redundant with non-root + disallow privilege escalation,
20 |   # but we can provide it for defense in depth.
21 |   requiredDropCapabilities:
22 |     - ALL
23 |   # Allow core volume types.
24 |   volumes:
25 |     - 'secret'
26 |   hostNetwork: false
27 |   hostIPC: false
28 |   hostPID: false
29 |   runAsUser:
30 |     rule: 'RunAsAny'
31 |   seLinux:
32 |     rule: 'RunAsAny'
33 |   supplementalGroups:
34 |     rule: 'RunAsAny'
35 |   fsGroup:
36 |     rule: 'RunAsAny'
37 |   readOnlyRootFilesystem: false
38 | {{- end }}
39 | {{- end }}
40 | 


--------------------------------------------------------------------------------
/templates/tls-init-cleanup-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: Role
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-tls-init-cleanup
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 |   annotations:
14 |     "helm.sh/hook": pre-delete
15 |     "helm.sh/hook-delete-policy": hook-succeeded
16 | rules:
17 | - apiGroups: [""]
18 |   resources:
19 |     - secrets
20 |   resourceNames:
21 |     {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }}
22 |     - {{ template "consul.fullname" . }}-ca-cert
23 |     - {{ template "consul.fullname" . }}-ca-key
24 |     {{- end }}
25 |     - {{ template "consul.fullname" . }}-server-cert
26 |   verbs:
27 |     - delete
28 | {{- if .Values.global.enablePodSecurityPolicies }}
29 | - apiGroups: ["policy"]
30 |   resources:
31 |     - podsecuritypolicies
32 |   verbs:
33 |     - use
34 |   resourceNames:
35 |     - {{ template "consul.fullname" . }}-tls-init-cleanup
36 | {{- end }}
37 | {{- end }}
38 | {{- end }}
39 | 


--------------------------------------------------------------------------------
/templates/terminating-gateways-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }}
 2 | {{- $root := . }}
 3 | {{- range .Values.terminatingGateways.gateways }}
 4 | apiVersion: policy/v1beta1
 5 | kind: PodSecurityPolicy
 6 | metadata:
 7 |   name:  {{ template "consul.fullname" $root }}-{{ .name }}
 8 |   labels:
 9 |     app: {{ template "consul.name" $root }}
10 |     chart: {{ template "consul.chart" $root }}
11 |     heritage: {{ $root.Release.Service }}
12 |     release: {{ $root.Release.Name }}
13 |     component: terminating-gateway
14 |     terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
15 | spec:
16 |   privileged: false
17 |   # Required to prevent escalations to root.
18 |   allowPrivilegeEscalation: false
19 |   # This is redundant with non-root + disallow privilege escalation,
20 |   # but we can provide it for defense in depth.
21 |   requiredDropCapabilities:
22 |     - ALL
23 |   # Allow core volume types.
24 |   volumes:
25 |     - 'configMap'
26 |     - 'emptyDir'
27 |     - 'projected'
28 |     - 'secret'
29 |     - 'downwardAPI'
30 |   hostNetwork: false
31 |   hostIPC: false
32 |   hostPID: false
33 |   runAsUser:
34 |     rule: 'RunAsAny'
35 |   seLinux:
36 |     rule: 'RunAsAny'
37 |   supplementalGroups:
38 |     rule: 'RunAsAny'
39 |   fsGroup:
40 |     rule: 'RunAsAny'
41 |   readOnlyRootFilesystem: false
42 | ---
43 | {{- end }}
44 | {{- end }}
45 | 


--------------------------------------------------------------------------------
/templates/connect-inject-clusterrole.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
 2 | # The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: ClusterRole
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-connect-injector-webhook
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 | rules:
13 | - apiGroups: [""]
14 |   resources: ["pods", "endpoints", "services", "namespaces"]
15 |   verbs:
16 |   - "get"
17 |   - "list"
18 |   - "watch"
19 | - apiGroups:
20 |   - coordination.k8s.io
21 |   resources:
22 |   - leases
23 |   verbs:
24 |   - create
25 |   - get
26 |   - list
27 |   - update
28 | {{- if .Values.global.enablePodSecurityPolicies }}
29 | - apiGroups: ["policy"]
30 |   resources: ["podsecuritypolicies"]
31 |   resourceNames:
32 |   - {{ template "consul.fullname" . }}-connect-injector-webhook
33 |   verbs:
34 |   - use
35 | {{- end }}
36 | {{- if .Values.global.acls.manageSystemACLs }}
37 | - apiGroups: [""]
38 |   resources:
39 |   - secrets
40 |   resourceNames:
41 |   - {{ template "consul.fullname" . }}-connect-inject-acl-token
42 |   verbs:
43 |   - get
44 | {{- end }}
45 | {{- end }}
46 | 


--------------------------------------------------------------------------------
/addons/gen.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | WD=$(dirname "$0")
 4 | WD=$(cd "$WD"; pwd)
 5 | 
 6 | set -eux
 7 | 
 8 | TEMPLATES="${WD}/../templates"
 9 | DASHBOARDS="${WD}/dashboards"
10 | TMP=$(mktemp -d)
11 | 
12 | # create Prometheus template
13 | helm template prometheus prometheus \
14 |   --repo https://prometheus-community.github.io/helm-charts \
15 |   --namespace "replace-me-namespace" \
16 |   --version 13.2.1 \
17 |   -f "${WD}/values/prometheus.yaml" \
18 |   > "${TEMPLATES}/prometheus.yaml"
19 | 
20 | # Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template.
21 | sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml"
22 | # Add a comment to the top of the template file mentioning that the file is auto-generated.
23 | sed -i'.orig' '1i\
24 | # This file is auto-generated, see addons/gen.sh
25 | ' "${TEMPLATES}/prometheus.yaml"
26 | # Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled.
27 | sed -i'.orig' '1i\
28 | {{- if .Values.prometheus.enabled }}
29 | ' "${TEMPLATES}/prometheus.yaml"
30 | # Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement).
31 | sed -i'.orig' -e '$a\
32 | {{- end }}' "${TEMPLATES}/prometheus.yaml"
33 | # Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X.
34 | rm "${TEMPLATES}/prometheus.yaml.orig"


--------------------------------------------------------------------------------
/templates/ingress-gateways-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.ingressGateways.enabled }}
 2 | 
 3 | {{- $root := . }}
 4 | {{- $defaults := .Values.ingressGateways.defaults }}
 5 | 
 6 | {{- range .Values.ingressGateways.gateways }}
 7 | apiVersion: rbac.authorization.k8s.io/v1
 8 | kind: Role
 9 | metadata:
10 |   name: {{ template "consul.fullname" $root }}-{{ .name }}
11 |   namespace: {{ $root.Release.Namespace }}
12 |   labels:
13 |     app: {{ template "consul.name" $root }}
14 |     chart: {{ template "consul.chart" $root }}
15 |     heritage: {{ $root.Release.Service }}
16 |     release: {{ $root.Release.Name }}
17 |     component: ingress-gateway
18 |     ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
19 | rules:
20 |   - apiGroups: [""]
21 |     resources:
22 |       - services
23 |     resourceNames:
24 |       - {{ template "consul.fullname" $root }}-{{ .name }}
25 |     verbs:
26 |       - get
27 | {{- if $root.Values.global.enablePodSecurityPolicies }}
28 |   - apiGroups: ["policy"]
29 |     resources: ["podsecuritypolicies"]
30 |     resourceNames:
31 |       - {{ template "consul.fullname" $root }}-{{ .name }}
32 |     verbs:
33 |       - use
34 | {{- end }}
35 | {{- if $root.Values.global.acls.manageSystemACLs }}
36 |   - apiGroups: [""]
37 |     resources:
38 |       - secrets
39 |     resourceNames:
40 |       - {{ template "consul.fullname" $root }}-{{ .name }}-ingress-gateway-acl-token
41 |     verbs:
42 |       - get
43 | {{- end }}
44 | ---
45 | {{- end }}
46 | {{- end }}
47 | 


--------------------------------------------------------------------------------
/templates/terminating-gateways-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.terminatingGateways.enabled }}
 2 | 
 3 | {{- $root := . }}
 4 | {{- $defaults := .Values.terminatingGateways.defaults }}
 5 | 
 6 | {{- range .Values.terminatingGateways.gateways }}
 7 | apiVersion: rbac.authorization.k8s.io/v1
 8 | kind: Role
 9 | metadata:
10 |   name:  {{ template "consul.fullname" $root }}-{{ .name }}
11 |   namespace: {{ $root.Release.Namespace }}
12 |   labels:
13 |     app: {{ template "consul.name" $root }}
14 |     chart: {{ template "consul.chart" $root }}
15 |     heritage: {{ $root.Release.Service }}
16 |     release: {{ $root.Release.Name }}
17 |     component: terminating-gateway
18 |     terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
19 | {{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }}
20 | rules:
21 | {{- if $root.Values.global.enablePodSecurityPolicies }}
22 |   - apiGroups: ["policy"]
23 |     resources: ["podsecuritypolicies"]
24 |     resourceNames:
25 |       -  {{ template "consul.fullname" $root }}-{{ .name }}
26 |     verbs:
27 |       - use
28 | {{- end }}
29 | {{- if $root.Values.global.acls.manageSystemACLs }}
30 |   - apiGroups: [""]
31 |     resources:
32 |       - secrets
33 |     resourceNames:
34 |       -  {{ template "consul.fullname" $root }}-{{ .name }}-terminating-gateway-acl-token
35 |     verbs:
36 |       - get
37 | {{- end }}
38 | {{- else }}
39 | rules: []
40 | {{- end }}
41 | ---
42 | {{- end }}
43 | {{- end }}
44 | 


--------------------------------------------------------------------------------
/test/unit/client-snapshot-agent-rolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "client/SnapshotAgentRoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/client-snapshot-agent-rolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "client/SnapshotAgentRoleBinding: enabled with client.snapshotAgent.enabled=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/client-snapshot-agent-rolebinding.yaml  \
16 |       --set 'client.snapshotAgent.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [ "${actual}" = "true" ]
20 | }
21 | 
22 | @test "client/SnapshotAgentRoleBinding: enabled with client.enabled=true and client.snapshotAgent.enabled=true" {
23 |   cd `chart_dir`
24 |   local actual=$(helm template \
25 |       -s templates/client-snapshot-agent-rolebinding.yaml  \
26 |       --set 'client.enabled=true' \
27 |       --set 'client.snapshotAgent.enabled=true' \
28 |       . | tee /dev/stderr |
29 |       yq 'length > 0' | tee /dev/stderr)
30 |   [ "${actual}" = "true" ]
31 | }
32 | 
33 | @test "client/SnapshotAgentRoleBinding: disabled with client=false and client.snapshotAgent.enabled=true" {
34 |   cd `chart_dir`
35 |   assert_empty helm template \
36 |       -s templates/client-snapshot-agent-rolebinding.yaml  \
37 |       --set 'client.snapshotAgent.enabled=true' \
38 |       --set 'client.enabled=false' \
39 |       .
40 | }
41 | 


--------------------------------------------------------------------------------
/templates/client-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: Role
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-client
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 | {{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }}
13 | rules:
14 | {{- if .Values.global.enablePodSecurityPolicies }}
15 |   - apiGroups: ["policy"]
16 |     resources: ["podsecuritypolicies"]
17 |     resourceNames:
18 |     - {{ template "consul.fullname" . }}-client
19 |     verbs:
20 |     - use
21 | {{- end }}
22 | {{- if .Values.global.acls.manageSystemACLs }}
23 |   - apiGroups: [""]
24 |     resources:
25 |       - secrets
26 |     resourceNames:
27 |       - {{ template "consul.fullname" . }}-client-acl-token
28 |     verbs:
29 |       - get
30 | {{- end }}
31 | {{- if .Values.global.openshift.enabled}}
32 |   - apiGroups: ["security.openshift.io"]
33 |     resources: ["securitycontextconstraints"]
34 |     resourceNames:
35 |       - {{ template "consul.fullname" . }}-client
36 |     verbs:
37 |       - use
38 | {{- end}}
39 | {{- else}}
40 | rules: []
41 | {{- end }}
42 | {{- end }}
43 | 


--------------------------------------------------------------------------------
/templates/sync-catalog-clusterrole.yaml:
--------------------------------------------------------------------------------
 1 | {{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
 2 | {{- if $syncEnabled }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: ClusterRole
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-sync-catalog
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 | rules:
13 |   - apiGroups: [""]
14 |     resources:
15 |       - services
16 |       - endpoints
17 |     verbs:
18 |       - get
19 |       - list
20 |       - watch
21 | {{- if .Values.syncCatalog.toK8S }}
22 |       - update
23 |       - patch
24 |       - delete
25 |       - create
26 | {{- end }}
27 |   - apiGroups: [""]
28 |     resources:
29 |       - nodes
30 |     verbs:
31 |       - get
32 | {{- if .Values.global.acls.manageSystemACLs }}
33 |   - apiGroups: [""]
34 |     resources:
35 |       - secrets
36 |     resourceNames:
37 |       - {{ template "consul.fullname" . }}-catalog-sync-acl-token
38 |     verbs:
39 |       - get
40 | {{- end }}
41 | {{- if .Values.global.enablePodSecurityPolicies }}
42 |   - apiGroups: ["policy"]
43 |     resources: ["podsecuritypolicies"]
44 |     verbs:
45 |       - use
46 |     resourceNames:
47 |       - {{ template "consul.fullname" . }}-sync-catalog
48 | {{- end }}
49 | {{- end }}
50 | 


--------------------------------------------------------------------------------
/templates/server-securitycontextconstraints.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }}
 2 | apiVersion: security.openshift.io/v1
 3 | kind: SecurityContextConstraints
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-server
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |   annotations:
12 |     kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required
13 |       to run the consul server.
14 | allowHostPorts: true
15 | allowHostDirVolumePlugin: false
16 | allowHostIPC: false
17 | allowHostPID: false
18 | allowHostNetwork: false
19 | allowPrivilegeEscalation: false
20 | allowPrivilegedContainer: false
21 | allowedCapabilities: null
22 | defaultAddCapabilities: null
23 | fsGroup:
24 |   type: MustRunAs
25 | groups: []
26 | priority: null
27 | readOnlyRootFilesystem: false
28 | requiredDropCapabilities:
29 | - KILL
30 | - MKNOD
31 | - SETUID
32 | - SETGID
33 | runAsUser:
34 |   type: MustRunAsRange
35 | seLinuxContext:
36 |   type: MustRunAs
37 | supplementalGroups:
38 |   type: MustRunAs
39 | users: []
40 | volumes:
41 | - configMap
42 | - downwardAPI
43 | - emptyDir
44 | - persistentVolumeClaim
45 | - projected
46 | - secret
47 | {{- end -}}
48 | 


--------------------------------------------------------------------------------
/test/unit/webhook-cert-manager-deployment.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "webhookCertManager/Deployment: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/webhook-cert-manager-deployment.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "webhookCertManager/Deployment: enabled with controller.enabled=true and connectInject.enabled=false" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/webhook-cert-manager-deployment.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [ "${actual}" = "true" ]
20 | }
21 | 
22 | @test "webhookCertManager/Deployment: enabled with connectInject.enabled=true and controller.enabled=false" {
23 |   cd `chart_dir`
24 |   local actual=$(helm template \
25 |       -s templates/webhook-cert-manager-deployment.yaml  \
26 |       --set 'connectInject.enabled=true' \
27 |       . | tee /dev/stderr |
28 |       yq 'length > 0' | tee /dev/stderr)
29 |   [ "${actual}" = "true" ]
30 | }
31 | 
32 | @test "webhookCertManager/Deployment: enabled with connectInject.enabled=true and controller.enabled=true" {
33 |   cd `chart_dir`
34 |   local actual=$(helm template \
35 |       -s templates/webhook-cert-manager-deployment.yaml  \
36 |       --set 'controller.enabled=true' \
37 |       --set 'connectInject.enabled=true' \
38 |       . | tee /dev/stderr |
39 |       yq 'length > 0' | tee /dev/stderr)
40 |   [ "${actual}" = "true" ]
41 | }
42 | 


--------------------------------------------------------------------------------
/test/unit/client-rolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "client/RoleBinding: enabled by default" {
 6 |   cd `chart_dir`
 7 |   local actual=$(helm template \
 8 |       -s templates/client-rolebinding.yaml  \
 9 |       . | tee /dev/stderr |
10 |       yq 'length > 0' | tee /dev/stderr)
11 |   [ "${actual}" = "true" ]
12 | }
13 | 
14 | @test "client/RoleBinding: disabled with global.enabled=false" {
15 |   cd `chart_dir`
16 |   assert_empty helm template \
17 |       -s templates/client-rolebinding.yaml  \
18 |       --set 'global.enabled=false' \
19 |       .
20 | }
21 | 
22 | @test "client/RoleBinding: disabled with client disabled" {
23 |   cd `chart_dir`
24 |   assert_empty helm template \
25 |       -s templates/client-rolebinding.yaml  \
26 |       --set 'client.enabled=false' \
27 |       .
28 | }
29 | 
30 | @test "client/RoleBinding: enabled with client enabled" {
31 |   cd `chart_dir`
32 |   local actual=$(helm template \
33 |       -s templates/client-rolebinding.yaml  \
34 |       --set 'client.enabled=true' \
35 |       . | tee /dev/stderr |
36 |       yq -s 'length > 0' | tee /dev/stderr)
37 |   [ "${actual}" = "true" ]
38 | }
39 | 
40 | @test "client/RoleBinding: enabled with client enabled and global.enabled=false" {
41 |   cd `chart_dir`
42 |   local actual=$(helm template \
43 |       -s templates/client-rolebinding.yaml  \
44 |       --set 'global.enabled=false' \
45 |       --set 'client.enabled=true' \
46 |       . | tee /dev/stderr |
47 |       yq -s 'length > 0' | tee /dev/stderr)
48 |   [ "${actual}" = "true" ]
49 | }
50 | 


--------------------------------------------------------------------------------
/test/unit/server-rolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "server/RoleBinding: enabled by default" {
 6 |   cd `chart_dir`
 7 |   local actual=$(helm template \
 8 |       -s templates/server-rolebinding.yaml  \
 9 |       . | tee /dev/stderr |
10 |       yq 'length > 0' | tee /dev/stderr)
11 |   [ "${actual}" = "true" ]
12 | }
13 | 
14 | @test "server/RoleBinding: disabled with global.enabled=false" {
15 |   cd `chart_dir`
16 |   assert_empty helm template \
17 |       -s templates/server-rolebinding.yaml  \
18 |       --set 'global.enabled=false' \
19 |       .
20 | }
21 | 
22 | @test "server/RoleBinding: disabled with server disabled" {
23 |   cd `chart_dir`
24 |   assert_empty helm template \
25 |       -s templates/server-rolebinding.yaml  \
26 |       --set 'server.enabled=false' \
27 |       .
28 | }
29 | 
30 | @test "server/RoleBinding: enabled with server enabled" {
31 |   cd `chart_dir`
32 |   local actual=$(helm template \
33 |       -s templates/server-rolebinding.yaml  \
34 |       --set 'server.enabled=true' \
35 |       . | tee /dev/stderr |
36 |       yq -s 'length > 0' | tee /dev/stderr)
37 |   [ "${actual}" = "true" ]
38 | }
39 | 
40 | @test "server/RoleBinding: enabled with server enabled and global.enabled=false" {
41 |   cd `chart_dir`
42 |   local actual=$(helm template \
43 |       -s templates/server-rolebinding.yaml  \
44 |       --set 'global.enabled=false' \
45 |       --set 'server.enabled=true' \
46 |       . | tee /dev/stderr |
47 |       yq -s 'length > 0' | tee /dev/stderr)
48 |   [ "${actual}" = "true" ]
49 | }
50 | 


--------------------------------------------------------------------------------
/test/unit/connect-inject-authmethod-clusterrole.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "connectInjectAuthMethod/ClusterRole: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/connect-inject-authmethod-clusterrole.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "connectInjectAuthMethod/ClusterRole: enabled with global.enabled false" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/connect-inject-authmethod-clusterrole.yaml  \
16 |       --set 'global.enabled=false' \
17 |       --set 'client.enabled=true' \
18 |       --set 'connectInject.enabled=true' \
19 |       --set 'global.acls.manageSystemACLs=true' \
20 |       . | tee /dev/stderr |
21 |       yq -s 'length > 0' | tee /dev/stderr)
22 |   [ "${actual}" = "true" ]
23 | }
24 | 
25 | @test "connectInjectAuthMethod/ClusterRole: disabled with connectInject.enabled" {
26 |   cd `chart_dir`
27 |   assert_empty helm template \
28 |       -s templates/connect-inject-authmethod-clusterrole.yaml  \
29 |       --set 'connectInject.enabled=true' \
30 |       .
31 | }
32 | 
33 | @test "connectInjectAuthMethod/ClusterRole: enabled with global.acls.manageSystemACLs.enabled=true" {
34 |   cd `chart_dir`
35 |   local actual=$(helm template \
36 |       -s templates/connect-inject-authmethod-clusterrole.yaml  \
37 |       --set 'connectInject.enabled=true' \
38 |       --set 'global.acls.manageSystemACLs=true' \
39 |       . | tee /dev/stderr |
40 |       yq -s 'length > 0' | tee /dev/stderr)
41 |   [ "${actual}" = "true" ]
42 | }
43 | 


--------------------------------------------------------------------------------
/test/unit/create-federation-secret-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "createFederationSecret/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/create-federation-secret-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "createFederationSecret/PodSecurityPolicy: disabled when global.federation.createFederationSecret=true" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/create-federation-secret-podsecuritypolicy.yaml  \
16 |       --set 'global.federation.createFederationSecret=true' \
17 |       --set 'global.federation.enabled=true' \
18 |       --set 'global.tls.enabled=true' \
19 |       --set 'meshGateway.enabled=true' \
20 |       --set 'connectInject.enabled=true' \
21 |       .
22 | }
23 | 
24 | @test "createFederationSecret/PodSecurityPolicy: enabled with global.federation.createFederationSecret=true and global.enablePodSecurityPolicies=true" {
25 |   cd `chart_dir`
26 |   local actual=$(helm template \
27 |       -s templates/create-federation-secret-podsecuritypolicy.yaml  \
28 |       --set 'global.federation.createFederationSecret=true' \
29 |       --set 'global.federation.enabled=true' \
30 |       --set 'global.tls.enabled=true' \
31 |       --set 'meshGateway.enabled=true' \
32 |       --set 'connectInject.enabled=true' \
33 |       --set 'global.enablePodSecurityPolicies=true' \
34 |       . | tee /dev/stderr |
35 |       yq -s 'length > 0' | tee /dev/stderr)
36 |   [ "${actual}" = "true" ]
37 | }
38 | 


--------------------------------------------------------------------------------
/test/unit/ingress-gateways-rolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "ingressGateway/RoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/ingress-gateways-rolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "ingressGateway/RoleBinding: enabled with ingressGateways, connectInject enabled" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/ingress-gateways-rolebinding.yaml  \
16 |       --set 'ingressGateways.enabled=true' \
17 |       --set 'connectInject.enabled=true' \
18 |       . | tee /dev/stderr |
19 |       yq -s 'length > 0' | tee /dev/stderr)
20 |   [ "${actual}" = "true" ]
21 | }
22 | 
23 | @test "ingressGateways/RoleBinding: multiple gateways" {
24 |   cd `chart_dir`
25 |   local object=$(helm template \
26 |       -s templates/ingress-gateways-role.yaml  \
27 |       --set 'ingressGateways.enabled=true' \
28 |       --set 'connectInject.enabled=true' \
29 |       --set 'ingressGateways.gateways[0].name=gateway1' \
30 |       --set 'ingressGateways.gateways[1].name=gateway2' \
31 |       . | tee /dev/stderr |
32 |       yq -s -r '.' | tee /dev/stderr)
33 | 
34 |   local actual=$(echo $object | yq -r '.[0].metadata.name' | tee /dev/stderr)
35 |   [ "${actual}" = "RELEASE-NAME-consul-gateway1" ]
36 | 
37 |   local actual=$(echo $object | yq -r '.[1].metadata.name' | tee /dev/stderr)
38 |   [ "${actual}" = "RELEASE-NAME-consul-gateway2" ]
39 | 
40 |   local actual=$(echo $object | yq '.[2] | length > 0' | tee /dev/stderr)
41 |   [ "${actual}" = "false" ]
42 | }
43 | 


--------------------------------------------------------------------------------
/test/unit/webhook-cert-manager-clusterrolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "webhookCertManager/ClusterRoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/webhook-cert-manager-clusterrolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "webhookCertManager/ClusterRoleBinding: enabled with controller.enabled=true and connectInject.enabled=false" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/webhook-cert-manager-clusterrolebinding.yaml  \
16 |       --set 'controller.enabled=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [ "${actual}" = "true" ]
20 | }
21 | 
22 | @test "webhookCertManager/ClusterRoleBinding: enabled with connectInject.enabled=true and controller.enabled=false" {
23 |   cd `chart_dir`
24 |   local actual=$(helm template \
25 |       -s templates/webhook-cert-manager-clusterrolebinding.yaml  \
26 |       --set 'connectInject.enabled=true' \
27 |       . | tee /dev/stderr |
28 |       yq 'length > 0' | tee /dev/stderr)
29 |   [ "${actual}" = "true" ]
30 | }
31 | 
32 | @test "webhookCertManager/ClusterRoleBinding: enabled with connectInject.enabled=true and controller.enabled=true" {
33 |   cd `chart_dir`
34 |   local actual=$(helm template \
35 |       -s templates/webhook-cert-manager-clusterrolebinding.yaml  \
36 |       --set 'controller.enabled=true' \
37 |       --set 'connectInject.enabled=true' \
38 |       . | tee /dev/stderr |
39 |       yq 'length > 0' | tee /dev/stderr)
40 |   [ "${actual}" = "true" ]
41 | }
42 | 


--------------------------------------------------------------------------------
/test/unit/sync-catalog-clusterrolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "syncCatalog/ClusterRoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/sync-catalog-clusterrolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "syncCatalog/ClusterRoleBinding: disabled with global.enabled=false" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/sync-catalog-clusterrolebinding.yaml  \
16 |       --set 'global.enabled=false' \
17 |       .
18 | }
19 | 
20 | @test "syncCatalog/ClusterRoleBinding: disabled with sync disabled" {
21 |   cd `chart_dir`
22 |   assert_empty helm template \
23 |       -s templates/sync-catalog-clusterrolebinding.yaml  \
24 |       --set 'syncCatalog.enabled=false' \
25 |       .
26 | }
27 | 
28 | @test "syncCatalog/ClusterRoleBinding: enabled with sync enabled" {
29 |   cd `chart_dir`
30 |   local actual=$(helm template \
31 |       -s templates/sync-catalog-clusterrolebinding.yaml  \
32 |       --set 'syncCatalog.enabled=true' \
33 |       . | tee /dev/stderr |
34 |       yq -s 'length > 0' | tee /dev/stderr)
35 |   [ "${actual}" = "true" ]
36 | }
37 | 
38 | @test "syncCatalog/ClusterRoleBinding: enabled with sync enabled and global.enabled=false" {
39 |   cd `chart_dir`
40 |   local actual=$(helm template \
41 |       -s templates/sync-catalog-clusterrolebinding.yaml  \
42 |       --set 'global.enabled=false' \
43 |       --set 'syncCatalog.enabled=true' \
44 |       . | tee /dev/stderr |
45 |       yq -s 'length > 0' | tee /dev/stderr)
46 |   [ "${actual}" = "true" ]
47 | }
48 | 


--------------------------------------------------------------------------------
/test/terraform/aks/main.tf:
--------------------------------------------------------------------------------
 1 | provider "azurerm" {
 2 |   version = "~> 2.0"
 3 |   features {}
 4 | }
 5 | 
 6 | provider "local" {}
 7 | 
 8 | resource "random_id" "suffix" {
 9 |   count       = var.cluster_count
10 |   byte_length = 4
11 | }
12 | 
13 | resource "azurerm_resource_group" "default" {
14 |   count    = var.cluster_count
15 |   name     = "consul-k8s-${random_id.suffix[count.index].dec}"
16 |   location = var.location
17 | 
18 |   tags = var.tags
19 | }
20 | 
21 | resource "azurerm_kubernetes_cluster" "default" {
22 |   count               = var.cluster_count
23 |   name                = "consul-k8s-${random_id.suffix[count.index].dec}"
24 |   location            = azurerm_resource_group.default[count.index].location
25 |   resource_group_name = azurerm_resource_group.default[count.index].name
26 |   dns_prefix          = "consul-k8s-${random_id.suffix[count.index].dec}"
27 |   kubernetes_version  = "1.19.9"
28 | 
29 |   default_node_pool {
30 |     name            = "default"
31 |     node_count      = 3
32 |     vm_size         = "Standard_D2_v2"
33 |     os_disk_size_gb = 30
34 |   }
35 | 
36 |   service_principal {
37 |     client_id     = var.client_id
38 |     client_secret = var.client_secret
39 |   }
40 | 
41 |   role_based_access_control {
42 |     enabled = true
43 |   }
44 | 
45 |   tags = var.tags
46 | }
47 | 
48 | resource "local_file" "kubeconfigs" {
49 |   count           = var.cluster_count
50 |   content         = azurerm_kubernetes_cluster.default[count.index].kube_config_raw
51 |   filename        = pathexpand("~/.kube/consul-k8s-${random_id.suffix[count.index].dec}")
52 |   file_permission = "0600"
53 | }
54 | 


--------------------------------------------------------------------------------
/test/unit/connect-inject-authmethod-clusterrolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "connectInjectAuthMethod/ClusterRoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/connect-inject-authmethod-clusterrolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "connectInjectAuthMethod/ClusterRoleBinding: enabled with global.enabled false" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/connect-inject-authmethod-clusterrolebinding.yaml  \
16 |       --set 'global.enabled=false' \
17 |       --set 'client.enabled=true' \
18 |       --set 'connectInject.enabled=true' \
19 |       --set 'global.acls.manageSystemACLs=true' \
20 |       . | tee /dev/stderr |
21 |       yq -s 'length > 0' | tee /dev/stderr)
22 |   [ "${actual}" = "true" ]
23 | }
24 | 
25 | @test "connectInjectAuthMethod/ClusterRoleBinding: disabled with connectInject.enabled" {
26 |   cd `chart_dir`
27 |   assert_empty helm template \
28 |       -s templates/connect-inject-authmethod-clusterrolebinding.yaml  \
29 |       --set 'connectInject.enabled=true' \
30 |       .
31 | }
32 | 
33 | @test "connectInjectAuthMethod/ClusterRoleBinding: enabled with global.acls.manageSystemACLs.enabled=true" {
34 |   cd `chart_dir`
35 |   local actual=$(helm template \
36 |       -s templates/connect-inject-authmethod-clusterrolebinding.yaml  \
37 |       --set 'connectInject.enabled=true' \
38 |       --set 'global.acls.manageSystemACLs=true' \
39 |       . | tee /dev/stderr |
40 |       yq -s 'length > 0' | tee /dev/stderr)
41 |   [ "${actual}" = "true" ]
42 | }
43 | 


--------------------------------------------------------------------------------
/test/unit/terminating-gateways-rolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "terminatingGateways/RoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/terminating-gateways-rolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "terminatingGateways/RoleBinding: enabled with terminatingGateways, connectInject and client.grpc enabled" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/terminating-gateways-rolebinding.yaml  \
16 |       --set 'terminatingGateways.enabled=true' \
17 |       --set 'connectInject.enabled=true' \
18 |       . | tee /dev/stderr |
19 |       yq -s 'length > 0' | tee /dev/stderr)
20 |   [ "${actual}" = "true" ]
21 | }
22 | 
23 | @test "terminatingGateways/RoleBinding: multiple gateways" {
24 |   cd `chart_dir`
25 |   local object=$(helm template \
26 |       -s templates/terminating-gateways-role.yaml  \
27 |       --set 'terminatingGateways.enabled=true' \
28 |       --set 'connectInject.enabled=true' \
29 |       --set 'terminatingGateways.gateways[0].name=gateway1' \
30 |       --set 'terminatingGateways.gateways[1].name=gateway2' \
31 |       . | tee /dev/stderr |
32 |       yq -s -r '.' | tee /dev/stderr)
33 | 
34 |   local actual=$(echo $object | yq -r '.[0].metadata.name' | tee /dev/stderr)
35 |   [ "${actual}" = "RELEASE-NAME-consul-gateway1" ]
36 | 
37 |   local actual=$(echo $object | yq -r '.[1].metadata.name' | tee /dev/stderr)
38 |   [ "${actual}" = "RELEASE-NAME-consul-gateway2" ]
39 | 
40 |   local actual=$(echo $object | yq '.[2] | length > 0' | tee /dev/stderr)
41 |   [ "${actual}" = "false" ]
42 | }
43 | 


--------------------------------------------------------------------------------
/test/acceptance/framework/suite/suite.go:
--------------------------------------------------------------------------------
 1 | package suite
 2 | 
 3 | import (
 4 | 	"flag"
 5 | 	"fmt"
 6 | 	"io/ioutil"
 7 | 	"testing"
 8 | 
 9 | 	"github.com/hashicorp/consul-helm/test/acceptance/framework/config"
10 | 	"github.com/hashicorp/consul-helm/test/acceptance/framework/environment"
11 | 	"github.com/hashicorp/consul-helm/test/acceptance/framework/flags"
12 | )
13 | 
14 | type suite struct {
15 | 	m     *testing.M
16 | 	env   *environment.KubernetesEnvironment
17 | 	cfg   *config.TestConfig
18 | 	flags *flags.TestFlags
19 | }
20 | 
21 | type Suite interface {
22 | 	Run() int
23 | 	Environment() environment.TestEnvironment
24 | 	Config() *config.TestConfig
25 | }
26 | 
27 | func NewSuite(m *testing.M) Suite {
28 | 	flags := flags.NewTestFlags()
29 | 
30 | 	flag.Parse()
31 | 
32 | 	testConfig := flags.TestConfigFromFlags()
33 | 
34 | 	return &suite{
35 | 		m:     m,
36 | 		env:   environment.NewKubernetesEnvironmentFromConfig(testConfig),
37 | 		cfg:   testConfig,
38 | 		flags: flags,
39 | 	}
40 | }
41 | 
42 | func (s *suite) Run() int {
43 | 	err := s.flags.Validate()
44 | 	if err != nil {
45 | 		fmt.Printf("Flag validation failed: %s\n", err)
46 | 		return 1
47 | 	}
48 | 
49 | 	// Create test debug directory if it doesn't exist
50 | 	if s.cfg.DebugDirectory == "" {
51 | 		var err error
52 | 		s.cfg.DebugDirectory, err = ioutil.TempDir("", "consul-test")
53 | 		if err != nil {
54 | 			fmt.Printf("Failed to create debug directory: %s\n", err)
55 | 			return 1
56 | 		}
57 | 	}
58 | 
59 | 	return s.m.Run()
60 | }
61 | 
62 | func (s *suite) Environment() environment.TestEnvironment {
63 | 	return s.env
64 | }
65 | 
66 | func (s *suite) Config() *config.TestConfig {
67 | 	return s.cfg
68 | }
69 | 


--------------------------------------------------------------------------------
/templates/connect-inject-authmethod-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
 2 | {{- if .Values.global.acls.manageSystemACLs }}
 3 | apiVersion: rbac.authorization.k8s.io/v1
 4 | kind: ClusterRoleBinding
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-connect-injector-authmethod-authdelegator-role-binding
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 | roleRef:
13 |   apiGroup: rbac.authorization.k8s.io
14 |   kind: ClusterRole
15 |   name: "system:auth-delegator"
16 | subjects:
17 |   - kind: ServiceAccount
18 |     name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account
19 |     namespace: {{ .Release.Namespace }}
20 | ---
21 | apiVersion: rbac.authorization.k8s.io/v1
22 | kind: ClusterRoleBinding
23 | metadata:
24 |   name: {{ template "consul.fullname" . }}-connect-injector-authmethod-serviceaccount-role-binding
25 |   labels:
26 |     app: {{ template "consul.name" . }}
27 |     chart: {{ template "consul.chart" . }}
28 |     heritage: {{ .Release.Service }}
29 |     release: {{ .Release.Name }}
30 | roleRef:
31 |   apiGroup: rbac.authorization.k8s.io
32 |   kind: ClusterRole
33 |   name: {{ template "consul.fullname" . }}-connect-injector-authmethod-role
34 | subjects:
35 |   - kind: ServiceAccount
36 |     name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account
37 |     namespace: {{ .Release.Namespace }}
38 | {{- end }}
39 | {{- end }}
40 | 


--------------------------------------------------------------------------------
/templates/create-federation-secret-role.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.global.federation.createFederationSecret }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: Role
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-create-federation-secret
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |     component: create-federation-secret
13 |   annotations:
14 |     "helm.sh/hook": post-install,post-upgrade
15 |     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
16 | rules:
17 |   {{/* Must have separate rule for create secret permissions vs update because
18 |     can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}}
19 |   - apiGroups: [""]
20 |     resources:
21 |       - secrets
22 |     verbs:
23 |       - create
24 |   - apiGroups: [""]
25 |     resources:
26 |       - secrets
27 |     resourceNames:
28 |       - {{ template "consul.fullname" . }}-federation
29 |     verbs:
30 |       - update
31 |   {{- if .Values.global.acls.manageSystemACLs }}
32 |   - apiGroups: [""]
33 |     resources:
34 |       - secrets
35 |     resourceNames:
36 |       - {{ template "consul.fullname" . }}-acl-replication-acl-token
37 |     verbs:
38 |       - get
39 |   {{- end }}
40 |   {{- if .Values.global.enablePodSecurityPolicies }}
41 |   - apiGroups: ["policy"]
42 |     resources:
43 |       - podsecuritypolicies
44 |     verbs:
45 |       - use
46 |     resourceNames:
47 |       - {{ template "consul.fullname" . }}-create-federation-secret
48 |   {{- end }}
49 | {{- end }}
50 | 


--------------------------------------------------------------------------------
/templates/client-securitycontextconstraints.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }}
 2 | apiVersion: security.openshift.io/v1
 3 | kind: SecurityContextConstraints
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-client
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |   annotations:
12 |     kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required
13 |       to run the consul client.
14 | {{- if .Values.client.dataDirectoryHostPath }}
15 | allowHostDirVolumePlugin: true
16 | {{- else }}
17 | allowHostDirVolumePlugin: false
18 | {{- end}}
19 | allowHostIPC: false
20 | allowHostNetwork: {{ .Values.client.hostNetwork }}
21 | allowHostPID: false
22 | allowHostPorts: true
23 | allowPrivilegeEscalation: true
24 | allowPrivilegedContainer: false
25 | allowedCapabilities: null
26 | defaultAddCapabilities: null
27 | fsGroup:
28 |   type: MustRunAs
29 | groups: []
30 | priority: null
31 | readOnlyRootFilesystem: false
32 | requiredDropCapabilities:
33 | - KILL
34 | - MKNOD
35 | - SETUID
36 | - SETGID
37 | runAsUser:
38 |   type: MustRunAsRange
39 | seLinuxContext:
40 |   type: MustRunAs
41 | supplementalGroups:
42 |   type: MustRunAs
43 | users: []
44 | volumes:
45 | - configMap
46 | - downwardAPI
47 | - emptyDir
48 | - persistentVolumeClaim
49 | - projected
50 | - secret
51 | {{- if .Values.client.dataDirectoryHostPath }}
52 | - hostPath
53 | {{- end }}
54 | {{- end}}


--------------------------------------------------------------------------------
/templates/connect-inject-mutatingwebhook.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
 2 | # The MutatingWebhookConfiguration to enable the Connect injector.
 3 | apiVersion: admissionregistration.k8s.io/v1
 4 | kind: MutatingWebhookConfiguration
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-connect-injector-cfg
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 | webhooks:
14 |   - name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com
15 |     # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy.
16 |     objectSelector:
17 |       matchExpressions:
18 |       - key: app
19 |         operator: NotIn
20 |         values: [ {{ template "consul.name" . }} ]
21 |     failurePolicy: {{ .Values.connectInject.failurePolicy }}
22 |     sideEffects: None
23 |     admissionReviewVersions:
24 |     - "v1beta1"
25 |     - "v1"
26 |     clientConfig:
27 |       service:
28 |         name: {{ template "consul.fullname" . }}-connect-injector-svc
29 |         namespace: {{ .Release.Namespace }}
30 |         path: "/mutate"
31 |     rules:
32 |     - operations: [ "CREATE" ]
33 |       apiGroups: [""]
34 |       apiVersions: ["v1"]
35 |       resources: ["pods"]
36 | {{- if .Values.connectInject.namespaceSelector }}
37 |     namespaceSelector:
38 | {{ tpl .Values.connectInject.namespaceSelector . | indent 6 }}
39 | {{- end }}
40 | {{- end }}
41 | 


--------------------------------------------------------------------------------
/test/unit/connect-inject-mutatingwebhook.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "connectInject/MutatingWebhookConfiguration: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/connect-inject-mutatingwebhook.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "connectInject/MutatingWebhookConfiguration: enable with global.enabled false" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/connect-inject-mutatingwebhook.yaml  \
16 |       --set 'global.enabled=false' \
17 |       --set 'client.enabled=true' \
18 |       --set 'connectInject.enabled=true' \
19 |       . | tee /dev/stderr |
20 |       yq 'length > 0' | tee /dev/stderr)
21 |   [ "${actual}" = "true" ]
22 | }
23 | 
24 | @test "connectInject/MutatingWebhookConfiguration: disable with connectInject.enabled" {
25 |   cd `chart_dir`
26 |   assert_empty helm template \
27 |       -s templates/connect-inject-mutatingwebhook.yaml  \
28 |       --set 'connectInject.enabled=false' \
29 |       .
30 | }
31 | 
32 | @test "connectInject/MutatingWebhookConfiguration: disable with global.enabled" {
33 |   cd `chart_dir`
34 |   assert_empty helm template \
35 |       -s templates/connect-inject-mutatingwebhook.yaml  \
36 |       --set 'global.enabled=false' \
37 |       .
38 | }
39 | 
40 | @test "connectInject/MutatingWebhookConfiguration: namespace is set" {
41 |   cd `chart_dir`
42 |   local actual=$(helm template \
43 |       -s templates/connect-inject-mutatingwebhook.yaml  \
44 |       --set 'connectInject.enabled=true' \
45 |       --namespace foo \
46 |       . | tee /dev/stderr |
47 |       yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr)
48 |   [ "${actual}" = "\"foo\"" ]
49 | }
50 | 


--------------------------------------------------------------------------------
/templates/server-config-configmap.yaml:
--------------------------------------------------------------------------------
 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 2 | # StatefulSet to run the actual Consul server cluster.
 3 | apiVersion: v1
 4 | kind: ConfigMap
 5 | metadata:
 6 |   name: {{ template "consul.fullname" . }}-server-config
 7 |   namespace: {{ .Release.Namespace }}
 8 |   labels:
 9 |     app: {{ template "consul.name" . }}
10 |     chart: {{ template "consul.chart" . }}
11 |     heritage: {{ .Release.Service }}
12 |     release: {{ .Release.Name }}
13 | data:
14 |   extra-from-values.json: |-
15 | {{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }}
16 |   {{- if .Values.global.acls.manageSystemACLs }}
17 |   acl-config.json: |-
18 |     {
19 |       "acl": {
20 |         "enabled": true,
21 |         "default_policy": "deny",
22 |         "down_policy": "extend-cache",
23 |         {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }}
24 |         "enable_token_replication": true,
25 |         {{- end }}
26 |         "enable_token_persistence": true
27 |       }
28 |     }
29 |   {{- end }}
30 |   {{- if (and .Values.ui.enabled (or .Values.ui.metrics.enabled (and .Values.global.metrics.enabled (eq (.Values.ui.metrics.enabled | toString) "-")))) }}
31 |   ui-config.json: |-
32 |     {
33 |       "ui_config": {
34 |         "enabled": true,
35 |         "metrics_provider": "{{ .Values.ui.metrics.provider }}",
36 |         "metrics_proxy": {
37 |           "base_url": "{{ .Values.ui.metrics.baseURL }}"
38 |         }
39 |       }
40 |     }
41 |   {{- end }}
42 |   central-config.json: |-
43 |     {
44 |       "enable_central_service_config": true
45 |     }
46 | {{- end }}
47 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Feature Request
 3 | about: If you have something you think Consul Helm could improve or add support for.
 4 | labels: enhancement
 5 | 
 6 | ---
 7 | 
 8 | <!--- Please keep this note for the community --->
 9 | 
10 | ### Community Note
11 | 
12 | * Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
13 | * Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
14 | * If you are interested in working on this issue or have submitted a pull request, please leave a comment.
15 | 
16 | <!--- Thank you for keeping this note for the community --->
17 | 
18 | ---
19 | 
20 | #### Is your feature request related to a problem? Please describe.
21 | 
22 | <!--- A clear and concise description of the problem you are facing. Describe what workarounds, if any, that you have tried prior to creating this feature request. --->
23 | 
24 | #### Feature Description
25 | 
26 | <!--- A description what this feature is and how it addresses the problem you are having. Describe potential UX for the feature if possible. --->
27 | 
28 | #### Use Case(s)
29 | 
30 | <!--- Use cases where this feature is applicable for Consul on Kubernetes (i.e. type of application, type of Consul use case i.e. Service Mesh, Service Disovery). --->
31 | 
32 | #### Contributions
33 | 
34 | <!--- Are you able to contribute the changes to make this feature work? --->
35 | 


--------------------------------------------------------------------------------
/test/unit/tls-init-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "tlsInit/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/tls-init-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "tlsInit/PodSecurityPolicy: disabled with global.tls.enabled=true and server.serverCert.secretName!=null" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/tls-init-podsecuritypolicy.yaml  \
16 |       --set 'global.enabled=true' \
17 |       --set 'global.tls.enabled=true' \
18 |       --set 'global.tls.caCert.secretName=test' \
19 |       --set 'server.serverCert.secretName=test' \
20 |       .
21 | }
22 | 
23 | @test "tlsInit/PodSecurityPolicy: disabled by default with TLS enabled" {
24 |   cd `chart_dir`
25 |   assert_empty helm template \
26 |       -s templates/tls-init-podsecuritypolicy.yaml  \
27 |       --set 'global.tls.enabled=true' \
28 |       .
29 | }
30 | 
31 | @test "tlsInit/PodSecurityPolicy: disabled with TLS disabled and global.enablePodSecurityPolicies=true" {
32 |   cd `chart_dir`
33 |   assert_empty helm template \
34 |       -s templates/tls-init-podsecuritypolicy.yaml  \
35 |       --set 'global.tls.enabled=false' \
36 |       --set 'global.enablePodSecurityPolicies=true' \
37 |       .
38 | }
39 | 
40 | @test "tlsInit/PodSecurityPolicy: enabled with TLS enabled and global.enablePodSecurityPolicies=true" {
41 |   cd `chart_dir`
42 |   local actual=$(helm template \
43 |       -s templates/tls-init-podsecuritypolicy.yaml  \
44 |       --set 'global.tls.enabled=true' \
45 |       --set 'global.enablePodSecurityPolicies=true' \
46 |       . | tee /dev/stderr |
47 |       yq -s 'length > 0' | tee /dev/stderr)
48 |   [ "${actual}" = "true" ]
49 | }
50 | 


--------------------------------------------------------------------------------
/test/unit/mesh-gateway-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "meshGateway/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/mesh-gateway-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "meshGateway/PodSecurityPolicy: enabled with meshGateway, connectInject enabled and global.enablePodSecurityPolicies=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/mesh-gateway-podsecuritypolicy.yaml  \
16 |       --set 'meshGateway.enabled=true' \
17 |       --set 'connectInject.enabled=true' \
18 |       --set 'global.enablePodSecurityPolicies=true' \
19 |       . | tee /dev/stderr |
20 |       yq 'length > 0' | tee /dev/stderr)
21 |   [ "${actual}" = "true" ]
22 | }
23 | 
24 | @test "meshGateway/PodSecurityPolicy: hostNetwork defaults to false" {
25 |   cd `chart_dir`
26 |   local actual=$(helm template \
27 |       -s templates/mesh-gateway-podsecuritypolicy.yaml  \
28 |       --set 'meshGateway.enabled=true' \
29 |       --set 'connectInject.enabled=true' \
30 |       --set 'global.enablePodSecurityPolicies=true' \
31 |       . | tee /dev/stderr |
32 |       yq '.spec.hostNetwork' | tee /dev/stderr)
33 |   [ "${actual}" = "false" ]
34 | }
35 | 
36 | @test "meshGateway/PodSecurityPolicy: hostNetwork allowed if set to true" {
37 |   cd `chart_dir`
38 |   local actual=$(helm template \
39 |       -s templates/mesh-gateway-podsecuritypolicy.yaml  \
40 |       --set 'meshGateway.enabled=true' \
41 |       --set 'connectInject.enabled=true' \
42 |       --set 'global.enablePodSecurityPolicies=true' \
43 |       --set 'meshGateway.hostNetwork=true' \
44 |       . | tee /dev/stderr |
45 |       yq '.spec.hostNetwork' | tee /dev/stderr)
46 |   [ "${actual}" = "true" ]
47 | }
48 | 


--------------------------------------------------------------------------------
/test/unit/server-acl-init-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "serverACLInit/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/server-acl-init-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "serverACLInit/PodSecurityPolicy: disabled with global.acls.manageSystemACLs=true and global.enablePodSecurityPolicies=false" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/server-acl-init-podsecuritypolicy.yaml  \
16 |       --set 'global.acls.manageSystemACLs=true' \
17 |       --set 'global.enablePodSecurityPolicies=false' \
18 |       .
19 | }
20 | 
21 | @test "serverACLInit/PodSecurityPolicy: enabled with global.acls.manageSystemACLs=true and global.enablePodSecurityPolicies=true" {
22 |   cd `chart_dir`
23 |   local actual=$(helm template \
24 |       -s templates/server-acl-init-podsecuritypolicy.yaml  \
25 |       --set 'global.acls.manageSystemACLs=true' \
26 |       --set 'global.enablePodSecurityPolicies=true' \
27 |       . | tee /dev/stderr |
28 |       yq 'length > 0' | tee /dev/stderr)
29 |   [ "${actual}" = "true" ]
30 | }
31 | 
32 | @test "serverACLInit/PodSecurityPolicy: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled=false" {
33 |   cd `chart_dir`
34 |   local actual=$(helm template \
35 |       -s templates/server-acl-init-podsecuritypolicy.yaml  \
36 |       --set 'server.enabled=false' \
37 |       --set 'global.acls.manageSystemACLs=true' \
38 |       --set 'global.enablePodSecurityPolicies=true' \
39 |       --set 'externalServers.enabled=true' \
40 |       --set 'externalServers.hosts[0]=foo.com' \
41 |       . | tee /dev/stderr |
42 |       yq 'length > 0' | tee /dev/stderr)
43 |   [ "${actual}" = "true" ]
44 | }
45 | 


--------------------------------------------------------------------------------
/test/unit/tls-init-cleanup-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "tlsInitCleanup/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/tls-init-cleanup-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "tlsInitCleanup/PodSecurityPolicy: disabled with global.tls.enabled=true and server.serverCert.secretName!=null" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/tls-init-cleanup-podsecuritypolicy.yaml  \
16 |       --set 'global.enabled=true' \
17 |       --set 'global.tls.enabled=true' \
18 |       --set 'global.tls.caCert.secretName=test' \
19 |       --set 'server.serverCert.secretName=test' \
20 |       .
21 | }
22 | 
23 | @test "tlsInitCleanup/PodSecurityPolicy: disabled by default with TLS enabled" {
24 |   cd `chart_dir`
25 |   assert_empty helm template \
26 |       -s templates/tls-init-cleanup-podsecuritypolicy.yaml  \
27 |       --set 'global.tls.enabled=true' \
28 |       .
29 | }
30 | 
31 | @test "tlsInitCleanup/PodSecurityPolicy: disabled with TLS disabled and global.enablePodSecurityPolicies=true" {
32 |   cd `chart_dir`
33 |   assert_empty helm template \
34 |       -s templates/tls-init-cleanup-podsecuritypolicy.yaml  \
35 |       --set 'global.tls.enabled=false' \
36 |       --set 'global.enablePodSecurityPolicies=true' \
37 |       .
38 | }
39 | 
40 | @test "tlsInitCleanup/PodSecurityPolicy: enabled with TLS enabled and global.enablePodSecurityPolicies=true" {
41 |   cd `chart_dir`
42 |   local actual=$(helm template \
43 |       -s templates/tls-init-cleanup-podsecuritypolicy.yaml  \
44 |       --set 'global.tls.enabled=true' \
45 |       --set 'global.enablePodSecurityPolicies=true' \
46 |       . | tee /dev/stderr |
47 |       yq -s 'length > 0' | tee /dev/stderr)
48 |   [ "${actual}" = "true" ]
49 | }
50 | 


--------------------------------------------------------------------------------
/templates/controller-clusterrole.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.controller.enabled }}
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | kind: ClusterRole
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-controller
 6 |   labels:
 7 |     app: {{ template "consul.name" . }}
 8 |     chart: {{ template "consul.chart" . }}
 9 |     heritage: {{ .Release.Service }}
10 |     release: {{ .Release.Name }}
11 |     component: controller
12 | rules:
13 | - apiGroups:
14 |   - consul.hashicorp.com
15 |   resources:
16 |   - servicedefaults
17 |   - serviceresolvers
18 |   - proxydefaults
19 |   - meshes
20 |   - servicerouters
21 |   - servicesplitters
22 |   - serviceintentions
23 |   - ingressgateways
24 |   - terminatinggateways
25 |   verbs:
26 |   - create
27 |   - delete
28 |   - get
29 |   - list
30 |   - patch
31 |   - update
32 |   - watch
33 | - apiGroups:
34 |   - consul.hashicorp.com
35 |   resources:
36 |   - servicedefaults/status
37 |   - serviceresolvers/status
38 |   - proxydefaults/status
39 |   - meshes/status
40 |   - servicerouters/status
41 |   - servicesplitters/status
42 |   - serviceintentions/status
43 |   - ingressgateways/status
44 |   - terminatinggateways/status
45 |   verbs:
46 |   - get
47 |   - patch
48 |   - update
49 | - apiGroups:
50 |   - coordination.k8s.io
51 |   resources:
52 |   - leases
53 |   verbs:
54 |   - create
55 |   - get
56 |   - list
57 |   - update
58 | {{- if .Values.global.acls.manageSystemACLs }}
59 | - apiGroups: [""]
60 |   resources:
61 |   - secrets
62 |   resourceNames:
63 |   - {{ template "consul.fullname" . }}-controller-acl-token
64 |   verbs:
65 |   - get
66 | {{- end }}
67 | {{- if .Values.global.enablePodSecurityPolicies }}
68 | - apiGroups: ["policy"]
69 |   resources: ["podsecuritypolicies"]
70 |   resourceNames:
71 |     - {{ template "consul.fullname" . }}-controller
72 |   verbs:
73 |     - use
74 | {{- end }}
75 | {{- end }}
76 | 


--------------------------------------------------------------------------------
/test/unit/server-acl-init-cleanup-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "serverACLInitCleanup/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/server-acl-init-cleanup-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "serverACLInitCleanup/PodSecurityPolicy: disabled with global.acls.manageSystemACLs=true and global.enablePodSecurityPolicies=false" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/server-acl-init-cleanup-podsecuritypolicy.yaml  \
16 |       --set 'global.acls.manageSystemACLs=true' \
17 |       --set 'global.enablePodSecurityPolicies=false' \
18 |       .
19 | }
20 | 
21 | @test "serverACLInitCleanup/PodSecurityPolicy: enabled with global.acls.manageSystemACLs=true and global.enablePodSecurityPolicies=true" {
22 |   cd `chart_dir`
23 |   local actual=$(helm template \
24 |       -s templates/server-acl-init-cleanup-podsecuritypolicy.yaml  \
25 |       --set 'global.acls.manageSystemACLs=true' \
26 |       --set 'global.enablePodSecurityPolicies=true' \
27 |       . | tee /dev/stderr |
28 |       yq 'length > 0' | tee /dev/stderr)
29 |   [ "${actual}" = "true" ]
30 | }
31 | 
32 | @test "serverACLInitCleanup/PodSecurityPolicy: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled set to false" {
33 |   cd `chart_dir`
34 |   local actual=$(helm template \
35 |       -s templates/server-acl-init-cleanup-podsecuritypolicy.yaml  \
36 |       --set 'server.enabled=false' \
37 |       --set 'global.acls.manageSystemACLs=true' \
38 |       --set 'global.enablePodSecurityPolicies=true' \
39 |       --set 'externalServers.enabled=true' \
40 |       --set 'externalServers.hosts[0]=foo.com' \
41 |       . | tee /dev/stderr |
42 |       yq 'length > 0' | tee /dev/stderr)
43 |   [ "${actual}" = "true" ]
44 | }
45 | 


--------------------------------------------------------------------------------
/test/unit/create-federation-secret-serviceaccount.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "createFederationSecret/ServiceAccount: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/create-federation-secret-serviceaccount.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "createFederationSecret/ServiceAccount: enabled with global.federation.createFederationSecret=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/create-federation-secret-serviceaccount.yaml  \
16 |       --set 'global.federation.createFederationSecret=true' \
17 |       --set 'global.federation.enabled=true' \
18 |       --set 'global.tls.enabled=true' \
19 |       --set 'meshGateway.enabled=true' \
20 |       --set 'connectInject.enabled=true' \
21 |       . | tee /dev/stderr |
22 |       yq 'length > 0' | tee /dev/stderr)
23 |   [ "${actual}" = "true" ]
24 | }
25 | 
26 | #--------------------------------------------------------------------
27 | # global.imagePullSecrets
28 | 
29 | @test "createFederationSecret/ServiceAccount: can set image pull secrets" {
30 |   cd `chart_dir`
31 |   local object=$(helm template \
32 |       -s templates/create-federation-secret-serviceaccount.yaml  \
33 |       --set 'global.federation.createFederationSecret=true' \
34 |       --set 'global.federation.enabled=true' \
35 |       --set 'global.tls.enabled=true' \
36 |       --set 'meshGateway.enabled=true' \
37 |       --set 'connectInject.enabled=true' \
38 |       --set 'global.imagePullSecrets[0].name=my-secret' \
39 |       --set 'global.imagePullSecrets[1].name=my-secret2' \
40 |       . | tee /dev/stderr)
41 | 
42 |   local actual=$(echo "$object" |
43 |       yq -r '.imagePullSecrets[0].name' | tee /dev/stderr)
44 |   [ "${actual}" = "my-secret" ]
45 | 
46 |   local actual=$(echo "$object" |
47 |       yq -r '.imagePullSecrets[1].name' | tee /dev/stderr)
48 |   [ "${actual}" = "my-secret2" ]
49 | }
50 | 


--------------------------------------------------------------------------------
/test/unit/server-acl-init-rolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "serverACLInit/RoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/server-acl-init-rolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "serverACLInit/RoleBinding: enabled with global.acls.manageSystemACLs=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/server-acl-init-rolebinding.yaml  \
16 |       --set 'global.acls.manageSystemACLs=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [ "${actual}" = "true" ]
20 | }
21 | 
22 | @test "serverACLInit/RoleBinding: disabled with server=false and global.acls.manageSystemACLs=true" {
23 |   cd `chart_dir`
24 |   assert_empty helm template \
25 |       -s templates/server-acl-init-rolebinding.yaml  \
26 |       --set 'global.acls.manageSystemACLs=true' \
27 |       --set 'server.enabled=false' \
28 |       .
29 | }
30 | 
31 | @test "serverACLInit/RoleBinding: enabled with client=false and global.acls.manageSystemACLs=true" {
32 |   cd `chart_dir`
33 |   local actual=$(helm template \
34 |       -s templates/server-acl-init-rolebinding.yaml  \
35 |       --set 'global.acls.manageSystemACLs=true' \
36 |       --set 'client.enabled=false' \
37 |       . | tee /dev/stderr |
38 |       yq 'length > 0' | tee /dev/stderr)
39 |   [ "${actual}" = "true" ]
40 | }
41 | 
42 | @test "serverACLInit/RoleBinding: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled set to false" {
43 |   cd `chart_dir`
44 |   local actual=$(helm template \
45 |       -s templates/server-acl-init-rolebinding.yaml \
46 |       --set 'server.enabled=false' \
47 |       --set 'global.acls.manageSystemACLs=true' \
48 |       --set 'externalServers.enabled=true' \
49 |       --set 'externalServers.hosts[0]=foo.com' \
50 |       . | tee /dev/stderr |
51 |       yq 'length > 0' | tee /dev/stderr)
52 |   [ "${actual}" = "true" ]
53 | }
54 | 


--------------------------------------------------------------------------------
/test/unit/ingress-gateways-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "ingressGateways/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/ingress-gateways-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "ingressGateways/PodSecurityPolicy: enabled with ingressGateways, connectInject enabled and global.enablePodSecurityPolicies=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/ingress-gateways-podsecuritypolicy.yaml  \
16 |       --set 'ingressGateways.enabled=true' \
17 |       --set 'connectInject.enabled=true' \
18 |       --set 'global.enablePodSecurityPolicies=true' \
19 |       . | tee /dev/stderr |
20 |       yq -s 'length > 0' | tee /dev/stderr)
21 |   [ "${actual}" = "true" ]
22 | }
23 | 
24 | @test "ingressGateways/PodSecurityPolicy: multiple gateways" {
25 |   cd `chart_dir`
26 |   local object=$(helm template \
27 |       -s templates/ingress-gateways-podsecuritypolicy.yaml  \
28 |       --set 'ingressGateways.enabled=true' \
29 |       --set 'connectInject.enabled=true' \
30 |       --set 'global.enablePodSecurityPolicies=true' \
31 |       --set 'ingressGateways.gateways[0].name=gateway1' \
32 |       --set 'ingressGateways.gateways[1].name=gateway2' \
33 |       . | tee /dev/stderr |
34 |       yq -s -r '.' | tee /dev/stderr)
35 | 
36 |   local actual=$(echo $object | yq '.[0] | length > 0' | tee /dev/stderr)
37 |   [ "${actual}" = "true" ]
38 | 
39 |   local actual=$(echo $object | yq '.[1] | length > 0' | tee /dev/stderr)
40 |   [ "${actual}" = "true" ]
41 | 
42 |   local actual=$(echo $object | yq '.[2] | length > 0' | tee /dev/stderr)
43 |   [ "${actual}" = "false" ]
44 | 
45 |   local actual=$(echo $object | yq -r '.[0].metadata.name' | tee /dev/stderr)
46 |   [ "${actual}" = "RELEASE-NAME-consul-gateway1" ]
47 | 
48 |   local actual=$(echo $object | yq -r '.[1].metadata.name' | tee /dev/stderr)
49 |   [ "${actual}" = "RELEASE-NAME-consul-gateway2" ]
50 | }
51 | 


--------------------------------------------------------------------------------
/test/unit/tls-init-cleanup-job.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "tlsInitCleanup/Job: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/tls-init-cleanup-job.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "tlsInitCleanup/Job: disabled with global.tls.enabled=true and server.serverCert.secretName!=null" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/tls-init-cleanup-job.yaml  \
16 |       --set 'global.enabled=true' \
17 |       --set 'global.tls.enabled=true' \
18 |       --set 'global.tls.caCert.secretName=test' \
19 |       --set 'server.serverCert.secretName=test' \
20 |       .
21 | }
22 | 
23 | @test "tlsInitCleanup/Job: disabled with global.enabled=false" {
24 |   cd `chart_dir`
25 |   assert_empty helm template \
26 |       -s templates/tls-init-cleanup-job.yaml  \
27 |       --set 'global.tls.enabled=true' \
28 |       --set 'global.enabled=false' \
29 |       .
30 | }
31 | 
32 | @test "tlsInitCleanup/Job: enabled with global.tls.enabled=true" {
33 |   cd `chart_dir`
34 |   local actual=$(helm template \
35 |       -s templates/tls-init-cleanup-job.yaml  \
36 |       --set 'global.tls.enabled=true' \
37 |       . | tee /dev/stderr |
38 |       yq 'length > 0' | tee /dev/stderr)
39 |   [ "${actual}" = "true" ]
40 | }
41 | 
42 | @test "tlsInitCleanup/Job: disabled when server.enabled=false" {
43 |   cd `chart_dir`
44 |   assert_empty helm template \
45 |       -s templates/tls-init-cleanup-job.yaml  \
46 |       --set 'global.tls.enabled=true' \
47 |       --set 'server.enabled=false' \
48 |       .
49 | }
50 | 
51 | @test "tlsInitCleanup/Job: enabled when global.tls.enabled=true and server.enabled=true" {
52 |   cd `chart_dir`
53 |   local actual=$(helm template \
54 |       -s templates/tls-init-cleanup-job.yaml  \
55 |       --set 'global.tls.enabled=true' \
56 |       --set 'server.enabled=true' \
57 |       . | tee /dev/stderr |
58 |       yq 'length > 0' | tee /dev/stderr)
59 |   [ "${actual}" = "true" ]
60 | }
61 | 


--------------------------------------------------------------------------------
/test/unit/tls-init-rolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "tlsInit/RoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/tls-init-rolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "tlsInit/RoleBinding: disabled with global.tls.enabled=true and server.serverCert.secretName!=null" {
13 |   cd `chart_dir`
14 |   assert_empty helm template \
15 |       -s templates/tls-init-rolebinding.yaml  \
16 |       --set 'global.enabled=true' \
17 |       --set 'global.tls.enabled=true' \
18 |       --set 'global.tls.caCert.secretName=test' \
19 |       --set 'server.serverCert.secretName=test' \
20 |       .
21 | }
22 | 
23 | @test "tlsInit/RoleBinding: disabled with global.enabled=false" {
24 |   cd `chart_dir`
25 |   assert_empty helm template \
26 |       -s templates/tls-init-rolebinding.yaml  \
27 |       --set 'global.tls.enabled=true' \
28 |       --set 'global.enabled=false' \
29 |       .
30 | }
31 | 
32 | @test "tlsInit/RoleBinding: enabled with global.tls.enabled" {
33 |   cd `chart_dir`
34 |   local actual=$(helm template \
35 |       -s templates/tls-init-rolebinding.yaml  \
36 |       --set 'global.tls.enabled=true' \
37 |       . | tee /dev/stderr |
38 |       yq 'length > 0' | tee /dev/stderr)
39 |   [ "${actual}" = "true" ]
40 | }
41 | 
42 | @test "tlsInit/RoleBinding: disabled when server.enabled=false" {
43 |   cd `chart_dir`
44 |   assert_empty helm template \
45 |       -s templates/tls-init-rolebinding.yaml  \
46 |       --set 'global.tls.enabled=true' \
47 |       --set 'server.enabled=false' \
48 |       .
49 | }
50 | 
51 | @test "tlsInit/RoleBinding: enabled when global.tls.enabled=true and server.enabled=true" {
52 |   cd `chart_dir`
53 |   local actual=$(helm template \
54 |       -s templates/tls-init-rolebinding.yaml  \
55 |       --set 'global.tls.enabled=true' \
56 |       --set 'server.enabled=true' \
57 |       . | tee /dev/stderr |
58 |       yq 'length > 0' | tee /dev/stderr)
59 |   [ "${actual}" = "true" ]
60 | }
61 | 


--------------------------------------------------------------------------------
/templates/ingress-gateways-service.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.ingressGateways.enabled }}
 2 | 
 3 | {{- $root := . }}
 4 | {{- $defaults := .Values.ingressGateways.defaults }}
 5 | 
 6 | {{- range .Values.ingressGateways.gateways }}
 7 | 
 8 | {{- $service := .service }}
 9 | apiVersion: v1
10 | kind: Service
11 | metadata:
12 |   name: {{ template "consul.fullname" $root }}-{{ .name }}
13 |   namespace: {{ $root.Release.Namespace }}
14 |   labels:
15 |     app: {{ template "consul.name" $root }}
16 |     chart: {{ template "consul.chart" $root }}
17 |     heritage: {{ $root.Release.Service }}
18 |     release: {{ $root.Release.Name }}
19 |     component: ingress-gateway
20 |     ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
21 |   {{- if (or $defaults.service.annotations $service.annotations) }}
22 |   # We allow both default annotations and gateway-specific annotations
23 |   annotations:
24 |     {{- if $defaults.service.annotations }}
25 |     {{ tpl $defaults.service.annotations $root | nindent 4 | trim }}
26 |     {{- end }}
27 |     {{- if $service.annotations }}
28 |     {{ tpl $service.annotations $root | nindent 4 | trim }}
29 |     {{- end }}
30 |   {{- end }}
31 | spec:
32 |   selector:
33 |     app: {{ template "consul.name" $root }}
34 |     release: "{{ $root.Release.Name }}"
35 |     component: ingress-gateway
36 |     ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
37 |   ports:
38 |     {{- range $index, $ports := (default $defaults.service.ports $service.ports) }}
39 |     - name: gateway-{{ $index }}
40 |       port: {{ $ports.port }}
41 |       {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }}
42 |       nodePort: {{ $ports.nodePort }}
43 |       {{- end}}
44 |     {{- end }}
45 |   type: {{ default $defaults.service.type $service.type }}
46 |   {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }}
47 |   {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }}
48 |   {{- end }}
49 | ---
50 | {{- end }}
51 | {{- end }}
52 | 


--------------------------------------------------------------------------------
/test/unit/terminating-gateways-podsecuritypolicy.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "terminatingGateways/PodSecurityPolicy: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/terminating-gateways-podsecuritypolicy.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "terminatingGateways/PodSecurityPolicy: enabled with terminatingGateways, connectInject and client.grpc enabled and global.enablePodSecurityPolicies=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/terminating-gateways-podsecuritypolicy.yaml  \
16 |       --set 'terminatingGateways.enabled=true' \
17 |       --set 'connectInject.enabled=true' \
18 |       --set 'global.enablePodSecurityPolicies=true' \
19 |       . | tee /dev/stderr |
20 |       yq -s 'length > 0' | tee /dev/stderr)
21 |   [ "${actual}" = "true" ]
22 | }
23 | 
24 | @test "terminatingGateways/PodSecurityPolicy: multiple gateways" {
25 |   cd `chart_dir`
26 |   local object=$(helm template \
27 |       -s templates/terminating-gateways-podsecuritypolicy.yaml  \
28 |       --set 'terminatingGateways.enabled=true' \
29 |       --set 'connectInject.enabled=true' \
30 |       --set 'global.enablePodSecurityPolicies=true' \
31 |       --set 'terminatingGateways.gateways[0].name=gateway1' \
32 |       --set 'terminatingGateways.gateways[1].name=gateway2' \
33 |       . | tee /dev/stderr |
34 |       yq -s -r '.' | tee /dev/stderr)
35 | 
36 |   local actual=$(echo $object | yq '.[0] | length > 0' | tee /dev/stderr)
37 |   [ "${actual}" = "true" ]
38 | 
39 |   local actual=$(echo $object | yq '.[1] | length > 0' | tee /dev/stderr)
40 |   [ "${actual}" = "true" ]
41 | 
42 |   local actual=$(echo $object | yq '.[2] | length > 0' | tee /dev/stderr)
43 |   [ "${actual}" = "false" ]
44 | 
45 |   local actual=$(echo $object | yq -r '.[0].metadata.name' | tee /dev/stderr)
46 |   [ "${actual}" = "RELEASE-NAME-consul-gateway1" ]
47 | 
48 |   local actual=$(echo $object | yq -r '.[1].metadata.name' | tee /dev/stderr)
49 |   [ "${actual}" = "RELEASE-NAME-consul-gateway2" ]
50 | }
51 | 


--------------------------------------------------------------------------------
/test/unit/server-acl-init-cleanup-rolebinding.bats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bats
 2 | 
 3 | load _helpers
 4 | 
 5 | @test "serverACLInitCleanup/RoleBinding: disabled by default" {
 6 |   cd `chart_dir`
 7 |   assert_empty helm template \
 8 |       -s templates/server-acl-init-cleanup-rolebinding.yaml  \
 9 |       .
10 | }
11 | 
12 | @test "serverACLInitCleanup/RoleBinding: enabled with global.acls.manageSystemACLs=true" {
13 |   cd `chart_dir`
14 |   local actual=$(helm template \
15 |       -s templates/server-acl-init-cleanup-rolebinding.yaml  \
16 |       --set 'global.acls.manageSystemACLs=true' \
17 |       . | tee /dev/stderr |
18 |       yq 'length > 0' | tee /dev/stderr)
19 |   [ "${actual}" = "true" ]
20 | }
21 | 
22 | @test "serverACLInitCleanup/RoleBinding: disabled with server=false and global.acls.manageSystemACLs=true" {
23 |   cd `chart_dir`
24 |   assert_empty helm template \
25 |       -s templates/server-acl-init-cleanup-rolebinding.yaml  \
26 |       --set 'global.acls.manageSystemACLs=true' \
27 |       --set 'server.enabled=false' \
28 |       .
29 | }
30 | 
31 | @test "serverACLInitCleanup/RoleBinding: enabled with client=false and global.acls.manageSystemACLs=true" {
32 |   cd `chart_dir`
33 |   local actual=$(helm template \
34 |       -s templates/server-acl-init-cleanup-rolebinding.yaml  \
35 |       --set 'global.acls.manageSystemACLs=true' \
36 |       --set 'client.enabled=false' \
37 |       . | tee /dev/stderr |
38 |       yq 'length > 0' | tee /dev/stderr)
39 |   [ "${actual}" = "true" ]
40 | }
41 | 
42 | @test "serverACLInitCleanup/RoleBinding: enabled with externalServers.enabled=true and global.acls.manageSystemACLs=true, but server.enabled set to false" {
43 |   cd `chart_dir`
44 |   local actual=$(helm template \
45 |       -s templates/server-acl-init-cleanup-rolebinding.yaml  \
46 |       --set 'server.enabled=false' \
47 |       --set 'global.acls.manageSystemACLs=true' \
48 |       --set 'externalServers.enabled=true' \
49 |       --set 'externalServers.hosts[0]=foo.com' \
50 |       . | tee /dev/stderr |
51 |       yq 'length > 0' | tee /dev/stderr)
52 |   [ "${actual}" = "true" ]
53 | }
54 | 


--------------------------------------------------------------------------------
/test/terraform/gke/main.tf:
--------------------------------------------------------------------------------
 1 | provider "google-beta" {
 2 |   project = var.project
 3 |   version = "~> 3.49.0"
 4 | }
 5 | 
 6 | resource "random_id" "suffix" {
 7 |   count       = var.cluster_count
 8 |   byte_length = 4
 9 | }
10 | 
11 | data "google_container_engine_versions" "main" {
12 |   location       = var.zone
13 |   version_prefix = "1.17."
14 | }
15 | 
16 | resource "google_container_cluster" "cluster" {
17 |   provider = "google-beta"
18 | 
19 |   count = var.cluster_count
20 | 
21 |   name               = "consul-k8s-${random_id.suffix[count.index].dec}"
22 |   project            = var.project
23 |   initial_node_count = 3
24 |   location           = var.zone
25 |   min_master_version = data.google_container_engine_versions.main.latest_master_version
26 |   node_version       = data.google_container_engine_versions.main.latest_master_version
27 | 
28 |   pod_security_policy_config {
29 |     enabled = false # Helm does not currently work with pod security policies enabled, the acceptance tests fail with this enabled. Re-enable after fixing.
30 |   }
31 | 
32 |   resource_labels = var.labels
33 | }
34 | 
35 | resource "null_resource" "kubectl" {
36 |   count = var.init_cli ? var.cluster_count : 0
37 | 
38 |   triggers = {
39 |     cluster = google_container_cluster.cluster[count.index].id
40 |   }
41 | 
42 |   # On creation, we want to setup the kubectl credentials. The easiest way
43 |   # to do this is to shell out to gcloud.
44 |   provisioner "local-exec" {
45 |     command = "KUBECONFIG=$HOME/.kube/${google_container_cluster.cluster[count.index].name} gcloud container clusters get-credentials --zone=${var.zone} ${google_container_cluster.cluster[count.index].name}"
46 |   }
47 | 
48 |   # On destroy we want to try to clean up the kubectl credentials. This
49 |   # might fail if the credentials are already cleaned up or something so we
50 |   # want this to continue on failure. Generally, this works just fine since
51 |   # it only operates on local data.
52 |   provisioner "local-exec" {
53 |     when       = destroy
54 |     on_failure = continue
55 |     command    = "rm $HOME/.kube/consul-k8s*"
56 |   }
57 | }
58 | 


--------------------------------------------------------------------------------
/templates/webhook-cert-manager-configmap.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or .Values.connectInject.enabled .Values.controller.enabled}}
 2 | apiVersion: v1
 3 | kind: ConfigMap
 4 | metadata:
 5 |   name: {{ template "consul.fullname" . }}-webhook-cert-manager-config
 6 |   namespace: {{ .Release.Namespace }}
 7 |   labels:
 8 |     app: {{ template "consul.name" . }}
 9 |     chart: {{ template "consul.chart" . }}
10 |     heritage: {{ .Release.Service }}
11 |     release: {{ .Release.Name }}
12 |     component: webhook-cert-manager
13 | data:
14 |   webhook-config.json: |-
15 |     [
16 |     {{- if .Values.connectInject.enabled }}
17 |       {
18 |         "name": "{{ template "consul.fullname" . }}-connect-injector-cfg",
19 |         "tlsAutoHosts": [
20 |           "{{ template "consul.fullname" . }}-connect-injector-svc",
21 |           "{{ template "consul.fullname" . }}-connect-injector-svc.{{ .Release.Namespace }}",
22 |           "{{ template "consul.fullname" . }}-connect-injector-svc.{{ .Release.Namespace }}.svc",
23 |           "{{ template "consul.fullname" . }}-connect-injector-svc.{{ .Release.Namespace }}.svc.cluster.local"
24 |         ],
25 |         "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert",
26 |         "secretNamespace": "{{ .Release.Namespace }}"
27 |       }{{- if and .Values.controller.enabled }},{{- end }}{{- end }}
28 |     {{- if and .Values.controller.enabled }}
29 |       {
30 |         "name": "{{ template "consul.fullname" . }}-controller-mutating-webhook-configuration",
31 |         "tlsAutoHosts": [
32 |           "{{ template "consul.fullname" . }}-controller-webhook",
33 |           "{{ template "consul.fullname" . }}-controller-webhook.{{ .Release.Namespace }}",
34 |           "{{ template "consul.fullname" . }}-controller-webhook.{{ .Release.Namespace }}.svc",
35 |           "{{ template "consul.fullname" . }}-controller-webhook.{{ .Release.Namespace }}.svc.cluster.local"
36 |         ],
37 |         "secretName": "{{ template "consul.fullname" . }}-controller-webhook-cert",
38 |         "secretNamespace": "{{ .Release.Namespace }}"
39 |       }
40 |     {{- end }}
41 |     ]
42 |   {{- end }}


--------------------------------------------------------------------------------