diff --git a/charts/consul/templates/server-config-configmap.yaml b/charts/consul/templates/server-config-configmap.yaml index 3ac7a29fd4..2fa1842048 100644 --- a/charts/consul/templates/server-config-configmap.yaml +++ b/charts/consul/templates/server-config-configmap.yaml @@ -12,6 +12,24 @@ metadata: release: {{ .Release.Name }} component: server data: + server.json: | + { + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + "domain": "{{ .Values.global.domain }}", + "ports": { + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + "server": true + } {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} {{- with .Values.global.secretsBackend.vault }} 
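Review bot: `datacenter` and `domain` are interpolated inside JSON string literals without escaping (`"datacenter": "{{ .Values.global.datacenter }}"`, `"domain": "{{ .Values.global.domain }}"`), so a value containing `"` or `\` produces an invalid `server.json` and the agent will most likely refuse to start; rendering them as `"datacenter": {{ .Values.global.datacenter | toJson }},` (no surrounding quotes) keeps the file valid for any value, as `recursors` already does. The same applies to `ui.dashboardURLTemplates.service` in the next hunk. `"enabled": {{ .Values.server.connect }}` renders an empty value if `server.connect` is ever null, which is also invalid JSON where the old `{{- if .Values.server.connect }}` guard was safe; `{{ .Values.server.connect | default false | toJson }}` or restoring the guard avoids that. Minor style point: `server.json: |` keeps a trailing newline while every other key in this ConfigMap uses `|-`.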
@@ -62,15 +80,52 @@ data: } } {{- end }} - {{- if (and .Values.ui.enabled (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString))))) }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key", + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key", + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + {{- if .Values.global.tls.verify }} + "verify_incoming_rpc": true, + "verify_outgoing": true, + "verify_server_hostname": true, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} ui-config.json: |- { "ui_config": { - "enabled": true, + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} "metrics_provider": "{{ .Values.ui.metrics.provider }}", "metrics_proxy": { "base_url": "{{ .Values.ui.metrics.baseURL }}" - } + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true } } {{- end }} 
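Review bot: Moving `verify_incoming_rpc`, `verify_outgoing` and `verify_server_hostname` from `-hcl` flags into `tls-config.json` under `/consul/config` appears to change their precedence: the command in `server-statefulset.yaml` (hunks at -276 and -355) still passes `-config-file=/consul/extra-config/extra-from-values.json` after `-config-dir=/consul/config`, so `server.extraConfig` (and any extra config dirs) can now set these keys back to false, whereas, as far as I know, `-hcl` fragments took precedence over file config. If that is intended, say so above the `{{- if .Values.global.tls.verify }}` block, e.g. `# verify_* may be overridden by server.extraConfig (previously fixed via -hcl flags)`; if not, these keys should stay on the command line. Separately, `"service": "{{ .Values.ui.dashboardURLTemplates.service }}"` embeds a user value in a JSON string unescaped; `"service": {{ .Values.ui.dashboardURLTemplates.service | toJson }}` handles `"` and `\` (it also encodes `&` as `\u0026`, which `jq` decodes, so the new test should still pass).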
@@ -82,7 +137,18 @@ data: federation-config.json: |- { "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", - "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }} + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}" + } } {{- end }} {{- end }} diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml index d83e9d5c50..56a1904cd9 100644 --- a/charts/consul/templates/server-statefulset.yaml +++ b/charts/consul/templates/server-statefulset.yaml @@ -205,10 +205,6 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - name: CONSUL_DISABLE_PERM_MGMT value: "true" {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} @@ -262,8 +258,6 @@ spec: - "/bin/sh" - "-ec" - | - CONSUL_FULLNAME="{{template "consul.fullname" . }}" - {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} GOSSIP_KEY=`cat /vault/secrets/gossip.txt` {{- end }} 
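Review bot: `federation-config.json` now defines a `connect` block while `server.json` (first hunk of this file) also defines `connect.enabled`; files in `-config-dir` are loaded in lexical order, so `server.json` comes after `federation-config.json` and correctness relies on the agent merging the two objects field by field rather than the later file replacing the earlier one. The old `-hcl` fragments had the same dependency, but with two files it is now easier to break by restating a key in both. A one-line comment above the new block would make the contract explicit, e.g. `# merged field-by-field with the connect block in server.json; do not restate "enabled" here`. The enclosing `{{- if .Values.global.federation.enabled }}` starts outside the hunk.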
@@ -276,48 +270,10 @@ spec: exec /usr/local/bin/docker-entrypoint.sh consul agent \ -advertise="${ADVERTISE_IP}" \ - -bind=0.0.0.0 \ - -bootstrap-expect={{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }} \ - {{- if .Values.global.tls.enabled }} - {{- if .Values.global.secretsBackend.vault.enabled }} - -hcl='ca_file = "/vault/secrets/serverca.crt"' \ - -hcl='cert_file = "/vault/secrets/servercert.crt"' \ - -hcl='key_file = "/vault/secrets/servercert.key"' \ - {{- else }} - -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ - -hcl='cert_file = "/consul/tls/server/tls.crt"' \ - -hcl='key_file = "/consul/tls/server/tls.key"' \ - {{- end }} - {{- if .Values.global.tls.enableAutoEncrypt }} - -hcl='auto_encrypt = {allow_tls = true}' \ - {{- end }} - {{- if .Values.global.tls.verify }} - -hcl='verify_incoming_rpc = true' \ - -hcl='verify_outgoing = true' \ - -hcl='verify_server_hostname = true' \ - {{- end }} - -hcl='ports { https = 8501 }' \ - {{- if .Values.global.tls.httpsOnly }} - -hcl='ports { http = -1 }' \ - {{- end }} - {{- end }} - -client=0.0.0.0 \ -config-dir=/consul/config \ - -datacenter={{ .Values.global.datacenter }} \ - -data-dir=/consul/data \ - -domain={{ .Values.global.domain }} \ {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} -encrypt="${GOSSIP_KEY}" \ {{- end }} - {{- if .Values.server.connect }} - -hcl="connect { enabled = true }" \ - {{- end }} - {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} - -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ - {{- end }} - {{- if .Values.global.federation.enabled }} - -hcl="connect { enable_mesh_gateway_wan_federation = true }" \ - {{- end }} {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) 
}} {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} -config-file=/vault/secrets/replication-token-config.hcl \ @@ -325,20 +281,6 @@ spec: -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ {{- end }} {{- end }} - {{- if .Values.ui.enabled }} - -ui \ - {{- if .Values.ui.dashboardURLTemplates.service }} - -hcl='ui_config { dashboard_url_templates { service = "{{ .Values.ui.dashboardURLTemplates.service }}" } }' \ - {{- end }} - {{- end }} - {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} - {{- range $index := until (.Values.server.replicas | int) }} - -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ - {{- end }} - -serf-lan-port={{ .Values.server.ports.serflan.port }} \ - {{- range $value := .Values.global.recursors }} - -recursor={{ quote $value }} \ - {{- end }} {{- if (and .Values.dns.enabled .Values.dns.enableRedirection) }} $recursor_flags \ {{- end }} @@ -355,8 +297,7 @@ spec: -config-dir=/consul/userconfig/{{ .name }} \ {{- end }} {{- end }} - -config-file=/consul/extra-config/extra-from-values.json \ - -server + -config-file=/consul/extra-config/extra-from-values.json volumeMounts: - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} mountPath: /consul/data diff --git a/charts/consul/test/unit/server-config-configmap.bats b/charts/consul/test/unit/server-config-configmap.bats index 6fddfe7be2..c7a250ffa3 100755 --- a/charts/consul/test/unit/server-config-configmap.bats +++ b/charts/consul/test/unit/server-config-configmap.bats 
@@ -48,6 +48,89 @@ load _helpers [ ! -z "${actual}" ] } +#-------------------------------------------------------------------- +# retry-join + +@test "server/ConfigMap: retry join gets populated" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'server.replicas=3' \ + . | tee /dev/stderr | + yq -r '.data["server.json"]' | jq -r .retry_join[0] | tee /dev/stderr) + + [ "${actual}" = "RELEASE-NAME-consul-server.default.svc:8301" ] +} + +#-------------------------------------------------------------------- +# serflan + +@test "server/ConfigMap: server.ports.serflan.port is set to 8301 by default" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + . | tee /dev/stderr | + yq -r '.data["server.json"]' | jq -r .ports.serf_lan | tee /dev/stderr) + + [ "${actual}" = "8301" ] +} + +@test "server/ConfigMap: server.ports.serflan.port can be customized" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'server.ports.serflan.port=9301' \ + . | tee /dev/stderr | + yq -r '.data["server.json"]' | jq -r .ports.serf_lan | tee /dev/stderr) + + [ "${actual}" = "9301" ] +} + +@test "server/ConfigMap: retry join uses server.ports.serflan.port" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'server.replicas=3' \ + --set 'server.ports.serflan.port=9301' \ + . | tee /dev/stderr | + yq -r '.data["server.json"]' | jq -r .retry_join[0] | tee /dev/stderr) + + [ "${actual}" = "RELEASE-NAME-consul-server.default.svc:9301" ] +} + +@test "server/ConfigMap: recursors can be set by global.recursors" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'global.recursors[0]=1.1.1.1' \ + --set 'global.recursors[1]=2.2.2.2' \ + . 
| tee /dev/stderr | + yq -r '.data["server.json"]' | jq -c .recursors | tee /dev/stderr) + [ "${actual}" = '["1.1.1.1","2.2.2.2"]' ] +} + +#-------------------------------------------------------------------- +# bootstrap_expect + +@test "server/ConfigMap: bootstrap_expect defaults to replicas" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + . | tee /dev/stderr | + yq -r '.data["server.json"]' | jq .bootstrap_expect | tee /dev/stderr) + [ "${actual}" = "3" ] +} + +@test "server/ConfigMap: bootstrap_expect can be set by server.bootstrapExpect" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'server.bootstrapExpect=5' \ + . | tee /dev/stderr | + yq -r '.data["server.json"]' | jq .bootstrap_expect | tee /dev/stderr) + [ "${actual}" = "5" ] +} + #-------------------------------------------------------------------- # global.acls.manageSystemACLs 
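Review bot: The two retry-join tests set `server.replicas=3`, but the new `retry_join` value is a single headless-service address that does not depend on the replica count, so the flag is dead and the tests only inspect `.retry_join[0]`. Asserting the whole array pins the new behaviour that exactly one entry is emitted: `yq -r '.data["server.json"]' | jq -c .retry_join | tee /dev/stderr)` with `[ "${actual}" = '["RELEASE-NAME-consul-server.default.svc:8301"]' ]` (and the `:9301` variant in the serflan test). The `--set 'server.replicas=3'` lines can then be dropped.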
@@ -62,61 +145,84 @@ load _helpers } #-------------------------------------------------------------------- -# global.metrics.enabled & ui.enabled +# ui.enabled -@test "server/ConfigMap: creates ui config with .ui.enabled=true and .global.metrics.enabled=true" { +@test "server/ConfigMap: creates ui config with .ui.enabled=true" { cd `chart_dir` local actual=$(helm template \ -s templates/server-config-configmap.yaml \ - --set 'global.metrics.enabled=true' \ --set 'ui.enabled=true' \ . | tee /dev/stderr | - yq '.data["ui-config.json"] | length > 0' | tee /dev/stderr) + yq -r '.data["ui-config.json"]' | jq -c .ui_config | tee /dev/stderr) + [ "${actual}" = '{"enabled":true}' ] +} + +@test "server/ConfigMap: does not create ui config with .ui.enabled=false" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'ui.enabled=false' \ + . | tee /dev/stderr | + yq '.data["ui-config.json"] | length == 0' | tee /dev/stderr) [ "${actual}" = "true" ] } -@test "server/ConfigMap: creates ui config with .ui.enabled=true and .ui.metrics.enabled=true" { +@test "server/ConfigMap: adds metrics ui config with .global.metrics.enabled=true and ui.metrics.enabled=-" { cd `chart_dir` local actual=$(helm template \ -s templates/server-config-configmap.yaml \ - --set 'ui.metrics.enabled=true' \ + --set 'global.metrics.enabled=true' \ --set 'ui.enabled=true' \ . 
| tee /dev/stderr | - yq '.data["ui-config.json"] | length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] + yq -r '.data["ui-config.json"]' | jq -c .ui_config | tee /dev/stderr) + [ "${actual}" = '{"metrics_provider":"prometheus","metrics_proxy":{"base_url":"http://prometheus-server"},"enabled":true}' ] } -@test "server/ConfigMap: does not create ui config when .ui.enabled=false and .ui.metrics.enabled=true" { +@test "server/ConfigMap: adds metrics ui config with .global.metrics.enabled=false and .ui.metrics.enabled=true" { cd `chart_dir` local actual=$(helm template \ -s templates/server-config-configmap.yaml \ - --set 'ui.enabled=false' \ - --set 'ui.metrics.enabled=false' \ + --set 'ui.metrics.enabled=true' \ + --set 'ui.enabled=true' \ . | tee /dev/stderr | - yq -r '.data["ui-config.json"] | length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + yq -r '.data["ui-config.json"]' | jq -c .ui_config | tee /dev/stderr) + [ "${actual}" = '{"metrics_provider":"prometheus","metrics_proxy":{"base_url":"http://prometheus-server"},"enabled":true}' ] } -@test "server/ConfigMap: does not create ui config when .ui.enabled=true and .global.metrics.enabled=false" { +@test "server/ConfigMap: adds metrics ui config with .global.metrics.enabled=true and .ui.metrics.enabled=true" { cd `chart_dir` local actual=$(helm template \ -s templates/server-config-configmap.yaml \ + --set 'global.metrics.enabled=true' \ + --set 'ui.metrics.enabled=true' \ --set 'ui.enabled=true' \ - --set 'global.metrics.enabled=false' \ . 
| tee /dev/stderr | - yq -r '.data["ui-config.json"] | length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + yq -r '.data["ui-config.json"]' | jq -c .ui_config | tee /dev/stderr) + [ "${actual}" = '{"metrics_provider":"prometheus","metrics_proxy":{"base_url":"http://prometheus-server"},"enabled":true}' ] } -@test "server/ConfigMap: does not create ui config when .ui.enabled=true and .ui.metrics.enabled=false" { +@test "server/ConfigMap: doesn't add metrics ui config with .global.metrics.enabled=true and .ui.metrics.enabled=false" { cd `chart_dir` local actual=$(helm template \ -s templates/server-config-configmap.yaml \ + --set 'global.metrics.enabled=true' \ + --set 'ui.metrics.enabled=false' \ --set 'ui.enabled=true' \ + . | tee /dev/stderr | + yq -r '.data["ui-config.json"]' | jq -c .ui_config | tee /dev/stderr) + [ "${actual}" = '{"enabled":true}' ] +} + +@test "server/ConfigMap: doesn't add metrics ui config with .global.metrics.enabled=false and .ui.metrics.enabled=false" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'global.metrics.enabled=false' \ --set 'ui.metrics.enabled=false' \ + --set 'ui.enabled=true' \ . | tee /dev/stderr | - yq -r '.data["ui-config.json"] | length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] + yq -r '.data["ui-config.json"]' | jq -c .ui_config | tee /dev/stderr) + [ "${actual}" = '{"enabled":true}' ] } @test "server/ConfigMap: updates ui config with .ui.metrics.provider" { 
@@ -143,6 +249,34 @@ load _helpers [ "${actual}" = "http://foo.bar" ] } +#-------------------------------------------------------------------- +# ui.dashboardURLTemplates.service + +@test "server/ConfigMap: dashboard_url_templates not set by default" { + cd `chart_dir` + + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + . | tee /dev/stderr | + yq -r '.data["ui-config.json"]' | jq .dashboard_url_templates | tee /dev/stderr) + + [ "${actual}" = "null" ] +} + +@test "server/ConfigMap: ui.dashboardURLTemplates.service sets the template" { + cd `chart_dir` + + local expected='-hcl='\''ui_config { dashboard_url_templates { service = \"http://localhost:3000/d/WkFEBmF7z/services?orgId=1&var-Service={{Service.Name}}\" } }' + + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'ui.dashboardURLTemplates.service=http://localhost:3000/d/WkFEBmF7z/services?orgId=1&var-Service={{Service.Name}}' \ + . | tee /dev/stderr | + yq -r '.data["ui-config.json"]' | jq -c .ui_config.dashboard_url_templates | tee /dev/stderr) + + [ "${actual}" = '{"service":"http://localhost:3000/d/WkFEBmF7z/services?orgId=1&var-Service={{Service.Name}}"}' ] +} + #-------------------------------------------------------------------- # connectInject.centralConfig [DEPRECATED] @@ -494,7 +628,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "server/ConfigMap: doesn't add federation config by default" { +@test "server/ConfigMap: doesn't add federation config when global.federation.enabled is false (default)" { cd `chart_dir` local actual=$(helm template \ -s templates/server-config-configmap.yaml \ 
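Review bot: `local expected='-hcl='\''ui_config { dashboard_url_templates { ... } }'` in "ui.dashboardURLTemplates.service sets the template" is a leftover from the StatefulSet version of this test: it is never compared against anything, and its value is a command-line `-hcl` fragment that no longer exists anywhere in the chart. Remove the line, or replace it with the JSON the test actually expects and use `[ "${actual}" = "${expected}" ]` in the final assertion. The federation test rename in the second hunk is fine.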
@@ -503,23 +637,23 @@ load _helpers [ "${actual}" = "false" ] } -@test "server/ConfigMap: adds empty federation config when global.federation.enabled is true" { +@test "server/ConfigMap: adds default federation config when global.federation.enabled is true" { cd `chart_dir` local actual=$(helm template \ - -s templates/server-config-configmap.yaml \ + -s templates/server-config-configmap.yaml \ --set 'global.federation.enabled=true' \ --set 'global.tls.enabled=true' \ --set 'meshGateway.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq '.data["federation-config.json"]' | tee /dev/stderr) - [ "${actual}" = '"{\n \"primary_datacenter\": \"\",\n \"primary_gateways\": []\n}"' ] + yq -r '.data["federation-config.json"]' | jq -c . | tee /dev/stderr) + [ "${actual}" = '{"primary_datacenter":"","primary_gateways":[],"connect":{"enable_mesh_gateway_wan_federation":true}}' ] } @test "server/ConfigMap: can set primary dc and gateways when global.federation.enabled is true" { cd `chart_dir` local actual=$(helm template \ - -s templates/server-config-configmap.yaml \ + -s templates/server-config-configmap.yaml \ --set 'global.federation.enabled=true' \ --set 'global.federation.primaryDatacenter=dc1' \ --set 'global.federation.primaryGateways[0]=1.1.1.1:443' \ 
@@ -528,6 +662,139 @@ load _helpers --set 'meshGateway.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq '.data["federation-config.json"]' | tee /dev/stderr) - [ "${actual}" = '"{\n \"primary_datacenter\": \"dc1\",\n \"primary_gateways\": [\"1.1.1.1:443\",\"2.2.2.2:443\"]\n}"' ] + yq -r '.data["federation-config.json"]' | jq -c . | tee /dev/stderr) + [ "${actual}" = '{"primary_datacenter":"dc1","primary_gateways":["1.1.1.1:443","2.2.2.2:443"],"connect":{"enable_mesh_gateway_wan_federation":true}}' ] +} + +#-------------------------------------------------------------------- +# TLS + +@test "server/ConfigMap: sets correct default configuration when global.tls.enabled" { + cd `chart_dir` + local config=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'global.tls.enabled=true' \ + . | tee /dev/stderr | + yq -r '.data["tls-config.json"]' | tee /dev/stderr) + + local actual + actual=$(echo $config | jq -r .ca_file | tee /dev/stderr) + [ "${actual}" = "/consul/tls/ca/tls.crt" ] + + actual=$(echo $config | jq -r .cert_file | tee /dev/stderr) + [ "${actual}" = "/consul/tls/server/tls.crt" ] + + actual=$(echo $config | jq -r .key_file | tee /dev/stderr) + [ "${actual}" = "/consul/tls/server/tls.key" ] + + actual=$(echo $config | jq -r .verify_incoming_rpc | tee /dev/stderr) + [ "${actual}" = "true" ] + + actual=$(echo $config | jq -r .verify_outgoing | tee /dev/stderr) + [ "${actual}" = "true" ] + + actual=$(echo $config | jq -r .verify_server_hostname | tee /dev/stderr) + [ "${actual}" = "true" ] + + actual=$(echo $config | jq -c .ports | tee /dev/stderr) + [ "${actual}" = '{"http":-1,"https":8501}' ] +} + +@test "server/ConfigMap: doesn't set verify_* configuration to true when global.tls.enabled and global.tls.verify is false" { + cd `chart_dir` + local config=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.verify=false' \ + . 
| tee /dev/stderr | + yq -r '.data["tls-config.json"]' | tee /dev/stderr) + + local actual + actual=$(echo $config | jq -r .verify_incoming_rpc | tee /dev/stderr) + [ "${actual}" = "null" ] + + actual=$(echo $config | jq -r .verify_outgoing | tee /dev/stderr) + [ "${actual}" = "null" ] + + actual=$(echo $config | jq -r .verify_server_hostname | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ConfigMap: HTTP port is not set in when httpsOnly is false" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.httpsOnly=false' \ + . | tee /dev/stderr | + yq -r '.data["tls-config.json"]' | jq -c .ports | tee /dev/stderr) + [ "${actual}" = '{"https":8501}' ] +} + +#-------------------------------------------------------------------- +# global.tls.enableAutoEncrypt + +@test "server/ConfigMap: enables auto-encrypt for the servers when global.tls.enableAutoEncrypt is true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . 
| tee /dev/stderr | + yq -r '.data["tls-config.json"]' | jq -c .auto_encrypt | tee /dev/stderr) + [ "${actual}" = '{"allow_tls":true}' ] +} + +#-------------------------------------------------------------------- +# TLS + Vault + +@test "server/ConfigMap: sets TLS file paths point to vault secrets when Vault is enabled" { + cd `chart_dir` + local object=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc2' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulClientRole=test' \ + --set 'global.secretsBackend.vault.consulServerRole=foo' \ + --set 'global.secretsBackend.vault.consulCARole=test' \ + --set 'global.tls.caCert.secretName=pki_int/cert/ca' \ + --set 'server.serverCert.secretName=pki_int/issue/test' \ + . | tee /dev/stderr | + yq -r '.data["tls-config.json"]' | tee /dev/stderr) + + local actual=$(echo $object | jq -r .ca_file | tee /dev/stderr) + [ "${actual}" = "/vault/secrets/serverca.crt" ] + + local actual=$(echo $object | jq -r .cert_file | tee /dev/stderr) + [ "${actual}" = "/vault/secrets/servercert.crt" ] + + local actual=$(echo $object | jq -r .key_file | tee /dev/stderr) + [ "${actual}" = "/vault/secrets/servercert.key" ] +} + +@test "server/ConfigMap: when global.metrics.enableAgentMetrics=true, sets telemetry config" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'global.metrics.enabled=true' \ + --set 'global.metrics.enableAgentMetrics=true' \ + . 
| tee /dev/stderr | + yq -r '.data["telemetry-config.json"]' | jq -r .telemetry.prometheus_retention_time | tee /dev/stderr) + + [ "${actual}" = "1m" ] +} + +@test "server/ConfigMap: when global.metrics.enableAgentMetrics=true and global.metrics.agentMetricsRetentionTime is set, sets telemetry config with updated retention time" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + --set 'global.metrics.enabled=true' \ + --set 'global.metrics.enableAgentMetrics=true' \ + --set 'global.metrics.agentMetricsRetentionTime=5m' \ + . | tee /dev/stderr | + yq -r '.data["telemetry-config.json"]' | jq -r .telemetry.prometheus_retention_time | tee /dev/stderr) + + [ "${actual}" = "5m" ] } \ No newline at end of file diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats index 24b811e19f..51fc130261 100755 --- a/charts/consul/test/unit/server-statefulset.bats +++ b/charts/consul/test/unit/server-statefulset.bats @@ -39,17 +39,15 @@ load _helpers } #-------------------------------------------------------------------- -# retry-join +# server.replicas and server.bootstrapExpect -@test "server/StatefulSet: retry join gets populated" { +@test "server/StatefulSet: errors if bootstrapExpect < replicas" { cd `chart_dir` - local actual=$(helm template \ + run helm template \ -s templates/server-statefulset.yaml \ - --set 'server.replicas=3' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command | any(contains("-retry-join"))' | tee /dev/stderr) - - [ "${actual}" = "true" ] + --set 'server.bootstrapExpect=1' . + [ "$status" -eq 1 ] + [[ "$output" =~ "server.bootstrapExpect cannot be less than server.replicas" ]] } #-------------------------------------------------------------------- 
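Review bot: `actual=$(echo $config | jq -r .ca_file | tee /dev/stderr)` and the other assertions in the new TLS tests expand `$config` (and `$object` in the Vault test) unquoted, so the rendered JSON is word-split and glob-expanded before jq sees it; it works today only because no value contains a glob character. Quote it in each assertion, `actual=$(echo "$config" | jq -r .ca_file | tee /dev/stderr)`, as the StatefulSet tests already do with `echo "$object"`. In the Vault test `local actual=` is re-declared three times; one `local actual` followed by plain assignments matches the style of the other new tests, and `--set 'global.datacenter=dc2'` there does not influence `tls-config.json` and can be dropped.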
@@ -329,9 +327,6 @@ load _helpers local command=$(echo "$object" | yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) - - local actual=$(echo $command | jq -r ' . | any(contains("-serf-lan-port=8301"))' | tee /dev/stderr) - [ "${actual}" = "true" ] } @test "server/StatefulSet: server.ports.serflan.port can be customized" { @@ -351,28 +346,6 @@ load _helpers local command=$(echo "$object" | yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) - - local actual=$(echo $command | jq -r ' . | any(contains("-serf-lan-port=9301"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "server/StatefulSet: retry join uses server.ports.serflan.port" { - cd `chart_dir` - local command=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'server.replicas=3' \ - --set 'server.ports.serflan.port=9301' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"${CONSUL_FULLNAME}-server-0.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:9301\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"${CONSUL_FULLNAME}-server-1.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:9301\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-retry-join=\"${CONSUL_FULLNAME}-server-2.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:9301\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] } #-------------------------------------------------------------------- 
@@ -675,31 +648,6 @@ load _helpers [ "${actual}" = "/v1/agent/metrics" ] } -@test "server/StatefulSet: when global.metrics.enableAgentMetrics=true, sets telemetry flag" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'global.metrics.enabled=true' \ - --set 'global.metrics.enableAgentMetrics=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | join(" ") | contains("telemetry { prometheus_retention_time = \"1m\" }")' | tee /dev/stderr) - - [ "${actual}" = "true" ] -} - -@test "server/StatefulSet: when global.metrics.enableAgentMetrics=true and global.metrics.agentMetricsRetentionTime is set, sets telemetry flag with updated retention time" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'global.metrics.enabled=true' \ - --set 'global.metrics.enableAgentMetrics=true' \ - --set 'global.metrics.agentMetricsRetentionTime=5m' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | join(" ") | contains("telemetry { prometheus_retention_time = \"5m\" }")' | tee /dev/stderr) - - [ "${actual}" = "true" ] -} - @test "server/StatefulSet: when global.metrics.enableAgentMetrics=true, global.tls.enabled=true and global.tls.httpsOnly=true, fail" { cd `chart_dir` run helm template \ @@ -723,7 +671,7 @@ load _helpers -s templates/server-statefulset.yaml \ . | tee /dev/stderr | yq -r '.spec.template.metadata.annotations."consul.hashicorp.com/config-checksum"' | tee /dev/stderr) - [ "${actual}" = 2c5397272acdc6fe5b079bf25c846c5a17f474603c794c64e7226ce0690625f7 ] + [ "${actual}" = 0413362d01133dcd9c1da159e01c20143fb1fe4e2e2ade27bd3b85645653d7cf ] } @test "server/StatefulSet: adds config-checksum annotation when extraConfig is provided" { 
@@ -733,7 +681,7 @@ load _helpers --set 'server.extraConfig="{\"hello\": \"world\"}"' \ . | tee /dev/stderr | yq -r '.spec.template.metadata.annotations."consul.hashicorp.com/config-checksum"' | tee /dev/stderr) - [ "${actual}" = b0d22cb051216505edc0e61b57f9eacc0d7e15b24719d815842df88f06f1abe0 ] + [ "${actual}" = 7394f1cb933e3501be41dd0225d8d2248f2d592e0241876035127e5b9540ec31 ] } @test "server/StatefulSet: adds config-checksum annotation when config is updated" { @@ -743,7 +691,7 @@ load _helpers --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | yq -r '.spec.template.metadata.annotations."consul.hashicorp.com/config-checksum"' | tee /dev/stderr) - [ "${actual}" = 7772975be982e25cc8df101375374e2ba672a55737f8f1580011e0d88d8752a8 ] + [ "${actual}" = 62db9fd78a8dd95db274586c7d372af85c899b8c9db942a2a0bb691b25c87f55 ] } #-------------------------------------------------------------------- @@ -769,7 +717,7 @@ load _helpers } #-------------------------------------------------------------------- -# tolerations +# topologySpreadConstraints @test "server/StatefulSet: topologySpreadConstraints not set by default" { cd `chart_dir` @@ -994,7 +942,7 @@ load _helpers [ "${actual}" != "" ] } -@test "server/StatefulSet: server volume present when TLS is enabled" { +@test "server/StatefulSet: server cert volume present when TLS is enabled" { cd `chart_dir` local actual=$(helm template \ -s templates/server-statefulset.yaml \ 
@@ -1086,17 +1034,6 @@ load _helpers [ "${actual}" = "true" ] } -@test "server/StatefulSet: HTTP is disabled in agent when httpsOnly is enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.httpsOnly=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | join(" ") | contains("ports { http = -1 }")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - @test "server/StatefulSet: sets Consul environment variables when global.tls.enabled" { cd `chart_dir` local env=$(helm template \ 
@@ -1132,45 +1069,6 @@ load _helpers [ "${actual}" = "/vault/secrets/serverca.crt" ] } -@test "server/StatefulSet: sets verify_* flags to true by default when global.tls.enabled" { - cd `chart_dir` - local command=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'global.tls.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr) - - local actual - actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr) - [ "${actual}" = "true" ] - - actual=$(echo $command | jq -r '. | contains("verify_outgoing = true")' | tee /dev/stderr) - [ "${actual}" = "true" ] - - actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "server/StatefulSet: doesn't set the verify_* flags by default when global.tls.enabled and global.tls.verify is false" { - cd `chart_dir` - local command=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.verify=false' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr) - - local actual - actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr) - [ "${actual}" = "false" ] - - actual=$(echo $command | jq -r '. | contains("verify_outgoing = true")' | tee /dev/stderr) - [ "${actual}" = "false" ] - - actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - @test "server/StatefulSet: can overwrite CA secret with the provided one" { cd `chart_dir` local ca_cert_volume=$(helm template \ 
@@ -1205,29 +1103,6 @@ load _helpers
[[ "$output" =~ "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" ]]
}
-@test "server/StatefulSet: mesh gateway federation enabled when federation.enabled=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/server-statefulset.yaml \
- --set 'global.federation.enabled=true' \
- --set 'global.tls.enabled=true' \
- --set 'meshGateway.enabled=true' \
- --set 'connectInject.enabled=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].command | join(" ") | contains("connect { enable_mesh_gateway_wan_federation = true }")' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "server/StatefulSet: mesh gateway federation not enabled when federation.enabled=false" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/server-statefulset.yaml \
- --set 'global.federation.enabled=false' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].command | join(" ") | contains("connect { enable_mesh_gateway_wan_federation = true }")' | tee /dev/stderr)
- [ "${actual}" = "false" ]
-}
-
#--------------------------------------------------------------------
# global.acls.bootstrapToken
@@ -1365,51 +1240,6 @@ load _helpers
[ "${actual}" = '[{"name":"ACL_REPLICATION_TOKEN","valueFrom":{"secretKeyRef":{"name":"name","key":"key"}}}]' ]
}
-#--------------------------------------------------------------------
-# global.tls.enableAutoEncrypt
-
-@test "server/StatefulSet: enables auto-encrypt for the servers when global.tls.enableAutoEncrypt is true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/server-statefulset.yaml \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].command | join(" ") | contains("auto_encrypt = {allow_tls = true}")' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-#--------------------------------------------------------------------
-# -bootstrap-expect
-
-@test "server/StatefulSet: -bootstrap-expect defaults to replicas" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/server-statefulset.yaml \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].command | join(" ") | contains("-bootstrap-expect=3")' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "server/StatefulSet: -bootstrap-expect can be set by server.bootstrapExpect" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/server-statefulset.yaml \
- --set 'server.bootstrapExpect=5' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].command | join(" ") | contains("-bootstrap-expect=5")' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "server/StatefulSet: errors if bootstrapExpect < replicas" {
- cd `chart_dir`
- run helm template \
- -s templates/server-statefulset.yaml \
- --set 'server.bootstrapExpect=1' .
- [ "$status" -eq 1 ]
- [[ "$output" =~ "server.bootstrapExpect cannot be less than server.replicas" ]]
-}
-
#--------------------------------------------------------------------
# license-autoload
@@ -1446,16 +1276,6 @@ load _helpers
[ "${actual}" = '{"name":"CONSUL_LICENSE_PATH","value":"/consul/license/bar"}' ]
}
-@test "server/StatefulSet: -recursor can be set by global.recursors" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/server-statefulset.yaml \
- --set 'global.recursors[0]=1.2.3.4' \
- . | tee /dev/stderr |
- yq -r -c '.spec.template.spec.containers[0].command | join(" ") | contains("-recursor=\"1.2.3.4\"")' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
@test "server/StatefulSet: when global.enterpriseLicense.secretKey!=null and global.enterpriseLicense.secretName=null, fail" {
cd `chart_dir`
run helm template \
@@ -1859,10 +1679,6 @@ load _helpers
yq -r '.metadata.annotations["vault.hashicorp.com/agent-inject-template-servercert.key"]' | tee /dev/stderr)"
local expected=$'{{- with secret \"pki_int/issue/test\" \"common_name=server.dc2.consul\"\n\"alt_names=localhost,RELEASE-NAME-consul-server,*.RELEASE-NAME-consul-server,*.RELEASE-NAME-consul-server.default,RELEASE-NAME-consul-server.default,*.RELEASE-NAME-consul-server.default.svc,RELEASE-NAME-consul-server.default.svc,*.server.dc2.consul\" \"ip_sans=127.0.0.1\" -}}\n{{- .Data.private_key -}}\n{{- end -}}'
[ "${actual}" = "${expected}" ]
-
- local actual=$(echo $object |
- yq -r '.spec.containers[0].command | any(contains("ca_file = \"/vault/secrets/serverca.crt\""))' | tee /dev/stderr)
- [ "${actual}" = "true" ]
}
@test "server/StatefulSet: tls related volumes not attached when tls is enabled on vault" {
@@ -2108,31 +1924,3 @@ load _helpers
local actual="$(echo $object | yq -r '.spec.containers[] | select(.name=="consul").command | any(contains("-config-file=/vault/secrets/replication-token-config.hcl"))' | tee /dev/stderr)"
[ "${actual}" = "true" ]
}
-
-#--------------------------------------------------------------------
-# ui.dashboardURLTemplates.service
-
-@test "server/StatefulSet: dashboard_url_templates not set by default" {
- cd `chart_dir`
-
- local actual=$(helm template \
- -s templates/server-statefulset.yaml \
- . | tee /dev/stderr |
- yq -r ".spec.template.spec.containers[0].command | any(contains(\"dashboard_url_templates\"))" | tee /dev/stderr)
-
- [ "${actual}" = "false" ]
-}
-
-@test "server/StatefulSet: ui.dashboardURLTemplates.service sets the template" {
- cd `chart_dir`
-
- local expected='-hcl='\''ui_config { dashboard_url_templates { service = \"http://localhost:3000/d/WkFEBmF7z/services?orgId=1&var-Service={{Service.Name}}\" } }'
-
- local actual=$(helm template \
- -s templates/server-statefulset.yaml \
- --set 'ui.dashboardURLTemplates.service=http://localhost:3000/d/WkFEBmF7z/services?orgId=1&var-Service={{Service.Name}}' \
- . | tee /dev/stderr |
- yq -r ".spec.template.spec.containers[0].command | any(contains(\"$expected\"))" | tee /dev/stderr)
-
- [ "${actual}" = "true" ]
-}