Merge pull request hashicorp#1024 from hashicorp/apigateway-namespace…

…-mirroring

Add support for api gateway + consul namespaces

CHANGELOG.md

@@ -4,6 +4,7 @@ IMPROVEMENTS:
   * Vault: Allow passing arbitrary annotations to the vault agent. [[GH-1015](https://github.com/hashicorp/consul-k8s/pull/1015)]
   * Vault: Add support for customized IP and DNS SANs for server cert in Vault. [[GH-1020](https://github.com/hashicorp/consul-k8s/pull/1020)]
   * Vault: Add support for Enterprise License to be configured in Vault. [[GH-1032](https://github.com/hashicorp/consul-k8s/pull/1032)]
+  * API Gateway: Allow Kubernetes namespace to Consul enterprise namespace mapping for deployed gateways and mesh services. [[GH-1024](https://github.com/hashicorp/consul-k8s/pull/1024)]
 
 BUG FIXES:
 * API Gateway

charts/consul/templates/api-gateway-controller-deployment.yaml

@@ -79,6 +79,17 @@ spec:
             consul-api-gateway server \
               -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \
               -k8s-namespace {{ .Release.Namespace }} \
+              {{- if .Values.global.enableConsulNamespaces }}
+              {{- if .Values.apiGateway.consulNamespaces.consulDestinationNamespace }}
+              -consul-destination-namespace={{ .Values.apiGateway.consulNamespaces.consulDestinationNamespace }} \
+              {{- end }}
+              {{- if .Values.apiGateway.consulNamespaces.mirroringK8S }}
+              -mirroring-k8s=true \
+              {{- if .Values.apiGateway.consulNamespaces.mirroringK8SPrefix }}
+              -mirroring-k8s-prefix={{ .Values.apiGateway.consulNamespaces.mirroringK8SPrefix }} \
+              {{- end }}
+              {{- end }}
+              {{- end }}
               -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \
         volumeMounts:
           {{- if .Values.global.tls.enabled }}

charts/consul/test/unit/api-gateway-controller-deployment.bats

@@ -36,6 +36,44 @@ load _helpers
       .
 }
 
+@test "apiGateway/Deployment: enable namespaces" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/api-gateway-controller-deployment.yaml  \
+      --set 'apiGateway.enabled=true' \
+      --set 'apiGateway.image=bar' \
+      --set 'global.enableConsulNamespaces=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | join(" ") | contains("-consul-destination-namespace=default")' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "apiGateway/Deployment: enable namespace mirroring" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/api-gateway-controller-deployment.yaml  \
+      --set 'apiGateway.enabled=true' \
+      --set 'apiGateway.image=bar' \
+      --set 'global.enableConsulNamespaces=true' \
+      --set 'apiGateway.consulNamespaces.mirroringK8S=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | join(" ") | contains("-mirroring-k8s=true")' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "apiGateway/Deployment: enable namespace mirroring prefixes" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/api-gateway-controller-deployment.yaml  \
+      --set 'apiGateway.enabled=true' \
+      --set 'apiGateway.image=bar' \
+      --set 'global.enableConsulNamespaces=true' \
+      --set 'apiGateway.consulNamespaces.mirroringK8S=true' \
+      --set 'apiGateway.consulNamespaces.mirroringK8SPrefix=foo' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | join(" ") | contains("-mirroring-k8s-prefix=foo")' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
 
 @test "apiGateway/Deployment: container image overrides" {
   cd `chart_dir`

charts/consul/values.yaml

@@ -2552,6 +2552,29 @@ apiGateway:
       # @type: string
       service: null
 
+  # [Enterprise Only] These settings manage the API Gateway's interaction with
+  # Consul namespaces (requires consul-ent v1.7+).
+  # Also, `global.enableConsulNamespaces` must be true.
+  consulNamespaces:
+    # Name of the Consul namespace to register all
+    # k8s services into. If the Consul namespace does not already exist,
+    # it will be created. This will be ignored if `mirroringK8S` is true.
+    consulDestinationNamespace: "default"
+
+    # If true, k8s services will be registered into a Consul namespace
+    # of the same name as their k8s namespace, optionally prefixed if
+    # `mirroringK8SPrefix` is set below. If the Consul namespace does not
+    # already exist, it will be created. Turning this on overrides the
+    # `consulDestinationNamespace` setting.
+    # `addK8SNamespaceSuffix` may no longer be needed if enabling this option.
+    mirroringK8S: false
+
+    # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
+    # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
+    # service in the k8s `staging` namespace will be registered into the
+    # `k8s-staging` Consul namespace.
+    mirroringK8SPrefix: ""
+
   # Configuration for the ServiceAccount created for the api-gateway component
   serviceAccount:
     # This value defines additional annotations for the client service account. This should be formatted as a multi-line