Skip to content

fix permissions for /consul/extra-config #1307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kschoche merged 3 commits into from
Aug 10, 2022
Merged

fix permissions for /consul/extra-config #1307

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
68b68ab
fix permissions for /consul/extra-config
eb4x Jun 25, 2022
22fc7ea
fix serverCert tests
eb4x Jul 4, 2022
193f40a
fix global.acls.manageSystemACLs tests
eb4x Jul 4, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion charts/consul/templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,6 @@ substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The out
is passed to consul as a -config-file param on command line.
*/}}
{{- define "consul.extraconfig" -}}
mkdir -p /consul/extra-config
cp /consul/config/extra-from-values.json /consul/extra-config/extra-from-values.json
[ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json
[ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json
Expand Down
4 changes: 4 additions & 0 deletions charts/consul/templates/client-daemonset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,8 @@ spec:
- name: config
configMap:
name: {{ template "consul.fullname" . }}-client-config
- name: extra-config
emptyDir: {}
- name: consul-data
emptyDir:
medium: "Memory"
Expand Down Expand Up @@ -359,6 +361,8 @@ spec:
mountPath: /consul/data
- name: config
mountPath: /consul/config
- name: extra-config
mountPath: /consul/extra-config
- mountPath: /consul/login
name: consul-data
readOnly: true
Expand Down
4 changes: 4 additions & 0 deletions charts/consul/templates/server-statefulset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,8 @@ spec:
- name: config
configMap:
name: {{ template "consul.fullname" . }}-server-config
- name: extra-config
emptyDir: {}
{{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }}
- name: consul-ca-cert
secret:
Expand Down Expand Up @@ -303,6 +305,8 @@ spec:
mountPath: /consul/data
- name: config
mountPath: /consul/config
- name: extra-config
mountPath: /consul/extra-config
{{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }}
- name: consul-ca-cert
mountPath: /consul/tls/ca/
Expand Down
69 changes: 40 additions & 29 deletions charts/consul/test/unit/client-daemonset.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,27 @@ load _helpers
[ "${actual}" = "bar" ]
}

#--------------------------------------------------------------------
# extra-config

@test "client/DaemonSet: has extra-config volume" {
cd `chart_dir`

# check that the extra-config volume is defined
local volume_name=$(helm template \
-s templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.volumes[] | select(.name == "extra-config") | .name' | tee /dev/stderr)
[ "${volume_name}" = "extra-config" ]

# check that the consul container mounts the volume at /consul/extra-config
local mount_path=$(helm template \
-s templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[] | select(.name == "consul") | .volumeMounts[] | select(.name == "extra-config") | .mountPath' | tee /dev/stderr)
[ "${mount_path}" = "/consul/extra-config" ]
}

#--------------------------------------------------------------------
# extraVolumes

Expand Down Expand Up @@ -1072,29 +1093,22 @@ load _helpers

@test "client/DaemonSet: aclconfig volume is created when global.acls.manageSystemACLs=true" {
cd `chart_dir`
local actual=$(helm template \
local volume_name=$(helm template \
-s templates/client-daemonset.yaml \
--set 'global.acls.manageSystemACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[3].name == "aclconfig"' | tee /dev/stderr)
[ "${actual}" = "true" ]
yq -r '.spec.template.spec.volumes[] | select(.name == "aclconfig") | .name' | tee /dev/stderr)
[ "${volume_name}" = "aclconfig" ]
}

@test "client/DaemonSet: aclconfig volumeMount is created when global.acls.manageSystemACLs=true" {
cd `chart_dir`
local object=$(helm template \
local mount_path=$(helm template \
-s templates/client-daemonset.yaml \
--set 'global.acls.manageSystemACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts[3]' | tee /dev/stderr)

local actual=$(echo $object |
yq -r '.name' | tee /dev/stderr)
[ "${actual}" = "aclconfig" ]

local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/consul/aclconfig" ]
yq -r '.spec.template.spec.containers[] | select(.name == "consul") | .volumeMounts[] | select(.name == "aclconfig") | .mountPath' | tee /dev/stderr)
[ "${mount_path}" = "/consul/aclconfig" ]
}

@test "client/DaemonSet: command includes aclconfig dir when global.acls.manageSystemACLs=true" {
Expand Down Expand Up @@ -1232,37 +1246,34 @@ local actual=$(echo $object |

@test "client/DaemonSet: Adds consul login volume when ACLs are enabled" {
cd `chart_dir`
local object=$(helm template \
local volume=$(helm template \
-s templates/client-daemonset.yaml \
--set 'global.acls.manageSystemACLs=true' \
. | yq '.spec.template.spec.volumes[2]' | tee /dev/stderr)
local actual=$(echo $object |
. | yq '.spec.template.spec.volumes[] | select(.name == "consul-data")' | tee /dev/stderr)

local volume_name=$(echo $volume |
yq -r '.name' | tee /dev/stderr)
[ "${actual}" = "consul-data" ]
[ "${volume_name}" = "consul-data" ]

local actual=$(echo $object |
local volume_emptydir_medium=$(echo $volume |
yq -r '.emptyDir.medium' | tee /dev/stderr)
[ "${actual}" = "Memory" ]
[ "${volume_emptydir_medium}" = "Memory" ]
}

@test "client/DaemonSet: Adds consul login volumeMount to client container when ACLs are enabled" {
cd `chart_dir`
local object=$(helm template \
local volume_mount=$(helm template \
-s templates/client-daemonset.yaml \
--set 'global.acls.manageSystemACLs=true' \
. | yq '.spec.template.spec.containers[0].volumeMounts[2]' | tee /dev/stderr)
. | yq '.spec.template.spec.containers[] | select(.name == "consul") | .volumeMounts[] | select(.name == "consul-data")' | tee /dev/stderr)

local actual=$(echo $object |
yq -r '.name' | tee /dev/stderr)
[ "${actual}" = "consul-data" ]

local actual=$(echo $object |
local volume_mount_path=$(echo $volume_mount |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/consul/login" ]
[ "${volume_mount_path}" = "/consul/login" ]

local actual=$(echo $object |
local volume_mount_ro=$(echo $volume_mount |
yq -r '.readOnly' | tee /dev/stderr)
[ "${actual}" = "true" ]
[ "${volume_mount_ro}" = "true" ]
}

@test "client/DaemonSet: Adds consul login volumeMount to acl-init init container when ACLs are enabled" {
Expand Down
25 changes: 23 additions & 2 deletions charts/consul/test/unit/server-statefulset.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -207,7 +207,7 @@ load _helpers
. | tee /dev/stderr )

local actual=$(echo "$object" |
yq -r '.spec.template.spec.volumes[2].secret.secretName' | tee /dev/stderr)
yq -r '.spec.template.spec.volumes[] | select(.name == "consul-server-cert") | .secret.secretName' | tee /dev/stderr)
[ "${actual}" = "release-name-consul-server-cert" ]
}

Expand All @@ -221,7 +221,7 @@ load _helpers
. | tee /dev/stderr )

local actual=$(echo "$object" |
yq -r '.spec.template.spec.volumes[2].secret.secretName' | tee /dev/stderr)
yq -r '.spec.template.spec.volumes[] | select(.name == "consul-server-cert") | .secret.secretName' | tee /dev/stderr)
[ "${actual}" = "server-cert" ]
}

Expand Down Expand Up @@ -348,6 +348,27 @@ load _helpers
yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr)
}

#--------------------------------------------------------------------
# extra-config

@test "server/StatefulSet: has extra-config volume" {
cd `chart_dir`

# check that the extra-config volume is defined
local volume_name=$(helm template \
-s templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.volumes[] | select(.name == "extra-config") | .name' | tee /dev/stderr)
[ "${volume_name}" = "extra-config" ]

# check that the consul container mounts the volume at /consul/extra-config
local mount_path=$(helm template \
-s templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[] | select(.name == "consul") | .volumeMounts[] | select(.name == "extra-config") | .mountPath' | tee /dev/stderr)
[ "${mount_path}" = "/consul/extra-config" ]
}

#--------------------------------------------------------------------
# extraVolumes

Expand Down