Skip to content

Add support for setting the namespace that the CNI plugin is installed #1756

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kschoche merged 3 commits into from
Nov 30, 2022
Merged

Add support for setting the namespace that the CNI plugin is installed #1756

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
eff5c19
Add support for setting the namespace that the CNI plugin is installe…
kschoche Nov 30, 2022
78bf978
add extra test
kschoche Nov 30, 2022
750d458
add changelog
kschoche Nov 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
## UNRELEASED

IMPROVEMENTS:
* Helm:
* CNI: Add `connectInject.cni.namespace` stanza which allows the CNI plugin resources to be deployed in a namespace other than the namespace that Consul is installed. [[GH-1756](https://github.com/hashicorp/consul-k8s/pull/1756)]

## 1.0.1 (November 21, 2022)

BUG FIXES:
Expand Down
2 changes: 1 addition & 1 deletion charts/consul/templates/cni-clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ .Release.Namespace }}
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
Expand Down
2 changes: 1 addition & 1 deletion charts/consul/templates/cni-clusterrolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,5 +16,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-cni
namespace: {{ .Release.Namespace }}
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
{{- end }}
2 changes: 1 addition & 1 deletion charts/consul/templates/cni-daemonset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ .Release.Namespace }}
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
Expand Down
2 changes: 1 addition & 1 deletion charts/consul/templates/cni-networkattachmentdefinition.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ .Release.Namespace }}
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
Expand Down
2 changes: 1 addition & 1 deletion charts/consul/templates/cni-podsecuritypolicy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ .Release.Namespace }}
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
Expand Down
2 changes: 1 addition & 1 deletion charts/consul/templates/cni-resourcequota.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ apiVersion: v1
kind: ResourceQuota
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ .Release.Namespace }}
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
Expand Down
2 changes: 1 addition & 1 deletion charts/consul/templates/cni-securitycontextconstraints.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ .Release.Namespace }}
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
Expand Down
2 changes: 1 addition & 1 deletion charts/consul/templates/cni-serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-cni
namespace: {{ .Release.Namespace }}
namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
Expand Down
23 changes: 23 additions & 0 deletions charts/consul/test/unit/cni-clusterrole.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,29 @@ load _helpers
[[ "${actual}" == "true" ]]
}

@test "cni/ClusterRole: cni namespace has a default when not set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-clusterrole.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "default" ]]
}

@test "cni/ClusterRole: able to set cni namespace" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-clusterrole.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.cni.namespace=kube-system' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "kube-system" ]]
}

@test "cni/ClusterRole: disabled with connectInject.cni.enabled=false and connectInject.enabled=true" {
cd `chart_dir`
assert_empty helm template \
Expand Down
22 changes: 22 additions & 0 deletions charts/consul/test/unit/cni-clusterrolebinding.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,3 +55,25 @@ load _helpers
[ "${actual}" = "foo" ]
}

@test "cni/ClusterRoleBinding: subject namespace is correct when not set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-clusterrolebinding.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r '.subjects[0].namespace' | tee /dev/stderr)
[[ "${actual}" == "default" ]]
}

@test "cni/ClusterRoleBinding: subject namespace can be set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-clusterrolebinding.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.cni.namespace=kube-system' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r '.subjects[0].namespace' | tee /dev/stderr)
[[ "${actual}" == "kube-system" ]]
}
45 changes: 45 additions & 0 deletions charts/consul/test/unit/cni-daemonset.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -295,3 +295,48 @@ rollingUpdate:
[ "${actual}" = '{"mountPath":"bar","name":"cni-net-dir"}' ]
}

@test "cni/DaemonSet: cni namespace has a default when not set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-daemonset.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "default" ]]
}

@test "cni/DaemonSet: able to set cni namespace" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-daemonset.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.cni.namespace=kube-system' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "kube-system" ]]
}

@test "cni/DaemonSet: still uses cni.namespace when helm -n is used" {
cd `chart_dir`
local actual=$(helm template -n foo \
-s templates/cni-daemonset.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'connectInject.cni.namespace=kube-system' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "kube-system" ]]
}

@test "cni/DaemonSet: default namespace can be overridden by helm -n" {
cd `chart_dir`
local actual=$(helm template -n foo \
-s templates/cni-daemonset.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "foo" ]]
}
24 changes: 24 additions & 0 deletions charts/consul/test/unit/cni-networkattachmentdefinition.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,3 +59,27 @@ load _helpers

}

@test "cni/NetworkAttachmentDefinition: cni namespace has a default when not set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-networkattachmentdefinition.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.cni.multus=true' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "default" ]]
}

@test "cni/NetworkAttachmentDefinition: able to set cni namespace" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-networkattachmentdefinition.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.cni.multus=true' \
--set 'connectInject.cni.namespace=kube-system' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "kube-system" ]]
}
24 changes: 24 additions & 0 deletions charts/consul/test/unit/cni-podsecuritypolicy.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,3 +30,27 @@ load _helpers
[[ "${actual}" == "true" ]]
}

@test "cni/PodSecurityPolicy: cni namespace has a default when not set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-podsecuritypolicy.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "default" ]]
}

@test "cni/PodSecurityPolicy: able to set cni namespace" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-podsecuritypolicy.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
--set 'connectInject.cni.namespace=kube-system' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "kube-system" ]]
}
23 changes: 23 additions & 0 deletions charts/consul/test/unit/cni-resourcequota.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,29 @@ load _helpers
.
}

@test "cni/ResourceQuota: cni namespace has a default when not set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-resourcequota.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "default" ]]
}

@test "cni/ResourceQuota: able to set cni namespace" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-resourcequota.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'connectInject.cni.namespace=kube-system' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "kube-system" ]]
}

#--------------------------------------------------------------------
# pods

Expand Down
24 changes: 24 additions & 0 deletions charts/consul/test/unit/cni-securitycontextcontstraints.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,3 +31,27 @@ load _helpers
[ "${actual}" = "true" ]
}

@test "cni/SecurityContextConstraints: cni namespace has a default when not set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-securitycontextconstraints.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'global.openshift.enabled=true' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "default" ]]
}

@test "cni/SecurityContextConstraints: able to set cni namespace" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-securitycontextconstraints.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'global.openshift.enabled=true' \
--set 'connectInject.cni.namespace=kube-system' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "kube-system" ]]
}
23 changes: 23 additions & 0 deletions charts/consul/test/unit/cni-serviceaccount.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,29 @@ load _helpers
.
}

@test "cni/ServiceAccount: cni namespace has a default when not set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-serviceaccount.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "default" ]]
}

@test "cni/ServiceAccount: able to set cni namespace" {
cd `chart_dir`
local actual=$(helm template \
-s templates/cni-serviceaccount.yaml \
--set 'connectInject.cni.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'connectInject.cni.namespace=kube-system' \
. | tee /dev/stderr |
yq -r -c '.metadata.namespace' | tee /dev/stderr)
[[ "${actual}" == "kube-system" ]]
}

#--------------------------------------------------------------------
# global.imagePullSecrets

Expand Down
5 changes: 5 additions & 0 deletions charts/consul/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1920,6 +1920,11 @@ connectInject:
# @type: string
logLevel: null

# Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources.
# Ex: "kube-system"
# @type: string
namespace: null

# Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/'
# Example on GKE:
#
Expand Down