diff --git a/charts/consul/templates/cni-clusterrole.yaml b/charts/consul/templates/cni-clusterrole.yaml index 39dc5ead50..773942cca8 100644 --- a/charts/consul/templates/cni-clusterrole.yaml +++ b/charts/consul/templates/cni-clusterrole.yaml @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "consul.fullname" . }}-cni - namespace: {{ .Release.Namespace }} + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/consul/templates/cni-clusterrolebinding.yaml b/charts/consul/templates/cni-clusterrolebinding.yaml index 86c19d86aa..4b860388b6 100644 --- a/charts/consul/templates/cni-clusterrolebinding.yaml +++ b/charts/consul/templates/cni-clusterrolebinding.yaml @@ -16,5 +16,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "consul.fullname" . }}-cni - namespace: {{ .Release.Namespace }} + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} {{- end }} diff --git a/charts/consul/templates/cni-daemonset.yaml b/charts/consul/templates/cni-daemonset.yaml index 7b9f90d939..e9a6807338 100644 --- a/charts/consul/templates/cni-daemonset.yaml +++ b/charts/consul/templates/cni-daemonset.yaml @@ -4,7 +4,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: {{ template "consul.fullname" . }}-cni - namespace: {{ .Release.Namespace }} + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/consul/templates/cni-networkattachmentdefinition.yaml b/charts/consul/templates/cni-networkattachmentdefinition.yaml index d0feaf5cb1..80ef50bac6 100644 --- a/charts/consul/templates/cni-networkattachmentdefinition.yaml +++ b/charts/consul/templates/cni-networkattachmentdefinition.yaml 
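Review bot: `metadata.namespace` on the changed line of cni-clusterrole.yaml has no effect, because a ClusterRole is cluster-scoped; the same holds for the PodSecurityPolicy and SecurityContextConstraints hunks later in this commit. The `able to set cni namespace` tests added for these three kinds therefore assert on a rendered field that changes nothing in the cluster, which can read as if the RBAC or policy object were confined to that namespace. I would either drop the line from the three templates or add `# cluster-scoped: metadata.namespace has no effect on this kind` above it. The template body continues outside the hunk.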
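Review bot: The subject namespace on the changed line of cni-clusterrolebinding.yaml has to stay identical to the namespace rendered in cni-serviceaccount.yaml, and the commit keeps the two in step only by repeating the same `default` expression in both files. If one copy is edited later, the binding would name a ServiceAccount in a different namespace, so the CNI pods would lose their permissions and any account with the same name in that other namespace would receive the ClusterRole. A single named template used by every CNI manifest removes that risk, for example `namespace: {{ template "consul.cni.namespace" . }}`, where `consul.cni.namespace` is a helper this commit would have to add. The template starts outside the hunk.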
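Review bot: The namespace on the changed line of cni-daemonset.yaml is rendered unquoted, and it now comes from a user-supplied value rather than only from `.Release.Namespace`. A valid namespace name made only of digits, or one that YAML reads as a boolean or null, would render as a non-string and be rejected or misread when the manifest is parsed. `namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace | quote }}` keeps it a string; the same applies to the NetworkAttachmentDefinition, ResourceQuota and ServiceAccount hunks and to the ClusterRoleBinding subject. The DaemonSet spec continues outside the hunk.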
@@ -3,7 +3,7 @@ apiVersion: "k8s.cni.cncf.io/v1" kind: NetworkAttachmentDefinition metadata: name: {{ template "consul.fullname" . }}-cni - namespace: {{ .Release.Namespace }} + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/consul/templates/cni-podsecuritypolicy.yaml b/charts/consul/templates/cni-podsecuritypolicy.yaml index 15b96bc230..b600ed1b4b 100644 --- a/charts/consul/templates/cni-podsecuritypolicy.yaml +++ b/charts/consul/templates/cni-podsecuritypolicy.yaml @@ -3,7 +3,7 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ template "consul.fullname" . }}-cni - namespace: {{ .Release.Namespace }} + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/consul/templates/cni-resourcequota.yaml b/charts/consul/templates/cni-resourcequota.yaml index abfe5a8876..054c3061f5 100644 --- a/charts/consul/templates/cni-resourcequota.yaml +++ b/charts/consul/templates/cni-resourcequota.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: ResourceQuota metadata: name: {{ template "consul.fullname" . }}-cni - namespace: {{ .Release.Namespace }} + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/consul/templates/cni-securitycontextconstraints.yaml b/charts/consul/templates/cni-securitycontextconstraints.yaml index 95cfc555e1..2c09dba9b8 100644 --- a/charts/consul/templates/cni-securitycontextconstraints.yaml +++ b/charts/consul/templates/cni-securitycontextconstraints.yaml 
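Review bot: A ResourceQuota applies to every matching pod in its namespace, not only to this chart's pods, so the changed line of cni-resourcequota.yaml can now place the CNI quota in a shared namespace such as `kube-system`, the example given in values.yaml. The quota's `spec` is outside the hunk, so it cannot be seen here how narrowly it is scoped; if its scope also matches other workloads in that namespace, their pods would count against it and could be refused at admission. I would add a comment above the line such as `# applies to all matching pods in the CNI namespace, not only the CNI DaemonSet`, and repeat the warning next to `connectInject.cni.namespace` in values.yaml.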
@@ -3,7 +3,7 @@ apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: name: {{ template "consul.fullname" . }}-cni - namespace: {{ .Release.Namespace }} + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/consul/templates/cni-serviceaccount.yaml b/charts/consul/templates/cni-serviceaccount.yaml index 6b2a7627f7..cf4250b696 100644 --- a/charts/consul/templates/cni-serviceaccount.yaml +++ b/charts/consul/templates/cni-serviceaccount.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "consul.fullname" . }}-cni - namespace: {{ .Release.Namespace }} + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/consul/test/unit/cni-clusterrole.bats b/charts/consul/test/unit/cni-clusterrole.bats index 02675ed882..4556d48f0d 100644 --- a/charts/consul/test/unit/cni-clusterrole.bats +++ b/charts/consul/test/unit/cni-clusterrole.bats 
@@ -20,6 +20,29 @@ load _helpers [[ "${actual}" == "true" ]] } +@test "cni/ClusterRole: cni namespace has a default when not set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-clusterrole.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "default" ]] +} + +@test "cni/ClusterRole: able to set cni namespace" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-clusterrole.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.cni.namespace=kube-system' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "kube-system" ]] +} + @test "cni/ClusterRole: disabled with connectInject.cni.enabled=false and connectInject.enabled=true" { cd `chart_dir` assert_empty helm template \ diff --git a/charts/consul/test/unit/cni-clusterrolebinding.bats b/charts/consul/test/unit/cni-clusterrolebinding.bats index ba217e7706..98cdb283c4 100644 --- a/charts/consul/test/unit/cni-clusterrolebinding.bats +++ b/charts/consul/test/unit/cni-clusterrolebinding.bats 
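Review bot: The `cni namespace has a default when not set` test expects `default` without passing `-n`, so the result depends on the namespace Helm picks up from the environment (for example `HELM_NAMESPACE` or the current kubeconfig context) rather than on the chart. Passing it explicitly, `local actual=$(helm template -n default \`, makes the expectation independent of the machine running the tests. The same pattern is used in the matching tests added to the other cni-*.bats files in this commit.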
@@ -55,3 +55,25 @@ load _helpers [ "${actual}" = "foo" ] } +@test "cni/ClusterRoleBinding: subject namespace is correct when not set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-clusterrolebinding.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [[ "${actual}" == "default" ]] +} + +@test "cni/ClusterRoleBinding: subject namespace can be set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-clusterrolebinding.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.cni.namespace=kube-system' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [[ "${actual}" == "kube-system" ]] +} diff --git a/charts/consul/test/unit/cni-daemonset.bats b/charts/consul/test/unit/cni-daemonset.bats index 17c80d2da0..3b5e046a67 100644 --- a/charts/consul/test/unit/cni-daemonset.bats +++ b/charts/consul/test/unit/cni-daemonset.bats 
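Review bot: The two ClusterRoleBinding tests never run with `-n`, so the fallback of the subject namespace to the release namespace is only covered for the DaemonSet. A wrong subject namespace is the case that matters most here, because it silently changes which ServiceAccount receives the ClusterRole. A case modelled on the DaemonSet `-n foo` tests closes the gap, and a matching one in cni-serviceaccount.bats would confirm that both sides agree.

```bash
@test "cni/ClusterRoleBinding: subject namespace follows helm -n when cni.namespace is not set" {
  cd `chart_dir`
  local actual=$(helm template -n foo \
      -s templates/cni-clusterrolebinding.yaml \
      --set 'connectInject.cni.enabled=true' \
      --set 'connectInject.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.subjects[0].namespace' | tee /dev/stderr)
  [[ "${actual}" == "foo" ]]
}
```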
@@ -295,3 +295,48 @@ rollingUpdate: [ "${actual}" = '{"mountPath":"bar","name":"cni-net-dir"}' ] } +@test "cni/DaemonSet: cni namespace has a default when not set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-daemonset.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "default" ]] +} + +@test "cni/DaemonSet: able to set cni namespace" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-daemonset.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.cni.namespace=kube-system' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "kube-system" ]] +} + +@test "cni/DaemonSet: still uses cni.namespace when helm -n is used" { + cd `chart_dir` + local actual=$(helm template -n foo \ + -s templates/cni-daemonset.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'connectInject.cni.namespace=kube-system' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "kube-system" ]] +} + +@test "cni/DaemonSet: default namespace can be overridden by helm -n" { + cd `chart_dir` + local actual=$(helm template -n foo \ + -s templates/cni-daemonset.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "foo" ]] +} diff --git a/charts/consul/test/unit/cni-networkattachmentdefinition.bats b/charts/consul/test/unit/cni-networkattachmentdefinition.bats index a7f0d1da03..65730079bb 100644 --- a/charts/consul/test/unit/cni-networkattachmentdefinition.bats +++ b/charts/consul/test/unit/cni-networkattachmentdefinition.bats 
@@ -59,3 +59,27 @@ load _helpers } +@test "cni/NetworkAttachmentDefinition: cni namespace has a default when not set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-networkattachmentdefinition.yaml \ + --set 'connectInject.enabled=true' \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.cni.multus=true' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "default" ]] +} + +@test "cni/NetworkAttachmentDefinition: able to set cni namespace" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-networkattachmentdefinition.yaml \ + --set 'connectInject.enabled=true' \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.cni.multus=true' \ + --set 'connectInject.cni.namespace=kube-system' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "kube-system" ]] +} diff --git a/charts/consul/test/unit/cni-podsecuritypolicy.bats b/charts/consul/test/unit/cni-podsecuritypolicy.bats index 37df761995..21af659cde 100644 --- a/charts/consul/test/unit/cni-podsecuritypolicy.bats +++ b/charts/consul/test/unit/cni-podsecuritypolicy.bats 
@@ -30,3 +30,27 @@ load _helpers [[ "${actual}" == "true" ]] } +@test "cni/PodSecurityPolicy: cni namespace has a default when not set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-podsecuritypolicy.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.enablePodSecurityPolicies=true' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "default" ]] +} + +@test "cni/PodSecurityPolicy: able to set cni namespace" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-podsecuritypolicy.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.enablePodSecurityPolicies=true' \ + --set 'connectInject.cni.namespace=kube-system' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "kube-system" ]] +} diff --git a/charts/consul/test/unit/cni-resourcequota.bats b/charts/consul/test/unit/cni-resourcequota.bats index 36c7a26b30..f7495d3565 100644 --- a/charts/consul/test/unit/cni-resourcequota.bats +++ b/charts/consul/test/unit/cni-resourcequota.bats 
@@ -29,6 +29,29 @@ load _helpers . } +@test "cni/ResourceQuota: cni namespace has a default when not set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-resourcequota.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "default" ]] +} + +@test "cni/ResourceQuota: able to set cni namespace" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-resourcequota.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'connectInject.cni.namespace=kube-system' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "kube-system" ]] +} + #-------------------------------------------------------------------- # pods diff --git a/charts/consul/test/unit/cni-securitycontextcontstraints.bats b/charts/consul/test/unit/cni-securitycontextcontstraints.bats index 759979aee2..933282f0dc 100644 --- a/charts/consul/test/unit/cni-securitycontextcontstraints.bats +++ b/charts/consul/test/unit/cni-securitycontextcontstraints.bats 
@@ -31,3 +31,27 @@ load _helpers [ "${actual}" = "true" ] } +@test "cni/SecurityContextConstraints: cni namespace has a default when not set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-securitycontextconstraints.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.openshift.enabled=true' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "default" ]] +} + +@test "cni/SecurityContextConstraints: able to set cni namespace" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-securitycontextconstraints.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.openshift.enabled=true' \ + --set 'connectInject.cni.namespace=kube-system' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "kube-system" ]] +} diff --git a/charts/consul/test/unit/cni-serviceaccount.bats b/charts/consul/test/unit/cni-serviceaccount.bats index 4f2071f823..73146bd0d9 100644 --- a/charts/consul/test/unit/cni-serviceaccount.bats +++ b/charts/consul/test/unit/cni-serviceaccount.bats 
@@ -29,6 +29,29 @@ load _helpers . } +@test "cni/ServiceAccount: cni namespace has a default when not set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-serviceaccount.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "default" ]] +} + +@test "cni/ServiceAccount: able to set cni namespace" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/cni-serviceaccount.yaml \ + --set 'connectInject.cni.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'connectInject.cni.namespace=kube-system' \ + . | tee /dev/stderr | + yq -r -c '.metadata.namespace' | tee /dev/stderr) + [[ "${actual}" == "kube-system" ]] +} + #-------------------------------------------------------------------- # global.imagePullSecrets diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 05ac341f01..78b9752062 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -1945,6 +1945,11 @@ connectInject: # @type: string logLevel: null + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' # Example on GKE: #
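Review bot: The comment added for `connectInject.cni.namespace` in values.yaml does not say that the namespace must already exist or what the `null` default means, and both matter for an option whose example is `kube-system`. Helm does not create a namespace that is named only in a value, so an install pointing at a missing namespace would be expected to fail, and objects the CNI ServiceAccount refers to by name (the serviceaccount tests have a `global.imagePullSecrets` section) would need to be present in that namespace too. I would extend the comment with `# Defaults to the release namespace when null. The namespace must already exist;` and `# Helm does not create it, and image pull secrets must be present in it.`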