hashicorp · pglass · Aug 8, 2023 · Jul 31, 2023 · Jul 31, 2023 · Aug 1, 2023
@@ -123,7 +123,7 @@ func (c *ConnectHelper) DeployClientAndServer(t *testing.T) {
 
 	logger.Log(t, "creating static-server and static-client deployments")
 
-	c.setupAppNamespace(t)
+	c.SetupAppNamespace(t)
 
 	opts := c.KubectlOptsForApp(t)
 	if c.Cfg.EnableCNI && c.Cfg.EnableOpenshift {
@@ -170,10 +170,10 @@ func (c *ConnectHelper) DeployClientAndServer(t *testing.T) {
 		})
 }
 
-// setupAppNamespace creates a namespace where applications are deployed. This
+// SetupAppNamespace creates a namespace where applications are deployed. This
 // does nothing if UseAppNamespace is not set. The app namespace is relevant
 // when testing with restricted PSA enforcement enabled.
-func (c *ConnectHelper) setupAppNamespace(t *testing.T) {
+func (c *ConnectHelper) SetupAppNamespace(t *testing.T) {
 	if !c.UseAppNamespace {
 		return
 	}
@@ -204,7 +204,7 @@ func (c *ConnectHelper) setupAppNamespace(t *testing.T) {
 func (c *ConnectHelper) CreateResolverRedirect(t *testing.T) {
 	logger.Log(t, "creating resolver redirect")
 	opts := c.KubectlOptsForApp(t)
-	c.setupAppNamespace(t)
+	c.SetupAppNamespace(t)
 	kustomizeDir := "../fixtures/cases/resolver-redirect-virtualip"
 	k8s.KubectlApplyK(t, opts, kustomizeDir)
 

@@ -139,6 +139,7 @@ func CopySecret(t *testing.T, sourceContext, destContext environment.TestContext
 		secret.ResourceVersion = ""
 		require.NoError(r, err)
 	})
+	secret.Namespace = destContext.KubectlOptions(t).Namespace
 	_, err = destContext.KubernetesClient(t).CoreV1().Secrets(destContext.KubectlOptions(t).Namespace).Create(context.Background(), secret, metav1.CreateOptions{})
 	require.NoError(t, err)
 }
@@ -9,11 +9,11 @@ import (
 	"strconv"
 	"testing"
 
+	"github.com/hashicorp/consul-k8s/acceptance/framework/connhelper"
 	"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
 	"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
 	"github.com/hashicorp/consul-k8s/acceptance/framework/k8s"
 	"github.com/hashicorp/consul-k8s/acceptance/framework/logger"
-	"github.com/hashicorp/consul/api"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -43,10 +43,6 @@ func TestWANFederation(t *testing.T) {
 			env := suite.Environment()
 			cfg := suite.Config()
 
-			if cfg.UseKind {
-				t.Skipf("skipping wan federation tests as they currently fail on Kind even though they work on other clouds.")
-			}
-
 			primaryContext := env.DefaultContext(t)
 			secondaryContext := env.Context(t, 1)
 
@@ -86,6 +82,7 @@ func TestWANFederation(t *testing.T) {
 			federationSecret, err := primaryContext.KubernetesClient(t).CoreV1().Secrets(primaryContext.KubectlOptions(t).Namespace).Get(context.Background(), federationSecretName, metav1.GetOptions{})
 			require.NoError(t, err)
 			federationSecret.ResourceVersion = ""
+			federationSecret.Namespace = secondaryContext.KubectlOptions(t).Namespace
 			_, err = secondaryContext.KubernetesClient(t).CoreV1().Secrets(secondaryContext.KubectlOptions(t).Namespace).Create(context.Background(), federationSecret, metav1.CreateOptions{})
 			require.NoError(t, err)
 
@@ -161,30 +158,43 @@ func TestWANFederation(t *testing.T) {
 				k8s.KubectlDeleteK(t, secondaryContext.KubectlOptions(t), kustomizeDir)
 			})
 
+			primaryHelper := connhelper.ConnectHelper{
+				Secure:          c.secure,
+				ReleaseName:     releaseName,
+				Ctx:             primaryContext,
+				UseAppNamespace: cfg.EnableRestrictedPSAEnforcement,
+				Cfg:             cfg,
+				ConsulClient:    primaryClient,
+			}
+			secondaryHelper := connhelper.ConnectHelper{
+				Secure:          c.secure,
+				ReleaseName:     releaseName,
+				Ctx:             secondaryContext,
+				UseAppNamespace: cfg.EnableRestrictedPSAEnforcement,
+				Cfg:             cfg,
+				ConsulClient:    secondaryClient,
+			}
+
+			// When restricted PSA enforcement is enabled on the Consul
+			// namespace, deploy the test apps to a different unrestricted
+			// namespace because they can't run in a restricted namespace.
+			// This creates the app namespace only if necessary.
+			primaryHelper.SetupAppNamespace(t)
+			secondaryHelper.SetupAppNamespace(t)
+
 			// Check that we can connect services over the mesh gateways
 			logger.Log(t, "creating static-server in dc2")
-			k8s.DeployKustomize(t, secondaryContext.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, "../fixtures/cases/static-server-inject")
+			k8s.DeployKustomize(t, secondaryHelper.KubectlOptsForApp(t), cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, "../fixtures/cases/static-server-inject")
 
 			logger.Log(t, "creating static-client in dc1")
-			k8s.DeployKustomize(t, primaryContext.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, "../fixtures/cases/static-client-multi-dc")
+			k8s.DeployKustomize(t, primaryHelper.KubectlOptsForApp(t), cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, "../fixtures/cases/static-client-multi-dc")
 
 			if c.secure {
-				logger.Log(t, "creating intention")
-				_, _, err = primaryClient.ConfigEntries().Set(&api.ServiceIntentionsConfigEntry{
-					Kind: api.ServiceIntentions,
-					Name: "static-server",
-					Sources: []*api.SourceIntention{
-						{
-							Name:   StaticClientName,
-							Action: api.IntentionActionAllow,
-						},
-					},
-				}, nil)
-				require.NoError(t, err)
+				primaryHelper.CreateIntention(t)
 			}
 
 			logger.Log(t, "checking that connection is successful")
-			k8s.CheckStaticServerConnectionSuccessful(t, primaryContext.KubectlOptions(t), StaticClientName, "http://localhost:1234")
+			k8s.CheckStaticServerConnectionSuccessful(t, primaryHelper.KubectlOptsForApp(t), StaticClientName, "http://localhost:1234")
 		})
 	}
 }
@@ -93,6 +93,7 @@ spec:
       containers:
         - name: create-federation-secret
           image: "{{ .Values.global.imageK8S }}"
+          {{- include "consul.restrictedSecurityContext" . | nindent 10 }}
           env:
             - name: NAMESPACE
               valueFrom:

@@ -175,6 +175,7 @@ spec:
       # ingress-gateway-init registers the ingress gateway service with Consul.
       - name: ingress-gateway-init
         image: {{ $root.Values.global.imageK8S }}
+        {{- include "consul.restrictedSecurityContext" $ | nindent 8 }}
         env:
         - name: NAMESPACE
           valueFrom:
@@ -233,6 +234,7 @@ spec:
       containers:
       - name: ingress-gateway
         image: {{ $root.Values.global.imageConsulDataplane | quote }}
+        {{- include "consul.restrictedSecurityContext" $ | nindent 8 }}
         {{- if (default $defaults.resources .resources) }}
         resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }}
         {{- end }}

@@ -81,6 +81,7 @@ spec:
       containers:
         - name: partition-init-job
           image: {{ .Values.global.imageK8S }}
+          {{- include "consul.restrictedSecurityContext" . | nindent 10 }}
           env:
           {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }}
           {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }}

@@ -77,6 +77,7 @@ spec:
       containers:
       - name: sync-catalog
         image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}"
+        {{- include "consul.restrictedSecurityContext" . | nindent 8 }}
         env:
         {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }}
         {{- if .Values.global.acls.manageSystemACLs }}

@@ -160,6 +160,7 @@ spec:
         # terminating-gateway-init registers the terminating gateway service with Consul.
         - name: terminating-gateway-init
           image: {{ $root.Values.global.imageK8S }}
+          {{- include "consul.restrictedSecurityContext" $ | nindent 10 }}
           env:
           - name: NAMESPACE
             valueFrom:
@@ -218,6 +219,7 @@ spec:
       containers:
         - name: terminating-gateway
           image: {{ $root.Values.global.imageConsulDataplane | quote }}
+          {{- include "consul.restrictedSecurityContext" $ | nindent 10 }}
           volumeMounts:
             - name: consul-service
               mountPath: /consul/service