hashicorp · DanStough · Aug 23, 2023 · Aug 18, 2023 · Aug 23, 2023 · Aug 23, 2023
@@ -446,3 +446,52 @@ Usage: {{ template "consul.validateTelemetryCollectorCloud" . }}
 {{fail "When telemetryCollector has clientId and clientSecret .global.cloud.resourceId.secretKey must be set"}}
 {{- end }}
 {{- end -}}
+
+{{/*
+Fails if global.experiments.resourceAPIs is set along with any of these unsupported features.
+- global.peering.enabled
+- global.federation.enabled
+- global.cloud.enabled
+- client.enabled
+- ui.enabled
+- syncCatalog.enabled
+- meshGateway.enabled
+- ingressGateways.enabled
+- terminatingGateways.enabled
+- apiGateway.enabled
+
+Usage: {{ template "consul.validateResourceAPIs" . }}
+
+*/}}
+{{- define "consul.validateResourceAPIs" -}}
+{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }}
+{{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}}
+{{- end }}
+{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }}
+{{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}}
+{{- end }}
+{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.cloud.enabled ) }}
+{{fail "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported."}}
+{{- end }}
+{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.client.enabled ) }}
+{{fail "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported."}}
+{{- end }}
+{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ui.enabled ) }}
+{{fail "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported."}}
+{{- end }}
+{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }}
+{{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}}
+{{- end }}
+{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled ) }}
+{{fail "When the value global.experiments.resourceAPIs is set, meshGateway.enabled is currently unsupported."}}
+{{- end }}
+{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }}
+{{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}}
+{{- end }}
+{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }}
+{{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}}
+{{- end }}
+{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.apiGateway.enabled ) }}
+{{fail "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported."}}
+{{- end }}
+{{- end }}
@@ -11,6 +11,7 @@
 {{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}}
 {{ template "consul.validateRequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
+{{ template "consul.validateResourceAPIs" . }}
 # The deployment for running the Connect sidecar injector
 apiVersion: apps/v1
 kind: Deployment
@@ -146,6 +147,9 @@ spec:
                 -release-namespace="{{ .Release.Namespace }}" \
                 -resource-prefix={{ template "consul.fullname" . }} \
                 -listen=:8080 \
+                {{- if (mustHas "resource-apis" .Values.global.experiments) }}
+                -enable-resource-apis=true
+                {{- end }}
                 {{- range $k, $v := .Values.connectInject.consulNode.meta }}
                 -node-meta={{ $k }}={{ $v }} \
                 {{- end }}

@@ -114,6 +114,9 @@ spec:
                 {{- if .Values.global.cloud.enabled }}
                 -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
                 {{- end }}
+                {{- if (mustHas "resource-apis" .Values.global.experiments) }}
+                -enable-resource-apis=true
+                {{- end }}
           resources:
             requests:
               memory: "50Mi"

@@ -415,6 +415,9 @@ spec:
                 {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }}
                 -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"
                 {{- end }}
+                {{- if (mustHas "resource-apis" .Values.global.experiments) }}
+                -hcl="experiments=[\"resource-apis\"]"
+                {{- end }}
           volumeMounts:
             - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }}
               mountPath: /consul/data

@@ -2587,3 +2587,30 @@ reservedNameTest() {
     jq -r '. | select( .name == "CONSUL_TLS_SERVER_NAME").value' | tee /dev/stderr)
   [ "${actual}" = "server.dc1.consul" ]
 }
+
+#--------------------------------------------------------------------
+# resource-apis
+
+@test "connectInject/Deployment: resource-apis is not set by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/connect-inject-deployment.yaml  \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("-enable-resource-apis=true"))' | tee /dev/stderr)
+
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/Deployment: -enable-resource-apis=true is set when global.experiments contains [\"resource-apis\"] " {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/connect-inject-deployment.yaml  \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("-enable-resource-apis=true"))' | tee /dev/stderr)
+
+  [ "${actual}" = "true" ]
+}
@@ -327,3 +327,140 @@ load _helpers
   actual=$(echo $object | jq '.volumeMounts[] | select(.name == "consul-ca-cert")')
   [ "${actual}" = "" ]
 }
+
+#--------------------------------------------------------------------
+# consul.validateResourceAPIs
+# These tests use test-runner.yaml to test the
+# consul.validateResourceAPIs helper since we need an existing template
+
+@test "connectInject/Deployment: fails if resource-apis is set and peering is enabled" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/tests/test-runner.yaml \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      --set 'global.tls.enabled=true' \
+      --set 'meshGateway.enabled=true' \
+      --set 'global.peering.enabled=true' \
+      .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported." ]]
+}
+
+@test "connectInject/Deployment: fails if resource-apis is set and federation is enabled" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/tests/test-runner.yaml \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      --set 'global.tls.enabled=true' \
+      --set 'meshGateway.enabled=true' \
+      --set 'global.federation.enabled=true' \
+      .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported." ]]
+}
+
+@test "connectInject/Deployment: fails if resource-apis is set and cloud is enabled" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/tests/test-runner.yaml \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      --set 'global.cloud.enabled=true' \
+      --set 'global.cloud.resourceId.secretName=hello' \
+      --set 'global.cloud.resourceId.secretKey=hello' \
+      --set 'global.cloud.clientId.secretName=hello' \
+      --set 'global.cloud.clientId.secretKey=hello' \
+      --set 'global.cloud.clientSecret.secretName=hello' \
+      --set 'global.cloud.clientSecret.secretKey=hello' \
+      .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported." ]]
+}
+
+@test "connectInject/Deployment: fails if resource-apis is set and client is enabled" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/tests/test-runner.yaml \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      --set 'client.enabled=true' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported." ]]
+}
+
+@test "connectInject/Deployment: fails if resource-apis is set and ui is enabled" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/tests/test-runner.yaml \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported." ]]
+}
+
+@test "connectInject/Deployment: fails if resource-apis is set and syncCatalog is enabled" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/tests/test-runner.yaml \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      --set 'syncCatalog.enabled=true' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported." ]]
+}
+
+@test "connectInject/Deployment: fails if resource-apis is set and meshGateway is enabled" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/tests/test-runner.yaml \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      --set 'meshGateway.enabled=true' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, meshGateway.enabled is currently unsupported." ]]
+}
+
+@test "connectInject/Deployment: fails if resource-apis is set and ingressGateways is enabled" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/tests/test-runner.yaml \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      --set 'ingressGateways.enabled=true' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported." ]]
+}
+
+@test "connectInject/Deployment: fails if resource-apis is set and terminatingGateways is enabled" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/tests/test-runner.yaml \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      --set 'terminatingGateways.enabled=true' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported." ]]
+}
+
+@test "connectInject/Deployment: fails if resource-apis is set and apiGateway is enabled" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/tests/test-runner.yaml \
+      --set 'connectInject.enabled=true' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      --set 'apiGateway.enabled=true' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported." ]]
+}
@@ -938,3 +938,43 @@ reservedNameTest() {
   [ "${actualTemplateFoo}" = "bar" ]
   [ "${actualTemplateBaz}" = "qux" ]
 }
+
+#--------------------------------------------------------------------
+# global.experiments=["resource-apis"]
+
+@test "partitionInit/Job: -enable-resource-apis=true is not set in command when global.experiments is empty" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/partition-init-job.yaml \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.enableConsulNamespaces=true' \
+      --set 'server.enabled=false' \
+      --set 'global.adminPartitions.name=bar' \
+      --set 'externalServers.enabled=true' \
+      --set 'externalServers.hosts[0]=foo' \
+      . | tee /dev/stderr)
+
+  # Test the flag is set.
+  local actual=$(echo "$object" |
+    yq '.spec.template.spec.containers[] | select(.name == "partition-init-job") | .command | any(contains("-enable-resource-apis=true"))' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "partitionInit/Job:  -enable-resource-apis=true is set in command when global.experiments contains \"resource-apis\"" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/partition-init-job.yaml \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.enableConsulNamespaces=true' \
+      --set 'server.enabled=false' \
+      --set 'global.adminPartitions.name=bar' \
+      --set 'externalServers.enabled=true' \
+      --set 'externalServers.hosts[0]=foo' \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      . | tee /dev/stderr)
+
+  local actual=$(echo "$object" |
+    yq '.spec.template.spec.containers[] | select(.name == "partition-init-job") | .command | any(contains("-enable-resource-apis=true"))' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
@@ -2896,3 +2896,31 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \
       yq -r '.spec.template.spec.containers[1].command[2] | contains("-interval=10h34m5s")' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# global.experiments=["resource-apis"]
+
+@test "server/StatefulSet: experiments=[\"resource-apis\"] is not set in command when global.experiments is empty" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      . | tee /dev/stderr)
+
+  # Test the flag is set.
+  local actual=$(echo "$object" |
+    yq '.spec.template.spec.containers[] | select(.name == "consul") | .command | any(contains("-hcl=\"experiments=[\\\"resource-apis\\\"]\""))' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "server/StatefulSet: experiments=[\"resource-apis\"] is set in command when global.experiments contains \"resource-apis\"" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/server-statefulset.yaml  \
+      --set 'global.experiments[0]=resource-apis' \
+      --set 'ui.enabled=false' \
+      . | tee /dev/stderr)
+
+  local actual=$(echo "$object" |
+    yq '.spec.template.spec.containers[] | select(.name == "consul") | .command | any(contains("-hcl=\"experiments=[\\\"resource-apis\\\"]\""))' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
@@ -735,6 +735,24 @@ global:
   # @type: array<string>
   trustedCAs: [ ]
 
+  # Consul feature flags that will be enabled across components.
+  # Supported feature flags:
+  # * `resource-apis`:
+  #   _**Danger**_! This feature is under active development. It is not
+  #   recommended for production use. Setting this flag during an
+  #   upgrade could risk breaking your Consul cluster.
+  #   If this flag is set, Consul components will use the
+  #   V2 resources APIs for all operations.
+  #
+  # Example:
+  #
+  # ```yaml
+  # experiments: [ "resource-apis" ]
+  # ```
+  # @type: array<string>
+  experiments: [ ]
+
+
 # Server, when enabled, configures a server cluster to run. This should
 # be disabled if you plan on connecting to a Consul cluster external to
 # the Kube cluster.