hashicorp · DanStough · Sep 5, 2023 · Aug 23, 2023 · Aug 31, 2023
@@ -21,11 +21,12 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 
+	"github.com/hashicorp/consul/api"
+
 	"github.com/hashicorp/consul-k8s/control-plane/api-gateway/common"
 	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 	"github.com/hashicorp/consul-k8s/control-plane/consul"
 	"github.com/hashicorp/consul-k8s/control-plane/helper/test"
-	"github.com/hashicorp/consul/api"
 )
 
 func Test_resourceCache_diff(t *testing.T) {
@@ -1322,7 +1323,7 @@ func TestCache_Write(t *testing.T) {
 					GRPCPort:        port,
 					APITimeout:      0,
 				},
-				ConsulServerConnMgr: test.MockConnMgrForIPAndPort(serverURL.Hostname(), port),
+				ConsulServerConnMgr: test.MockConnMgrForIPAndPort(t, serverURL.Hostname(), port, false),
 				NamespacesEnabled:   false,
 				Logger:              logrtest.NewTestLogger(t),
 			})
@@ -1600,7 +1601,7 @@ func Test_Run(t *testing.T) {
 			GRPCPort:        port,
 			APITimeout:      0,
 		},
-		ConsulServerConnMgr: test.MockConnMgrForIPAndPort(serverURL.Hostname(), port),
+		ConsulServerConnMgr: test.MockConnMgrForIPAndPort(t, serverURL.Hostname(), port, false),
 		NamespacesEnabled:   false,
 		Logger:              logrtest.NewTestLogger(t),
 	})
@@ -2001,7 +2002,7 @@ func TestCache_Delete(t *testing.T) {
 					GRPCPort:        port,
 					APITimeout:      0,
 				},
-				ConsulServerConnMgr: test.MockConnMgrForIPAndPort(serverURL.Hostname(), port),
+				ConsulServerConnMgr: test.MockConnMgrForIPAndPort(t, serverURL.Hostname(), port, false),
 				NamespacesEnabled:   false,
 				Logger:              logrtest.NewTestLogger(t),
 			})

@@ -13,12 +13,13 @@ import (
 	"testing"
 	"time"
 
-	"github.com/hashicorp/consul-k8s/control-plane/consul"
-	"github.com/hashicorp/consul-k8s/control-plane/helper/test"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/sdk/testutil/retry"
 	"github.com/hashicorp/go-hclog"
 	"github.com/stretchr/testify/require"
+
+	"github.com/hashicorp/consul-k8s/control-plane/consul"
+	"github.com/hashicorp/consul-k8s/control-plane/helper/test"
 )
 
 const (
@@ -233,7 +234,7 @@ func TestConsulSyncer_stopsGracefully(t *testing.T) {
 
 	testClient := &test.TestServerClient{
 		Cfg:     &consul.Config{APIClientConfig: &api.Config{}, HTTPPort: port},
-		Watcher: test.MockConnMgrForIPAndPort(parsedURL.Host, port),
+		Watcher: test.MockConnMgrForIPAndPort(t, parsedURL.Host, port, false),
 	}
 
 	// Start the syncer.

@@ -8,8 +8,11 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
+	mapset "github.com/deckarep/golang-set"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 )
 
 // DetermineAndValidatePort behaves as follows:
@@ -90,6 +93,26 @@ func ShouldOverwriteProbes(pod corev1.Pod, globalOverwrite bool) (bool, error) {
 	return globalOverwrite, nil
 }
 
+// ShouldIgnore ignores namespaces where we don't mesh-inject.
+func ShouldIgnore(namespace string, denySet, allowSet mapset.Set) bool {
+	// Ignores system namespaces.
+	if namespace == metav1.NamespaceSystem || namespace == metav1.NamespacePublic || namespace == "local-path-storage" {
+		return true
+	}
+
+	// Ignores deny list.
+	if denySet.Contains(namespace) {
+		return true
+	}
+
+	// Ignores if not in allow list or allow list is not *.
+	if !allowSet.Contains("*") && !allowSet.Contains(namespace) {
+		return true
+	}
+
+	return false
+}
+
 func ConsulNodeNameFromK8sNode(nodeName string) string {
 	return fmt.Sprintf("%s-virtual", nodeName)
 }
@@ -6,11 +6,13 @@ package common
 import (
 	"testing"
 
-	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
-	"github.com/hashicorp/consul-k8s/control-plane/namespaces"
+	mapset "github.com/deckarep/golang-set"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
+	"github.com/hashicorp/consul-k8s/control-plane/namespaces"
 )
 
 func TestCommonDetermineAndValidatePort(t *testing.T) {
@@ -259,3 +261,56 @@ func minimal() *corev1.Pod {
 		},
 	}
 }
+
+func TestShouldIgnore(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		name      string
+		namespace string
+		denySet   mapset.Set
+		allowSet  mapset.Set
+		expected  bool
+	}{
+		{
+			name:      "system namespace",
+			namespace: "kube-system",
+			denySet:   mapset.NewSetWith(),
+			allowSet:  mapset.NewSetWith("*"),
+			expected:  true,
+		},
+		{
+			name:      "other system namespace",
+			namespace: "local-path-storage",
+			denySet:   mapset.NewSetWith(),
+			allowSet:  mapset.NewSetWith("*"),
+			expected:  true,
+		},
+		{
+			name:      "any namespace allowed",
+			namespace: "foo",
+			denySet:   mapset.NewSetWith(),
+			allowSet:  mapset.NewSetWith("*"),
+			expected:  false,
+		},
+		{
+			name:      "in deny list",
+			namespace: "foo",
+			denySet:   mapset.NewSetWith("foo"),
+			allowSet:  mapset.NewSetWith("*"),
+			expected:  true,
+		},
+		{
+			name:      "not in allow list",
+			namespace: "foo",
+			denySet:   mapset.NewSetWith(),
+			allowSet:  mapset.NewSetWith("bar"),
+			expected:  true,
+		},
+	}
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := ShouldIgnore(tt.namespace, tt.denySet, tt.allowSet)
+			require.Equal(t, tt.expected, actual)
+		})
+	}
+}
@@ -181,8 +181,12 @@ const (
 	// to explicitly perform the peering operation again.
 	AnnotationPeeringVersion = "consul.hashicorp.com/peering-version"
 
+	// LegacyAnnotationConsulK8sVersion is the current version of this binary.
+	// TODO: remove this annotation in a future release.
+	LegacyAnnotationConsulK8sVersion = "consul.hashicorp.com/connect-k8s-version"
+
 	// AnnotationConsulK8sVersion is the current version of this binary.
-	AnnotationConsulK8sVersion = "consul.hashicorp.com/connect-k8s-version"
+	AnnotationConsulK8sVersion = "consul.hashicorp.com/consul-k8s-version"
 
 	// LabelServiceIgnore is a label that can be added to a service to prevent it from being
 	// registered with Consul.
@@ -202,6 +206,25 @@ const (
 	ManagedByValue = "consul-k8s-endpoints-controller"
 )
 
+// ********************
+// V2 Exclusive Annotations & Labels
+// ********************
+
+const (
+	// AnnotationMeshInject is the key of the annotation that controls whether
+	// V2 mesh injection is explicitly enabled or disabled for a pod using.
+	// be set to a truthy or falsy value, as parseable by strconv.ParseBool.
+	AnnotationMeshInject = "consul.hashicorp.com/mesh-inject"
+
+	// KeyMeshInjectStatus is the key of the annotation that is added to
+	// a pod after an injection is done.
+	KeyMeshInjectStatus = "consul.hashicorp.com/mesh-inject-status"
+
+	// ManagedByPodValue is used in Consul metadata to identify the manager
+	// of this resource.
+	ManagedByPodValue = "consul-k8s-pod-controller"
+)
+
 // Annotations used by Prometheus.
 const (
 	AnnotationPrometheusScrape = "prometheus.io/scrape"

@@ -7,6 +7,12 @@ const (
 	// ConsulCAFile is the location of the Consul CA file inside the injected pod.
 	ConsulCAFile = "/consul/connect-inject/consul-ca.pem"
 
+	// DefaultConsulNS is the default Consul namespace name.
+	DefaultConsulNS = "default"
+
+	// DefaultConsulPartition is the default Consul partition name.
+	DefaultConsulPartition = "default"
+
 	// ProxyDefaultInboundPort is the default inbound port for the proxy.
 	ProxyDefaultInboundPort = 20000
 

@@ -6,20 +6,26 @@ package endpoints
 import (
 	"fmt"
 
-	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
-	"github.com/hashicorp/consul-k8s/control-plane/consul"
 	"github.com/hashicorp/consul-server-connection-manager/discovery"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/go-version"
 	corev1 "k8s.io/api/core/v1"
+
+	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
+	"github.com/hashicorp/consul-k8s/control-plane/consul"
 )
 
 const minSupportedConsulDataplaneVersion = "v1.0.0-beta1"
 
 // isConsulDataplaneSupported returns true if the consul-k8s version on the pod supports
 // consul-dataplane architecture of Consul.
 func isConsulDataplaneSupported(pod corev1.Pod) bool {
-	if anno, ok := pod.Annotations[constants.AnnotationConsulK8sVersion]; ok {
+	anno, ok := pod.Annotations[constants.LegacyAnnotationConsulK8sVersion]
+	if !ok {
+		anno, ok = pod.Annotations[constants.AnnotationConsulK8sVersion]
+	}
+
+	if ok {
 		consulK8sVersion, err := version.NewVersion(anno)
 		if err != nil {
 			// Only consul-k8s v1.0.0+ (including pre-release versions) have the version annotation. So it would be

@@ -7,14 +7,15 @@ import (
 	"testing"
 
 	logrtest "github.com/go-logr/logr/testr"
-	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
-	"github.com/hashicorp/consul-k8s/control-plane/helper/test"
 	"github.com/hashicorp/consul-server-connection-manager/discovery"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/sdk/testutil"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
+	"github.com/hashicorp/consul-k8s/control-plane/helper/test"
 )
 
 func TestIsConsulDataplaneSupported(t *testing.T) {
@@ -46,7 +47,7 @@ func TestIsConsulDataplaneSupported(t *testing.T) {
 				},
 			}
 			if version != "" {
-				pod.ObjectMeta.Annotations[constants.AnnotationConsulK8sVersion] = version
+				pod.ObjectMeta.Annotations[constants.LegacyAnnotationConsulK8sVersion] = version
 			}
 
 			require.Equal(t, c.expIsConsulDataplaneSupported, isConsulDataplaneSupported(pod))

@@ -13,22 +13,22 @@ import (
 
 	mapset "github.com/deckarep/golang-set"
 	"github.com/go-logr/logr"
-	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/common"
-	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
-	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/metrics"
-	"github.com/hashicorp/consul-k8s/control-plane/consul"
-	"github.com/hashicorp/consul-k8s/control-plane/helper/parsetags"
-	"github.com/hashicorp/consul-k8s/control-plane/namespaces"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/go-multierror"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/common"
+	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
+	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/metrics"
+	"github.com/hashicorp/consul-k8s/control-plane/consul"
+	"github.com/hashicorp/consul-k8s/control-plane/helper/parsetags"
+	"github.com/hashicorp/consul-k8s/control-plane/namespaces"
 )
 
 const (
@@ -142,7 +142,7 @@ func (r *Controller) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	var serviceEndpoints corev1.Endpoints
 
 	// Ignore the request if the namespace of the endpoint is not allowed.
-	if shouldIgnore(req.Namespace, r.DenyK8sNamespacesSet, r.AllowK8sNamespacesSet) {
+	if common.ShouldIgnore(req.Namespace, r.DenyK8sNamespacesSet, r.AllowK8sNamespacesSet) {
 		return ctrl.Result{}, nil
 	}
 
@@ -1287,26 +1287,6 @@ func (r *Controller) processLabeledUpstream(pod corev1.Pod, rawUpstream string)
 	return upstream, nil
 }
 
-// shouldIgnore ignores namespaces where we don't connect-inject.
-func shouldIgnore(namespace string, denySet, allowSet mapset.Set) bool {
-	// Ignores system namespaces.
-	if namespace == metav1.NamespaceSystem || namespace == metav1.NamespacePublic || namespace == "local-path-storage" {
-		return true
-	}
-
-	// Ignores deny list.
-	if denySet.Contains(namespace) {
-		return true
-	}
-
-	// Ignores if not in allow list or allow list is not *.
-	if !allowSet.Contains("*") && !allowSet.Contains(namespace) {
-		return true
-	}
-
-	return false
-}
-
 // consulNamespace returns the Consul destination namespace for a provided Kubernetes namespace
 // depending on Consul Namespaces being enabled and the value of namespace mirroring.
 func (r *Controller) consulNamespace(namespace string) string {

@@ -14,9 +14,6 @@ import (
 	logrtest "github.com/go-logr/logr/testing"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
-	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
-	"github.com/hashicorp/consul-k8s/control-plane/helper/test"
-	"github.com/hashicorp/consul-k8s/control-plane/namespaces"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/sdk/testutil"
 	"github.com/stretchr/testify/require"
@@ -26,6 +23,10 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
+	"github.com/hashicorp/consul-k8s/control-plane/helper/test"
+	"github.com/hashicorp/consul-k8s/control-plane/namespaces"
 )
 
 // TestReconcileCreateEndpoint tests the logic to create service instances in Consul from the addresses in the Endpoints
@@ -2121,7 +2122,7 @@ func createPodWithNamespace(name, namespace, ip string, inject bool, managedByEn
 			Namespace: namespace,
 			Labels:    map[string]string{},
 			Annotations: map[string]string{
-				constants.AnnotationConsulK8sVersion: "1.0.0",
+				constants.LegacyAnnotationConsulK8sVersion: "1.0.0",
 			},
 		},
 		Status: corev1.PodStatus{