335 lines
18 KiB
YAML
335 lines
18 KiB
YAML
{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
|
|
{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}}
|
|
{{- if (or $serverEnabled .Values.externalServers.enabled) }}
|
|
{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}}
|
|
{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}}
|
|
{{- if .Values.global.acls.manageSystemACLs }}
|
|
{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}}
|
|
{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}}
|
|
{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}}
|
|
{{ template "consul.validateRequiredCloudSecretsExist" . }}
|
|
{{ template "consul.validateCloudSecretKeys" . }}
|
|
{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}}
|
|
{{- /* We don't render this job when server.updatePartition > 0 because that
|
|
means a server rollout is in progress and this job won't complete unless
|
|
the rollout is finished (which won't happen until the partition is 0).
|
|
If we ran it in this case, then the job would not complete which would cause
|
|
the server-acl-init-cleanup hook to run indefinitely which would cause the
|
|
helm upgrade command to hang.
|
|
*/ -}}
|
|
{{- if eq (int .Values.server.updatePartition) 0 }}
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: {{ template "consul.fullname" . }}-server-acl-init
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
app: {{ template "consul.name" . }}
|
|
chart: {{ template "consul.chart" . }}
|
|
heritage: {{ .Release.Service }}
|
|
release: {{ .Release.Name }}
|
|
component: server-acl-init
|
|
{{- if .Values.global.extraLabels }}
|
|
{{- toYaml .Values.global.extraLabels | nindent 4 }}
|
|
{{- end }}
|
|
spec:
|
|
template:
|
|
metadata:
|
|
name: {{ template "consul.fullname" . }}-server-acl-init
|
|
labels:
|
|
app: {{ template "consul.name" . }}
|
|
chart: {{ template "consul.chart" . }}
|
|
release: {{ .Release.Name }}
|
|
component: server-acl-init
|
|
{{- if .Values.global.extraLabels }}
|
|
{{- toYaml .Values.global.extraLabels | nindent 8 }}
|
|
{{- end }}
|
|
annotations:
|
|
"consul.hashicorp.com/connect-inject": "false"
|
|
{{- if .Values.global.acls.annotations }}
|
|
{{- tpl .Values.global.acls.annotations . | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.global.secretsBackend.vault.enabled }}
|
|
|
|
{{- /* Run the Vault agent as both an init container and sidecar.
|
|
The Vault agent sidecar is needed when server-acl-init bootstraps ACLs
|
|
and writes the bootstrap token back to Vault.
|
|
* agent-pre-populate: true - Run the Vault agent init container.
|
|
* agent-pre-populate-only: false - Also, run the Vault agent sidecar.
|
|
* agent-cache-enable: true - Enable the Agent cache listener.
|
|
* agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200.
|
|
* agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init
|
|
tells the Vault agent to stop (without this the Job will not complete).
|
|
*/}}
|
|
"vault.hashicorp.com/agent-pre-populate": "true"
|
|
"vault.hashicorp.com/agent-pre-populate-only": "false"
|
|
"vault.hashicorp.com/agent-cache-enable": "true"
|
|
"vault.hashicorp.com/agent-cache-listener-port": "8200"
|
|
"vault.hashicorp.com/agent-enable-quit": "true"
|
|
"vault.hashicorp.com/agent-inject": "true"
|
|
{{- if .Values.global.acls.partitionToken.secretName }}
|
|
{{- with .Values.global.acls.partitionToken }}
|
|
"vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}"
|
|
"vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.global.tls.enabled }}
|
|
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
|
|
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
|
|
{{- end }}
|
|
{{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }}
|
|
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }}
|
|
{{- else if .Values.global.tls.enabled }}
|
|
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
|
|
{{- end }}
|
|
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
|
|
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
|
|
"vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
|
|
{{- end }}
|
|
{{- if .Values.global.acls.replicationToken.secretName }}
|
|
"vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}"
|
|
"vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }}
|
|
{{- end }}
|
|
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
|
|
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
|
|
{{- end }}
|
|
{{- end }}
|
|
spec:
|
|
restartPolicy: Never
|
|
serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init
|
|
{{- if .Values.server.containerSecurityContext.aclInit }}
|
|
securityContext:
|
|
{{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }}
|
|
{{- end }}
|
|
{{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }}
|
|
volumes:
|
|
{{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }}
|
|
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
|
|
- name: consul-ca-cert
|
|
secret:
|
|
{{- if .Values.global.tls.caCert.secretName }}
|
|
secretName: {{ .Values.global.tls.caCert.secretName }}
|
|
{{- else }}
|
|
secretName: {{ template "consul.fullname" . }}-ca-cert
|
|
{{- end }}
|
|
items:
|
|
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
|
|
path: tls.crt
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }}
|
|
- name: acl-replication-token
|
|
secret:
|
|
secretName: {{ .Values.global.acls.replicationToken.secretName }}
|
|
items:
|
|
- key: {{ .Values.global.acls.replicationToken.secretKey }}
|
|
path: acl-replication-token
|
|
{{- end }}
|
|
{{- end }}
|
|
containers:
|
|
- name: server-acl-init-job
|
|
image: {{ .Values.global.imageK8S }}
|
|
{{- if not .Values.server.containerSecurityContext.aclInit }}
|
|
{{- include "consul.restrictedSecurityContext" . | nindent 8 }}
|
|
{{- end }}
|
|
env:
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
# Extract the Vault namespace from the Vault agent annotations.
|
|
{{- if .Values.global.secretsBackend.vault.enabled }}
|
|
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
|
|
- name: VAULT_NAMESPACE
|
|
value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }}
|
|
{{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }}
|
|
volumeMounts:
|
|
{{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }}
|
|
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
|
|
- name: consul-ca-cert
|
|
mountPath: /consul/tls/ca
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }}
|
|
- name: acl-replication-token
|
|
mountPath: /consul/acl/tokens
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
command:
|
|
- "/bin/sh"
|
|
- "-ec"
|
|
- |
|
|
CONSUL_FULLNAME="{{template "consul.fullname" . }}"
|
|
|
|
consul-k8s-control-plane server-acl-init \
|
|
-log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \
|
|
-log-json={{ .Values.global.logJSON }} \
|
|
-resource-prefix=${CONSUL_FULLNAME} \
|
|
-k8s-namespace={{ .Release.Namespace }} \
|
|
-set-server-tokens={{ $serverEnabled }} \
|
|
{{- if .Values.global.secretsBackend.vault.enabled }}
|
|
-secrets-backend=vault \
|
|
{{- else }}
|
|
-secrets-backend=kubernetes \
|
|
{{- end }}
|
|
|
|
{{- if .Values.global.acls.bootstrapToken.secretName }}
|
|
-bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \
|
|
-bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \
|
|
{{- end }}
|
|
|
|
{{- if .Values.syncCatalog.enabled }}
|
|
-sync-catalog=true \
|
|
{{- if .Values.syncCatalog.consulNodeName }}
|
|
-sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- if .Values.global.peering.enabled }}
|
|
-enable-peering=true \
|
|
{{- end }}
|
|
{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }}
|
|
-allow-dns=true \
|
|
{{- end }}
|
|
|
|
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
|
|
-connect-inject=true \
|
|
{{- end }}
|
|
{{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }}
|
|
-auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \
|
|
{{- end }}
|
|
|
|
{{- if .Values.global.federation.k8sAuthMethodHost }}
|
|
-auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \
|
|
{{- end }}
|
|
|
|
{{- if .Values.meshGateway.enabled }}
|
|
-mesh-gateway=true \
|
|
{{- end }}
|
|
|
|
{{- if .Values.ingressGateways.enabled }}
|
|
{{- if .Values.global.enableConsulNamespaces }}
|
|
{{- $root := . }}
|
|
{{- range .Values.ingressGateways.gateways }}
|
|
{{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}
|
|
-ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \
|
|
{{- else }}
|
|
-ingress-gateway-name="{{ .name }}" \
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- else }}
|
|
{{- range .Values.ingressGateways.gateways }}
|
|
-ingress-gateway-name="{{ .name }}" \
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- if .Values.terminatingGateways.enabled }}
|
|
{{- if .Values.global.enableConsulNamespaces }}
|
|
{{- $root := . }}
|
|
{{- range .Values.terminatingGateways.gateways }}
|
|
{{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}
|
|
-terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \
|
|
{{- else }}
|
|
-terminating-gateway-name="{{ .name }}" \
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- else }}
|
|
{{- range .Values.terminatingGateways.gateways }}
|
|
-terminating-gateway-name="{{ .name }}" \
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- if .Values.connectInject.aclBindingRuleSelector }}
|
|
-acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \
|
|
{{- end }}
|
|
|
|
{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }}
|
|
-create-enterprise-license-token=true \
|
|
{{- end }}
|
|
|
|
{{- if .Values.server.snapshotAgent.enabled }}
|
|
-snapshot-agent=true \
|
|
{{- end }}
|
|
|
|
{{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
|
|
-client=false \
|
|
{{- end }}
|
|
|
|
{{- if .Values.global.acls.createReplicationToken }}
|
|
-create-acl-replication-token=true \
|
|
{{- end }}
|
|
|
|
{{- if .Values.global.federation.enabled }}
|
|
-federation=true \
|
|
{{- end }}
|
|
|
|
{{- if .Values.global.acls.replicationToken.secretName }}
|
|
{{- if .Values.global.secretsBackend.vault.enabled }}
|
|
-acl-replication-token-file=/vault/secrets/replication-token \
|
|
{{- else }}
|
|
-acl-replication-token-file=/consul/acl/tokens/acl-replication-token \
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }}
|
|
-partition-token-file=/vault/secrets/partition-token \
|
|
{{- end }}
|
|
|
|
{{- if .Values.apiGateway.enabled }}
|
|
-api-gateway-controller=true \
|
|
{{- end }}
|
|
|
|
{{- if .Values.global.enableConsulNamespaces }}
|
|
-enable-namespaces=true \
|
|
{{- /* syncCatalog must be enabled to set sync flags */}}
|
|
{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
|
|
{{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }}
|
|
-consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \
|
|
{{- end }}
|
|
{{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }}
|
|
-enable-sync-k8s-namespace-mirroring=true \
|
|
{{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }}
|
|
-sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- /* connectInject must be enabled to set inject flags */}}
|
|
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
|
|
{{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }}
|
|
-consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \
|
|
{{- end }}
|
|
{{- if .Values.connectInject.consulNamespaces.mirroringK8S }}
|
|
-enable-inject-k8s-namespace-mirroring=true \
|
|
{{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}
|
|
-inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.global.acls.resources }}
|
|
resources:
|
|
{{- toYaml .Values.global.acls.resources | nindent 10 }}
|
|
{{- end }}
|
|
{{- if .Values.global.acls.tolerations }}
|
|
tolerations:
|
|
{{ tpl .Values.global.acls.tolerations . | indent 8 | trim }}
|
|
{{- end }}
|
|
{{- if .Values.global.acls.nodeSelector }}
|
|
nodeSelector:
|
|
{{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|