Merge pull request hashicorp#37 from anubhavmishra/service-account-ge…

…nerate-certs

Add a Service account for the Consul Connect Injector to generate certificates automatically

templates/connect-inject-clusterrole.yaml

@@ -0,0 +1,20 @@
+# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.
+{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ template "consul.fullname" . }}-connect-injector-webhook
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+rules:
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations"]
+  verbs: 
+    - "get"
+    - "list"
+    - "watch"
+    - "patch"
+{{- end }}

templates/connect-inject-clusterrolebinding.yaml

@@ -0,0 +1,19 @@
+{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "consul.fullname" . }}-connect-injector-webhook-admin-role-binding
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "consul.fullname" . }}-connect-injector-webhook
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
+    namespace: {{ .Release.Namespace }}
+{{- end }}

templates/connect-inject-deployment.yaml

@@ -25,6 +25,9 @@ spec:
         release: {{ .Release.Name }}
         component: connect-injector
     spec:
+  {{- if not .Values.connectInject.certs.secretName }}
+      serviceAccountName: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
+  {{- end }}
       containers:
         - name: sidecar-injector
           image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}"

templates/connect-inject-serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- end }}

test/unit/connect-inject-clusterrole.bats

@@ -0,0 +1,53 @@
+#!/usr/bin/env bats
+
+load _helpers
+@test "connectInject/ClusterRole: disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-clusterrole.yaml  \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/ClusterRole: enabled with global.enabled false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-clusterrole.yaml  \
+      --set 'global.enabled=false' \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq -s 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "connectInject/ClusterRole: disabled with connectInject.enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-clusterrole.yaml  \
+      --set 'connectInject.enabled=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/ClusterRole: disabled with connectInject.certs.secretName set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-clusterrole.yaml  \
+      --set 'connectInject.enabled=true' \
+      --set 'connectInject.certs.secretName=foo' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/ClusterRole: enabled with connectInject.certs.secretName not set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-clusterrole.yaml  \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}

test/unit/connect-inject-clusterrolebinding.bats

@@ -0,0 +1,53 @@
+#!/usr/bin/env bats
+
+load _helpers
+@test "connectInject/ClusterRoleBinding: disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-clusterrolebinding.yaml  \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/ClusterRoleBinding: enabled with global.enabled false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-clusterrolebinding.yaml  \
+      --set 'global.enabled=false' \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq -s 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "connectInject/ClusterRoleBinding: disabled with connectInject.enabled false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-clusterrolebinding.yaml  \
+      --set 'connectInject.enabled=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/ClusterRoleBinding: disabled with connectInject.certs.secretName set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-clusterrolebinding.yaml  \
+      --set 'connectInject.enabled=true' \
+      --set 'connectInject.certs.secretName=foo' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/ClusterRoleBinding: enabled with connectInject.certs.secretName not set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-clusterrolebinding.yaml  \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}

test/unit/connect-inject-deployment.bats

@@ -165,3 +165,28 @@ load _helpers
       yq '.spec.template.spec.containers[0].command | any(contains("-tls-auto"))' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
+
+
+#--------------------------------------------------------------------
+# service account name
+
+@test "connectInject/Deployment: with secretName: no serviceAccountName set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-deployment.yaml  \
+      --set 'connectInject.certs.secretName=foo' \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.serviceAccountName | has("serviceAccountName")' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/Deployment: no secretName: serviceAccountName set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-deployment.yaml  \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.serviceAccountName | contains("connect-injector-webhook-svc-account")' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}

test/unit/connect-inject-serviceaccount.bats

@@ -0,0 +1,53 @@
+#!/usr/bin/env bats
+
+load _helpers
+@test "connectInject/ServiceAccount: disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-serviceaccount.yaml  \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/ServiceAccount: enabled with global.enabled false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-serviceaccount.yaml  \
+      --set 'global.enabled=false' \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq -s 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "connectInject/ServiceAccount: disabled with connectInject.enabled false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-serviceaccount.yaml  \
+      --set 'connectInject.enabled=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/ServiceAccount: disabled with connectInject.certs.secretName set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-serviceaccount.yaml  \
+      --set 'connectInject.enabled=true' \
+      --set 'connectInject.certs.secretName=foo' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/ServiceAccount: enabled with connectInject.certs.secretName not set" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-serviceaccount.yaml  \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}

values.yaml

@@ -189,7 +189,8 @@ connectInject:
   certs:
     # secretName is the name of the secret that has the TLS certificate and
     # private key to serve the injector webhook. If this is null, then the
-    # injector will default to its automatic management mode.
+    # injector will default to its automatic management mode that will assign
+    # a service account to the injector to generate its own certificates.
     secretName: null
 
     # caBundle is a base64-encoded PEM-encoded certificate bundle for the