hashicorp · natemollica-nm · Jan 22, 2025 · Jan 22, 2025 · Jan 24, 2025 · Jan 24, 2025
@@ -0,0 +1,3 @@
+```release-note:bug
+control-plane: Fixed bug in TerminatingGateway controller workflow for handling AdminPartition enabled cluster ACL policies for associated TerminatingGateway services ([NET-12039](https://hashicorp.atlassian.net/browse/NET-12039)).
+```
@@ -0,0 +1,3 @@
+```release-note:feature
+control-plane: Add available Zone Kubernetes Topology Metadata for NodePort Service when Syncing Kubernetes Services.
+```
@@ -0,0 +1,3 @@
+```release-note:enhancement
+helm: Add support for `server.snapshotAgent.extraVolumes` and `server.snapshotAgent.extraEnvironmentVars` so privileged credentials can be configured for the snapshot agent.
+```
@@ -0,0 +1,3 @@
+```release-note:enhancement
+security: Support running Consul under Pod Security Admissions (PSA) restricted mode.
+```
@@ -481,9 +481,17 @@ func (h *HelmCluster) CreatePortForwardTunnel(t *testing.T, remotePort int, rele
 		releaseName = release[0]
 	}
 	serverPod := fmt.Sprintf("%s-consul-server-0", releaseName)
+	if releaseName == "" {
+		serverPod = "consul-server-0"
+	}
 	return portforward.CreateTunnelToResourcePort(t, serverPod, remotePort, h.helmOptions.KubectlOptions, h.logger)
 }
 
+// For instances when namespace is being manually set by the test and needs to be overridden.
+func (h *HelmCluster) SetNamespace(ns string) {
+	h.helmOptions.KubectlOptions.Namespace = ns
+}
+
 func (h *HelmCluster) SetupConsulClient(t *testing.T, secure bool, release ...string) (client *api.Client, configAddress string) {
 	t.Helper()
 
@@ -514,10 +522,17 @@ func (h *HelmCluster) SetupConsulClient(t *testing.T, secure bool, release ...st
 				// and will try to read the replication token from the federation secret.
 				// In secondary servers, we don't create a bootstrap token since ACLs are only bootstrapped in the primary.
 				// Instead, we provide a replication token that serves the role of the bootstrap token.
-				aclSecret, err := h.kubernetesClient.CoreV1().Secrets(namespace).Get(context.Background(), releaseName+"-consul-bootstrap-acl-token", metav1.GetOptions{})
+				aclSecretName := releaseName + "-consul-bootstrap-acl-token"
+				if releaseName == "" {
+					aclSecretName = "consul-bootstrap-acl-token"
+				}
+				aclSecret, err := h.kubernetesClient.CoreV1().Secrets(namespace).Get(context.Background(), aclSecretName, metav1.GetOptions{})
 				if err != nil && errors.IsNotFound(err) {
-					federationSecret := fmt.Sprintf("%s-consul-federation", releaseName)
-					aclSecret, err = h.kubernetesClient.CoreV1().Secrets(namespace).Get(context.Background(), federationSecret, metav1.GetOptions{})
+					federationSecretName := fmt.Sprintf("%s-consul-federation", releaseName)
+					if releaseName == "" {
+						federationSecretName = "consul-federation"
+					}
+					aclSecret, err = h.kubernetesClient.CoreV1().Secrets(namespace).Get(context.Background(), federationSecretName, metav1.GetOptions{})
 					require.NoError(r, err)
 					config.Token = string(aclSecret.Data["replicationToken"])
 				} else if err == nil {

@@ -11,13 +11,14 @@ import (
 	"time"
 
 	"github.com/gruntwork-io/terratest/modules/k8s"
-	"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
-	"github.com/hashicorp/consul-k8s/acceptance/framework/logger"
 	"github.com/hashicorp/consul/sdk/testutil/retry"
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	"k8s.io/apimachinery/pkg/util/yaml"
+
+	"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
+	"github.com/hashicorp/consul-k8s/acceptance/framework/logger"
 )
 
 // Deploy creates a Kubernetes deployment by applying configuration stored at filepath,
@@ -141,15 +142,15 @@ func CheckStaticServerConnectionMultipleFailureMessages(t *testing.T, options *k
 			require.Contains(r, output, expectedOutput)
 		} else {
 			require.Error(r, err)
-			require.Condition(r, func() bool {
+			require.Conditionf(r, func() bool {
 				exists := false
 				for _, msg := range failureMessages {
 					if strings.Contains(output, msg) {
 						exists = true
 					}
 				}
 				return exists
-			})
+			}, "expected failure messages %q but got %q", failureMessages, output)
 		}
 	})
 }

@@ -8,15 +8,16 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
-	"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
-	"github.com/hashicorp/consul-k8s/acceptance/framework/k8s"
-	"github.com/hashicorp/consul-k8s/acceptance/framework/logger"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/sdk/testutil/retry"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/types"
 	gwv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+
+	"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
+	"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
+	"github.com/hashicorp/consul-k8s/acceptance/framework/k8s"
+	"github.com/hashicorp/consul-k8s/acceptance/framework/logger"
 )
 
 // TestAPIGateway_ExternalServers tests that connect works when using external servers.

@@ -27,69 +27,14 @@ import (
 // Test that api gateway basic functionality works in a default installation and a secure installation.
 func TestOpenshift_Basic(t *testing.T) {
 	cfg := suite.Config()
-
-	cmd := exec.Command("helm", "repo", "add", "hashicorp", "https://helm.releases.hashicorp.com")
-	output, err := cmd.CombinedOutput()
-	require.NoErrorf(t, err, "failed to add hashicorp helm repo: %s", string(output))
-
-	// FUTURE for some reason NewHelmCluster creates a consul server pod that runs as root which
-	//   isn't allowed in OpenShift. In order to test OpenShift properly, we have to call helm and k8s
-	//   directly to bypass. Ideally we would just fix the framework that is running the pod as root.
-	cmd = exec.Command("kubectl", "create", "namespace", "consul")
-	output, err = cmd.CombinedOutput()
-	helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
-		cmd = exec.Command("kubectl", "delete", "namespace", "consul")
-		output, err = cmd.CombinedOutput()
-		assert.NoErrorf(t, err, "failed to delete namespace: %s", string(output))
-	})
-
-	require.NoErrorf(t, err, "failed to add hashicorp helm repo: %s", string(output))
-
-	cmd = exec.Command("kubectl", "create", "secret", "generic",
-		"consul-ent-license",
-		"--namespace", "consul",
-		`--from-literal=key=`+cfg.EnterpriseLicense)
-	output, err = cmd.CombinedOutput()
-	require.NoErrorf(t, err, "failed to add consul enterprise license: %s", string(output))
-
-	helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
-		cmd = exec.Command("kubectl", "delete", "secret", "consul-ent-license")
-		output, err = cmd.CombinedOutput()
-		assert.NoErrorf(t, err, "failed to delete secret: %s", string(output))
-	})
-
-	chartPath := "../../../charts/consul"
-	cmd = exec.Command("helm", "upgrade", "--install", "consul", chartPath,
-		"--namespace", "consul",
-		"--set", "global.name=consul",
-		"--set", "connectInject.enabled=true",
-		"--set", "connectInject.transparentProxy.defaultEnabled=false",
-		"--set", "connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts=8000",
-		"--set", "global.acls.manageSystemACLs=true",
-		"--set", "global.tls.enabled=true",
-		"--set", "global.tls.enableAutoEncrypt=true",
-		"--set", "global.openshift.enabled=true",
-		"--set", "global.image="+cfg.ConsulImage,
-		"--set", "global.imageK8S="+cfg.ConsulK8SImage,
-		"--set", "global.imageConsulDataplane="+cfg.ConsulDataplaneImage,
-		"--set", "global.enterpriseLicense.secretName=consul-ent-license",
-		"--set", "global.enterpriseLicense.secretKey=key",
-	)
-	output, err = cmd.CombinedOutput()
-	helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
-		cmd := exec.Command("helm", "uninstall", "consul", "--namespace", "consul")
-		output, err := cmd.CombinedOutput()
-		require.NoErrorf(t, err, "failed to uninstall consul: %s", string(output))
-	})
-
-	require.NoErrorf(t, err, "failed to install consul: %s", string(output))
+	newOpenshiftCluster(t, cfg, true, false)
 
 	// this is normally called by the environment, but because we have to bypass we have to call it explicitly
 	logf.SetLogger(logr.New(nil))
 	logger.Log(t, "creating resources for OpenShift test")
 
-	cmd = exec.Command("kubectl", "apply", "-f", "../fixtures/cases/openshift/basic")
-	output, err = cmd.CombinedOutput()
+	cmd := exec.Command("kubectl", "apply", "-f", "../fixtures/cases/openshift/basic")
+	output, err := cmd.CombinedOutput()
 	helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
 		cmd := exec.Command("kubectl", "delete", "-f", "../fixtures/cases/openshift/basic")
 		output, err := cmd.CombinedOutput()

@@ -0,0 +1,72 @@
+package openshift
+
+import (
+	"github.com/hashicorp/consul-k8s/acceptance/framework/config"
+	"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"os/exec"
+	"strconv"
+	"testing"
+)
+
+func newOpenshiftCluster(t *testing.T, cfg *config.TestConfig, secure, namespaceMirroring bool) {
+	cmd := exec.Command("helm", "repo", "add", "hashicorp", "https://helm.releases.hashicorp.com")
+	output, err := cmd.CombinedOutput()
+	require.NoErrorf(t, err, "failed to add hashicorp helm repo: %s", string(output))
+
+	// FUTURE for some reason NewHelmCluster creates a consul server pod that runs as root which
+	//   isn't allowed in OpenShift. In order to test OpenShift properly, we have to call helm and k8s
+	//   directly to bypass. Ideally we would just fix the framework that is running the pod as root.
+	cmd = exec.Command("kubectl", "create", "namespace", "consul")
+	output, err = cmd.CombinedOutput()
+	helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+		cmd = exec.Command("kubectl", "delete", "namespace", "consul")
+		output, err = cmd.CombinedOutput()
+		assert.NoErrorf(t, err, "failed to delete namespace: %s", string(output))
+	})
+
+	require.NoErrorf(t, err, "failed to add hashicorp helm repo: %s", string(output))
+
+	cmd = exec.Command("kubectl", "create", "secret", "generic",
+		"consul-ent-license",
+		"--namespace", "consul",
+		`--from-literal=key=`+cfg.EnterpriseLicense)
+	output, err = cmd.CombinedOutput()
+	require.NoErrorf(t, err, "failed to add consul enterprise license: %s", string(output))
+
+	helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+		cmd = exec.Command("kubectl", "delete", "secret", "consul-ent-license", "--namespace", "consul")
+		output, err = cmd.CombinedOutput()
+		assert.NoErrorf(t, err, "failed to delete secret: %s", string(output))
+	})
+
+	chartPath := "../../../charts/consul"
+	cmd = exec.Command("helm", "upgrade", "--install", "consul", chartPath,
+		"--namespace", "consul",
+		"--set", "global.name=consul",
+		"--set", "connectInject.enabled=true",
+		"--set", "connectInject.transparentProxy.defaultEnabled=false",
+		"--set", "connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts=8000",
+		"--set", "global.acls.manageSystemACLs="+strconv.FormatBool(secure),
+		"--set", "global.tls.enabled="+strconv.FormatBool(secure),
+		"--set", "global.tls.enableAutoEncrypt="+strconv.FormatBool(secure),
+		"--set", "global.enableConsulNamespaces="+strconv.FormatBool(namespaceMirroring),
+		"--set", "global.consulNamespaces.mirroringK8S="+strconv.FormatBool(namespaceMirroring),
+		"--set", "global.openshift.enabled=true",
+		"--set", "global.image="+cfg.ConsulImage,
+		"--set", "global.imageK8S="+cfg.ConsulK8SImage,
+		"--set", "global.imageConsulDataplane="+cfg.ConsulDataplaneImage,
+		"--set", "global.enterpriseLicense.secretName=consul-ent-license",
+		"--set", "global.enterpriseLicense.secretKey=key",
+	)
+
+	output, err = cmd.CombinedOutput()
+	helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+		cmd := exec.Command("helm", "uninstall", "consul", "--namespace", "consul")
+		output, err := cmd.CombinedOutput()
+		require.NoErrorf(t, err, "failed to uninstall consul: %s", string(output))
+	})
+
+	require.NoErrorf(t, err, "failed to install consul: %s", string(output))
+}