Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of [NET-9500] Cleanup orphaned inline-certs and acl role/policy into release/1.2.x #4120

Closed
wants to merge 2 commits into from
Closed

Backport of [NET-9500] Cleanup orphaned inline-certs and acl role/policy into release/1.2.x #4120

wants to merge 2 commits into from

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #4067 to be assessed for backporting due to the inclusion of the label backport/1.2.x.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@jm96441n
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul-k8s/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.

Changes proposed in this PR

  • Add a goroutine on start up that loops and tries to clean up inline certs that are no longer referenced by any gateway and the original shared acl role/policy that is now specific to each gateway. Once all those are cleaned up the goroutine will exit and stop polling

How I've tested this PR

Run/Write tests

Manual Testing:

  1. clone the following gist: https://gist.github.com/jm96441n/b92a80c2251c7a54d1feada320c5eac6
  2. run the start.sh script in the gist (this will install consul 1.18-ent so ensure you have an ent license setup)
  3. port forward port 8501 to the consul server instance
  4. once the cluster is up run the following in another terminal:
export CONSUL_HTTP_ADDR="127.0.0.1:8501"
export CONSUL_HTTP_TOKEN=$(kubectl get --namespace consul secrets/consul-consul-bootstrap-acl-token --template={{.data.token}} | base64 -d)
export CONSUL_HTTP_SSL=true
export CONSUL_HTTP_SSL_VERIFY=false
  1. run consul acl role list and you will see the shared "managed-gateway-acl-role"
  2. run consul acl policy list and you will see the shared "api-gateway-token-policy"
  3. run consul acl binding-rule list and you will see the shared binding-rules referencing both managed-gateway-acl-role
  4. run consul config list -kind inline-certificate and you will see an inline certificate listed
  5. in the consul_values.yaml uncomment lines 3 and 4 and comment lines 4 and 5 (also make sure you build consul-k8s from this branch and have an up to date build of main of consul)
  6. in the same terminal run export CONSUL_K8S_CHARTS_LOCATION="$HOME/hashi/consul-k8s/charts/consul" and replace the value being set with the location of the helm charts in your local copy of consul-k8s
  7. run the following helm upgrade --install consul $CONSUL_K8S_CHARTS_LOCATION -f ./consul_values.yaml -n consul --create-namespace --wait to install the new version of consul-k8s that you built
  8. force a re-reconciliation of your gateways (this should happen by default due to the change in dataplane version, if it does not you can delete and recreate the gateways)
  9. run consul acl role list and you will not see the shared "managed-gateway-acl-role"
  10. run consul acl policy list and you will not see the shared "api-gateway-token-policy"
  11. . run consul acl binding-rule list and you will not see the shared binding-rules referencing managed-gateway-acl-role
  12. run consul config list -kind inline-certificate and you will see no inline certificates listed

How I expect reviewers to test this PR

read the code
run the tests
do the above steps

Checklist

Overview of commits

@hashicorp-cla-app HashiCorp CLA App
Copy link

hashicorp-cla-app bot commented Jun 12, 2024
edited
Loading

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

1 out of 2 committers have signed the CLA.

  • jm96441n
  • temp

temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

@jm96441n @nathancoleman
[NET-9500] Cleanup orphaned inline-certs and acl role/policy (#4067)
c5a0d4b 
* add cleanup goroutine to handle cleaning up old acl roles and inline
certs

* added first unit test

* added more tests

* fixing binding rule deleting

* linting

* added tests and cleaned up

* Update control-plane/api-gateway/binding/cleanup.go

Co-authored-by: Nathan Coleman <[email protected]>

* Update control-plane/api-gateway/binding/cleanup.go

Co-authored-by: Nathan Coleman <[email protected]>

* Update control-plane/api-gateway/binding/cleanup.go

Co-authored-by: Nathan Coleman <[email protected]>

* Update control-plane/api-gateway/binding/cleanup_test.go

Co-authored-by: Nathan Coleman <[email protected]>

* Increase sleep time

---------

Co-authored-by: Nathan Coleman <[email protected]>
@jm96441n
Copy link
Member

already backported, closing #4133

@jm96441n jm96441n closed this Jun 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jm96441n jm96441n Awaiting requested review from jm96441n

Assignees

@jm96441n jm96441n

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@hc-github-team-consul-core @jm96441n