github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'zalimeni/skip-failure-notification-slack-on-cancel--test-skip-latest'
${ noResults }
consul/testing/deployer/sprawl/acl_rules.go

208 lines
4.0 KiB
Raw Permalink Normal View History Unescape

[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
1 year ago
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
package sprawl
import (
"fmt"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/testing/deployer/topology"
)
func policyForCrossNamespaceRead(partition string) *api.ACLPolicy {
return &api.ACLPolicy{
Name: "cross-ns-catalog-read",
Description: "cross-ns-catalog-read",
Partition: partition,
Rules: fmt.Sprintf(`
partition %[1]q {
namespace_prefix "" {
node_prefix "" { policy = "read" }
service_prefix "" { policy = "read" }
}
}
`, partition),
}
}
const anonymousTokenAccessorID = "00000000-0000-0000-0000-000000000002"
func anonymousToken() *api.ACLToken {
return &api.ACLToken{
AccessorID: anonymousTokenAccessorID,
// SecretID: "anonymous",
Description: "anonymous",
Local: false,
Policies: []*api.ACLTokenPolicyLink{
{
Name: "anonymous",
},
},
}
}
func anonymousPolicy(enterprise bool) *api.ACLPolicy {
p := &api.ACLPolicy{
Name: "anonymous",
Description: "anonymous",
}
if enterprise {
p.Rules = `
partition_prefix "" {
namespace_prefix "" {
node_prefix "" { policy = "read" }
service_prefix "" { policy = "read" }
}
}
`
} else {
p.Rules = `
node_prefix "" { policy = "read" }
service_prefix "" { policy = "read" }
`
}
return p
}
func tokenForNode(node *topology.Node, enterprise bool) *api.ACLToken {
nid := node.ID()
tokenName := "agent--" + nid.ACLString()
token := &api.ACLToken{
Description: tokenName,
Local: false,
NodeIdentities: []*api.ACLNodeIdentity{{
NodeName: node.PodName(),
Datacenter: node.Datacenter,
}},
}
if enterprise {
token.Partition = node.Partition
token.Namespace = "default"
}
return token
}
testing/deployer: rename various terms to better align with v2 and avoid confusion (#19600) Conceptually renaming the following topology terms to avoid confusion with v2 and to better align with it: - ServiceID -> ID - Service -> Workload - Upstream -> Destination
1 year ago
// Deprecated: tokenForWorkload
func tokenForService(wrk *topology.Workload, overridePolicy *api.ACLPolicy, enterprise bool) *api.ACLToken {
return tokenForWorkload(wrk, overridePolicy, enterprise)
}
func tokenForWorkload(wrk *topology.Workload, overridePolicy *api.ACLPolicy, enterprise bool) *api.ACLToken {
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
token := &api.ACLToken{
testing/deployer: rename various terms to better align with v2 and avoid confusion (#19600) Conceptually renaming the following topology terms to avoid confusion with v2 and to better align with it: - ServiceID -> ID - Service -> Workload - Upstream -> Destination
1 year ago
Description: "service--" + wrk.ID.ACLString(),
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
Local: false,
}
if overridePolicy != nil {
token.Policies = []*api.ACLTokenPolicyLink{{ID: overridePolicy.ID}}
testing/deployer: rename various terms to better align with v2 and avoid confusion (#19600) Conceptually renaming the following topology terms to avoid confusion with v2 and to better align with it: - ServiceID -> ID - Service -> Workload - Upstream -> Destination
1 year ago
} else if wrk.IsV2() {
testing/deployer: update deployer to use v2 catalog constructs when requested (#19046) This updates the testing/deployer (aka "topology test") framework to conditionally configure and launch catalog constructs using v2 resources. This is controlled via a Version field on the Node construct in a topology.Config. This only functions for a dataplane type and has other restrictions that match the rest of v2 (no peering, no wanfed, no mesh gateways). Like config entries, you can statically provide a set of initial resources to be synced when bringing up the cluster (beyond those that are generated for you such as workloads, services, etc). If you want to author a test that can be freely converted between v1 and v2 then that is possible. If you switch to the multi-port definition on a topology.Service (aka "workload/instance") then that makes v1 ineligible. This also adds a starter set of "on every PR" integration tests for single and multiport under test-integ/catalogv2
1 year ago
token.TemplatedPolicies = []*api.ACLTemplatedPolicy{{
TemplateName: api.ACLTemplatedPolicyWorkloadIdentityName,
TemplateVariables: &api.ACLTemplatedPolicyVariables{
test: fix some multiport deployer bugs and remove a container test already handled by deployer tests (#19614)
1 year ago
Name: wrk.WorkloadIdentity,
testing/deployer: update deployer to use v2 catalog constructs when requested (#19046) This updates the testing/deployer (aka "topology test") framework to conditionally configure and launch catalog constructs using v2 resources. This is controlled via a Version field on the Node construct in a topology.Config. This only functions for a dataplane type and has other restrictions that match the rest of v2 (no peering, no wanfed, no mesh gateways). Like config entries, you can statically provide a set of initial resources to be synced when bringing up the cluster (beyond those that are generated for you such as workloads, services, etc). If you want to author a test that can be freely converted between v1 and v2 then that is possible. If you switch to the multi-port definition on a topology.Service (aka "workload/instance") then that makes v1 ineligible. This also adds a starter set of "on every PR" integration tests for single and multiport under test-integ/catalogv2
1 year ago
},
}}
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
} else {
token.ServiceIdentities = []*api.ACLServiceIdentity{{
testing/deployer: rename various terms to better align with v2 and avoid confusion (#19600) Conceptually renaming the following topology terms to avoid confusion with v2 and to better align with it: - ServiceID -> ID - Service -> Workload - Upstream -> Destination
1 year ago
ServiceName: wrk.ID.Name,
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
}}
}
if enterprise {
testing/deployer: rename various terms to better align with v2 and avoid confusion (#19600) Conceptually renaming the following topology terms to avoid confusion with v2 and to better align with it: - ServiceID -> ID - Service -> Workload - Upstream -> Destination
1 year ago
token.Namespace = wrk.ID.Namespace
token.Partition = wrk.ID.Partition
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
}
return token
}
ENT port: test-integ/peering: peer through mesh gateway [NET-4609] (#18605) Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
1 year ago
const (
meshGatewayCommunityRules = `
service "mesh-gateway" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
agent_prefix "" {
policy = "read"
}
# for peering
mesh = "write"
peering = "read"
`
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
ENT port: test-integ/peering: peer through mesh gateway [NET-4609] (#18605) Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
1 year ago
meshGatewayEntDefaultRules = `
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
namespace_prefix "" {
service "mesh-gateway" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
}
agent_prefix "" {
policy = "read"
}
# for peering
mesh = "write"
ENT port: test-integ/peering: peer through mesh gateway [NET-4609] (#18605) Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
1 year ago
partition_prefix "" {
peering = "read"
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
}
ENT port: test-integ/peering: peer through mesh gateway [NET-4609] (#18605) Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
1 year ago
`
meshGatewayEntNonDefaultRules = `
namespace_prefix "" {
service "mesh-gateway" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
}
agent_prefix "" {
policy = "read"
}
# for peering
mesh = "write"
`
ENT port: test-integ/peering: peer through mesh gateway [NET-4609] (#18605) Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
1 year ago
)
testing/deployer: rename various terms to better align with v2 and avoid confusion (#19600) Conceptually renaming the following topology terms to avoid confusion with v2 and to better align with it: - ServiceID -> ID - Service -> Workload - Upstream -> Destination
1 year ago
func policyForMeshGateway(wrk *topology.Workload, enterprise bool) *api.ACLPolicy {
policyName := "mesh-gateway--" + wrk.ID.ACLString()
ENT port: test-integ/peering: peer through mesh gateway [NET-4609] (#18605) Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
1 year ago
policy := &api.ACLPolicy{
Name: policyName,
Description: policyName,
}
if enterprise {
testing/deployer: rename various terms to better align with v2 and avoid confusion (#19600) Conceptually renaming the following topology terms to avoid confusion with v2 and to better align with it: - ServiceID -> ID - Service -> Workload - Upstream -> Destination
1 year ago
policy.Partition = wrk.ID.Partition
ENT port: test-integ/peering: peer through mesh gateway [NET-4609] (#18605) Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
1 year ago
policy.Namespace = "default"
}
if enterprise {
testing/deployer: rename various terms to better align with v2 and avoid confusion (#19600) Conceptually renaming the following topology terms to avoid confusion with v2 and to better align with it: - ServiceID -> ID - Service -> Workload - Upstream -> Destination
1 year ago
if wrk.ID.Partition == "default" {
ENT port: test-integ/peering: peer through mesh gateway [NET-4609] (#18605) Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
1 year ago
policy.Rules = meshGatewayEntDefaultRules
} else {
policy.Rules = meshGatewayEntNonDefaultRules
}
} else {
policy.Rules = meshGatewayCommunityRules
Add `testing/deployer` (neé `consul-topology`) [NET-4610] (#17823) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
1 year ago
}
return policy
}