CNI Helm Charts

Add helm charts for CNI installer

charts/consul/templates/cni-clusterrole.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.connectInject.cni.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "consul.fullname" . }}-cni
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: cni 
+rules:
+- apiGroups: [""]
+  resources: 
+  - pods
+  verbs: 
+  - get
+  - list
+  - watch
+  - patch
+  - update
+{{- end }}

charts/consul/templates/cni-clusterrolebinding.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.connectInject.cni.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "consul.fullname" . }}-cni
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: cni
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "consul.fullname" . }}-cni
+subjects:
+- kind: ServiceAccount
+  name: {{ template "consul.fullname" . }}-cni
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/consul/templates/cni-daemonset.yaml

@@ -0,0 +1,85 @@
+{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}}
+{{- if .Values.connectInject.cni.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ template "consul.fullname" . }}-cni
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: cni 
+spec:
+  {{- if .Values.connectInject.cni.updateStrategy }}
+  updateStrategy:
+    {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "consul.name" . }}
+      chart: {{ template "consul.chart" . }}
+      release: {{ .Release.Name }}
+      component: cni
+  template:
+    metadata:
+      labels:
+        app: {{ template "consul.name" . }}
+        chart: {{ template "consul.chart" . }}
+        release: {{ .Release.Name }}
+        component: cni
+      annotations:
+        consul.hashicorp.com/connect-inject: "false"
+    spec:
+      # consul-cni only runs on linux operating systems
+      nodeSelector:
+        kubernetes.io/os: linux
+      tolerations:
+        # Mark the pod as a critical add-on for rescheduling.
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "consul.fullname" . }}-cni
+      {{- if not .Values.global.openshift.enabled }}
+      securityContext:
+        {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}}
+      {{- end }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 10
+      containers:
+        # This container installs the consul CNI binaries and CNI network config file on each node
+        - name: install-cni
+          image: {{ .Values.global.imageK8S }}
+          securityContext:
+            privileged: true
+          command:
+            - consul-k8s-control-plane
+            - install-cni
+            - -multus={{ .Values.connectInject.cni.multus }}
+            - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}
+            - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }}
+            - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }}
+            - -dns-prefix={{ template "consul.fullname" . }}
+          {{- with .Values.connectInject.cni.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - mountPath: {{ .Values.connectInject.cni.cniBinDir }}
+              name: cni-bin-dir
+            - mountPath: {{ .Values.connectInject.cni.cniNetDir }}
+              name: cni-net-dir
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ .Values.connectInject.cni.cniBinDir }} 
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.connectInject.cni.cniNetDir }} 
+{{- end }}

charts/consul/templates/cni-podsecuritypolicy.yaml

@@ -0,0 +1,31 @@
+{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "consul.fullname" . }}-cni
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: cni 
+spec:
+  privileged: true
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  volumes:
+  - hostPath
+  - secret
+  - emptyDir
+  hostNetwork: false
+  readOnlyRootFilesystem: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+{{- end }}

charts/consul/templates/cni-resourcequota.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.connectInject.cni.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "consul.fullname" . }}-cni
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: cni 
+spec:
+  hard:
+    pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}

charts/consul/templates/cni-serviceaccount.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.connectInject.cni.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "consul.fullname" . }}-cni
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: cni 
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range . }}
+- name: {{ .name }}
+{{- end }}
+{{- end }}
+{{- end}}

charts/consul/templates/connect-inject-clusterrole.yaml

@@ -19,11 +19,19 @@ rules:
   - get
 {{- end }}
 - apiGroups: [ "" ]
-  resources: [ "pods", "endpoints", "services", "namespaces", "nodes" ]
+  resources: [ "endpoints", "services", "namespaces" ]
   verbs:
   - "get"
   - "list"
   - "watch"
+- apiGroups: [ "" ]
+  resources:
+  - pods
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+  - "update"
 - apiGroups:
   - coordination.k8s.io
   resources:

charts/consul/templates/connect-inject-deployment.yaml

@@ -139,6 +139,7 @@ spec:
                 {{- else }}
                 -default-enable-transparent-proxy=false \
                 {{- end }}
+                -enable-cni={{ .Values.connectInject.cni.enabled }} \
                 {{- if .Values.global.peering.enabled }}
                 -enable-peering=true \
                 {{- if (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") }}

charts/consul/test/unit/cni-clusterrole.bats

@@ -0,0 +1,31 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "cni/ClusterRole: disabled by default" {
+  cd `chart_dir`
+  assert_empty helm template \
+      -s templates/cni-clusterrole.yaml  \
+      .
+}
+
+@test "cni/ClusterRole: enabled with connectInject.cni.enabled=true and connectInject.enabled=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/cni-clusterrole.yaml  \
+      --set 'connectInject.cni.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [[ "${actual}" == "true" ]]
+}
+
+@test "cni/ClusterRole: disabled with connectInject.cni.enabled=false and connectInject.enabled=true" {
+  cd `chart_dir`
+  assert_empty helm template \
+      --set 'connectInject.cni.enabled=false' \
+      --set 'connectInject.enabled=true' \
+      -s templates/cni-clusterrole.yaml  \
+      .
+}
+

charts/consul/test/unit/cni-clusterrolebinding.bats

@@ -0,0 +1,57 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "cni/ClusterRoleBinding: disabled by default" {
+  cd `chart_dir`
+  assert_empty helm template \
+      -s templates/cni-clusterrolebinding.yaml  \
+      .
+}
+
+@test "cni/ClusterRoleBinding: enabled with connectInject.cni.enabled=true and connectInject.enabled=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/cni-clusterrolebinding.yaml  \
+      --set 'connectInject.cni.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [[ "${actual}" == "true" ]]
+}
+
+@test "cni/ClusterRoleBinding: disabled with connectInject.cni.enabled=false and connectInject.enabled=true" {
+  cd `chart_dir`
+  assert_empty helm template \
+      --set 'connectInject.cni.enabled=false' \
+      --set 'connectInject.enabled=true' \
+      -s templates/cni-clusterrolebinding.yaml  \
+      .
+}
+
+#--------------------------------------------------------------------
+# subjects
+
+@test "cni/ClusterRoleBinding: subject name is correct" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/cni-clusterrolebinding.yaml  \
+      --set 'connectInject.cni.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.subjects[0].name' | tee /dev/stderr)
+  [ "${actual}" = "release-name-consul-cni" ]
+}
+
+@test "cni/ClusterRoleBinding: subject namespace is correct" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/cni-clusterrolebinding.yaml  \
+      --set 'connectInject.cni.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      --namespace foo \
+      . | tee /dev/stderr |
+      yq -r '.subjects[0].namespace' | tee /dev/stderr)
+  [ "${actual}" = "foo" ]
+}
+