DNS proxy helm chart #4164

Merged
merged 11 commits into from
Jul 15, 2024
34 changes: 34 additions & 0 deletions charts/consul/templates/dns-proxy-clusterrole.yaml
@@ -0,0 +1,34 @@
{{- if (or (and (ne (.Values.dns.proxy.enabled | toString) "-") .Values.dns.proxy.enabled) (and (eq (.Values.dns.proxy.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-dns-proxy
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: dns-proxy
{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }}
rules:
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ template "consul.fullname" . }}-dns-proxy-acl-token
verbs:
- get
{{- end }}
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames:
- {{ template "consul.fullname" . }}-dns-proxy
verbs:
- use
{{- end }}
{{- else }}
rules: []
{{- end }}
{{- end }}
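Review bot: The `secrets` rule emitted under `global.acls.manageSystemACLs` lives in a ClusterRole and is bound cluster-wide by the ClusterRoleBinding in dns-proxy-clusterrolebinding.yaml, so `get` on the name `{{ template "consul.fullname" . }}-dns-proxy-acl-token` is granted in every namespace rather than only in `.Release.Namespace`. The `podsecuritypolicies` `use` rule is cluster-scoped and does need a ClusterRole, but the secret read would be equally served by a namespaced Role and RoleBinding in the release namespace, which is the least-privilege shape for a Secret. If cluster scope is deliberate, a comment above the `rules:` line should say so, e.g. `# ClusterRole: the secret get below matches this name in any namespace, not just the release namespace`. Note also that the `else` branch still creates an empty ClusterRole (`rules: []`) and its binding whenever neither ACLs nor PSPs are enabled.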
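--- a/charts/consul/templates/dns-proxy-clusterrolebinding.yaml
+++ b/charts/consul/templates/dns-proxy-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if (or (and (ne (.Values.dns.proxy.enabled | toString) "-") .Values.dns.proxy.enabled) (and (eq (.Values.dns.proxy.enabled | toString) "-") .Values.global.enabled)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: {{ template "consul.fullname" . }}-dns-proxy
+labels:
+app: {{ template "consul.name" . }}
+chart: {{ template "consul.chart" . }}
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+component: dns-proxy
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: {{ template "consul.fullname" . }}-dns-proxy
+subjects:
+- kind: ServiceAccount
+name: {{ template "consul.fullname" . }}-dns-proxy
+namespace: {{ .Release.Namespace }}
+{{- end }}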
198 changes: 198 additions & 0 deletions charts/consul/templates/dns-proxy-deployment.yaml
@@ -0,0 +1,198 @@
{{- if (or (and (ne (.Values.dns.proxy.enabled | toString) "-") .Values.dns.proxy.enabled) (and (eq (.Values.dns.proxy.enabled | toString) "-") .Values.global.enabled)) }}
{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
{{ template "consul.validateRequiredCloudSecretsExist" . }}
{{ template "consul.validateCloudSecretKeys" . }}

apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "consul.fullname" . }}-dns-proxy
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: dns-proxy
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.dns.proxy.replicas }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: dns-proxy
template:
metadata:
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: dns-proxy
{{- if .Values.global.extraLabels }}
{{- toYaml .Values.global.extraLabels | nindent 8 }}
{{- end }}
annotations:
"consul.hashicorp.com/connect-inject": "false"
"consul.hashicorp.com/mesh-inject": "false"
{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
"vault.hashicorp.com/agent-init-first": "true"
"vault.hashicorp.com/agent-inject": "true"
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
"vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
{{- end }}
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
{{- end }}
{{- end }}
{{- if .Values.dns.annotations }}
{{- tpl .Values.dns.annotations . | nindent 8 }}
{{- end }}
spec:
terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "consul.fullname" . }}-dns-proxy
volumes:
- name: consul-service
emptyDir:
medium: "Memory"
{{- if .Values.global.tls.enabled }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
secretName: {{ .Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- end }}
containers:
- name: dns-proxy
image: {{ .Values.global.imageConsulDataplane | quote }}
volumeMounts:
- mountPath: /consul/service
name: consul-service
readOnly: true
{{- if .Values.global.tls.enabled }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: DP_CREDENTIAL_LOGIN_META1
value: pod=$(NAMESPACE)/$(POD_NAME)
- name: DP_CREDENTIAL_LOGIN_META2
value: component=dns-proxy
- name: DP_SERVICE_NODE_NAME
value: $(NODE_NAME)-virtual
command:
- consul-dataplane
args:
- -consul-dns-bind-addr=0.0.0.0
- -consul-dns-bind-port={{ .Values.dns.proxy.port }}
{{- if .Values.externalServers.enabled }}
- -addresses={{ .Values.externalServers.hosts | first }}
{{- else }}
- -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc
{{- end }}
{{- if .Values.externalServers.enabled }}
- -grpc-port={{ .Values.externalServers.grpcPort }}
{{- else }}
- -grpc-port=8502
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }}
{{- if .Values.global.secretsBackend.vault.enabled }}
- -ca-certs=/vault/secrets/serverca.crt
{{- else }}
- -ca-certs=/consul/tls/ca/tls.crt
{{- end }}
{{- end }}
{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }}
- -tls-server-name={{.Values.externalServers.tlsServerName }}
{{- else if .Values.global.cloud.enabled }}
- -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}}
{{- end }}
{{- else }}
- -tls-disabled
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- -credential-type=login
- -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }}
- -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }}
- -login-datacenter={{ .Values.global.federation.primaryDatacenter }}
{{- else }}
- -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
- -login-partition={{ .Values.global.adminPartitions.name }}
{{- end }}
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
- -service-partition={{ .Values.global.adminPartitions.name }}
{{- end }}
- -log-level={{ default .Values.global.logLevel .Values.dns.proxy.logLevel }}
- -log-json={{ .Values.global.logJSON }}

{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }}
- -server-watch-disabled=true
{{- end }}
- -mode=dns-proxy
livenessProbe:
tcpSocket:
port: {{ .Values.dns.proxy.port }}
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
tcpSocket:
port: {{ .Values.dns.proxy.port }}
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
ports:
- containerPort: {{ .Values.dns.proxy.port }}
hostPort: {{ .Values.dns.proxy.port }}
protocol: "TCP"
name: dns-tcp
- containerPort: {{ .Values.dns.proxy.port }}
hostPort: {{ .Values.dns.proxy.port }}
protocol: "UDP"
name: dns-udp
{{- end }}
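Review bot: Both entries under `ports:` set `hostPort: {{ .Values.dns.proxy.port }}` next to `containerPort`, which binds the DNS port in the node's network namespace for every replica: a second replica cannot be scheduled on the same node, the `baseline`/`restricted` Pod Security Standards reject host ports, and when `global.enablePodSecurityPolicies` is set the PSP referenced by the ClusterRole in this PR has to allow that port range. The Service in dns-proxy-service.yaml already fronts these pods, so unless node-local exposure is intended the two `hostPort` lines can be dropped; if it is intended, a comment above `ports:` should state it, e.g. `# hostPort publishes the DNS port on each node; PSP/PSA policy must permit it`. The container also carries no `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities); whether the `consul-dataplane` image supports that is not visible from this diff, so confirm before adding. A smaller point: the vault annotation values for `role`, `agent-inject-secret-serverca.crt` and `agent-inject-template-serverca.crt` are emitted unquoted while the later `agent-extra-secret`, `ca-cert` and `namespace` values are quoted; quoting all of them protects against empty or special-character expansions.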
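--- a/charts/consul/templates/dns-proxy-service.yaml
+++ b/charts/consul/templates/dns-proxy-service.yaml
@@ -0,0 +1,39 @@
+{{- if (or (and (ne (.Values.dns.proxy.enabled | toString) "-") .Values.dns.proxy.enabled) (and (eq (.Values.dns.proxy.enabled | toString) "-") .Values.global.enabled)) }}
+
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ template "consul.fullname" . }}-dns-proxy
+namespace: {{ .Release.Namespace }}
+labels:
+app: {{ template "consul.name" . }}
+chart: {{ template "consul.chart" . }}
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+component: dns-proxy
+{{- if .Values.dns.annotations }}
+annotations:
+{{ tpl .Values.dns.annotations . | nindent 4 | trim }}
+{{- end }}
+spec:
+selector:
+app: {{ template "consul.name" . }}
+release: "{{ .Release.Name }}"
+component: dns-proxy
+{{- if .Values.dns.type }}
+type: {{ .Values.dns.type }}
+{{- end }}
+{{- if .Values.dns.clusterIP }}
+clusterIP: {{ .Values.dns.clusterIP }}
+{{- end }}
+ports:
+- name: dns-tcp
+port: {{ .Values.dns.proxy.port }}
+protocol: "TCP"
+targetPort: dns-tcp
+- name: dns-udp
+port: {{ .Values.dns.proxy.port }}
+protocol: "UDP"
+targetPort: dns-udp
+---
+{{- end }}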
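Review bot: The `---` on the line before the closing `{{- end }}` emits a document separator after the Service, leaving a trailing empty YAML document in the rendered output; none of the other templates added in this PR do this, and some consumers (kustomize, strict linters) warn on it, so the line should be removed. Separately, the selector writes `release: "{{ .Release.Name }}"` while the labels above and the other new templates use the unquoted `release: {{ .Release.Name }}`; pick one form for the file. Reusing `.Values.dns.type` and `.Values.dns.clusterIP` from the existing dns-service.yaml looks intentional since that Service is now suppressed when the proxy is enabled, but a one-line comment above `spec:` noting the shared keys would help readers.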
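--- a/charts/consul/templates/dns-proxy-serviceaccount.yaml
+++ b/charts/consul/templates/dns-proxy-serviceaccount.yaml
@@ -0,0 +1,19 @@
+{{- if (or (and (ne (.Values.dns.proxy.enabled | toString) "-") .Values.dns.proxy.enabled) (and (eq (.Values.dns.proxy.enabled | toString) "-") .Values.global.enabled)) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ template "consul.fullname" . }}-dns-proxy
+namespace: {{ .Release.Namespace }}
+labels:
+app: {{ template "consul.name" . }}
+chart: {{ template "consul.chart" . }}
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+component: dns-proxy
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range . }}
+- name: {{ .name }}
+{{- end }}
+{{- end }}
+{{- end }}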
2 changes: 2 additions & 0 deletions charts/consul/templates/dns-service.yaml
@@ -1,4 +1,5 @@
{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }}
{{- if not .Values.dns.proxy.enabled }}
# Service for Consul DNS.
apiVersion: v1
kind: Service
Expand Down Expand Up @@ -39,3 +40,4 @@ spec:
{{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }}
{{- end }}
{{- end }}
{{- end }}
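Review bot: The new gate `{{- if not .Values.dns.proxy.enabled }}` tests the raw value, whereas every other template in this PR treats `dns.proxy.enabled` as tri-state, with the `-` sentinel falling back to `global.enabled`. If the chart's default for `dns.proxy.enabled` is that `-` string (the values file is not in this diff), `not "-"` is false and the Consul DNS Service stops rendering even when the proxy is not actually enabled. Negating the same expression the proxy templates use keeps the two in step: `{{- if not (or (and (ne (.Values.dns.proxy.enabled | toString) "-") .Values.dns.proxy.enabled) (and (eq (.Values.dns.proxy.enabled | toString) "-") .Values.global.enabled)) }}`. The outer `if` on the first line of the file and the new matching `{{- end }}` sit in separate hunks of this section.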