diff --git a/.changelog/3315.txt b/.changelog/3315.txt
new file mode 100644
index 0000000000..b0c1729b1f
--- /dev/null
+++ b/.changelog/3315.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: add validation that global.cloud.enabled is not set with externalServers.hosts set to HCP-managed clusters
+```
\ No newline at end of file
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
index 53f894035a..2fafae7df1 100644
--- a/charts/consul/templates/connect-inject-deployment.yaml
+++ b/charts/consul/templates/connect-inject-deployment.yaml
@@ -6,6 +6,9 @@
 {{ template "consul.validateVaultWebhookCertConfiguration" . }}
 {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
+{{- if and .Values.externalServers.enabled .Values.global.cloud.enabled }}
+ {{- if and (gt (len .Values.externalServers.hosts) 0) (regexMatch ".+.hashicorp.cloud$" ( first .Values.externalServers.hosts )) }}{{fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters."}}{{- end }}
+{{- end }}
 {{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}}
 {{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}}
 {{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}}
diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats
index 748b75de5d..67be4474ea 100755
--- a/charts/consul/test/unit/connect-inject-deployment.bats
+++ b/charts/consul/test/unit/connect-inject-deployment.bats
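Review bot: The inner added line inspects only `first .Values.externalServers.hosts`, so a hosts list whose first entry is a self-managed address and whose second entry is an HCP-managed one passes the new validation unchanged, which defeats the guard the commit is adding. The pattern `".+.hashicorp.cloud$"` also leaves both dots unescaped and is case-sensitive, so `abchashicorp.cloud` trips it while `ABC.AWS.HASHICORP.CLOUD` (a valid DNS name, since names are case-insensitive) does not; escaping the dots and lowering the value closes both gaps. The `gt (len ...) 0` guard is redundant inside this block because the preceding context line already fails when externalServers.enabled is set without hosts. Replacing the inner line with `{{- range .Values.externalServers.hosts }}` / `{{- if regexMatch "\\.hashicorp\\.cloud$" (lower .) }}{{ fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters." }}{{ end }}` / `{{- end }}` checks every entry. The bats test added in this commit only sets `hosts[0]`, so it would not have caught the first-entry-only check.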
@@ -2639,6 +2639,30 @@ reservedNameTest() {
 [ "${actual}" = "true" ]
 }
 
+@test "connectInject/Deployment: validates that externalServers.hosts is not set with an HCP-managed cluster's address" {
+ cd `chart_dir`
+ run helm template \
+ -s templates/connect-inject-deployment.yaml \
+ --set 'global.enabled=false' \
+ --set 'connectInject.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.hosts[0]=abc.aws.hashicorp.cloud' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ . > /dev/stderr
+
+ [ "$status" -eq 1 ]
+
+ [[ "$output" =~ "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters." ]]
+}
+
 @test "connectInject/Deployment: can provide a TLS server name for the sidecar-injector when global.cloud.enabled is set" {
 cd `chart_dir`
 local env=$(helm template \
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index 49d986cd7d..16ae7f8bc4 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
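Review bot: The new test pins only the rejecting path, so a template change that rejected every externalServers.hosts value whenever global.cloud.enabled is set (for instance an over-broad regex) would still pass this suite. A companion test that keeps the same `global.cloud.*` settings, sets `--set 'externalServers.hosts[0]=consul.example.com'`, and asserts `[ "$status" -eq 0 ]` would pin the intended acceptance of self-managed addresses. It would also be worth a second negative case with the HCP address in `externalServers.hosts[1]` behind a self-managed `hosts[0]`, since the test as written mirrors the template's first-entry lookup rather than checking the whole list.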
@@ -655,8 +655,12 @@ global:
 # Enables installing an HCP Consul Central self-managed cluster.
 # Requires Consul v1.14+.
 cloud:
- # If true, the Helm chart will enable the installation of an HCP Consul Central
- # self-managed cluster.
+ # If true, the Helm chart will link a [self-managed cluster to HCP](https://developer.hashicorp.com/hcp/docs/consul/self-managed).
+ # This can either be used to [configure a new cluster](https://developer.hashicorp.com/hcp/docs/consul/self-managed/new)
+ # or [link an existing one](https://developer.hashicorp.com/hcp/docs/consul/self-managed/existing).
+ #
+ # Note: this setting should not be enabled for [HashiCorp-managed clusters](https://developer.hashicorp.com/hcp/docs/consul/hcp-managed).
+ # It is strictly for linking self-managed clusters.
 enabled: false
 # The resource id of the HCP Consul Central cluster to link to. Eg: