github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21441 Commits
1703 Branches
457 Tags
697 MiB
Tree: 4421ce1677
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4421ce1677'
${ noResults }
consul/api/config_entry_test.go

1447 lines
32 KiB
Raw Normal View History Unescape

Add copyright headers for acl, api and bench folders (#16706) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files * copyright headers for agent folder * fix merge conflicts * copyright headers for agent folder * Ignore test data files * fix proto files * ignore agent/uiserver folder for now * copyright headers for agent folder * Add copyright headers for acl, api and bench folders
2 years ago
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
Add HTTP endpoints for config entry management (#5718)
6 years ago
package api
import (
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
"encoding/json"
Add HTTP endpoints for config entry management (#5718)
6 years ago
"testing"
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
"time"
Add HTTP endpoints for config entry management (#5718)
6 years ago
"github.com/stretchr/testify/require"
add general runstep test helper instead of copying it all over the place (#13013)
3 years ago
"github.com/hashicorp/consul/sdk/testutil"
Add HTTP endpoints for config entry management (#5718)
6 years ago
)
func TestAPI_ConfigEntries(t *testing.T) {
t.Parallel()
c, s := makeClient(t)
defer s.Stop()
config_entries := c.ConfigEntries()
t.Run("Proxy Defaults", func(t *testing.T) {
global_proxy := &ProxyConfigEntry{
Kind: ProxyDefaults,
Name: ProxyConfigGlobal,
Config: map[string]interface{}{
"foo": "bar",
"bar": 1.0,
},
Permissive mTLS (#17035) This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode. Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application. * Update service-defaults and proxy-defaults config entries with a MutualTLSMode field * Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode. * Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
2 years ago
MutualTLSMode: MutualTLSModeStrict,
api: support GetMeta() and GetNamespace() on all config entry kinds (#8764) Fixes #8755 Since I was updating the interface, i also added the missing `GetNamespace()`. Depending upon how you look at it, this is a breaking change since it adds methods to the exported interface `api.ConfigEntry`. Given that you cannot define your own config entry kinds, and all of the machinery of the `api.Client` acts like a factory to construct the canned ones from the rest of the module, this feels like it's not a problematic change as it would only break someone who had reimplemented the `ConfigEntry` interface themselves for no apparent utility?
4 years ago
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
Add HTTP endpoints for config entry management (#5718)
6 years ago
}
// set it
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import
6 years ago
_, wm, err := config_entries.Set(global_proxy, nil)
Add HTTP endpoints for config entry management (#5718)
6 years ago
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
// get it
entry, qm, err := config_entries.Get(ProxyDefaults, ProxyConfigGlobal, nil)
require.NoError(t, err)
require.NotNil(t, qm)
require.NotEqual(t, 0, qm.RequestTime)
// verify it
readProxy, ok := entry.(*ProxyConfigEntry)
require.True(t, ok)
require.Equal(t, global_proxy.Kind, readProxy.Kind)
require.Equal(t, global_proxy.Name, readProxy.Name)
require.Equal(t, global_proxy.Config, readProxy.Config)
Permissive mTLS (#17035) This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode. Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application. * Update service-defaults and proxy-defaults config entries with a MutualTLSMode field * Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode. * Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
2 years ago
require.Equal(t, global_proxy.MutualTLSMode, readProxy.MutualTLSMode)
require.Equal(t, global_proxy.Meta, readProxy.GetMeta())
api: support GetMeta() and GetNamespace() on all config entry kinds (#8764) Fixes #8755 Since I was updating the interface, i also added the missing `GetNamespace()`. Depending upon how you look at it, this is a breaking change since it adds methods to the exported interface `api.ConfigEntry`. Given that you cannot define your own config entry kinds, and all of the machinery of the `api.Client` acts like a factory to construct the canned ones from the rest of the module, this feels like it's not a problematic change as it would only break someone who had reimplemented the `ConfigEntry` interface themselves for no apparent utility?
4 years ago
require.Equal(t, global_proxy.Meta, readProxy.GetMeta())
Add HTTP endpoints for config entry management (#5718)
6 years ago
global_proxy.Config["baz"] = true
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import
6 years ago
// CAS update fail
written, _, err := config_entries.CAS(global_proxy, 0, nil)
require.NoError(t, err)
require.False(t, written)
// CAS update success
written, wm, err = config_entries.CAS(global_proxy, readProxy.ModifyIndex, nil)
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
require.NoError(t, err)
require.True(t, written)
// Non CAS update
global_proxy.Config["baz"] = "baz"
_, wm, err = config_entries.Set(global_proxy, nil)
Add HTTP endpoints for config entry management (#5718)
6 years ago
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
// list it
entries, qm, err := config_entries.List(ProxyDefaults, nil)
require.NoError(t, err)
require.NotNil(t, qm)
require.NotEqual(t, 0, qm.RequestTime)
require.Len(t, entries, 1)
readProxy, ok = entries[0].(*ProxyConfigEntry)
require.True(t, ok)
require.Equal(t, global_proxy.Kind, readProxy.Kind)
require.Equal(t, global_proxy.Name, readProxy.Name)
require.Equal(t, global_proxy.Config, readProxy.Config)
// delete it
wm, err = config_entries.Delete(ProxyDefaults, ProxyConfigGlobal, nil)
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
ci: enable SA4006 staticcheck check And fix the 'value not used' issues. Many of these are not bugs, but a few are tests not checking errors, and one appears to be a missed error in non-test code.
5 years ago
_, _, err = config_entries.Get(ProxyDefaults, ProxyConfigGlobal, nil)
Add HTTP endpoints for config entry management (#5718)
6 years ago
require.Error(t, err)
})
t.Run("Service Defaults", func(t *testing.T) {
service := &ServiceConfigEntry{
Permissive mTLS (#17035) This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode. Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application. * Update service-defaults and proxy-defaults config entries with a MutualTLSMode field * Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode. * Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
2 years ago
Kind: ServiceDefaults,
Name: "foo",
NET-5912/service-defaults protocol validation (#21593) * fix: add validation for protocol field on service-defaults config entry * test: update test cases with correct protocol
3 months ago
Protocol: "http",
Permissive mTLS (#17035) This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode. Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application. * Update service-defaults and proxy-defaults config entries with a MutualTLSMode field * Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode. * Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
2 years ago
MutualTLSMode: MutualTLSModeStrict,
api: support GetMeta() and GetNamespace() on all config entry kinds (#8764) Fixes #8755 Since I was updating the interface, i also added the missing `GetNamespace()`. Depending upon how you look at it, this is a breaking change since it adds methods to the exported interface `api.ConfigEntry`. Given that you cannot define your own config entry kinds, and all of the machinery of the `api.Client` acts like a factory to construct the canned ones from the rest of the module, this feels like it's not a problematic change as it would only break someone who had reimplemented the `ConfigEntry` interface themselves for no apparent utility?
4 years ago
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
Add envoy connection balancing. (#14616) Add envoy connection balancing config.
2 years ago
MaxInboundConnections: 5,
BalanceInboundConnections: "exact_balance",
LocalConnectTimeoutMs: 5000,
LocalRequestTimeoutMs: 7000,
Add HTTP endpoints for config entry management (#5718)
6 years ago
}
update gateway-services table with endpoints (#13217) * update gateway-services table with endpoints * fix failing test * remove unneeded config in test * rename "endpoint" to "destination" * more endpoint renaming to destination in tests * update isDestination based on service-defaults config entry creation * use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist) * set unknown state to empty to avoid modifying alot of tests * fix logic to set the kind correctly on CRUD * fix failing tests * add missing tests and fix service delete * fix failing test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * fix a bug with kind and add relevant test * fix compile error * fix failing tests * add kind to clone * fix failing tests * fix failing tests in catalog endpoint * fix service dump test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * remove duplicate tests * rename consts and fix kind when no destination is defined in the service-defaults. * rename Kind to ServiceKind and change switch to use .(type) Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
3 years ago
dest := &DestinationConfig{
feat: convert destination address to slice
2 years ago
Addresses: []string{"my.example.com"},
Port: 80,
feat: add endpoint struct to ServiceConfigEntry
3 years ago
}
Add HTTP endpoints for config entry management (#5718)
6 years ago
service2 := &ServiceConfigEntry{
update gateway-services table with endpoints (#13217) * update gateway-services table with endpoints * fix failing test * remove unneeded config in test * rename "endpoint" to "destination" * more endpoint renaming to destination in tests * update isDestination based on service-defaults config entry creation * use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist) * set unknown state to empty to avoid modifying alot of tests * fix logic to set the kind correctly on CRUD * fix failing tests * add missing tests and fix service delete * fix failing test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * fix a bug with kind and add relevant test * fix compile error * fix failing tests * add kind to clone * fix failing tests * fix failing tests in catalog endpoint * fix service dump test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * remove duplicate tests * rename consts and fix kind when no destination is defined in the service-defaults. * rename Kind to ServiceKind and change switch to use .(type) Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
3 years ago
Kind: ServiceDefaults,
Name: "bar",
NET-5912/service-defaults protocol validation (#21593) * fix: add validation for protocol field on service-defaults config entry * test: update test cases with correct protocol
3 months ago
Protocol: "http",
update gateway-services table with endpoints (#13217) * update gateway-services table with endpoints * fix failing test * remove unneeded config in test * rename "endpoint" to "destination" * more endpoint renaming to destination in tests * update isDestination based on service-defaults config entry creation * use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist) * set unknown state to empty to avoid modifying alot of tests * fix logic to set the kind correctly on CRUD * fix failing tests * add missing tests and fix service delete * fix failing test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * fix a bug with kind and add relevant test * fix compile error * fix failing tests * add kind to clone * fix failing tests * fix failing tests in catalog endpoint * fix service dump test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * remove duplicate tests * rename consts and fix kind when no destination is defined in the service-defaults. * rename Kind to ServiceKind and change switch to use .(type) Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
3 years ago
Destination: dest,
Add HTTP endpoints for config entry management (#5718)
6 years ago
}
// set it
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import
6 years ago
_, wm, err := config_entries.Set(service, nil)
Add HTTP endpoints for config entry management (#5718)
6 years ago
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
// also set the second one
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import
6 years ago
_, wm, err = config_entries.Set(service2, nil)
Add HTTP endpoints for config entry management (#5718)
6 years ago
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
// get it
entry, qm, err := config_entries.Get(ServiceDefaults, "foo", nil)
require.NoError(t, err)
require.NotNil(t, qm)
require.NotEqual(t, 0, qm.RequestTime)
// verify it
readService, ok := entry.(*ServiceConfigEntry)
require.True(t, ok)
require.Equal(t, service.Kind, readService.Kind)
require.Equal(t, service.Name, readService.Name)
require.Equal(t, service.Protocol, readService.Protocol)
Permissive mTLS (#17035) This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode. Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application. * Update service-defaults and proxy-defaults config entries with a MutualTLSMode field * Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode. * Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
2 years ago
require.Equal(t, service.MutualTLSMode, readService.MutualTLSMode)
api: support GetMeta() and GetNamespace() on all config entry kinds (#8764) Fixes #8755 Since I was updating the interface, i also added the missing `GetNamespace()`. Depending upon how you look at it, this is a breaking change since it adds methods to the exported interface `api.ConfigEntry`. Given that you cannot define your own config entry kinds, and all of the machinery of the `api.Client` acts like a factory to construct the canned ones from the rest of the module, this feels like it's not a problematic change as it would only break someone who had reimplemented the `ConfigEntry` interface themselves for no apparent utility?
4 years ago
require.Equal(t, service.Meta, readService.Meta)
require.Equal(t, service.Meta, readService.GetMeta())
fix: missing MaxInboundConnections field in service-defaults config entry (#14072) * fix: missing max_inbound_connections field in merge config
2 years ago
require.Equal(t, service.MaxInboundConnections, readService.MaxInboundConnections)
Add envoy connection balancing. (#14616) Add envoy connection balancing config.
2 years ago
require.Equal(t, service.BalanceInboundConnections, readService.BalanceInboundConnections)
Config-entry: Support proxy config in service-defaults (#14395) * Config-entry: Support proxy config in service-defaults * Update website/content/docs/connect/config-entries/service-defaults.mdx Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2 years ago
require.Equal(t, service.LocalConnectTimeoutMs, readService.LocalConnectTimeoutMs)
require.Equal(t, service.LocalRequestTimeoutMs, readService.LocalRequestTimeoutMs)
Add HTTP endpoints for config entry management (#5718)
6 years ago
// update it
service.Protocol = "tcp"
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import
6 years ago
// CAS fail
written, _, err := config_entries.CAS(service, 0, nil)
require.NoError(t, err)
require.False(t, written)
// CAS success
written, wm, err = config_entries.CAS(service, readService.ModifyIndex, nil)
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
require.True(t, written)
// update no cas
NET-5912/service-defaults protocol validation (#21593) * fix: add validation for protocol field on service-defaults config entry * test: update test cases with correct protocol
3 months ago
service.Protocol = "tcp"
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import
6 years ago
_, wm, err = config_entries.Set(service, nil)
Add HTTP endpoints for config entry management (#5718)
6 years ago
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
// list them
entries, qm, err := config_entries.List(ServiceDefaults, nil)
require.NoError(t, err)
require.NotNil(t, qm)
require.NotEqual(t, 0, qm.RequestTime)
require.Len(t, entries, 2)
for _, entry = range entries {
switch entry.GetName() {
case "foo":
Add integration test for central config; fix central config WIP (#5752) * Add integration test for central config; fix central config WIP * Add integration test for central config; fix central config WIP * Set proxy protocol correctly and begin adding upstream support * Add upstreams to service config cache key and start new notify watcher if they change. This doesn't update the tests to pass though. * Fix some merging logic get things working manually with a hack (TODO fix properly) * Simplification to not allow enabling sidecars centrally - it makes no sense without upstreams anyway * Test compile again and obvious ones pass. Lots of failures locally not debugged yet but may be flakes. Pushing up to see what CI does * Fix up service manageer and API test failures * Remove the enable command since it no longer makes much sense without being able to turn on sidecar proxies centrally * Remove version.go hack - will make integration test fail until release * Remove unused code from commands and upstream merge * Re-bump version to 1.5.0
6 years ago
// this also verifies that the update value was persisted and
Add HTTP endpoints for config entry management (#5718)
6 years ago
// the updated values are seen
readService, ok = entry.(*ServiceConfigEntry)
require.True(t, ok)
require.Equal(t, service.Kind, readService.Kind)
require.Equal(t, service.Name, readService.Name)
require.Equal(t, service.Protocol, readService.Protocol)
case "bar":
readService, ok = entry.(*ServiceConfigEntry)
require.True(t, ok)
require.Equal(t, service2.Kind, readService.Kind)
require.Equal(t, service2.Name, readService.Name)
require.Equal(t, service2.Protocol, readService.Protocol)
update gateway-services table with endpoints (#13217) * update gateway-services table with endpoints * fix failing test * remove unneeded config in test * rename "endpoint" to "destination" * more endpoint renaming to destination in tests * update isDestination based on service-defaults config entry creation * use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist) * set unknown state to empty to avoid modifying alot of tests * fix logic to set the kind correctly on CRUD * fix failing tests * add missing tests and fix service delete * fix failing test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * fix a bug with kind and add relevant test * fix compile error * fix failing tests * add kind to clone * fix failing tests * fix failing tests in catalog endpoint * fix service dump test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * remove duplicate tests * rename consts and fix kind when no destination is defined in the service-defaults. * rename Kind to ServiceKind and change switch to use .(type) Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
3 years ago
require.Equal(t, dest, readService.Destination)
Add HTTP endpoints for config entry management (#5718)
6 years ago
}
}
// delete it
wm, err = config_entries.Delete(ServiceDefaults, "foo", nil)
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
// verify deletion
ci: enable SA4006 staticcheck check And fix the 'value not used' issues. Many of these are not bugs, but a few are tests not checking errors, and one appears to be a missed error in non-test code.
5 years ago
_, _, err = config_entries.Get(ServiceDefaults, "foo", nil)
Add HTTP endpoints for config entry management (#5718)
6 years ago
require.Error(t, err)
})
config-entries: add a test for the API client Also fixes a bug with listing kind=mesh config entries. ValidateConfigEntryKind was only being used by the List endpoint, and was yet another place where we have to enumerate all the kinds. This commit removes ValidateConfigEntryKind and uses MakeConfigEntry instead. This change removes the need to maintain two separate functions at the cost of creating an instance of the config entry which will be thrown away immediately.
4 years ago
t.Run("Mesh", func(t *testing.T) {
mesh := &MeshConfigEntry{
Permissive mTLS (#17035) This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode. Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application. * Update service-defaults and proxy-defaults config entries with a MutualTLSMode field * Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode. * Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
2 years ago
TransparentProxy: TransparentProxyMeshConfig{MeshDestinationsOnly: true},
AllowEnablingPermissiveMutualTLS: true,
config-entries: add a test for the API client Also fixes a bug with listing kind=mesh config entries. ValidateConfigEntryKind was only being used by the List endpoint, and was yet another place where we have to enumerate all the kinds. This commit removes ValidateConfigEntryKind and uses MakeConfigEntry instead. This change removes the need to maintain two separate functions at the cost of creating an instance of the config entry which will be thrown away immediately.
4 years ago
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
fix(api): OSS<->ENT exported service incompatibility
2 years ago
Partition: defaultPartition,
Namespace: defaultNamespace,
config-entries: add a test for the API client Also fixes a bug with listing kind=mesh config entries. ValidateConfigEntryKind was only being used by the List endpoint, and was yet another place where we have to enumerate all the kinds. This commit removes ValidateConfigEntryKind and uses MakeConfigEntry instead. This change removes the need to maintain two separate functions at the cost of creating an instance of the config entry which will be thrown away immediately.
4 years ago
}
ce := c.ConfigEntries()
add general runstep test helper instead of copying it all over the place (#13013)
3 years ago
testutil.RunStep(t, "set and get", func(t *testing.T) {
config-entries: add a test for the API client Also fixes a bug with listing kind=mesh config entries. ValidateConfigEntryKind was only being used by the List endpoint, and was yet another place where we have to enumerate all the kinds. This commit removes ValidateConfigEntryKind and uses MakeConfigEntry instead. This change removes the need to maintain two separate functions at the cost of creating an instance of the config entry which will be thrown away immediately.
4 years ago
_, wm, err := ce.Set(mesh, nil)
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
entry, qm, err := ce.Get(MeshConfig, MeshConfigMesh, nil)
require.NoError(t, err)
require.NotNil(t, qm)
require.NotEqual(t, 0, qm.RequestTime)
result, ok := entry.(*MeshConfigEntry)
require.True(t, ok)
// ignore indexes
result.CreateIndex = 0
result.ModifyIndex = 0
require.Equal(t, mesh, result)
})
add general runstep test helper instead of copying it all over the place (#13013)
3 years ago
testutil.RunStep(t, "list", func(t *testing.T) {
config-entries: add a test for the API client Also fixes a bug with listing kind=mesh config entries. ValidateConfigEntryKind was only being used by the List endpoint, and was yet another place where we have to enumerate all the kinds. This commit removes ValidateConfigEntryKind and uses MakeConfigEntry instead. This change removes the need to maintain two separate functions at the cost of creating an instance of the config entry which will be thrown away immediately.
4 years ago
entries, qm, err := ce.List(MeshConfig, nil)
require.NoError(t, err)
require.NotNil(t, qm)
require.NotEqual(t, 0, qm.RequestTime)
require.Len(t, entries, 1)
})
add general runstep test helper instead of copying it all over the place (#13013)
3 years ago
testutil.RunStep(t, "delete", func(t *testing.T) {
config-entries: add a test for the API client Also fixes a bug with listing kind=mesh config entries. ValidateConfigEntryKind was only being used by the List endpoint, and was yet another place where we have to enumerate all the kinds. This commit removes ValidateConfigEntryKind and uses MakeConfigEntry instead. This change removes the need to maintain two separate functions at the cost of creating an instance of the config entry which will be thrown away immediately.
4 years ago
wm, err := ce.Delete(MeshConfig, MeshConfigMesh, nil)
require.NoError(t, err)
require.NotNil(t, wm)
require.NotEqual(t, 0, wm.RequestTime)
// verify deletion
_, _, err = ce.Get(MeshConfig, MeshConfigMesh, nil)
require.Error(t, err)
})
})
Support Check-And-Set deletion of config entries (#11419) Implements #11372
3 years ago
t.Run("CAS deletion", func(t *testing.T) {
entry := &ProxyConfigEntry{
Kind: ProxyDefaults,
Name: ProxyConfigGlobal,
Config: map[string]interface{}{
"foo": "bar",
},
}
// Create a config entry.
created, _, err := config_entries.Set(entry, nil)
bulk rewrite using this script set -euo pipefail unset CDPATH cd "$(dirname "$0")" for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do echo "=== require: $f ===" sed -i '/require := require.New(t)/d' $f # require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f # require.XXX(tblah) but not require.XXX(t, blah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f # require.XXX(rblah) but not require.XXX(r, blah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f gofmt -s -w $f done for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do echo "=== assert: $f ===" sed -i '/assert := assert.New(t)/d' $f # assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f # assert.XXX(tblah) but not assert.XXX(t, blah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f # assert.XXX(rblah) but not assert.XXX(r, blah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f gofmt -s -w $f done
3 years ago
require.NoError(t, err)
require.True(t, created, "entry should have been created")
Support Check-And-Set deletion of config entries (#11419) Implements #11372
3 years ago
// Read it back to get the ModifyIndex.
result, _, err := config_entries.Get(entry.Kind, entry.Name, nil)
bulk rewrite using this script set -euo pipefail unset CDPATH cd "$(dirname "$0")" for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do echo "=== require: $f ===" sed -i '/require := require.New(t)/d' $f # require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f # require.XXX(tblah) but not require.XXX(t, blah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f # require.XXX(rblah) but not require.XXX(r, blah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f gofmt -s -w $f done for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do echo "=== assert: $f ===" sed -i '/assert := assert.New(t)/d' $f # assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f # assert.XXX(tblah) but not assert.XXX(t, blah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f # assert.XXX(rblah) but not assert.XXX(r, blah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f gofmt -s -w $f done
3 years ago
require.NoError(t, err)
require.NotNil(t, entry)
Support Check-And-Set deletion of config entries (#11419) Implements #11372
3 years ago
// Attempt a deletion with an invalid index.
deleted, _, err := config_entries.DeleteCAS(entry.Kind, entry.Name, result.GetModifyIndex()-1, nil)
bulk rewrite using this script set -euo pipefail unset CDPATH cd "$(dirname "$0")" for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do echo "=== require: $f ===" sed -i '/require := require.New(t)/d' $f # require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f # require.XXX(tblah) but not require.XXX(t, blah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f # require.XXX(rblah) but not require.XXX(r, blah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f gofmt -s -w $f done for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do echo "=== assert: $f ===" sed -i '/assert := assert.New(t)/d' $f # assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f # assert.XXX(tblah) but not assert.XXX(t, blah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f # assert.XXX(rblah) but not assert.XXX(r, blah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f gofmt -s -w $f done
3 years ago
require.NoError(t, err)
require.False(t, deleted, "entry should not have been deleted")
Support Check-And-Set deletion of config entries (#11419) Implements #11372
3 years ago
// Attempt a deletion with a valid index.
deleted, _, err = config_entries.DeleteCAS(entry.Kind, entry.Name, result.GetModifyIndex(), nil)
bulk rewrite using this script set -euo pipefail unset CDPATH cd "$(dirname "$0")" for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do echo "=== require: $f ===" sed -i '/require := require.New(t)/d' $f # require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f # require.XXX(tblah) but not require.XXX(t, blah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f # require.XXX(rblah) but not require.XXX(r, blah) sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f gofmt -s -w $f done for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do echo "=== assert: $f ===" sed -i '/assert := assert.New(t)/d' $f # assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f # assert.XXX(tblah) but not assert.XXX(t, blah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f # assert.XXX(rblah) but not assert.XXX(r, blah) sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f gofmt -s -w $f done
3 years ago
require.NoError(t, err)
require.True(t, deleted, "entry should have been deleted")
Support Check-And-Set deletion of config entries (#11419) Implements #11372
3 years ago
})
config-entries: add a test for the API client Also fixes a bug with listing kind=mesh config entries. ValidateConfigEntryKind was only being used by the List endpoint, and was yet another place where we have to enumerate all the kinds. This commit removes ValidateConfigEntryKind and uses MakeConfigEntry instead. This change removes the need to maintain two separate functions at the cost of creating an instance of the config entry which will be thrown away immediately.
4 years ago
}
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
func TestDecodeConfigEntry(t *testing.T) {
t.Parallel()
for _, tc := range []struct {
name string
body string
expect ConfigEntry
expectErr string
}{
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
5 years ago
{
name: "expose-paths: kitchen sink proxy",
body: `
{
"Kind": "proxy-defaults",
"Name": "global",
"Expose": {
"Checks": true,
"Paths": [
{
"LocalPathPort": 8080,
"ListenerPort": 21500,
"Path": "/healthz",
"Protocol": "http2"
}
]
}
}
`,
expect: &ProxyConfigEntry{
Kind: "proxy-defaults",
Name: "global",
Expose: ExposeConfig{
Checks: true,
Paths: []ExposePath{
{
LocalPathPort: 8080,
ListenerPort: 21500,
Path: "/healthz",
Protocol: "http2",
},
},
},
},
},
{
name: "expose-paths: kitchen sink service default",
body: `
{
"Kind": "service-defaults",
"Name": "global",
"Expose": {
"Checks": true,
"Paths": [
{
"LocalPathPort": 8080,
"ListenerPort": 21500,
"Path": "/healthz",
"Protocol": "http2"
}
]
}
}
`,
expect: &ServiceConfigEntry{
Kind: "service-defaults",
Name: "global",
Expose: ExposeConfig{
Checks: true,
Paths: []ExposePath{
{
LocalPathPort: 8080,
ListenerPort: 21500,
Path: "/healthz",
Protocol: "http2",
},
},
},
},
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
{
name: "proxy-defaults",
body: `
{
"Kind": "proxy-defaults",
"Name": "main",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
"Meta" : {
"foo": "bar",
"gir": "zim"
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
"Config": {
"foo": 19,
"bar": "abc",
"moreconfig": {
"moar": "config"
}
},
"MeshGateway": {
"Mode": "remote"
Add TransparentProxy opt to proxy definition
4 years ago
},
Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.
4 years ago
"Mode": "transparent",
"TransparentProxy": {
Add flag for transparent proxies to dial individual instances (#10329)
4 years ago
"OutboundListenerPort": 808,
"DialedDirectly": true
feat: add access logging API to proxy defaults (#15780)
2 years ago
},
"AccessLogs": {
"Enabled": true,
"DisableListenerLogs": true,
"Type": "file",
"Path": "/tmp/logs.txt",
"TextFormat": "[%START_TIME%]"
add failover policy to ProxyConfigEntry in api (#16759) * add failover policy to ProxyConfigEntry in api * update docs
2 years ago
},
"FailoverPolicy": {
"Mode": "default"
Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.
4 years ago
}
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
}
`,
expect: &ProxyConfigEntry{
Kind: "proxy-defaults",
Name: "main",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
Config: map[string]interface{}{
"foo": float64(19),
"bar": "abc",
"moreconfig": map[string]interface{}{
"moar": "config",
},
},
MeshGateway: MeshGatewayConfig{
Mode: MeshGatewayModeRemote,
},
Add flag for transparent proxies to dial individual instances (#10329)
4 years ago
Mode: ProxyModeTransparent,
TransparentProxy: &TransparentProxyConfig{
OutboundListenerPort: 808,
DialedDirectly: true,
},
Change field to pointer so it will be parsed as nil (#15831)
2 years ago
AccessLogs: &AccessLogsConfig{
feat: add access logging API to proxy defaults (#15780)
2 years ago
Enabled: true,
DisableListenerLogs: true,
Type: FileLogSinkType,
Path: "/tmp/logs.txt",
TextFormat: "[%START_TIME%]",
},
add failover policy to ProxyConfigEntry in api (#16759) * add failover policy to ProxyConfigEntry in api * update docs
2 years ago
FailoverPolicy: &ServiceResolverFailoverPolicy{
Mode: "default",
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
},
},
{
name: "service-defaults",
body: `
{
"Kind": "service-defaults",
"Name": "main",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
"Meta" : {
"foo": "bar",
"gir": "zim"
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
"Protocol": "http",
connect: introduce ExternalSNI field on service-defaults (#6324) Compiling this will set an optional SNI field on each DiscoveryTarget. When set this value should be used for TLS connections to the instances of the target. If not set the default should be used. Setting ExternalSNI will disable mesh gateway use for that target. It also disables several service-resolver features that do not make sense for an external service.
5 years ago
"ExternalSNI": "abc-123",
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
"MeshGateway": {
"Mode": "remote"
Create new types for service-defaults upstream cfg
4 years ago
},
Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.
4 years ago
"Mode": "transparent",
"TransparentProxy": {
Add flag for transparent proxies to dial individual instances (#10329)
4 years ago
"OutboundListenerPort": 808,
"DialedDirectly": true
Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.
4 years ago
},
Add envoy connection balancing. (#14616) Add envoy connection balancing config.
2 years ago
"BalanceInboundConnections": "exact_balance",
connect: update centralized upstreams representation in service-defaults (#10015)
4 years ago
"UpstreamConfig": {
"Overrides": [
{
"Name": "redis",
Create new types for service-defaults upstream cfg
4 years ago
"PassiveHealthCheck": {
"MaxFailures": 3,
update enforcing consecutive 5xx type to pointer type (#14592) * update enforcing condecutive 5xx type to pointer type * update test
2 years ago
"Interval": "2s",
Support Envoy's MaxEjectionPercent and BaseEjectionTime config entries for passive health checks (#15979) * Add MaxEjectionPercent to config entry * Add BaseEjectionTime to config entry * Add MaxEjectionPercent and BaseEjectionTime to protobufs * Add MaxEjectionPercent and BaseEjectionTime to api * Fix integration test breakage * Verify MaxEjectionPercent and BaseEjectionTime in integration test upstream confings * Website docs for MaxEjectionPercent and BaseEjection time * Add `make docs` to browse docs at http://localhost:3000 * Changelog entry * so that is the difference between consul-docker and dev-docker * blah * update proto funcs * update proto --------- Co-authored-by: Maliz <maliheh.monshizadeh@hashicorp.com>
2 years ago
"EnforcingConsecutive5xx": 60,
"MaxEjectionPercent": 4,
"BaseEjectionTime": "5s"
Add envoy connection balancing. (#14616) Add envoy connection balancing config.
2 years ago
},
"BalanceOutboundConnections": "exact_balance"
Create new types for service-defaults upstream cfg
4 years ago
},
connect: update centralized upstreams representation in service-defaults (#10015)
4 years ago
{
"Name": "finance--billing",
Create new types for service-defaults upstream cfg
4 years ago
"MeshGateway": {
"Mode": "remote"
}
}
connect: update centralized upstreams representation in service-defaults (#10015)
4 years ago
],
"Defaults": {
Restore old Envoy prefix on escape hatches This is done because after removing ID and NodeName from ServiceConfigRequest we will no longer know whether a request coming in is for a Consul client earlier than v1.10.
4 years ago
"EnvoyClusterJSON": "zip",
"EnvoyListenerJSON": "zop",
Create new types for service-defaults upstream cfg
4 years ago
"ConnectTimeoutMs": 5000,
"Protocol": "http",
"Limits": {
"MaxConnections": 3,
"MaxPendingRequests": 4,
"MaxConcurrentRequests": 5
},
"PassiveHealthCheck": {
"MaxFailures": 5,
Support Envoy's MaxEjectionPercent and BaseEjectionTime config entries for passive health checks (#15979) * Add MaxEjectionPercent to config entry * Add BaseEjectionTime to config entry * Add MaxEjectionPercent and BaseEjectionTime to protobufs * Add MaxEjectionPercent and BaseEjectionTime to api * Fix integration test breakage * Verify MaxEjectionPercent and BaseEjectionTime in integration test upstream confings * Website docs for MaxEjectionPercent and BaseEjection time * Add `make docs` to browse docs at http://localhost:3000 * Changelog entry * so that is the difference between consul-docker and dev-docker * blah * update proto funcs * update proto --------- Co-authored-by: Maliz <maliheh.monshizadeh@hashicorp.com>
2 years ago
"Interval": "4s",
"EnforcingConsecutive5xx": 61,
"MaxEjectionPercent": 5,
"BaseEjectionTime": "6s"
Create new types for service-defaults upstream cfg
4 years ago
}
}
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
}
}
`,
expect: &ServiceConfigEntry{
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
Kind: "service-defaults",
Name: "main",
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
connect: introduce ExternalSNI field on service-defaults (#6324) Compiling this will set an optional SNI field on each DiscoveryTarget. When set this value should be used for TLS connections to the instances of the target. If not set the default should be used. Setting ExternalSNI will disable mesh gateway use for that target. It also disables several service-resolver features that do not make sense for an external service.
5 years ago
Protocol: "http",
ExternalSNI: "abc-123",
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
MeshGateway: MeshGatewayConfig{
Mode: MeshGatewayModeRemote,
},
Add flag for transparent proxies to dial individual instances (#10329)
4 years ago
Mode: ProxyModeTransparent,
TransparentProxy: &TransparentProxyConfig{
OutboundListenerPort: 808,
DialedDirectly: true,
},
Add envoy connection balancing. (#14616) Add envoy connection balancing config.
2 years ago
BalanceInboundConnections: "exact_balance",
connect: update centralized upstreams representation in service-defaults (#10015)
4 years ago
UpstreamConfig: &UpstreamConfiguration{
Overrides: []*UpstreamConfig{
{
Name: "redis",
Turn Limits and PassiveHealthChecks into pointers
4 years ago
PassiveHealthCheck: &PassiveHealthCheck{
update enforcing consecutive 5xx type to pointer type (#14592) * update enforcing condecutive 5xx type to pointer type * update test
2 years ago
MaxFailures: 3,
Interval: 2 * time.Second,
EnforcingConsecutive5xx: uint32Pointer(60),
Support Envoy's MaxEjectionPercent and BaseEjectionTime config entries for passive health checks (#15979) * Add MaxEjectionPercent to config entry * Add BaseEjectionTime to config entry * Add MaxEjectionPercent and BaseEjectionTime to protobufs * Add MaxEjectionPercent and BaseEjectionTime to api * Fix integration test breakage * Verify MaxEjectionPercent and BaseEjectionTime in integration test upstream confings * Website docs for MaxEjectionPercent and BaseEjection time * Add `make docs` to browse docs at http://localhost:3000 * Changelog entry * so that is the difference between consul-docker and dev-docker * blah * update proto funcs * update proto --------- Co-authored-by: Maliz <maliheh.monshizadeh@hashicorp.com>
2 years ago
MaxEjectionPercent: uint32Pointer(4),
BaseEjectionTime: durationPointer(5 * time.Second),
Create new types for service-defaults upstream cfg
4 years ago
},
Add envoy connection balancing. (#14616) Add envoy connection balancing config.
2 years ago
BalanceOutboundConnections: "exact_balance",
Create new types for service-defaults upstream cfg
4 years ago
},
connect: update centralized upstreams representation in service-defaults (#10015)
4 years ago
{
Name: "finance--billing",
Create new types for service-defaults upstream cfg
4 years ago
MeshGateway: MeshGatewayConfig{Mode: "remote"},
},
},
connect: update centralized upstreams representation in service-defaults (#10015)
4 years ago
Defaults: &UpstreamConfig{
Restore old Envoy prefix on escape hatches This is done because after removing ID and NodeName from ServiceConfigRequest we will no longer know whether a request coming in is for a Consul client earlier than v1.10.
4 years ago
EnvoyClusterJSON: "zip",
EnvoyListenerJSON: "zop",
Protocol: "http",
ConnectTimeoutMs: 5000,
Turn Limits and PassiveHealthChecks into pointers
4 years ago
Limits: &UpstreamLimits{
connect: update centralized upstreams representation in service-defaults (#10015)
4 years ago
MaxConnections: intPointer(3),
MaxPendingRequests: intPointer(4),
MaxConcurrentRequests: intPointer(5),
Create new types for service-defaults upstream cfg
4 years ago
},
Turn Limits and PassiveHealthChecks into pointers
4 years ago
PassiveHealthCheck: &PassiveHealthCheck{
Support Envoy's MaxEjectionPercent and BaseEjectionTime config entries for passive health checks (#15979) * Add MaxEjectionPercent to config entry * Add BaseEjectionTime to config entry * Add MaxEjectionPercent and BaseEjectionTime to protobufs * Add MaxEjectionPercent and BaseEjectionTime to api * Fix integration test breakage * Verify MaxEjectionPercent and BaseEjectionTime in integration test upstream confings * Website docs for MaxEjectionPercent and BaseEjection time * Add `make docs` to browse docs at http://localhost:3000 * Changelog entry * so that is the difference between consul-docker and dev-docker * blah * update proto funcs * update proto --------- Co-authored-by: Maliz <maliheh.monshizadeh@hashicorp.com>
2 years ago
MaxFailures: 5,
Interval: 4 * time.Second,
EnforcingConsecutive5xx: uint32Pointer(61),
MaxEjectionPercent: uint32Pointer(5),
BaseEjectionTime: durationPointer(6 * time.Second),
Create new types for service-defaults upstream cfg
4 years ago
},
},
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
},
},
feat: add endpoint struct to ServiceConfigEntry
3 years ago
{
name: "service-defaults-endpoint",
body: `
{
"Kind": "service-defaults",
"Name": "external",
"Protocol": "http",
update gateway-services table with endpoints (#13217) * update gateway-services table with endpoints * fix failing test * remove unneeded config in test * rename "endpoint" to "destination" * more endpoint renaming to destination in tests * update isDestination based on service-defaults config entry creation * use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist) * set unknown state to empty to avoid modifying alot of tests * fix logic to set the kind correctly on CRUD * fix failing tests * add missing tests and fix service delete * fix failing test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * fix a bug with kind and add relevant test * fix compile error * fix failing tests * add kind to clone * fix failing tests * fix failing tests in catalog endpoint * fix service dump test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * remove duplicate tests * rename consts and fix kind when no destination is defined in the service-defaults. * rename Kind to ServiceKind and change switch to use .(type) Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
3 years ago
"Destination": {
feat: convert destination address to slice
2 years ago
"Addresses": [
"1.2.3.4"
],
chore(test): Update bats version
3 years ago
"Port": 443
feat: add endpoint struct to ServiceConfigEntry
3 years ago
}
}
`,
expect: &ServiceConfigEntry{
Kind: "service-defaults",
Name: "external",
Protocol: "http",
update gateway-services table with endpoints (#13217) * update gateway-services table with endpoints * fix failing test * remove unneeded config in test * rename "endpoint" to "destination" * more endpoint renaming to destination in tests * update isDestination based on service-defaults config entry creation * use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist) * set unknown state to empty to avoid modifying alot of tests * fix logic to set the kind correctly on CRUD * fix failing tests * add missing tests and fix service delete * fix failing test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * fix a bug with kind and add relevant test * fix compile error * fix failing tests * add kind to clone * fix failing tests * fix failing tests in catalog endpoint * fix service dump test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * remove duplicate tests * rename consts and fix kind when no destination is defined in the service-defaults. * rename Kind to ServiceKind and change switch to use .(type) Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
3 years ago
Destination: &DestinationConfig{
feat: convert destination address to slice
2 years ago
Addresses: []string{"1.2.3.4"},
Port: 443,
feat: add endpoint struct to ServiceConfigEntry
3 years ago
},
},
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
{
name: "service-router: kitchen sink",
body: `
{
"Kind": "service-router",
"Name": "main",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
"Meta" : {
"foo": "bar",
"gir": "zim"
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
"Routes": [
{
"Match": {
"HTTP": {
"PathExact": "/foo",
"Header": [
{
"Name": "debug1",
"Present": true
},
{
"Name": "debug2",
"Present": false,
"Invert": true
},
{
"Name": "debug3",
"Exact": "1"
},
{
"Name": "debug4",
"Prefix": "aaa"
},
{
"Name": "debug5",
"Suffix": "bbb"
},
{
"Name": "debug6",
"Regex": "a.*z"
}
]
}
},
"Destination": {
"Service": "carrot",
"ServiceSubset": "kale",
"Namespace": "leek",
"PrefixRewrite": "/alternate",
"RequestTimeout": "99s",
Add support for configuring Envoys route idle_timeout (#14340) * Add idleTimeout Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
2 years ago
"IdleTimeout": "99s",
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
"NumRetries": 12345,
"RetryOnConnectFailure": true,
"RetryOnStatusCodes": [401, 209]
}
},
{
"Match": {
"HTTP": {
"PathPrefix": "/foo",
"Methods": [ "GET", "DELETE" ],
"QueryParam": [
{
"Name": "hack1",
"Present": true
},
{
"Name": "hack2",
"Exact": "1"
},
{
"Name": "hack3",
"Regex": "a.*z"
}
]
}
}
},
{
"Match": {
"HTTP": {
"PathRegex": "/foo"
}
}
}
]
}
`,
expect: &ServiceRouterConfigEntry{
Kind: "service-router",
Name: "main",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
Routes: []ServiceRoute{
{
Match: &ServiceRouteMatch{
HTTP: &ServiceRouteHTTPMatch{
PathExact: "/foo",
Header: []ServiceRouteHTTPMatchHeader{
{
Name: "debug1",
Present: true,
},
{
Name: "debug2",
Present: false,
Invert: true,
},
{
Name: "debug3",
Exact: "1",
},
{
Name: "debug4",
Prefix: "aaa",
},
{
Name: "debug5",
Suffix: "bbb",
},
{
Name: "debug6",
Regex: "a.*z",
},
},
},
},
Destination: &ServiceRouteDestination{
Service: "carrot",
ServiceSubset: "kale",
Namespace: "leek",
PrefixRewrite: "/alternate",
RequestTimeout: 99 * time.Second,
Add support for configuring Envoys route idle_timeout (#14340) * Add idleTimeout Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
2 years ago
IdleTimeout: 99 * time.Second,
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
NumRetries: 12345,
RetryOnConnectFailure: true,
RetryOnStatusCodes: []uint32{401, 209},
},
},
{
Match: &ServiceRouteMatch{
HTTP: &ServiceRouteHTTPMatch{
PathPrefix: "/foo",
Methods: []string{"GET", "DELETE"},
QueryParam: []ServiceRouteHTTPMatchQueryParam{
{
Name: "hack1",
Present: true,
},
{
Name: "hack2",
Exact: "1",
},
{
Name: "hack3",
Regex: "a.*z",
},
},
},
},
},
{
Match: &ServiceRouteMatch{
HTTP: &ServiceRouteHTTPMatch{
PathRegex: "/foo",
},
},
},
},
},
},
{
name: "service-splitter: kitchen sink",
body: `
{
"Kind": "service-splitter",
"Name": "main",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
"Meta" : {
"foo": "bar",
"gir": "zim"
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
"Splits": [
{
"Weight": 99.1,
"ServiceSubset": "v1"
},
{
"Weight": 0.9,
"Service": "other",
"Namespace": "alt"
}
]
}
`,
expect: &ServiceSplitterConfigEntry{
Kind: ServiceSplitter,
Name: "main",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
Splits: []ServiceSplit{
{
Weight: 99.1,
ServiceSubset: "v1",
},
{
Weight: 0.9,
Service: "other",
Namespace: "alt",
},
},
},
},
{
name: "service-resolver: subsets with failover",
body: `
{
"Kind": "service-resolver",
"Name": "main",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
"Meta" : {
"foo": "bar",
"gir": "zim"
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
"DefaultSubset": "v1",
"ConnectTimeout": "15s",
"Subsets": {
"v1": {
"Filter": "Service.Meta.version == v1"
},
"v2": {
"Filter": "Service.Meta.version == v2",
"OnlyPassing": true
}
},
"Failover": {
"v2": {
"Service": "failcopy",
"ServiceSubset": "sure",
"Namespace": "neighbor",
"Datacenters": ["dc5", "dc14"]
},
"*": {
"Datacenters": ["dc7"]
}
}
}`,
expect: &ServiceResolverConfigEntry{
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
Kind: "service-resolver",
Name: "main",
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
DefaultSubset: "v1",
ConnectTimeout: 15 * time.Second,
Subsets: map[string]ServiceResolverSubset{
"v1": {
Filter: "Service.Meta.version == v1",
},
"v2": {
Filter: "Service.Meta.version == v2",
OnlyPassing: true,
},
},
Failover: map[string]ServiceResolverFailover{
"v2": {
Service: "failcopy",
ServiceSubset: "sure",
Namespace: "neighbor",
Datacenters: []string{"dc5", "dc14"},
},
"*": {
Datacenters: []string{"dc7"},
},
},
},
},
{
name: "service-resolver: redirect",
body: `
{
"Kind": "service-resolver",
"Name": "main",
"Redirect": {
"Service": "other",
"ServiceSubset": "backup",
"Namespace": "alt",
"Datacenter": "dc9"
}
}
`,
expect: &ServiceResolverConfigEntry{
Kind: "service-resolver",
Name: "main",
Redirect: &ServiceResolverRedirect{
Service: "other",
ServiceSubset: "backup",
Namespace: "alt",
Datacenter: "dc9",
},
},
},
{
name: "service-resolver: default",
body: `
{
"Kind": "service-resolver",
"Name": "main"
}
`,
expect: &ServiceResolverConfigEntry{
Kind: "service-resolver",
Name: "main",
},
},
Add session flag to cookie config
4 years ago
{
name: "service-resolver: envoy hash lb kitchen sink",
body: `
{
"Kind": "service-resolver",
"Name": "main",
"LoadBalancer": {
"Policy": "ring_hash",
"RingHashConfig": {
"MinimumRingSize": 1,
"MaximumRingSize": 2
},
"HashPolicies": [
{
"Field": "cookie",
"FieldValue": "good-cookie",
"CookieConfig": {
"TTL": "1s",
"Path": "/oven"
},
"Terminal": true
},
{
"Field": "cookie",
"FieldValue": "less-good-cookie",
"CookieConfig": {
"Session": true,
"Path": "/toaster"
},
"Terminal": true
},
{
"Field": "header",
"FieldValue": "x-user-id"
},
{
"SourceIP": true
}
]
}
}
`,
expect: &ServiceResolverConfigEntry{
Kind: "service-resolver",
Name: "main",
LoadBalancer: &LoadBalancer{
Policy: "ring_hash",
RingHashConfig: &RingHashConfig{
MinimumRingSize: 1,
MaximumRingSize: 2,
},
HashPolicies: []HashPolicy{
{
Field: "cookie",
FieldValue: "good-cookie",
CookieConfig: &CookieConfig{
TTL: 1 * time.Second,
Path: "/oven",
},
Terminal: true,
},
{
Field: "cookie",
FieldValue: "less-good-cookie",
CookieConfig: &CookieConfig{
Session: true,
Path: "/toaster",
},
Terminal: true,
},
{
Field: "header",
FieldValue: "x-user-id",
},
{
SourceIP: true,
},
},
},
},
},
{
name: "service-resolver: envoy least request kitchen sink",
body: `
{
"Kind": "service-resolver",
"Name": "main",
"LoadBalancer": {
"Policy": "least_request",
"LeastRequestConfig": {
"ChoiceCount": 2
}
}
}
`,
expect: &ServiceResolverConfigEntry{
Kind: "service-resolver",
Name: "main",
LoadBalancer: &LoadBalancer{
Policy: "least_request",
LeastRequestConfig: &LeastRequestConfig{
ChoiceCount: 2,
},
},
},
},
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
{
ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) * xds: refactor ingress listener SDS configuration * xds: update resolveListenerSDS call args in listeners_test * ingress: add TLS min, max and cipher suites to GatewayTLSConfig * xds: implement envoyTLSVersions and envoyTLSCipherSuites * xds: merge TLS config * xds: configure TLS parameters with ingress TLS context from leaf * xds: nil check in resolveListenerTLSConfig validation * xds: nil check in makeTLSParameters* functions * changelog: add entry for TLS params on ingress config entries * xds: remove indirection for TLS params in TLSConfig structs * xds: return tlsContext, nil instead of ambiguous err Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * xds: switch zero checks to types.TLSVersionUnspecified * ingress: add validation for ingress config entry TLS params * ingress: validate listener TLS config * xds: add basic ingress with TLS params tests * xds: add ingress listeners mixed TLS min version defaults precedence test * xds: add more explicit tests for ingress listeners inheriting gateway defaults * xds: add test for single TLS listener on gateway without TLS defaults * xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test * types/tls: change TLSVersion to string * types/tls: update TLSCipherSuite to string type * types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private * api: add TLS params to GatewayTLSConfig, add tests * api: add TLSMinVersion to ingress gateway config entry test JSON * xds: switch to Envoy TLS cipher suite encoding from types package * xds: fixup validation for TLSv1_3 min version with cipher suites * add some kitchen sink tests and add a missing struct tag * xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites * xds: update connectTLSEnabled comment * xds: remove unsued resolveGatewayServiceTLSConfig function * xds: add makeCommonTLSContextFromLeafWithoutParams * types/tls: add LessThan comparator function for concrete values * types/tls: change tlsVersions validation map from string to TLSVersion keys * types/tls: remove unused envoyTLSCipherSuites * types/tls: enable chacha20 cipher suites for Consul agent * types/tls: remove insecure cipher suites from allowed config TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source. Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330 * types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private * types/tls: return all unmatched cipher suites in validation errors * xds: check that Envoy API value matching TLS version is found when building TlsParameters * types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings * types/tls: cast to string rather than fmt.Printf in TLSCihperSuite.String() * xds: add TLSVersionUnspecified to list of configurable cipher suites * structs: update note about config entry warning * xds: remove TLS min version cipher suite unconfigurable test placeholder * types/tls: update tests to remove assumption about private map values Co-authored-by: R.B. Boyer <rb@hashicorp.com>
3 years ago
// TODO(rb): test SDS stuff here in both places (global/service)
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
name: "ingress-gateway",
body: `
{
"Kind": "ingress-gateway",
"Name": "ingress-web",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
"Meta" : {
"foo": "bar",
"gir": "zim"
},
Add TLS field to ingress API structs - Adds test in api and command/config/write packages
5 years ago
"Tls": {
ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) * xds: refactor ingress listener SDS configuration * xds: update resolveListenerSDS call args in listeners_test * ingress: add TLS min, max and cipher suites to GatewayTLSConfig * xds: implement envoyTLSVersions and envoyTLSCipherSuites * xds: merge TLS config * xds: configure TLS parameters with ingress TLS context from leaf * xds: nil check in resolveListenerTLSConfig validation * xds: nil check in makeTLSParameters* functions * changelog: add entry for TLS params on ingress config entries * xds: remove indirection for TLS params in TLSConfig structs * xds: return tlsContext, nil instead of ambiguous err Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * xds: switch zero checks to types.TLSVersionUnspecified * ingress: add validation for ingress config entry TLS params * ingress: validate listener TLS config * xds: add basic ingress with TLS params tests * xds: add ingress listeners mixed TLS min version defaults precedence test * xds: add more explicit tests for ingress listeners inheriting gateway defaults * xds: add test for single TLS listener on gateway without TLS defaults * xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test * types/tls: change TLSVersion to string * types/tls: update TLSCipherSuite to string type * types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private * api: add TLS params to GatewayTLSConfig, add tests * api: add TLSMinVersion to ingress gateway config entry test JSON * xds: switch to Envoy TLS cipher suite encoding from types package * xds: fixup validation for TLSv1_3 min version with cipher suites * add some kitchen sink tests and add a missing struct tag * xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites * xds: update connectTLSEnabled comment * xds: remove unsued resolveGatewayServiceTLSConfig function * xds: add makeCommonTLSContextFromLeafWithoutParams * types/tls: add LessThan comparator function for concrete values * types/tls: change tlsVersions validation map from string to TLSVersion keys * types/tls: remove unused envoyTLSCipherSuites * types/tls: enable chacha20 cipher suites for Consul agent * types/tls: remove insecure cipher suites from allowed config TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source. Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330 * types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private * types/tls: return all unmatched cipher suites in validation errors * xds: check that Envoy API value matching TLS version is found when building TlsParameters * types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings * types/tls: cast to string rather than fmt.Printf in TLSCihperSuite.String() * xds: add TLSVersionUnspecified to list of configurable cipher suites * structs: update note about config entry warning * xds: remove TLS min version cipher suite unconfigurable test placeholder * types/tls: update tests to remove assumption about private map values Co-authored-by: R.B. Boyer <rb@hashicorp.com>
3 years ago
"Enabled": true,
"TLSMinVersion": "TLSv1_1",
"TLSMaxVersion": "TLSv1_2",
"CipherSuites": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
Add TLS field to ingress API structs - Adds test in api and command/config/write packages
5 years ago
},
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
"Listeners": [
{
"Port": 8080,
"Protocol": "http",
"Services": [
{
"Name": "web",
Accept partition for ingress services
3 years ago
"Namespace": "foo",
"Partition": "bar"
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
},
{
"Name": "db"
}
]
},
{
"Port": 9999,
"Protocol": "tcp",
"Services": [
{
"Name": "mysql"
}
]
}
]
}
`,
expect: &IngressGatewayConfigEntry{
Kind: "ingress-gateway",
Name: "ingress-web",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
Add TLS field to ingress API structs - Adds test in api and command/config/write packages
5 years ago
TLS: GatewayTLSConfig{
ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) * xds: refactor ingress listener SDS configuration * xds: update resolveListenerSDS call args in listeners_test * ingress: add TLS min, max and cipher suites to GatewayTLSConfig * xds: implement envoyTLSVersions and envoyTLSCipherSuites * xds: merge TLS config * xds: configure TLS parameters with ingress TLS context from leaf * xds: nil check in resolveListenerTLSConfig validation * xds: nil check in makeTLSParameters* functions * changelog: add entry for TLS params on ingress config entries * xds: remove indirection for TLS params in TLSConfig structs * xds: return tlsContext, nil instead of ambiguous err Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * xds: switch zero checks to types.TLSVersionUnspecified * ingress: add validation for ingress config entry TLS params * ingress: validate listener TLS config * xds: add basic ingress with TLS params tests * xds: add ingress listeners mixed TLS min version defaults precedence test * xds: add more explicit tests for ingress listeners inheriting gateway defaults * xds: add test for single TLS listener on gateway without TLS defaults * xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test * types/tls: change TLSVersion to string * types/tls: update TLSCipherSuite to string type * types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private * api: add TLS params to GatewayTLSConfig, add tests * api: add TLSMinVersion to ingress gateway config entry test JSON * xds: switch to Envoy TLS cipher suite encoding from types package * xds: fixup validation for TLSv1_3 min version with cipher suites * add some kitchen sink tests and add a missing struct tag * xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites * xds: update connectTLSEnabled comment * xds: remove unsued resolveGatewayServiceTLSConfig function * xds: add makeCommonTLSContextFromLeafWithoutParams * types/tls: add LessThan comparator function for concrete values * types/tls: change tlsVersions validation map from string to TLSVersion keys * types/tls: remove unused envoyTLSCipherSuites * types/tls: enable chacha20 cipher suites for Consul agent * types/tls: remove insecure cipher suites from allowed config TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source. Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330 * types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private * types/tls: return all unmatched cipher suites in validation errors * xds: check that Envoy API value matching TLS version is found when building TlsParameters * types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings * types/tls: cast to string rather than fmt.Printf in TLSCihperSuite.String() * xds: add TLSVersionUnspecified to list of configurable cipher suites * structs: update note about config entry warning * xds: remove TLS min version cipher suite unconfigurable test placeholder * types/tls: update tests to remove assumption about private map values Co-authored-by: R.B. Boyer <rb@hashicorp.com>
3 years ago
Enabled: true,
TLSMinVersion: "TLSv1_1",
TLSMaxVersion: "TLSv1_2",
CipherSuites: []string{
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
},
Add TLS field to ingress API structs - Adds test in api and command/config/write packages
5 years ago
},
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
Listeners: []IngressListener{
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
4 years ago
{
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
Port: 8080,
Protocol: "http",
Services: []IngressService{
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
4 years ago
{
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
Name: "web",
Namespace: "foo",
Accept partition for ingress services
3 years ago
Partition: "bar",
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
4 years ago
{
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
Name: "db",
},
},
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
4 years ago
{
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
Port: 9999,
Protocol: "tcp",
Services: []IngressService{
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
4 years ago
{
Add config entry/state for Ingress Gateways (#7483) * Add Ingress gateway config entry and other relevant structs * Add api package tests for ingress gateways * Embed EnterpriseMeta into ingress service struct * Add namespace fields to api module and test consul config write decoding * Don't require a port for ingress gateways * Add snakeJSON and camelJSON cases in command test * Run Normalize on service's ent metadata Sadly cannot think of a way to test this in OSS. * Every protocol requires at least 1 service * Validate ingress protocols * Update agent/structs/config_entry_gateways.go Co-authored-by: Chris Piraino <cpiraino@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>
5 years ago
Name: "mysql",
},
},
},
},
},
},
Add config entry for terminating gateways (#7545) This config entry will be used to configure terminating gateways. It accepts the name of the gateway and a list of services the gateway will represent. For each service users will be able to specify: its name, namespace, and additional options for TLS origination. Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
5 years ago
{
name: "terminating-gateway",
body: `
{
"Kind": "terminating-gateway",
"Name": "terminating-west",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
"Meta" : {
"foo": "bar",
"gir": "zim"
},
Add config entry for terminating gateways (#7545) This config entry will be used to configure terminating gateways. It accepts the name of the gateway and a list of services the gateway will represent. For each service users will be able to specify: its name, namespace, and additional options for TLS origination. Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
5 years ago
"Services": [
{
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
"Namespace": "foo",
Add config entry for terminating gateways (#7545) This config entry will be used to configure terminating gateways. It accepts the name of the gateway and a list of services the gateway will represent. For each service users will be able to specify: its name, namespace, and additional options for TLS origination. Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
5 years ago
"Name": "web",
"CAFile": "/etc/ca.pem",
"CertFile": "/etc/cert.pem",
TLS Origination for Terminating Gateways (#7671)
5 years ago
"KeyFile": "/etc/tls.key",
"SNI": "mydomain"
Add config entry for terminating gateways (#7545) This config entry will be used to configure terminating gateways. It accepts the name of the gateway and a list of services the gateway will represent. For each service users will be able to specify: its name, namespace, and additional options for TLS origination. Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
5 years ago
},
{
"Name": "api"
},
{
"Namespace": "bar",
"Name": "*"
}
]
}`,
expect: &TerminatingGatewayConfigEntry{
Kind: "terminating-gateway",
Name: "terminating-west",
connect: all config entries pick up a meta field (#8596) Fixes #8595
4 years ago
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
Add config entry for terminating gateways (#7545) This config entry will be used to configure terminating gateways. It accepts the name of the gateway and a list of services the gateway will represent. For each service users will be able to specify: its name, namespace, and additional options for TLS origination. Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
5 years ago
Services: []LinkedService{
{
Namespace: "foo",
Name: "web",
CAFile: "/etc/ca.pem",
CertFile: "/etc/cert.pem",
KeyFile: "/etc/tls.key",
TLS Origination for Terminating Gateways (#7671)
5 years ago
SNI: "mydomain",
Add config entry for terminating gateways (#7545) This config entry will be used to configure terminating gateways. It accepts the name of the gateway and a list of services the gateway will represent. For each service users will be able to specify: its name, namespace, and additional options for TLS origination. Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
5 years ago
},
{
Name: "api",
},
{
Namespace: "bar",
Name: "*",
},
},
},
},
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
4 years ago
{
name: "service-intentions: kitchen sink",
body: `
{
"Kind": "service-intentions",
"Name": "web",
"Meta" : {
"foo": "bar",
"gir": "zim"
},
"Sources": [
{
"Name": "foo",
"Action": "deny",
"Type": "consul",
"Description": "foo desc"
},
{
"Name": "bar",
"Action": "allow",
"Description": "bar desc"
},
{
"Name": "l7",
"Permissions": [
{
"Action": "deny",
"HTTP": {
"PathExact": "/admin",
"Header": [
{
"Name": "hdr-present",
"Present": true
},
{
"Name": "hdr-exact",
"Exact": "exact"
},
{
"Name": "hdr-prefix",
"Prefix": "prefix"
},
{
"Name": "hdr-suffix",
"Suffix": "suffix"
},
{
"Name": "hdr-regex",
"Regex": "regex"
},
{
"Name": "hdr-absent",
"Present": true,
"Invert": true
}
]
}
},
{
"Action": "allow",
"HTTP": {
"PathPrefix": "/v3/"
}
},
{
"Action": "allow",
"HTTP": {
"PathRegex": "/v[12]/.*",
"Methods": [
"GET",
"POST"
]
}
}
]
},
{
"Name": "*",
"Action": "deny",
"Description": "wild desc"
}
]
}
`,
expect: &ServiceIntentionsConfigEntry{
Kind: "service-intentions",
Name: "web",
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
Sources: []*SourceIntention{
{
Name: "foo",
Action: "deny",
Type: "consul",
Description: "foo desc",
},
{
Name: "bar",
Action: "allow",
Description: "bar desc",
},
{
Name: "l7",
Permissions: []*IntentionPermission{
{
Action: "deny",
HTTP: &IntentionHTTPPermission{
PathExact: "/admin",
Header: []IntentionHTTPHeaderPermission{
{
Name: "hdr-present",
Present: true,
},
{
Name: "hdr-exact",
Exact: "exact",
},
{
Name: "hdr-prefix",
Prefix: "prefix",
},
{
Name: "hdr-suffix",
Suffix: "suffix",
},
{
Name: "hdr-regex",
Regex: "regex",
},
{
Name: "hdr-absent",
Present: true,
Invert: true,
},
},
},
},
{
Action: "allow",
HTTP: &IntentionHTTPPermission{
PathPrefix: "/v3/",
},
},
{
Action: "allow",
HTTP: &IntentionHTTPPermission{
PathRegex: "/v[12]/.*",
Methods: []string{"GET", "POST"},
},
},
},
},
{
Name: "*",
Action: "deny",
Description: "wild desc",
},
},
},
},
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
4 years ago
{
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
4 years ago
name: "mesh",
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
4 years ago
body: `
{
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
4 years ago
"Kind": "mesh",
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
4 years ago
"Meta" : {
"foo": "bar",
"gir": "zim"
},
"TransparentProxy": {
Rename CatalogDestinationsOnly (#10397) CatalogDestinationsOnly is a passthrough that would enable dialing addresses outside of Consul's catalog. However, when this flag is set to true only _connect_ endpoints for services can be dialed. This flag is being renamed to signal that non-Connect endpoints can't be dialed by transparent proxies when the value is set to true.
3 years ago
"MeshDestinationsOnly": true
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966
3 years ago
},
"TLS": {
"Incoming": {
"TLSMinVersion": "TLSv1_1",
"TLSMaxVersion": "TLSv1_2",
"CipherSuites": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
},
"Outgoing": {
"TLSMinVersion": "TLSv1_1",
"TLSMaxVersion": "TLSv1_2",
"CipherSuites": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
}
Update mesh config tests Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
},
"HTTP": {
"SanitizeXForwardedClientCert": true
feat: add PeerThroughMeshGateways to mesh config
2 years ago
},
"Peering": {
"PeerThroughMeshGateways": true
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
4 years ago
}
}
`,
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
4 years ago
expect: &MeshConfigEntry{
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
4 years ago
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
},
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
4 years ago
TransparentProxy: TransparentProxyMeshConfig{
Rename CatalogDestinationsOnly (#10397) CatalogDestinationsOnly is a passthrough that would enable dialing addresses outside of Consul's catalog. However, when this flag is set to true only _connect_ endpoints for services can be dialed. This flag is being renamed to signal that non-Connect endpoints can't be dialed by transparent proxies when the value is set to true.
3 years ago
MeshDestinationsOnly: true,
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
4 years ago
},
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966
3 years ago
TLS: &MeshTLSConfig{
Incoming: &MeshDirectionalTLSConfig{
TLSMinVersion: "TLSv1_1",
TLSMaxVersion: "TLSv1_2",
CipherSuites: []string{
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
},
},
Outgoing: &MeshDirectionalTLSConfig{
TLSMinVersion: "TLSv1_1",
TLSMaxVersion: "TLSv1_2",
CipherSuites: []string{
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
},
},
},
Update mesh config tests Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago
HTTP: &MeshHTTPConfig{
SanitizeXForwardedClientCert: true,
},
feat: add PeerThroughMeshGateways to mesh config
2 years ago
Peering: &PeeringMeshConfig{
PeerThroughMeshGateways: true,
},
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
4 years ago
},
},
api: un-deprecate api.DecodeConfigEntry (#6278) Add clarifying commentary about when it is not safe to use it. Also add tests.
5 years ago
} {
tc := tc
t.Run(tc.name+": DecodeConfigEntry", func(t *testing.T) {
var raw map[string]interface{}
require.NoError(t, json.Unmarshal([]byte(tc.body), &raw))
got, err := DecodeConfigEntry(raw)
require.NoError(t, err)
require.Equal(t, tc.expect, got)
})
t.Run(tc.name+": DecodeConfigEntryFromJSON", func(t *testing.T) {
got, err := DecodeConfigEntryFromJSON([]byte(tc.body))
require.NoError(t, err)
require.Equal(t, tc.expect, got)
})
t.Run(tc.name+": DecodeConfigEntrySlice", func(t *testing.T) {
var raw []map[string]interface{}
require.NoError(t, json.Unmarshal([]byte("["+tc.body+"]"), &raw))
got, err := decodeConfigEntrySlice(raw)
require.NoError(t, err)
require.Len(t, got, 1)
require.Equal(t, tc.expect, got[0])
})
}
}
connect: update centralized upstreams representation in service-defaults (#10015)
4 years ago
func intPointer(v int) *int {
return &v
}
update enforcing consecutive 5xx type to pointer type (#14592) * update enforcing condecutive 5xx type to pointer type * update test
2 years ago
func uint32Pointer(v uint32) *uint32 {
return &v
}
Support Envoy's MaxEjectionPercent and BaseEjectionTime config entries for passive health checks (#15979) * Add MaxEjectionPercent to config entry * Add BaseEjectionTime to config entry * Add MaxEjectionPercent and BaseEjectionTime to protobufs * Add MaxEjectionPercent and BaseEjectionTime to api * Fix integration test breakage * Verify MaxEjectionPercent and BaseEjectionTime in integration test upstream confings * Website docs for MaxEjectionPercent and BaseEjection time * Add `make docs` to browse docs at http://localhost:3000 * Changelog entry * so that is the difference between consul-docker and dev-docker * blah * update proto funcs * update proto --------- Co-authored-by: Maliz <maliheh.monshizadeh@hashicorp.com>
2 years ago
func durationPointer(d time.Duration) *time.Duration {
return &d
}