From 1502547e3874372636d96d11d07ba9e43c2a99d2 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Wed, 8 Sep 2021 11:48:41 -0400 Subject: [PATCH] Revert "Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc" This reverts commit 74fb650b6b966588f8faeec26935a858af2b8bb5, reversing changes made to 58bd8173364effb98b9fd9f9b98d31dd887a9bac. --- .changelog/10588.txt | 4 - agent/agent.go | 15 +- agent/agent_endpoint.go | 17 +- agent/config/builder.go | 14 +- agent/config/config.go | 10 +- agent/config/flags.go | 3 +- agent/config/flags_test.go | 2 +- agent/config/runtime.go | 22 +-- agent/config/runtime_test.go | 24 +-- .../TestRuntimeConfig_Sanitize.golden | 12 +- agent/xds/server.go | 10 +- command/agent/agent.go | 4 +- command/connect/envoy/envoy.go | 25 +-- command/connect/envoy/envoy_test.go | 92 ++++----- ...-config.golden => grpc-addr-config.golden} | 0 .../envoy/testdata/xds-addr-config.golden | 185 ------------------ tlsutil/config.go | 8 +- website/content/docs/agent/options.mdx | 25 +-- 18 files changed, 109 insertions(+), 363 deletions(-) delete mode 100644 .changelog/10588.txt rename command/connect/envoy/testdata/{deprecated-grpc-addr-config.golden => grpc-addr-config.golden} (100%) delete mode 100644 command/connect/envoy/testdata/xds-addr-config.golden diff --git a/.changelog/10588.txt b/.changelog/10588.txt deleted file mode 100644 index 20ed86e710..0000000000 --- a/.changelog/10588.txt +++ /dev/null @@ -1,4 +0,0 @@ -```release-note:deprecation -config: the `ports.grpc` and `addresses.grpc` configuration settings have been renamed to `ports.xds` and `addresses.xds` to better match their function. -``` - diff --git a/agent/agent.go b/agent/agent.go index a143ff94de..de35ba77b2 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -621,7 +621,8 @@ func (a *Agent) Start(ctx context.Context) error { a.apiServers.Start(srv) } - if err := a.listenAndServeXDS(); err != nil { + // Start gRPC server. + if err := a.listenAndServeGRPC(); err != nil { return err } @@ -669,8 +670,8 @@ func (a *Agent) Failed() <-chan struct{} { return a.apiServers.failed } -func (a *Agent) listenAndServeXDS() error { - if len(a.config.XDSAddrs) < 1 { +func (a *Agent) listenAndServeGRPC() error { + if len(a.config.GRPCAddrs) < 1 { return nil } @@ -690,9 +691,13 @@ func (a *Agent) listenAndServeXDS() error { if a.config.HTTPSPort <= 0 { tlsConfig = nil } - a.grpcServer = xds.NewGRPCServer(xdsServer, tlsConfig) + var err error + a.grpcServer, err = xdsServer.GRPCServer(tlsConfig) + if err != nil { + return err + } - ln, err := a.startListeners(a.config.XDSAddrs) + ln, err := a.startListeners(a.config.GRPCAddrs) if err != nil { return err } diff --git a/agent/agent_endpoint.go b/agent/agent_endpoint.go index 58be8b72cf..c389ccce59 100644 --- a/agent/agent_endpoint.go +++ b/agent/agent_endpoint.go @@ -39,12 +39,11 @@ type Self struct { Member serf.Member Stats map[string]map[string]string Meta map[string]string - XDS *XDSSelf `json:"xDS,omitempty"` + XDS *xdsSelf `json:"xDS,omitempty"` } -type XDSSelf struct { +type xdsSelf struct { SupportedProxies map[string][]string - Port int } func (s *HTTPHandlers) AgentSelf(resp http.ResponseWriter, req *http.Request) (interface{}, error) { @@ -67,13 +66,12 @@ func (s *HTTPHandlers) AgentSelf(resp http.ResponseWriter, req *http.Request) (i } } - var xds *XDSSelf + var xds *xdsSelf if s.agent.grpcServer != nil { - xds = &XDSSelf{ + xds = &xdsSelf{ SupportedProxies: map[string][]string{ "envoy": proxysupport.EnvoyVersions, }, - Port: s.agent.config.XDSPort, } } @@ -96,14 +94,9 @@ func (s *HTTPHandlers) AgentSelf(resp http.ResponseWriter, req *http.Request) (i Server: s.agent.config.ServerMode, Version: s.agent.config.Version, } - debugConfig := s.agent.config.Sanitized() - // Backwards compat for the envoy command. Never use DebugConfig for - // programmatic access to data. - debugConfig["GRPCPort"] = s.agent.config.XDSPort - return Self{ Config: config, - DebugConfig: debugConfig, + DebugConfig: s.agent.config.Sanitized(), Coord: cs[s.agent.config.SegmentName], Member: s.agent.LocalMember(), Stats: s.agent.Stats(), diff --git a/agent/config/builder.go b/agent/config/builder.go index c1072c265f..ecbb379755 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -428,10 +428,7 @@ func (b *builder) build() (rt RuntimeConfig, err error) { httpPort := b.portVal("ports.http", c.Ports.HTTP) httpsPort := b.portVal("ports.https", c.Ports.HTTPS) serverPort := b.portVal("ports.server", c.Ports.Server) - if c.Ports.XDS == nil { - c.Ports.XDS = c.Ports.GRPC - } - xdsPort := b.portVal("ports.xds", c.Ports.XDS) + grpcPort := b.portVal("ports.grpc", c.Ports.GRPC) serfPortLAN := b.portVal("ports.serf_lan", c.Ports.SerfLAN) serfPortWAN := b.portVal("ports.serf_wan", c.Ports.SerfWAN) proxyMinPort := b.portVal("ports.proxy_min_port", c.Ports.ProxyMinPort) @@ -558,10 +555,7 @@ func (b *builder) build() (rt RuntimeConfig, err error) { dnsAddrs := b.makeAddrs(b.expandAddrs("addresses.dns", c.Addresses.DNS), clientAddrs, dnsPort) httpAddrs := b.makeAddrs(b.expandAddrs("addresses.http", c.Addresses.HTTP), clientAddrs, httpPort) httpsAddrs := b.makeAddrs(b.expandAddrs("addresses.https", c.Addresses.HTTPS), clientAddrs, httpsPort) - if c.Addresses.XDS == nil { - c.Addresses.XDS = c.Addresses.GRPC - } - xdsAddrs := b.makeAddrs(b.expandAddrs("addresses.xds", c.Addresses.XDS), clientAddrs, xdsPort) + grpcAddrs := b.makeAddrs(b.expandAddrs("addresses.grpc", c.Addresses.GRPC), clientAddrs, grpcPort) for _, a := range dnsAddrs { if x, ok := a.(*net.TCPAddr); ok { @@ -1008,8 +1002,8 @@ func (b *builder) build() (rt RuntimeConfig, err error) { EncryptKey: stringVal(c.EncryptKey), EncryptVerifyIncoming: boolVal(c.EncryptVerifyIncoming), EncryptVerifyOutgoing: boolVal(c.EncryptVerifyOutgoing), - XDSPort: xdsPort, - XDSAddrs: xdsAddrs, + GRPCPort: grpcPort, + GRPCAddrs: grpcAddrs, HTTPMaxConnsPerClient: intVal(c.Limits.HTTPMaxConnsPerClient), HTTPSHandshakeTimeout: b.durationVal("limits.https_handshake_timeout", c.Limits.HTTPSHandshakeTimeout), KeyFile: stringVal(c.KeyFile), diff --git a/agent/config/config.go b/agent/config/config.go index 650c080fd6..7a85b6747e 100644 --- a/agent/config/config.go +++ b/agent/config/config.go @@ -337,10 +337,7 @@ type Addresses struct { DNS *string `mapstructure:"dns"` HTTP *string `mapstructure:"http"` HTTPS *string `mapstructure:"https"` - XDS *string `mapstructure:"xds"` - - // Deprecated: replaced by XDS - GRPC *string `mapstructure:"grpc"` + GRPC *string `mapstructure:"grpc"` } type AdvertiseAddrsConfig struct { @@ -693,16 +690,13 @@ type Ports struct { SerfLAN *int `mapstructure:"serf_lan"` SerfWAN *int `mapstructure:"serf_wan"` Server *int `mapstructure:"server"` - XDS *int `mapstructure:"xds"` + GRPC *int `mapstructure:"grpc"` ProxyMinPort *int `mapstructure:"proxy_min_port"` ProxyMaxPort *int `mapstructure:"proxy_max_port"` SidecarMinPort *int `mapstructure:"sidecar_min_port"` SidecarMaxPort *int `mapstructure:"sidecar_max_port"` ExposeMinPort *int `mapstructure:"expose_min_port"` ExposeMaxPort *int `mapstructure:"expose_max_port"` - - // Deprecated: replaced by XDS - GRPC *int `mapstructure:"grpc"` } type UnixSocket struct { diff --git a/agent/config/flags.go b/agent/config/flags.go index 0349ad9005..00deebe1bb 100644 --- a/agent/config/flags.go +++ b/agent/config/flags.go @@ -53,8 +53,7 @@ func AddFlags(fs *flag.FlagSet, f *LoadOpts) { add(&f.FlagValues.EnableLocalScriptChecks, "enable-local-script-checks", "Enables health check scripts from configuration file.") add(&f.FlagValues.HTTPConfig.AllowWriteHTTPFrom, "allow-write-http-from", "Only allow write endpoint calls from given network. CIDR format, can be specified multiple times.") add(&f.FlagValues.EncryptKey, "encrypt", "Provides the gossip encryption key.") - add(&f.FlagValues.Ports.XDS, "grpc-port", "Deprecated, use xds-port") - add(&f.FlagValues.Ports.XDS, "xds-port", "Sets the xDS gRPC port to listen on (used by Envoy proxies).") + add(&f.FlagValues.Ports.GRPC, "grpc-port", "Sets the gRPC API port to listen on (currently needed for Envoy xDS only).") add(&f.FlagValues.Ports.HTTP, "http-port", "Sets the HTTP API port to listen on.") add(&f.FlagValues.Ports.HTTPS, "https-port", "Sets the HTTPS API port to listen on.") add(&f.FlagValues.StartJoinAddrsLAN, "join", "Address of an agent to join at start time. Can be specified multiple times.") diff --git a/agent/config/flags_test.go b/agent/config/flags_test.go index a5c51b7d10..5e1009450a 100644 --- a/agent/config/flags_test.go +++ b/agent/config/flags_test.go @@ -49,7 +49,7 @@ func TestAddFlags_WithParse(t *testing.T) { }, { args: []string{`-grpc-port`, `1`}, - expected: LoadOpts{FlagValues: Config{Ports: Ports{XDS: pInt(1)}}}, + expected: LoadOpts{FlagValues: Config{Ports: Ports{GRPC: pInt(1)}}}, }, { args: []string{`-http-port`, `1`}, diff --git a/agent/config/runtime.go b/agent/config/runtime.go index 78aca0241b..2a78f73f5f 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -675,27 +675,27 @@ type RuntimeConfig struct { // hcl: encrypt_verify_outgoing = (true|false) EncryptVerifyOutgoing bool - // XDSPort is the port the xDS gRPC server listens on. This port only + // GRPCPort is the port the gRPC server listens on. Currently this only // exposes the xDS and ext_authz APIs for Envoy and it is disabled by default. // - // hcl: ports { xds = int } - // flags: -xds-port int - XDSPort int + // hcl: ports { grpc = int } + // flags: -grpc-port int + GRPCPort int - // XDSAddrs contains the list of TCP addresses and UNIX sockets the xDS gRPC - // server will bind to. If the xDS endpoint is disabled (ports.xds <= 0) + // GRPCAddrs contains the list of TCP addresses and UNIX sockets the gRPC + // server will bind to. If the gRPC endpoint is disabled (ports.grpc <= 0) // the list is empty. // - // The addresses are taken from 'addresses.xds' which should contain a + // The addresses are taken from 'addresses.grpc' which should contain a // space separated list of ip addresses, UNIX socket paths and/or // go-sockaddr templates. UNIX socket paths must be written as - // 'unix://', e.g. 'unix:///var/run/consul-xds.sock'. + // 'unix://', e.g. 'unix:///var/run/consul-grpc.sock'. // - // If 'addresses.xds' was not provided the 'client_addr' addresses are + // If 'addresses.grpc' was not provided the 'client_addr' addresses are // used. // - // hcl: client_addr = string addresses { xds = string } ports { xds = int } - XDSAddrs []net.Addr + // hcl: client_addr = string addresses { grpc = string } ports { grpc = int } + GRPCAddrs []net.Addr // HTTPAddrs contains the list of TCP addresses and UNIX sockets the HTTP // server will bind to. If the HTTP endpoint is disabled (ports.http <= 0) diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 0ba64fdc8a..cf3ad45512 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -338,8 +338,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.GossipWANProbeTimeout = 100 * time.Millisecond rt.GossipWANSuspicionMult = 3 rt.ConsulServerHealthInterval = 10 * time.Millisecond - rt.XDSPort = 8502 - rt.XDSAddrs = []net.Addr{tcpAddr("127.0.0.1:8502")} + rt.GRPCPort = 8502 + rt.GRPCAddrs = []net.Addr{tcpAddr("127.0.0.1:8502")} rt.RPCConfig.EnableStreaming = true }, }) @@ -1048,8 +1048,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.HTTPAddrs = []net.Addr{tcpAddr("0.0.0.0:2")} rt.HTTPSPort = 3 rt.HTTPSAddrs = []net.Addr{tcpAddr("0.0.0.0:3")} - rt.XDSPort = 4 - rt.XDSAddrs = []net.Addr{tcpAddr("0.0.0.0:4")} + rt.GRPCPort = 4 + rt.GRPCAddrs = []net.Addr{tcpAddr("0.0.0.0:4")} rt.DataDir = dataDir }, }) @@ -1121,8 +1121,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.HTTPAddrs = []net.Addr{tcpAddr("2.2.2.2:2")} rt.HTTPSPort = 3 rt.HTTPSAddrs = []net.Addr{tcpAddr("3.3.3.3:3")} - rt.XDSPort = 4 - rt.XDSAddrs = []net.Addr{tcpAddr("4.4.4.4:4")} + rt.GRPCPort = 4 + rt.GRPCAddrs = []net.Addr{tcpAddr("4.4.4.4:4")} rt.DataDir = dataDir }, }) @@ -1145,8 +1145,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.HTTPAddrs = []net.Addr{tcpAddr("1.2.3.4:2"), tcpAddr("[2001:db8::1]:2")} rt.HTTPSPort = 3 rt.HTTPSAddrs = []net.Addr{tcpAddr("1.2.3.4:3"), tcpAddr("[2001:db8::1]:3")} - rt.XDSPort = 4 - rt.XDSAddrs = []net.Addr{tcpAddr("1.2.3.4:4"), tcpAddr("[2001:db8::1]:4")} + rt.GRPCPort = 4 + rt.GRPCAddrs = []net.Addr{tcpAddr("1.2.3.4:4"), tcpAddr("[2001:db8::1]:4")} rt.DataDir = dataDir }, }) @@ -1181,8 +1181,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.HTTPAddrs = []net.Addr{tcpAddr("2.2.2.2:2"), unixAddr("unix://http"), tcpAddr("[2001:db8::20]:2")} rt.HTTPSPort = 3 rt.HTTPSAddrs = []net.Addr{tcpAddr("3.3.3.3:3"), unixAddr("unix://https"), tcpAddr("[2001:db8::30]:3")} - rt.XDSPort = 4 - rt.XDSAddrs = []net.Addr{tcpAddr("4.4.4.4:4"), unixAddr("unix://grpc"), tcpAddr("[2001:db8::40]:4")} + rt.GRPCPort = 4 + rt.GRPCAddrs = []net.Addr{tcpAddr("4.4.4.4:4"), unixAddr("unix://grpc"), tcpAddr("[2001:db8::40]:4")} rt.DataDir = dataDir }, }) @@ -5477,8 +5477,8 @@ func TestLoad_FullConfig(t *testing.T) { EncryptKey: "A4wELWqH", EncryptVerifyIncoming: true, EncryptVerifyOutgoing: true, - XDSPort: 4881, - XDSAddrs: []net.Addr{tcpAddr("32.31.61.91:4881")}, + GRPCPort: 4881, + GRPCAddrs: []net.Addr{tcpAddr("32.31.61.91:4881")}, HTTPAddrs: []net.Addr{tcpAddr("83.39.91.39:7999")}, HTTPBlockEndpoints: []string{"RBvAFcGD", "fWOWFznh"}, AllowWriteHTTPFrom: []*net.IPNet{cidr("127.0.0.0/8"), cidr("22.33.44.55/32"), cidr("0.0.0.0/0")}, diff --git a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden index 020d12c067..d69bf7f3d5 100644 --- a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden +++ b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden @@ -94,8 +94,8 @@ "DeregisterCriticalServiceAfter": "0s", "DockerContainerID": "", "EnterpriseMeta": {}, - "FailuresBeforeWarning": 0, "FailuresBeforeCritical": 0, + "FailuresBeforeWarning": 0, "GRPC": "", "GRPCUseTLS": false, "H2PING": "", @@ -188,6 +188,8 @@ "EnterpriseRuntimeConfig": {}, "ExposeMaxPort": 0, "ExposeMinPort": 0, + "GRPCAddrs": [], + "GRPCPort": 0, "GossipLANGossipInterval": "0s", "GossipLANGossipNodes": 0, "GossipLANProbeInterval": "0s", @@ -296,8 +298,8 @@ "CheckID": "", "DeregisterCriticalServiceAfter": "0s", "DockerContainerID": "", - "FailuresBeforeWarning": 0, "FailuresBeforeCritical": 0, + "FailuresBeforeWarning": 0, "GRPC": "", "GRPCUseTLS": false, "H2PING": "", @@ -415,7 +417,5 @@ "VerifyServerHostname": false, "Version": "", "VersionPrerelease": "", - "Watches": [], - "XDSAddrs": [], - "XDSPort": 0 -} + "Watches": [] +} \ No newline at end of file diff --git a/agent/xds/server.go b/agent/xds/server.go index 1cb3e59498..c4a673fcd4 100644 --- a/agent/xds/server.go +++ b/agent/xds/server.go @@ -548,15 +548,14 @@ func tokenFromContext(ctx context.Context) string { return "" } -// NewGRPCServer creates a grpc.Server, registers the Server, and then returns -// the grpc.Server. -func NewGRPCServer(s *Server, tlsConfigurator *tlsutil.Configurator) *grpc.Server { +// GRPCServer returns a server instance that can handle xDS requests. +func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server, error) { opts := []grpc.ServerOption{ grpc.MaxConcurrentStreams(2048), } if tlsConfigurator != nil { if tlsConfigurator.Cert() != nil { - creds := credentials.NewTLS(tlsConfigurator.IncomingXDSConfig()) + creds := credentials.NewTLS(tlsConfigurator.IncomingGRPCConfig()) opts = append(opts, grpc.Creds(creds)) } } @@ -566,7 +565,8 @@ func NewGRPCServer(s *Server, tlsConfigurator *tlsutil.Configurator) *grpc.Serve if !s.DisableV2Protocol { envoy_discovery_v2.RegisterAggregatedDiscoveryServiceServer(srv, &adsServerV2Shim{srv: s}) } - return srv + + return srv, nil } // authorize the xDS request using the token stored in ctx. This authorization is diff --git a/command/agent/agent.go b/command/agent/agent.go index 1291237a6a..37ec6de84d 100644 --- a/command/agent/agent.go +++ b/command/agent/agent.go @@ -200,8 +200,8 @@ func (c *cmd) run(args []string) int { } ui.Info(fmt.Sprintf(" Datacenter: '%s' (Segment: '%s')", config.Datacenter, segment)) ui.Info(fmt.Sprintf(" Server: %v (Bootstrap: %v)", config.ServerMode, config.Bootstrap)) - ui.Info(fmt.Sprintf(" Client Addr: %v (HTTP: %d, HTTPS: %d, xDS: %d, DNS: %d)", config.ClientAddrs, - config.HTTPPort, config.HTTPSPort, config.XDSPort, config.DNSPort)) + ui.Info(fmt.Sprintf(" Client Addr: %v (HTTP: %d, HTTPS: %d, gRPC: %d, DNS: %d)", config.ClientAddrs, + config.HTTPPort, config.HTTPSPort, config.GRPCPort, config.DNSPort)) ui.Info(fmt.Sprintf(" Cluster Addr: %v (LAN: %d, WAN: %d)", config.AdvertiseAddrLAN, config.SerfPortLAN, config.SerfPortWAN)) ui.Info(fmt.Sprintf(" Encrypt: Gossip: %v, TLS-Outgoing: %v, TLS-Incoming: %v, Auto-Encrypt-TLS: %t", diff --git a/command/connect/envoy/envoy.go b/command/connect/envoy/envoy.go index 1615887815..989fcdb902 100644 --- a/command/connect/envoy/envoy.go +++ b/command/connect/envoy/envoy.go @@ -426,7 +426,7 @@ func (c *cmd) templateArgs() (*BootstrapTplArgs, error) { return nil, err } - xdsAddr, err := c.xdsAddress(httpCfg) + grpcAddr, err := c.grpcAddress(httpCfg) if err != nil { return nil, err } @@ -471,7 +471,7 @@ func (c *cmd) templateArgs() (*BootstrapTplArgs, error) { caPEM = strings.Replace(strings.Join(pems, ""), "\n", "\\n", -1) return &BootstrapTplArgs{ - GRPC: xdsAddr, + GRPC: grpcAddr, ProxyCluster: cluster, ProxyID: c.proxyID, ProxySourceService: proxySourceService, @@ -557,12 +557,13 @@ func (c *cmd) generateConfig() ([]byte, error) { } // TODO: make method a function -func (c *cmd) xdsAddress(httpCfg *api.Config) (GRPC, error) { +func (c *cmd) grpcAddress(httpCfg *api.Config) (GRPC, error) { g := GRPC{} addr := c.grpcAddr + // See if we need to lookup grpcAddr if addr == "" { - port, err := c.lookupXDSPort() + port, err := c.lookupGRPCPort() if err != nil { c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err)) } @@ -620,25 +621,11 @@ func (c *cmd) xdsAddress(httpCfg *api.Config) (GRPC, error) { return g, nil } -func (c *cmd) lookupXDSPort() (int, error) { +func (c *cmd) lookupGRPCPort() (int, error) { self, err := c.client.Agent().Self() if err != nil { return 0, err } - - type response struct { - XDS struct { - Port int - } - } - - var resp response - if err := mapstructure.Decode(self, &resp); err == nil && resp.XDS.Port != 0 { - return resp.XDS.Port, nil - } - - // Fallback to old API for the case where a new consul CLI is being used with - // an older API version. cfg, ok := self["DebugConfig"] if !ok { return 0, fmt.Errorf("unexpected agent response: no debug config") diff --git a/command/connect/envoy/envoy_test.go b/command/connect/envoy/envoy_test.go index c79f4551fa..ef999cc240 100644 --- a/command/connect/envoy/envoy_test.go +++ b/command/connect/envoy/envoy_test.go @@ -112,8 +112,7 @@ type generateConfigTestCase struct { Files map[string]string ProxyConfig map[string]interface{} NamespacesEnabled bool - XDSPort int // only used for testing custom-configured grpc port - AgentSelf110 bool // fake the agent API from versions v1.10 and earlier + GRPCPort int // only used for testing custom-configured grpc port WantArgs BootstrapTplArgs WantErr string } @@ -358,35 +357,9 @@ func TestGenerateConfig(t *testing.T) { }, }, { - Name: "xds-addr-config", - Flags: []string{"-proxy-id", "test-proxy"}, - XDSPort: 9999, - WantArgs: BootstrapTplArgs{ - EnvoyVersion: defaultEnvoyVersion, - ProxyCluster: "test-proxy", - ProxyID: "test-proxy", - // We don't know this til after the lookup so it will be empty in the - // initial args call we are testing here. - ProxySourceService: "", - // Should resolve IP, note this might not resolve the same way - // everywhere which might make this test brittle but not sure what else - // to do. - GRPC: GRPC{ - AgentAddress: "127.0.0.1", - AgentPort: "9999", - }, - AdminAccessLogPath: "/dev/null", - AdminBindAddress: "127.0.0.1", - AdminBindPort: "19000", - LocalAgentClusterName: xds.LocalAgentClusterName, - PrometheusScrapePath: "/metrics", - }, - }, - { - Name: "deprecated-grpc-addr-config", - Flags: []string{"-proxy-id", "test-proxy"}, - XDSPort: 9999, - AgentSelf110: true, + Name: "grpc-addr-config", + Flags: []string{"-proxy-id", "test-proxy"}, + GRPCPort: 9999, WantArgs: BootstrapTplArgs{ EnvoyVersion: defaultEnvoyVersion, ProxyCluster: "test-proxy", @@ -1041,23 +1014,29 @@ func TestEnvoy_GatewayRegistration(t *testing.T) { // testMockAgent combines testMockAgentProxyConfig and testMockAgentSelf, // routing /agent/service/... requests to testMockAgentProxyConfig and // routing /agent/self requests to testMockAgentSelf. -func testMockAgent(tc generateConfigTestCase) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { - switch { - case strings.Contains(r.URL.Path, "/agent/services"): - testMockAgentGatewayConfig(tc.NamespacesEnabled)(w, r) - case strings.Contains(r.URL.Path, "/agent/service"): - testMockAgentProxyConfig(tc.ProxyConfig, tc.NamespacesEnabled)(w, r) - case strings.Contains(r.URL.Path, "/agent/self"): - testMockAgentSelf(tc.XDSPort, tc.AgentSelf110)(w, r) - default: - http.NotFound(w, r) +func testMockAgent(agentCfg map[string]interface{}, grpcPort int, namespacesEnabled bool) http.HandlerFunc { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if strings.Contains(r.URL.Path, "/agent/services") { + testMockAgentGatewayConfig(namespacesEnabled)(w, r) + return } - } + + if strings.Contains(r.URL.Path, "/agent/service") { + testMockAgentProxyConfig(agentCfg, namespacesEnabled)(w, r) + return + } + + if strings.Contains(r.URL.Path, "/agent/self") { + testMockAgentSelf(grpcPort)(w, r) + return + } + + http.NotFound(w, r) + }) } func testMockAgentGatewayConfig(namespacesEnabled bool) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // Parse the proxy-id from the end of the URL (blindly assuming it's correct // format) params := r.URL.Query() @@ -1092,7 +1071,7 @@ func testMockAgentGatewayConfig(namespacesEnabled bool) http.HandlerFunc { return } w.Write(cfgJSON) - } + }) } func namespaceFromQuery(r *http.Request) string { @@ -1114,7 +1093,7 @@ func partitionFromQuery(r *http.Request) string { } func testMockAgentProxyConfig(cfg map[string]interface{}, namespacesEnabled bool) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // Parse the proxy-id from the end of the URL (blindly assuming it's correct // format) proxyID := strings.TrimPrefix(r.URL.Path, "/v1/agent/service/") @@ -1144,7 +1123,7 @@ func testMockAgentProxyConfig(cfg map[string]interface{}, namespacesEnabled bool return } w.Write(cfgJSON) - } + }) } func TestEnvoyCommand_canBindInternal(t *testing.T) { @@ -1244,21 +1223,16 @@ func TestEnvoyCommand_canBindInternal(t *testing.T) { } // testMockAgentSelf returns an empty /v1/agent/self response except GRPC -// port is filled in to match the given wantXDSPort argument. -func testMockAgentSelf(wantXDSPort int, agentSelf110 bool) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { +// port is filled in to match the given wantGRPCPort argument. +func testMockAgentSelf(wantGRPCPort int) http.HandlerFunc { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { resp := agent.Self{ Config: map[string]interface{}{ "Datacenter": "dc1", }, - } - - if agentSelf110 { - resp.DebugConfig = map[string]interface{}{ - "GRPCPort": wantXDSPort, - } - } else { - resp.XDS = &agent.XDSSelf{Port: wantXDSPort} + DebugConfig: map[string]interface{}{ + "GRPCPort": wantGRPCPort, + }, } selfJSON, err := json.Marshal(resp) @@ -1268,5 +1242,5 @@ func testMockAgentSelf(wantXDSPort int, agentSelf110 bool) http.HandlerFunc { return } w.Write(selfJSON) - } + }) } diff --git a/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden b/command/connect/envoy/testdata/grpc-addr-config.golden similarity index 100% rename from command/connect/envoy/testdata/deprecated-grpc-addr-config.golden rename to command/connect/envoy/testdata/grpc-addr-config.golden diff --git a/command/connect/envoy/testdata/xds-addr-config.golden b/command/connect/envoy/testdata/xds-addr-config.golden deleted file mode 100644 index 7e50ee3082..0000000000 --- a/command/connect/envoy/testdata/xds-addr-config.golden +++ /dev/null @@ -1,185 +0,0 @@ -{ - "admin": { - "access_log_path": "/dev/null", - "address": { - "socket_address": { - "address": "127.0.0.1", - "port_value": 19000 - } - } - }, - "node": { - "cluster": "test-proxy", - "id": "test-proxy", - "metadata": { - "namespace": "default", - "partition": "default", - "envoy_version": "1.18.4" - } - }, - "static_resources": { - "clusters": [ - { - "name": "local_agent", - "ignore_health_on_host_removal": false, - "connect_timeout": "1s", - "type": "STATIC", - "http2_protocol_options": {}, - "loadAssignment": { - "clusterName": "local_agent", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "socket_address": { - "address": "127.0.0.1", - "port_value": 9999 - } - } - } - } - ] - } - ] - } - } - ] - }, - "stats_config": { - "stats_tags": [ - { - "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.destination.custom_hash" - }, - { - "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.destination.service_subset" - }, - { - "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.destination.service" - }, - { - "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.destination.namespace" - }, - { - "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.destination.datacenter" - }, - { - "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", - "tag_name": "consul.destination.routing_type" - }, - { - "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", - "tag_name": "consul.destination.trust_domain" - }, - { - "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.destination.target" - }, - { - "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", - "tag_name": "consul.destination.full_target" - }, - { - "regex": "^(?:tcp|http)\\.upstream\\.(([^.]+)(?:\\.[^.]+)?\\.[^.]+\\.)", - "tag_name": "consul.upstream.service" - }, - { - "regex": "^(?:tcp|http)\\.upstream\\.([^.]+(?:\\.[^.]+)?\\.([^.]+)\\.)", - "tag_name": "consul.upstream.datacenter" - }, - { - "regex": "^(?:tcp|http)\\.upstream\\.([^.]+(?:\\.([^.]+))?\\.[^.]+\\.)", - "tag_name": "consul.upstream.namespace" - }, - { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.custom_hash" - }, - { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.service_subset" - }, - { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.service" - }, - { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.namespace" - }, - { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.datacenter" - }, - { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", - "tag_name": "consul.routing_type" - }, - { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", - "tag_name": "consul.trust_domain" - }, - { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", - "tag_name": "consul.target" - }, - { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", - "tag_name": "consul.full_target" - }, - { - "tag_name": "local_cluster", - "fixed_value": "test-proxy" - }, - { - "tag_name": "consul.source.service", - "fixed_value": "test-proxy" - }, - { - "tag_name": "consul.source.namespace", - "fixed_value": "default" - }, - { - "tag_name": "consul.source.partition", - "fixed_value": "default" - }, - { - "tag_name": "consul.source.datacenter", - "fixed_value": "dc1" - } - ], - "use_all_default_tags": true - }, - "dynamic_resources": { - "lds_config": { - "ads": {}, - "resource_api_version": "V3" - }, - "cds_config": { - "ads": {}, - "resource_api_version": "V3" - }, - "ads_config": { - "api_type": "DELTA_GRPC", - "transport_api_version": "V3", - "grpc_services": { - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "" - } - ], - "envoy_grpc": { - "cluster_name": "local_agent" - } - } - } - } -} - diff --git a/tlsutil/config.go b/tlsutil/config.go index a3116c12af..6abe923294 100644 --- a/tlsutil/config.go +++ b/tlsutil/config.go @@ -613,9 +613,9 @@ func (c *Configurator) VerifyServerHostname() bool { return c.base.VerifyServerHostname || c.autoTLS.verifyServerHostname } -// IncomingXDSConfig generates a *tls.Config for incoming xDS connections. -func (c *Configurator) IncomingXDSConfig() *tls.Config { - c.log("IncomingXDSConfig") +// IncomingGRPCConfig generates a *tls.Config for incoming GRPC connections. +func (c *Configurator) IncomingGRPCConfig() *tls.Config { + c.log("IncomingGRPCConfig") // false has the effect that this config doesn't require a client cert // verification. This is because there is no verify_incoming_grpc @@ -624,7 +624,7 @@ func (c *Configurator) IncomingXDSConfig() *tls.Config { // effect on the grpc server. config := c.commonTLSConfig(false) config.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) { - return c.IncomingXDSConfig(), nil + return c.IncomingGRPCConfig(), nil } return config } diff --git a/website/content/docs/agent/options.mdx b/website/content/docs/agent/options.mdx index ebc2a10ad3..1550c77f2d 100644 --- a/website/content/docs/agent/options.mdx +++ b/website/content/docs/agent/options.mdx @@ -239,12 +239,8 @@ The options below are all specified on the command-line. If it is provided after Consul has been initialized with an encryption key, then the provided key is ignored and a warning will be displayed. -- `-xds-port` - the xDS gRPC port to listen on. Default - -1 (disabled). See [ports](#ports) documentation for more detail. - -- `-grpc-port` ((#\_grpc_port)) - Deprecated, use `-xds-port` instead. - The xDS gRPC port to listen on. Default - -1 (disabled). See [ports](#ports) documentation for more detail. +- `-grpc-port` ((#\_grpc_port)) - the gRPC API port to listen on. Default + -1 (gRPC disabled). See [ports](#ports) documentation for more detail. - `-hcl` ((#\_hcl)) - A HCL configuration fragment. This HCL configuration fragment is appended to the configuration and allows to specify the full range @@ -786,7 +782,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." bind addresses. In Consul 1.0 and later these can be set to a space-separated list of addresses to bind to, or a [go-sockaddr] template that can potentially resolve to multiple addresses. - `http`, `https` and `xds` all support binding to a Unix domain socket. A + `http`, `https` and `grpc` all support binding to a Unix domain socket. A socket can be specified in the form `unix:///path/to/socket`. A new domain socket will be created at the given path. If the specified file path already exists, Consul will attempt to clear the file and create the domain socket @@ -807,8 +803,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." - `dns` - The DNS server. Defaults to `client_addr` - `http` - The HTTP API. Defaults to `client_addr` - `https` - The HTTPS API. Defaults to `client_addr` - - `xds` - The xDS gRPC API. Defaults to `client_addr` - - `grpc` - Deprecated: use `xds` instead. The xDS gRPC API. Defaults to `client_addr` + - `grpc` - The gRPC API. Defaults to `client_addr` - `advertise_addr` Equivalent to the [`-advertise` command-line flag](#_advertise). @@ -1703,16 +1698,10 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr - `https` ((#https_port)) - The HTTPS API, -1 to disable. Default -1 (disabled). **We recommend using `8501`** for `https` by convention as some tooling will work automatically with this. - - `xds` - The xDS gRPC API, -1 to disable. Default -1 (disabled). - **We recommend using `8502`** for `xds` by convention as some tooling will work + - `grpc` ((#grpc_port)) - The gRPC API, -1 to disable. Default -1 (disabled). + **We recommend using `8502`** for `grpc` by convention as some tooling will work automatically with this. This is set to `8502` by default when the agent runs - in `-dev` mode. Currently xDS is only used to expose Envoy xDS API to Envoy - proxies. - - `grpc` ((#grpc_port)) - Deprecated: use `xds` instead. - The xDS gRPC API, -1 to disable. Default -1 (disabled). - **We recommend using `8502`** for `xds` by convention as some tooling will work - automatically with this. This is set to `8502` by default when the agent runs - in `-dev` mode. Currently xDS is only used to expose Envoy xDS API to Envoy + in `-dev` mode. Currently gRPC is only used to expose Envoy xDS API to Envoy proxies. - `serf_lan` ((#serf_lan_port)) - The Serf LAN port. Default 8301. TCP and UDP. Equivalent to the [`-serf-lan-port` command line flag](#_serf_lan_port).