diff --git a/test-integ/catalogv2/explicit_destinations_test.go b/test-integ/catalogv2/explicit_destinations_test.go index 7e7c8034e5..2c03384630 100644 --- a/test-integ/catalogv2/explicit_destinations_test.go +++ b/test-integ/catalogv2/explicit_destinations_test.go @@ -152,7 +152,9 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes( clusterName, newID("single-server"), topology.NodeVersionV2, - nil, + func(wrk *topology.Workload) { + wrk.WorkloadIdentity = "single-server-identity" + }, ), }, } @@ -169,6 +171,7 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes( func(wrk *topology.Workload) { delete(wrk.Ports, "grpc") // v2 mode turns this on, so turn it off delete(wrk.Ports, "http2") // v2 mode turns this on, so turn it off + wrk.WorkloadIdentity = "single-client-identity" wrk.Destinations = []*topology.Destination{{ ID: newID("single-server"), PortName: "http", @@ -187,12 +190,12 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes( }, }, &pbauth.TrafficPermissions{ Destination: &pbauth.Destination{ - IdentityName: "single-server", + IdentityName: "single-server-identity", }, Action: pbauth.Action_ACTION_ALLOW, Permissions: []*pbauth.Permission{{ Sources: []*pbauth.Source{{ - IdentityName: "single-client", + IdentityName: "single-client-identity", Namespace: namespace, }}, }}, @@ -208,7 +211,9 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes( clusterName, newID("multi-server"), topology.NodeVersionV2, - nil, + func(wrk *topology.Workload) { + wrk.WorkloadIdentity = "multi-server-identity" + }, ), }, } @@ -223,6 +228,7 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes( newID("multi-client"), topology.NodeVersionV2, func(wrk *topology.Workload) { + wrk.WorkloadIdentity = "multi-client-identity" wrk.Destinations = []*topology.Destination{ { ID: newID("multi-server"), 
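Review bot: The identity names are written as bare string literals in three places per service — the workload mutator in the -152 hunk (`wrk.WorkloadIdentity = "single-server-identity"`), then `Destination.IdentityName` and `Source.IdentityName` in the `pbauth.TrafficPermissions` literal in the -187 hunk, and the same pattern again for multi-server/multi-client in the -208, -223 and -249 hunks; a typo in any one of them makes the traffic permission silently stop matching the workload it is meant to cover. Hoisting each name into a package-level constant, e.g. `const singleServerIdentity = "single-server-identity"`, ties the identity written into the workload to the one the permission references. The -152 hunk also replaces the previous `nil` mutator with one whose only job is to set the identity, which suggests `WorkloadIdentity` no longer has a default; if that is intended, a one-line comment saying every v2 workload in these tests must set it would help whoever copies the pattern next. `topologyConfigAddNodes` starts and ends outside these hunks.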
@@ -249,12 +255,12 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes( }, }, &pbauth.TrafficPermissions{ Destination: &pbauth.Destination{ - IdentityName: "multi-server", + IdentityName: "multi-server-identity", }, Action: pbauth.Action_ACTION_ALLOW, Permissions: []*pbauth.Permission{{ Sources: []*pbauth.Source{{ - IdentityName: "multi-client", + IdentityName: "multi-client-identity", Namespace: namespace, }}, }}, diff --git a/test/integration/consul-container/test/multiport/explicit_destination_test.go b/test/integration/consul-container/test/multiport/explicit_destination_test.go deleted file mode 100644 index a65ff2095d..0000000000 --- a/test/integration/consul-container/test/multiport/explicit_destination_test.go +++ /dev/null 
@@ -1,228 +0,0 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package multiport
-
-import (
- "context"
- "fmt"
- pbauth "github.com/hashicorp/consul/proto-public/pbauth/v2beta1"
- pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v2beta1"
- pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v2beta1"
- libassert "github.com/hashicorp/consul/test/integration/consul-container/libs/assert"
- "github.com/stretchr/testify/require"
- "testing"
-
- rtest "github.com/hashicorp/consul/internal/resource/resourcetest"
- "github.com/hashicorp/consul/proto-public/pbresource"
- libcluster "github.com/hashicorp/consul/test/integration/consul-container/libs/cluster"
- libservice "github.com/hashicorp/consul/test/integration/consul-container/libs/service"
- "github.com/hashicorp/consul/test/integration/consul-container/libs/topology"
- "github.com/hashicorp/consul/test/integration/consul-container/libs/utils"
-)
-
-// TestMultiportService_Explicit makes sure two services in the same datacenter have connectivity
-// with transparent proxy enabled.
-//
-// Steps:
-// - Create a single server cluster.
-// - Create the example static-server and sidecar containers, then register them both with Consul
-// - Create an example static-client sidecar, then register both the service and sidecar with Consul
-// - Make sure a request from static-client to the virtual address (.virtual.consul) returns a
-// response from the upstream.
-func TestMultiportService_Explicit(t *testing.T) {
- t.Parallel()
-
- cluster := createCluster(t)
- followers, err := cluster.Followers()
- require.NoError(t, err)
- client := pbresource.NewResourceServiceClient(followers[0].GetGRPCConn())
- resourceClient := rtest.NewClient(client)
-
- serverIP := cluster.Agents[1].GetIP()
- clientIP := cluster.Agents[2].GetIP()
-
- serverService := createServerServicesAndWorkloads(t, resourceClient, serverIP)
- createClientResources(t, resourceClient, serverService, clientIP)
-
- _, clientDataplane := createServices(t, cluster)
-
- _, port := clientDataplane.GetAddr()
-
- assertDataplaneContainerState(t, clientDataplane, "running")
- libassert.HTTPServiceEchoes(t, "localhost", port, "")
- libassert.AssertFortioName(t, fmt.Sprintf("http://localhost:%d", port), "static-server", "")
-}
-
-// createServices creates the static-client and static-server services with
-// transparent proxy enabled. It returns a Service for the static-client.
-func createServices(t *testing.T, cluster *libcluster.Cluster) (*libcluster.ConsulDataplaneContainer, *libcluster.ConsulDataplaneContainer) {
- n1 := cluster.Agents[1]
-
- // Create a service and dataplane
- serverDataplane, err := createServiceAndDataplane(t, n1, "static-server-workload", "static-server", 8080, 8079, []int{})
- require.NoError(t, err)
-
- n2 := cluster.Agents[2]
- // Create a service and dataplane
- clientDataplane, err := createServiceAndDataplane(t, n2, "static-client-workload", "static-client", 8080, 8079, []int{libcluster.ServiceUpstreamLocalBindPort})
- require.NoError(t, err)
-
- return serverDataplane, clientDataplane
-}
-
-func createServiceAndDataplane(t *testing.T, node libcluster.Agent, proxyID, serviceName string, httpPort, grpcPort int, serviceBindPorts []int) (*libcluster.ConsulDataplaneContainer, error) {
- // Do some trickery to ensure that partial completion is correctly torn
- // down, but successful execution is not.
- var deferClean utils.ResettableDefer
- defer deferClean.Execute()
-
- // Create a service and proxy instance
- svc, err := libservice.NewExampleService(context.Background(), serviceName, httpPort, grpcPort, node)
- if err != nil {
- return nil, err
- }
- deferClean.Add(func() {
- _ = svc.Terminate()
- })
-
- // Create Consul Dataplane
- dp, err := libcluster.NewConsulDataplane(context.Background(), proxyID, "0.0.0.0", 8502, serviceBindPorts, node, false, "")
- require.NoError(t, err)
- deferClean.Add(func() {
- _ = dp.Terminate()
- })
-
- // disable cleanup functions now that we have an object with a Terminate() function
- deferClean.Reset()
-
- return dp, nil
-}
-
-func createServerServicesAndWorkloads(t *testing.T, resourceClient *rtest.Client, ipAddress string) *pbresource.Resource {
- serverService := rtest.ResourceID(&pbresource.ID{
- Name: "static-server-service",
- Type: pbcatalog.ServiceType,
- }).WithData(t, &pbcatalog.Service{
- Workloads: &pbcatalog.WorkloadSelector{Prefixes: []string{"static-server"}},
- Ports: []*pbcatalog.ServicePort{
- {TargetPort: "tcp", Protocol: pbcatalog.Protocol_PROTOCOL_TCP},
- {TargetPort: "mesh", Protocol: pbcatalog.Protocol_PROTOCOL_MESH},
- },
- }).Write(t, resourceClient)
-
- workloadPortMap := map[string]*pbcatalog.WorkloadPort{
- "tcp": {
- Port: 8080, Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
- },
- "mesh": {
- Port: 20000, Protocol: pbcatalog.Protocol_PROTOCOL_MESH,
- },
- }
-
- rtest.ResourceID(&pbresource.ID{
- Name: "static-server-identity",
- Type: pbauth.WorkloadIdentityType,
- }).Write(t, resourceClient)
-
- rtest.ResourceID(&pbresource.ID{
- Name: "static-server-workload",
- Type: pbcatalog.WorkloadType,
- }).
- WithData(t, &pbcatalog.Workload{
- Addresses: []*pbcatalog.WorkloadAddress{
- {Host: ipAddress},
- },
- Ports: workloadPortMap,
- Identity: "static-server-identity",
- }).
- Write(t, resourceClient)
- return serverService
-}
-
-func createClientResources(t *testing.T, resourceClient *rtest.Client, staticServerResource *pbresource.Resource, ipAddress string) {
- rtest.ResourceID(&pbresource.ID{
- Name: "static-client-service",
- Type: pbcatalog.ServiceType,
- }).WithData(t, &pbcatalog.Service{
- Workloads: &pbcatalog.WorkloadSelector{Prefixes: []string{"static-client"}},
- Ports: []*pbcatalog.ServicePort{
- {TargetPort: "tcp", Protocol: pbcatalog.Protocol_PROTOCOL_TCP},
- {TargetPort: "mesh", Protocol: pbcatalog.Protocol_PROTOCOL_MESH},
- },
- }).Write(t, resourceClient)
-
- workloadPortMap := map[string]*pbcatalog.WorkloadPort{
- "tcp": {
- Port: 8080, Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
- },
- "mesh": {
- Port: 20000, Protocol: pbcatalog.Protocol_PROTOCOL_MESH,
- },
- }
-
- rtest.ResourceID(&pbresource.ID{
- Name: "static-client-workload",
- Type: pbcatalog.WorkloadType,
- }).
- WithData(t, &pbcatalog.Workload{
- Addresses: []*pbcatalog.WorkloadAddress{
- {Host: ipAddress},
- },
- Ports: workloadPortMap,
- Identity: "static-client-identity",
- }).
- Write(t, resourceClient)
-
- destId := staticServerResource.GetId()
- destRef := &pbresource.Reference{
- Type: destId.Type,
- Tenancy: destId.Tenancy,
- Name: destId.Name,
- Section: "",
- }
- rtest.ResourceID(&pbresource.ID{
- Name: "static-client-upstreams",
- Type: pbmesh.DestinationsType,
- }).
- WithData(t, &pbmesh.Destinations{
- Destinations: []*pbmesh.Destination{
- {
- DestinationRef: destRef,
- DestinationPort: "tcp",
- ListenAddr: &pbmesh.Destination_IpPort{
- IpPort: &pbmesh.IPPortAddress{
- Ip: "0.0.0.0",
- Port: libcluster.ServiceUpstreamLocalBindPort,
- },
- },
- },
- },
- Workloads: &pbcatalog.WorkloadSelector{
- Prefixes: []string{"static-client"},
- },
- }).
- Write(t, resourceClient)
-}
-
-func createCluster(t *testing.T) *libcluster.Cluster {
- cluster, _, _ := topology.NewCluster(t, &topology.ClusterConfig{
- NumServers: 3,
- BuildOpts: &libcluster.BuildOptions{
- Datacenter: "dc1",
- InjectAutoEncryption: true,
- InjectGossipEncryption: true,
- AllowHTTPAnyway: true,
- },
- Cmd: `-hcl=experiments=["resource-apis"] log_level="TRACE"`,
- })
-
- return cluster
-}
-
-// assertDataplaneContainerState validates service container status
-func assertDataplaneContainerState(t *testing.T, dataplane *libcluster.ConsulDataplaneContainer, state string) {
- containerStatus, err := dataplane.GetStatus()
- require.NoError(t, err)
- require.Equal(t, containerStatus, state, fmt.Sprintf("Expected: %s. Got %s", state, containerStatus))
-}
diff --git a/testing/deployer/sprawl/acl_rules.go b/testing/deployer/sprawl/acl_rules.go
index 9743c211fb..554b418cd0 100644
--- a/testing/deployer/sprawl/acl_rules.go
+++ b/testing/deployer/sprawl/acl_rules.go
@@ -102,7 +102,7 @@ func tokenForWorkload(wrk *topology.Workload, overridePolicy *api.ACLPolicy, ent
 token.TemplatedPolicies = []*api.ACLTemplatedPolicy{{
 TemplateName: api.ACLTemplatedPolicyWorkloadIdentityName,
 TemplateVariables: &api.ACLTemplatedPolicyVariables{
- Name: wrk.ID.Name,
+ Name: wrk.WorkloadIdentity,
 },
 }}
 } else {
diff --git a/testing/deployer/sprawl/catalog.go b/testing/deployer/sprawl/catalog.go
index b306dd01e5..59a42fd895 100644
--- a/testing/deployer/sprawl/catalog.go
+++ b/testing/deployer/sprawl/catalog.go
@@ -286,7 +286,9 @@ func (s *Sprawl) syncWorkloadsForDataplaneInstances(cluster *topology.Cluster) e
 } else {
 syncWorkload = deregisterWorkloadFromNode
 }
- syncWorkload(node, wrk)
+ if err := syncWorkload(node, wrk); err != nil {
+ return err
+ }
 }

 // Deregister the virtual node if node is disabled
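Review bot: `Name: wrk.WorkloadIdentity` now feeds the workload-identity templated policy from a field the topology author has to populate (the test hunks in explicit_destinations_test.go had to add explicit setters where `nil` was passed before), and nothing in this hunk rejects an empty value; whatever the template does with an empty identity name, it is unlikely to be the scope the author intended, and it is the ACL boundary of the token. A guard before building the token, `if wrk.WorkloadIdentity == "" { return nil, fmt.Errorf("workload %q has no WorkloadIdentity", wrk.ID.Name) }`, would fail fast — I am assuming `tokenForWorkload` returns `(…, error)`, since its signature is cut off in the hunk header. The same field is written into `Workload.Identity` in the catalog.go hunk at -723, so the equivalent check in `compile()`, where the workload fields are normalized, would cover both consumers with one line. `tokenForWorkload` starts and ends outside the hunk.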
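Review bot: The new `return err` surfaces a result that was previously discarded, which is the right fix, but it returns it bare, so the caller cannot tell which node or workload failed, nor whether it was a registration or a deregistration. Wrapping it, `return fmt.Errorf("syncing workload %q on node %q: %w", wrk.ID.Name, node.PodName(), err)`, keeps `errors.Is`/`errors.As` working and names the offender (`node.PodName()` is taken from the comment in the -723 hunk; use whichever accessor `node` actually exposes). Returning on the first failure also leaves the remaining workloads of the cluster unsynced, which is fine for fail-fast but worth a one-line comment so nobody later expects a best-effort sweep. `syncWorkloadsForDataplaneInstances` starts and ends outside the hunk.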
@@ -723,7 +725,7 @@ func workloadInstanceToResources(
 Data: &pbcatalog.Workload{
 // TODO(rb): disabling this until node scoping makes sense again
 // NodeName: node.PodName(),
- Identity: wrk.ID.Name,
+ Identity: wrk.WorkloadIdentity,
 Ports: wlPorts,
 Addresses: []*pbcatalog.WorkloadAddress{
 {Host: node.LocalAddress()},
diff --git a/testing/deployer/topology/compile.go b/testing/deployer/topology/compile.go
index f7ae1fe4d9..7698de7465 100644
--- a/testing/deployer/topology/compile.go
+++ b/testing/deployer/topology/compile.go
@@ -342,7 +342,7 @@ func compile(logger hclog.Logger, raw *Config, prev *Topology) (*Topology, error
 wrk.Node = n
 wrk.NodeVersion = n.Version
 if n.IsV2() {
- wrk.Workload = wrk.ID.Name + "-" + n.PodName()
+ wrk.Workload = wrk.ID.Name + "-" + n.Name
 }

 if !IsValidLabel(wrk.ID.Partition) {
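Review bot: `wrk.Workload` is now derived from `n.Name` instead of `n.PodName()`, and that string becomes the name of a catalog resource, yet the only label validation visible here is the `IsValidLabel(wrk.ID.Partition)` check on the line below; unless `n.Name` is already validated earlier in `compile()` (outside the hunk), a node name the resource service rejects would only surface at registration time rather than at compile time. A check beside the existing one, `if !IsValidLabel(n.Name) { return nil, fmt.Errorf("node %q is not a valid label", n.Name) }`, inside the `if n.IsV2()` block keeps the failure early; hedged, since the earlier part of the function is not visible. The commented-out `// NodeName: node.PodName()` in the catalog.go -723 hunk suggests `PodName()` is still the node naming elsewhere, so a short comment on why the workload name switches to `n.Name` would save the next reader a grep. `compile` starts and ends outside the hunk.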