Backport of test: fix some multiport deployer bugs and remove a container test already handled by deployer tests into release/1.17.x (#19652)

backport of commit eb13295e2b

Co-authored-by: R.B. Boyer <rb@hashicorp.com>

test-integ/catalogv2/explicit_destinations_test.go

@@ -152,7 +152,9 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes(
 				clusterName,
 				newID("single-server"),
 				topology.NodeVersionV2,
-				nil,
+				func(wrk *topology.Workload) {
+					wrk.WorkloadIdentity = "single-server-identity"
+				},
 			),
 		},
 	}
@@ -169,6 +171,7 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes(
 				func(wrk *topology.Workload) {
 					delete(wrk.Ports, "grpc")  // v2 mode turns this on, so turn it off
 					delete(wrk.Ports, "http2") // v2 mode turns this on, so turn it off
+					wrk.WorkloadIdentity = "single-client-identity"
 					wrk.Destinations = []*topology.Destination{{
 						ID:           newID("single-server"),
 						PortName:     "http",
@@ -187,12 +190,12 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes(
 		},
 	}, &pbauth.TrafficPermissions{
 		Destination: &pbauth.Destination{
-			IdentityName: "single-server",
+			IdentityName: "single-server-identity",
 		},
 		Action: pbauth.Action_ACTION_ALLOW,
 		Permissions: []*pbauth.Permission{{
 			Sources: []*pbauth.Source{{
-				IdentityName: "single-client",
+				IdentityName: "single-client-identity",
 				Namespace:    namespace,
 			}},
 		}},
@@ -208,7 +211,9 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes(
 				clusterName,
 				newID("multi-server"),
 				topology.NodeVersionV2,
-				nil,
+				func(wrk *topology.Workload) {
+					wrk.WorkloadIdentity = "multi-server-identity"
+				},
 			),
 		},
 	}
@@ -223,6 +228,7 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes(
 				newID("multi-client"),
 				topology.NodeVersionV2,
 				func(wrk *topology.Workload) {
+					wrk.WorkloadIdentity = "multi-client-identity"
 					wrk.Destinations = []*topology.Destination{
 						{
 							ID:           newID("multi-server"),
@@ -249,12 +255,12 @@ func (c testBasicL4ExplicitDestinationsCreator) topologyConfigAddNodes(
 		},
 	}, &pbauth.TrafficPermissions{
 		Destination: &pbauth.Destination{
-			IdentityName: "multi-server",
+			IdentityName: "multi-server-identity",
 		},
 		Action: pbauth.Action_ACTION_ALLOW,
 		Permissions: []*pbauth.Permission{{
 			Sources: []*pbauth.Source{{
-				IdentityName: "multi-client",
+				IdentityName: "multi-client-identity",
 				Namespace:    namespace,
 			}},
 		}},

test/integration/consul-container/test/multiport/explicit_destination_test.go

@@ -1,228 +0,0 @@
-// Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: BUSL-1.1
-
-package multiport
-
-import (
-	"context"
-	"fmt"
-	pbauth "github.com/hashicorp/consul/proto-public/pbauth/v2beta1"
-	pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v2beta1"
-	pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v2beta1"
-	libassert "github.com/hashicorp/consul/test/integration/consul-container/libs/assert"
-	"github.com/stretchr/testify/require"
-	"testing"
-
-	rtest "github.com/hashicorp/consul/internal/resource/resourcetest"
-	"github.com/hashicorp/consul/proto-public/pbresource"
-	libcluster "github.com/hashicorp/consul/test/integration/consul-container/libs/cluster"
-	libservice "github.com/hashicorp/consul/test/integration/consul-container/libs/service"
-	"github.com/hashicorp/consul/test/integration/consul-container/libs/topology"
-	"github.com/hashicorp/consul/test/integration/consul-container/libs/utils"
-)
-
-// TestMultiportService_Explicit makes sure two services in the same datacenter have connectivity
-// with transparent proxy enabled.
-//
-// Steps:
-//   - Create a single server cluster.
-//   - Create the example static-server and sidecar containers, then register them both with Consul
-//   - Create an example static-client sidecar, then register both the service and sidecar with Consul
-//   - Make sure a request from static-client to the virtual address (<svc>.virtual.consul) returns a
-//     response from the upstream.
-func TestMultiportService_Explicit(t *testing.T) {
-	t.Parallel()
-
-	cluster := createCluster(t)
-	followers, err := cluster.Followers()
-	require.NoError(t, err)
-	client := pbresource.NewResourceServiceClient(followers[0].GetGRPCConn())
-	resourceClient := rtest.NewClient(client)
-
-	serverIP := cluster.Agents[1].GetIP()
-	clientIP := cluster.Agents[2].GetIP()
-
-	serverService := createServerServicesAndWorkloads(t, resourceClient, serverIP)
-	createClientResources(t, resourceClient, serverService, clientIP)
-
-	_, clientDataplane := createServices(t, cluster)
-
-	_, port := clientDataplane.GetAddr()
-
-	assertDataplaneContainerState(t, clientDataplane, "running")
-	libassert.HTTPServiceEchoes(t, "localhost", port, "")
-	libassert.AssertFortioName(t, fmt.Sprintf("http://localhost:%d", port), "static-server", "")
-}
-
-// createServices creates the static-client and static-server services with
-// transparent proxy enabled. It returns a Service for the static-client.
-func createServices(t *testing.T, cluster *libcluster.Cluster) (*libcluster.ConsulDataplaneContainer, *libcluster.ConsulDataplaneContainer) {
-	n1 := cluster.Agents[1]
-
-	// Create a service and dataplane
-	serverDataplane, err := createServiceAndDataplane(t, n1, "static-server-workload", "static-server", 8080, 8079, []int{})
-	require.NoError(t, err)
-
-	n2 := cluster.Agents[2]
-	// Create a service and dataplane
-	clientDataplane, err := createServiceAndDataplane(t, n2, "static-client-workload", "static-client", 8080, 8079, []int{libcluster.ServiceUpstreamLocalBindPort})
-	require.NoError(t, err)
-
-	return serverDataplane, clientDataplane
-}
-
-func createServiceAndDataplane(t *testing.T, node libcluster.Agent, proxyID, serviceName string, httpPort, grpcPort int, serviceBindPorts []int) (*libcluster.ConsulDataplaneContainer, error) {
-	// Do some trickery to ensure that partial completion is correctly torn
-	// down, but successful execution is not.
-	var deferClean utils.ResettableDefer
-	defer deferClean.Execute()
-
-	// Create a service and proxy instance
-	svc, err := libservice.NewExampleService(context.Background(), serviceName, httpPort, grpcPort, node)
-	if err != nil {
-		return nil, err
-	}
-	deferClean.Add(func() {
-		_ = svc.Terminate()
-	})
-
-	// Create Consul Dataplane
-	dp, err := libcluster.NewConsulDataplane(context.Background(), proxyID, "0.0.0.0", 8502, serviceBindPorts, node, false, "")
-	require.NoError(t, err)
-	deferClean.Add(func() {
-		_ = dp.Terminate()
-	})
-
-	// disable cleanup functions now that we have an object with a Terminate() function
-	deferClean.Reset()
-
-	return dp, nil
-}
-
-func createServerServicesAndWorkloads(t *testing.T, resourceClient *rtest.Client, ipAddress string) *pbresource.Resource {
-	serverService := rtest.ResourceID(&pbresource.ID{
-		Name: "static-server-service",
-		Type: pbcatalog.ServiceType,
-	}).WithData(t, &pbcatalog.Service{
-		Workloads: &pbcatalog.WorkloadSelector{Prefixes: []string{"static-server"}},
-		Ports: []*pbcatalog.ServicePort{
-			{TargetPort: "tcp", Protocol: pbcatalog.Protocol_PROTOCOL_TCP},
-			{TargetPort: "mesh", Protocol: pbcatalog.Protocol_PROTOCOL_MESH},
-		},
-	}).Write(t, resourceClient)
-
-	workloadPortMap := map[string]*pbcatalog.WorkloadPort{
-		"tcp": {
-			Port: 8080, Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
-		},
-		"mesh": {
-			Port: 20000, Protocol: pbcatalog.Protocol_PROTOCOL_MESH,
-		},
-	}
-
-	rtest.ResourceID(&pbresource.ID{
-		Name: "static-server-identity",
-		Type: pbauth.WorkloadIdentityType,
-	}).Write(t, resourceClient)
-
-	rtest.ResourceID(&pbresource.ID{
-		Name: "static-server-workload",
-		Type: pbcatalog.WorkloadType,
-	}).
-		WithData(t, &pbcatalog.Workload{
-			Addresses: []*pbcatalog.WorkloadAddress{
-				{Host: ipAddress},
-			},
-			Ports:    workloadPortMap,
-			Identity: "static-server-identity",
-		}).
-		Write(t, resourceClient)
-	return serverService
-}
-
-func createClientResources(t *testing.T, resourceClient *rtest.Client, staticServerResource *pbresource.Resource, ipAddress string) {
-	rtest.ResourceID(&pbresource.ID{
-		Name: "static-client-service",
-		Type: pbcatalog.ServiceType,
-	}).WithData(t, &pbcatalog.Service{
-		Workloads: &pbcatalog.WorkloadSelector{Prefixes: []string{"static-client"}},
-		Ports: []*pbcatalog.ServicePort{
-			{TargetPort: "tcp", Protocol: pbcatalog.Protocol_PROTOCOL_TCP},
-			{TargetPort: "mesh", Protocol: pbcatalog.Protocol_PROTOCOL_MESH},
-		},
-	}).Write(t, resourceClient)
-
-	workloadPortMap := map[string]*pbcatalog.WorkloadPort{
-		"tcp": {
-			Port: 8080, Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
-		},
-		"mesh": {
-			Port: 20000, Protocol: pbcatalog.Protocol_PROTOCOL_MESH,
-		},
-	}
-
-	rtest.ResourceID(&pbresource.ID{
-		Name: "static-client-workload",
-		Type: pbcatalog.WorkloadType,
-	}).
-		WithData(t, &pbcatalog.Workload{
-			Addresses: []*pbcatalog.WorkloadAddress{
-				{Host: ipAddress},
-			},
-			Ports:    workloadPortMap,
-			Identity: "static-client-identity",
-		}).
-		Write(t, resourceClient)
-
-	destId := staticServerResource.GetId()
-	destRef := &pbresource.Reference{
-		Type:    destId.Type,
-		Tenancy: destId.Tenancy,
-		Name:    destId.Name,
-		Section: "",
-	}
-	rtest.ResourceID(&pbresource.ID{
-		Name: "static-client-upstreams",
-		Type: pbmesh.DestinationsType,
-	}).
-		WithData(t, &pbmesh.Destinations{
-			Destinations: []*pbmesh.Destination{
-				{
-					DestinationRef:  destRef,
-					DestinationPort: "tcp",
-					ListenAddr: &pbmesh.Destination_IpPort{
-						IpPort: &pbmesh.IPPortAddress{
-							Ip:   "0.0.0.0",
-							Port: libcluster.ServiceUpstreamLocalBindPort,
-						},
-					},
-				},
-			},
-			Workloads: &pbcatalog.WorkloadSelector{
-				Prefixes: []string{"static-client"},
-			},
-		}).
-		Write(t, resourceClient)
-}
-
-func createCluster(t *testing.T) *libcluster.Cluster {
-	cluster, _, _ := topology.NewCluster(t, &topology.ClusterConfig{
-		NumServers: 3,
-		BuildOpts: &libcluster.BuildOptions{
-			Datacenter:             "dc1",
-			InjectAutoEncryption:   true,
-			InjectGossipEncryption: true,
-			AllowHTTPAnyway:        true,
-		},
-		Cmd: `-hcl=experiments=["resource-apis"] log_level="TRACE"`,
-	})
-
-	return cluster
-}
-
-// assertDataplaneContainerState validates service container status
-func assertDataplaneContainerState(t *testing.T, dataplane *libcluster.ConsulDataplaneContainer, state string) {
-	containerStatus, err := dataplane.GetStatus()
-	require.NoError(t, err)
-	require.Equal(t, containerStatus, state, fmt.Sprintf("Expected: %s. Got %s", state, containerStatus))
-}

testing/deployer/sprawl/acl_rules.go

@@ -102,7 +102,7 @@ func tokenForWorkload(wrk *topology.Workload, overridePolicy *api.ACLPolicy, ent
 		token.TemplatedPolicies = []*api.ACLTemplatedPolicy{{
 			TemplateName: api.ACLTemplatedPolicyWorkloadIdentityName,
 			TemplateVariables: &api.ACLTemplatedPolicyVariables{
-				Name: wrk.ID.Name,
+				Name: wrk.WorkloadIdentity,
 			},
 		}}
 	} else {

testing/deployer/sprawl/catalog.go

@@ -286,7 +286,9 @@ func (s *Sprawl) syncWorkloadsForDataplaneInstances(cluster *topology.Cluster) e
 			} else {
 				syncWorkload = deregisterWorkloadFromNode
 			}
-			syncWorkload(node, wrk)
+			if err := syncWorkload(node, wrk); err != nil {
+				return err
+			}
 		}
 
 		// Deregister the virtual node if node is disabled
@@ -723,7 +725,7 @@ func workloadInstanceToResources(
 			Data: &pbcatalog.Workload{
 				// TODO(rb): disabling this until node scoping makes sense again
 				// NodeName: node.PodName(),
-				Identity: wrk.ID.Name,
+				Identity: wrk.WorkloadIdentity,
 				Ports:    wlPorts,
 				Addresses: []*pbcatalog.WorkloadAddress{
 					{Host: node.LocalAddress()},

testing/deployer/topology/compile.go

@@ -342,7 +342,7 @@ func compile(logger hclog.Logger, raw *Config, prev *Topology) (*Topology, error
 				wrk.Node = n
 				wrk.NodeVersion = n.Version
 				if n.IsV2() {
-					wrk.Workload = wrk.ID.Name + "-" + n.PodName()
+					wrk.Workload = wrk.ID.Name + "-" + n.Name
 				}
 
 				if !IsValidLabel(wrk.ID.Partition) {