From 3a2e62053ac1dc78afe1df60eb4187f5de4a8dca Mon Sep 17 00:00:00 2001 
From: Nitya Dhanushkodi Date: Tue, 19 Sep 2023 17:02:01 -0700 Subject: [PATCH] v2: various fixes to make K8s tproxy multiport acceptance tests and manual explicit upstreams (single port) tests pass (#18874) Adding coauthors who mobbed/paired at various points throughout last week. Co-authored-by: Dan Stough Co-authored-by: Iryna Shustava Co-authored-by: John Murret Co-authored-by: Michael Zalimeni Co-authored-by: Ashwin Venkatesh Co-authored-by: Michael Wilkerson --- .../dataplane/get_envoy_bootstrap_params.go | 3 +- agent/xds/delta.go | 11 +++-- agent/xdsv2/cluster_resources.go | 2 + agent/xdsv2/listener_resources.go | 43 ++++++++++--------- agent/xdsv2/resources_test.go | 10 +++-- ...-single-implicit-destination-tproxy.golden | 15 ++++++- ...-single-implicit-destination-tproxy.golden | 37 +++++++++++++++- .../builder/destination_builder.go | 3 +- .../sidecarproxy/builder/local_app.go | 3 ++ ...it-and-explicit-destinations-tproxy.golden | 6 ++- .../destination/l4-multi-destination.golden | 6 ++- ...ltiple-implicit-destinations-tproxy.golden | 6 ++- ...le-destination-ip-port-bind-address.golden | 7 ++- ...estination-unix-socket-bind-address.golden | 3 +- ...-single-implicit-destination-tproxy.golden | 3 +- .../mixed-multi-destination.golden | 13 ++++-- ...ltiple-implicit-destinations-tproxy.golden | 12 ++++-- ...-single-implicit-destination-tproxy.golden | 6 ++- ...tion-with-multiple-workloads-tproxy.golden | 6 ++- ...kload-addresses-with-specific-ports.golden | 3 ++ ...le-workload-addresses-without-ports.golden | 3 ++ ...ngle-workload-address-without-ports.golden | 3 ++ ...kload-addresses-with-specific-ports.golden | 3 ++ ...le-workload-addresses-without-ports.golden | 3 ++ ...ngle-workload-address-without-ports.golden | 3 ++ ...ort-l4-workload-with-only-mesh-port.golden | 3 ++ .../controllers/sidecarproxy/controller.go | 5 +++ .../sidecarproxy/fetcher/data_fetcher.go | 13 +++++- .../sidecarproxy/fetcher/data_fetcher_test.go | 3 ++ 
.../mappers/sidecarproxymapper/mapper.go | 4 ++ 30 files changed, 187 insertions(+), 54 deletions(-) diff --git a/agent/grpc-external/services/dataplane/get_envoy_bootstrap_params.go b/agent/grpc-external/services/dataplane/get_envoy_bootstrap_params.go index 037331569a..d69d7b1905 100644 --- a/agent/grpc-external/services/dataplane/get_envoy_bootstrap_params.go +++ b/agent/grpc-external/services/dataplane/get_envoy_bootstrap_params.go @@ -59,7 +59,6 @@ func (s *Server) GetEnvoyBootstrapParams(ctx context.Context, req *pbdataplane.G Tenancy: &pbresource.Tenancy{ Namespace: req.Namespace, Partition: req.Partition, - PeerName: "local", }, Type: catalog.WorkloadType, } @@ -69,6 +68,7 @@ func (s *Server) GetEnvoyBootstrapParams(ctx context.Context, req *pbdataplane.G if err != nil { // This error should already include the gRPC status code and so we don't need to wrap it // in status.Error. + logger.Error("Error looking up workload", "error", err) return nil, err } var workload pbcatalog.Workload @@ -93,6 +93,7 @@ func (s *Server) GetEnvoyBootstrapParams(ctx context.Context, req *pbdataplane.G Type: mesh.ProxyConfigurationType, }) if err != nil { + logger.Error("Error looking up proxyConfiguration", "error", err) return nil, err } diff --git a/agent/xds/delta.go b/agent/xds/delta.go index a0894954ea..e303447ee5 100644 --- a/agent/xds/delta.go +++ b/agent/xds/delta.go @@ -116,7 +116,13 @@ func getEnvoyConfiguration(proxySnapshot proxysnapshot.ProxySnapshot, logger hcl ) c := proxySnapshot.(*proxytracker.ProxyState) logger.Trace("ProxyState", c) - return generator.AllResourcesFromIR(c) + resources, err := generator.AllResourcesFromIR(c) + if err != nil { + logger.Error("error generating resources from proxy state template", "err", err) + return nil, err + } + logger.Trace("generated resources from proxy state template", "resources", resources) + return resources, nil default: return nil, errors.New("proxysnapshot must be of type ProxyState or ConfigSnapshot") } 
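Review bot: The new `logger.Error("Error looking up workload", "error", err)` logs and then returns the same error, so the failure is reported at two layers, and since the comment right above says err already carries a gRPC status code, a lookup that fails with a NotFound status will be logged at Error level for every bootstrap request from a proxy that is not registered yet. Either let the caller log once, or key the level on the status, e.g. `logger.Warn("workload lookup failed", "error", err)` for expected statuses and Error only for the rest. The same point applies to the `logger.Error("Error looking up proxyConfiguration", ...)` line in the following hunk (@@ -93); both messages also use a capitalised first word while the other log lines added in this patch (delta.go, controller.go) are lowercase. GetEnvoyBootstrapParams starts and ends outside these hunks.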
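Review bot: `logger.Trace("generated resources from proxy state template", "resources", resources)` writes the complete generated xDS resource set into the log, and the cluster golden added later in this patch shows those resources carry a transport socket with an inline `privateKey` (`"inlineString": "key1\n"`), so wherever trace level is enabled the proxy's leaf private key will be persisted in plaintext. Log a summary instead — the number of resources or their names, e.g. `logger.Trace("generated resources from proxy state template", "count", len(resources))` if resources is a map or slice — and keep key material out of the record. The pre-existing `logger.Trace("ProxyState", c)` on the context line above has the same exposure if the proxy state holds leaf certificates (the input golden in this patch carries `leafCertificates` with a `key` field), so it is worth fixing in the same place. getEnvoyConfiguration starts outside the hunk.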
@@ -428,9 +434,8 @@ func newResourceIDFromEnvoyNode(node *envoy_config_core_v3.Node) *pbresource.ID Tenancy: &pbresource.Tenancy{ Namespace: entMeta.NamespaceOrDefault(), Partition: entMeta.PartitionOrDefault(), - PeerName: "local", }, - Type: mesh.ProxyStateTemplateV1AlphaType, + Type: mesh.ProxyStateTemplateType, } } diff --git a/agent/xdsv2/cluster_resources.go b/agent/xdsv2/cluster_resources.go index dc19027338..66dc78bc49 100644 --- a/agent/xdsv2/cluster_resources.go +++ b/agent/xdsv2/cluster_resources.go @@ -376,6 +376,8 @@ func addEnvoyLBToCluster(dynamicConfig *pbproxystate.DynamicEndpointGroupConfig, } // TODO(proxystate): In a future PR this will create clusters and add it to ProxyResources.proxyState +// Currently, we do not traverse the listener -> endpoint paths and instead just generate each resource by iterating +// through its top level map. In the future we want to traverse these paths to ensure each listener has a cluster, etc. func (pr *ProxyResources) makeEnvoyClusterFromL4Destination(l4 *pbproxystate.L4Destination) error { return nil } diff --git a/agent/xdsv2/listener_resources.go b/agent/xdsv2/listener_resources.go index ca8a3fa3b3..2ea703c699 100644 --- a/agent/xdsv2/listener_resources.go +++ b/agent/xdsv2/listener_resources.go @@ -540,14 +540,13 @@ func (pr *ProxyResources) makeEnvoyTLSParameters(defaultParams *pbproxystate.TLS } func (pr *ProxyResources) makeEnvoyTransportSocket(ts *pbproxystate.TransportSocket) (*envoy_core_v3.TransportSocket, error) { - // TODO(JM): did this just make tests pass. Figure out whether proxyState.Tls will always be available. - if pr.proxyState.Tls == nil { - return nil, nil - } if ts == nil { return nil, nil } commonTLSContext := &envoy_tls_v3.CommonTlsContext{} + if ts.AlpnProtocols != nil { + commonTLSContext.AlpnProtocols = ts.AlpnProtocols + } // Create connection TLS. Listeners should only look at inbound TLS. switch ts.ConnectionTls.(type) { 
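Review bot: The nil guard around `commonTLSContext.AlpnProtocols = ts.AlpnProtocols` is redundant: assigning a nil slice leaves the field nil, and a zero-length repeated field is omitted on marshal either way, so the two added lines can fold into the literal, `commonTLSContext := &envoy_tls_v3.CommonTlsContext{AlpnProtocols: ts.AlpnProtocols}`. Removing the `pr.proxyState.Tls == nil` early return also changes the function's contract — it now produces transport sockets with no proxy-level TLS configuration, handled per case in the three hunks below — so the function should get a doc comment stating that `proxyState.Tls` is optional and what is used in its place. makeEnvoyTransportSocket continues past the end of this hunk.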
@@ -555,16 +554,16 @@ func (pr *ProxyResources) makeEnvoyTransportSocket(ts *pbproxystate.TransportSoc downstreamContext := &envoy_tls_v3.DownstreamTlsContext{} downstreamContext.CommonTlsContext = commonTLSContext // Set TLS Parameters. - tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.InboundTlsParameters, ts.TlsParameters) - commonTLSContext.TlsParams = tlsParams + if pr.proxyState.Tls != nil { + tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.InboundTlsParameters, ts.TlsParameters) + commonTLSContext.TlsParams = tlsParams + } else { + commonTLSContext.TlsParams = &envoy_tls_v3.TlsParameters{} + } // Set the certificate config on the tls context. // For inbound mesh, we need to add the identity certificate // and the validation context for the mesh depending on the provided trust bundle names. - if pr.proxyState.Tls == nil { - // if tls is nil but connection tls is provided, then the proxy state is misconfigured - return nil, fmt.Errorf("proxyState.Tls is required to generate router's transport socket") - } im := ts.ConnectionTls.(*pbproxystate.TransportSocket_InboundMesh).InboundMesh leaf, ok := pr.proxyState.LeafCertificates[im.IdentityKey] if !ok { 
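Review bot: The `else` branch sets `commonTLSContext.TlsParams = &envoy_tls_v3.TlsParameters{}` while the hunk deletes the "proxyState.Tls is required" error, so a ProxyState that configures inbound mesh TLS but carries no TLS parameters now silently falls back to Envoy's built-in defaults for protocol versions and cipher suites instead of being rejected as misconfigured. If that fallback is intended, make it visible: a comment such as `// No proxy-level TLS params: Envoy defaults apply; protocol versions and ciphers are not pinned here.` on the empty struct, plus a Warn-level log if a logger is reachable from pr. The same if/else is repeated verbatim for the inbound non-mesh case (@@ -640) and the outbound mesh case (@@ -657); extract one helper that takes the proxy-level params pointer (nil-safe) and `ts.TlsParameters` and returns the Envoy `*TlsParameters`, so the nil handling and its documentation live in one place. The switch case this hunk edits starts and ends outside the hunk.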
@@ -640,9 +639,13 @@ func (pr *ProxyResources) makeEnvoyTransportSocket(ts *pbproxystate.TransportSoc case *pbproxystate.TransportSocket_InboundNonMesh: downstreamContext := &envoy_tls_v3.DownstreamTlsContext{} downstreamContext.CommonTlsContext = commonTLSContext - // Set TLS Parameters - tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.InboundTlsParameters, ts.TlsParameters) - commonTLSContext.TlsParams = tlsParams + // Set TLS Parameters. + if pr.proxyState.Tls != nil { + tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.InboundTlsParameters, ts.TlsParameters) + commonTLSContext.TlsParams = tlsParams + } else { + commonTLSContext.TlsParams = &envoy_tls_v3.TlsParameters{} + } // For non-mesh, we don't care about validation context as currently we don't support mTLS for non-mesh connections. nonMeshTLS := ts.ConnectionTls.(*pbproxystate.TransportSocket_InboundNonMesh).InboundNonMesh err := pr.addNonMeshCertConfig(commonTLSContext, nonMeshTLS) 
@@ -657,15 +660,15 @@ func (pr *ProxyResources) makeEnvoyTransportSocket(ts *pbproxystate.TransportSoc case *pbproxystate.TransportSocket_OutboundMesh: upstreamContext := &envoy_tls_v3.UpstreamTlsContext{} upstreamContext.CommonTlsContext = commonTLSContext - // Set TLS Parameters - tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.OutboundTlsParameters, ts.TlsParameters) - commonTLSContext.TlsParams = tlsParams + // Set TLS Parameters. + if pr.proxyState.Tls != nil { + tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.OutboundTlsParameters, ts.TlsParameters) + commonTLSContext.TlsParams = tlsParams + } else { + commonTLSContext.TlsParams = &envoy_tls_v3.TlsParameters{} + } // For outbound mesh, we need to insert the mesh identity certificate // and the validation context for the mesh depending on the provided trust bundle names. - if pr.proxyState.Tls == nil { - // if tls is nil but connection tls is provided, then the proxy state is misconfigured - return nil, fmt.Errorf("proxyState.Tls is required to generate router's transport socket") - } om := ts.GetOutboundMesh() leaf, ok := pr.proxyState.LeafCertificates[om.IdentityKey] if !ok { diff --git a/agent/xdsv2/resources_test.go b/agent/xdsv2/resources_test.go index edc20bccc4..4b0ea814b0 100644 --- a/agent/xdsv2/resources_test.go +++ b/agent/xdsv2/resources_test.go 
@@ -4,17 +4,19 @@ package xdsv2 import ( + "os" + "path/filepath" + "sort" + "testing" + envoy_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3" envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" + "github.com/hashicorp/consul/agent/xds/response" "github.com/hashicorp/consul/envoyextensions/xdscommon" proxytracker "github.com/hashicorp/consul/internal/mesh/proxy-tracker" meshv1alpha1 "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1" "github.com/hashicorp/consul/sdk/testutil" - "os" - "path/filepath" - "sort" - "testing" "github.com/stretchr/testify/require" "google.golang.org/protobuf/encoding/protojson" diff --git a/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden index f17fbfac21..72715b7215 100644 --- a/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden +++ b/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden @@ -53,7 +53,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - ] + ], + "trustBundlePeerNameKey": "local" }, "sni": "api-1.default.dc1.internal.foo.consul" }, @@ -64,8 +65,20 @@ } } } + }, + "leafCertificates": { + "test-identity": { + "cert": "cert1", + "key": "key1" } }, + "trustBundles": { + "local": { + "trustDomain": "foo.consul", + "roots": ["root1"] + } + } + }, "requiredEndpoints": { "api-1.default.dc1.internal.foo.consul": { "id": { diff --git a/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden index d4f50e5ccc..76f814eb39 100644 --- a/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden +++ b/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden 
@@ -10,7 +10,42 @@ "ads": {}, "resourceApiVersion": "V3" } - } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "alpnProtocols": [ + "consul~tcp" + ], + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "cert1\n" + }, + "privateKey": { + "inlineString": "key1\n" + } + } + ], + "tlsParams": {}, + "validationContext": { + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + } + ], + "trustedCa": { + "inlineString": "root1\n" + } + } + }, + "sni": "api-1.default.dc1.internal.foo.consul" + } + }, + "type": "EDS" } ], "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go index 147d6a7b54..126e5bfc68 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go @@ -508,7 +508,8 @@ func (b *Builder) addCluster(clusterName, sni, portName string, destinationIdent OutboundMesh: &pbproxystate.OutboundMeshMTLS{ IdentityKey: b.proxyStateTemplate.ProxyState.Identity.Name, ValidationContext: &pbproxystate.MeshOutboundValidationContext{ - SpiffeIds: spiffeIDs, + SpiffeIds: spiffeIDs, + TrustBundlePeerNameKey: b.id.Tenancy.PeerName, }, Sni: sni, }, diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go index 61ccccfbf7..c339dd34c9 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go 
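Review bot: `TrustBundlePeerNameKey: b.id.Tenancy.PeerName` copies the peer name straight from the proxy's ID, while other hunks in this patch stop setting `PeerName: "local"` on the IDs built in GetEnvoyBootstrapParams and newResourceIDFromEnvoyNode; if `b.id` can arrive with an empty PeerName, the key becomes `""` and will not match the `"local"` entry the goldens expect under `trustBundles`, leaving the outbound validation context without a trusted CA. If the resource layer is relied on to default PeerName before the builder runs, say so in a comment on this line; otherwise default it here, e.g. `peer := b.id.Tenancy.PeerName` followed by `if peer == "" { peer = "local" }`. addCluster starts and ends outside the hunk.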
@@ -243,6 +243,9 @@ func (b *Builder) addInboundListener(name string, workload *pbcatalog.Workload) }, } + // Add TLS inspection capability to be able to parse ALPN and/or SNI information from inbound connections. + listener.Capabilities = append(listener.Capabilities, pbproxystate.Capability_CAPABILITY_L4_TLS_INSPECTION) + return b.NewListenerBuilder(listener) } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden index aee378f190..8159795836 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden @@ -18,7 +18,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } @@ -43,7 +44,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden index 1c393ec7dc..4dd21947a7 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden @@ -28,7 +28,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } 
@@ -53,7 +54,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden index d23c1ff1c7..145b38ecd3 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden @@ -18,7 +18,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } @@ -43,7 +44,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden index 3ac00f37a7..0f4689784f 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden @@ -28,7 +28,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } 
@@ -50,7 +51,9 @@ "outboundMesh": { "identityKey": "test-identity", "sni": "api-2.default.dc1.internal.foo.consul", - "validationContext": {} + "validationContext": { + "trustBundlePeerNameKey": "local" + } } } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden index 69e075a349..e0d2566656 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden @@ -18,7 +18,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden index 8941ab0728..2158ad93fd 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden @@ -18,7 +18,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden index c0394a25bc..ee03beb415 100644 
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden @@ -18,7 +18,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } @@ -40,7 +41,9 @@ "outboundMesh": { "identityKey": "test-identity", "sni": "api-2.default.dc1.internal.foo.consul", - "validationContext": {} + "validationContext": { + "trustBundlePeerNameKey": "local" + } } } } @@ -74,7 +77,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } @@ -99,7 +103,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden index f7f3c9ffa7..7260bdc283 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden @@ -18,7 +18,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } @@ -43,7 +44,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } 
@@ -68,7 +70,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } @@ -93,7 +96,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden index 61ffc42206..7db01393db 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden @@ -18,7 +18,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } @@ -43,7 +44,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden index 61ffc42206..7db01393db 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden 
@@ -18,7 +18,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } @@ -43,7 +44,8 @@ "validationContext": { "spiffeIds": [ "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" - ] + ], + "trustBundlePeerNameKey": "local" } } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden index f347530259..acac9b8194 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden @@ -29,6 +29,9 @@ }, "listeners": [ { + "capabilities": [ + "CAPABILITY_L4_TLS_INSPECTION" + ], "direction": "DIRECTION_INBOUND", "hostPort": { "host": "10.0.0.2", diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden index f9136e89d3..fea63239f2 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden @@ -29,6 +29,9 @@ }, "listeners": [ { + "capabilities": [ + "CAPABILITY_L4_TLS_INSPECTION" + ], "direction": "DIRECTION_INBOUND", "hostPort": { "host": "10.0.0.1", 
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden index f9136e89d3..fea63239f2 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden @@ -29,6 +29,9 @@ }, "listeners": [ { + "capabilities": [ + "CAPABILITY_L4_TLS_INSPECTION" + ], "direction": "DIRECTION_INBOUND", "hostPort": { "host": "10.0.0.1", diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden index f7240ea256..f84bc6dfbc 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden @@ -44,6 +44,9 @@ }, "listeners": [ { + "capabilities": [ + "CAPABILITY_L4_TLS_INSPECTION" + ], "direction": "DIRECTION_INBOUND", "hostPort": { "host": "10.0.0.3", diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden index e66f1e13d3..b588d6a747 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden 
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden @@ -44,6 +44,9 @@ }, "listeners": [ { + "capabilities": [ + "CAPABILITY_L4_TLS_INSPECTION" + ], "direction": "DIRECTION_INBOUND", "hostPort": { "host": "10.0.0.1", diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden index e66f1e13d3..b588d6a747 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden @@ -44,6 +44,9 @@ }, "listeners": [ { + "capabilities": [ + "CAPABILITY_L4_TLS_INSPECTION" + ], "direction": "DIRECTION_INBOUND", "hostPort": { "host": "10.0.0.1", diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden index da29255b87..f47ebba21d 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden @@ -17,6 +17,9 @@ }, "listeners": [ { + "capabilities": [ + "CAPABILITY_L4_TLS_INSPECTION" + ], "direction": "DIRECTION_INBOUND", "hostPort": { "host": "10.0.0.1", diff --git a/internal/mesh/internal/controllers/sidecarproxy/controller.go b/internal/mesh/internal/controllers/sidecarproxy/controller.go index 73ce3c6c3f..98dab6ae75 100644 
--- a/internal/mesh/internal/controllers/sidecarproxy/controller.go +++ b/internal/mesh/internal/controllers/sidecarproxy/controller.go @@ -202,6 +202,11 @@ func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req c // Get all destinationsData. destinationsRefs := r.destinationsCache.DestinationsBySourceProxy(req.ID) + if len(destinationsRefs) > 0 { + rt.Logger.Trace("found destinations for this proxy", "id", req.ID, "destination_refs", destinationsRefs) + } else { + rt.Logger.Trace("did not find any destinations for this proxy", "id", req.ID) + } destinationsData, statuses, err := dataFetcher.FetchExplicitDestinationsData(ctx, destinationsRefs) if err != nil { rt.Logger.Error("error fetching explicit destinations for this proxy", "error", err) diff --git a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go index 4bf5df4827..98d301b402 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go +++ b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go @@ -352,7 +352,12 @@ func (f *Fetcher) FetchImplicitDestinationsData( if err != nil { return nil, err } - endpointsMap[seRK] = se + // We only add the endpoint to the map if it's not nil. If it's missing on lookup now, the + // controller should get triggered when the endpoint exists again since it watches service + // endpoints. + if se != nil { + endpointsMap[seRK] = se + } } } } @@ -439,6 +444,12 @@ func (f *Fetcher) FetchAndMergeProxyConfigurations(ctx context.Context, id *pbre proto.Merge(result.DynamicConfig, proxyCfg.DynamicConfig) } + // Default the outbound listener port. If we don't do the nil check here, then BuildDestinations will panic creating + // the outbound listener. + if result.DynamicConfig.TransparentProxy == nil { + result.DynamicConfig.TransparentProxy = &pbmesh.TransparentProxy{OutboundListenerPort: 15001} + } + return result, nil } 
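Review bot: The two-branch trace at `if len(destinationsRefs) > 0` can be a single call, e.g. `rt.Logger.Trace("explicit destinations for this proxy", "id", req.ID, "count", len(destinationsRefs), "destination_refs", destinationsRefs)`, which is shorter and keeps the empty case under the same message for searching. Reconcile starts and ends outside the hunk.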
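Review bot: The default `&pbmesh.TransparentProxy{OutboundListenerPort: 15001}` hard-codes a port literal that data_fetcher_test.go repeats in the same patch; hoist it into a named constant (`const defaultOutboundListenerPort = 15001`) with a comment on where that value comes from, and use it in both places. The guard only fires when the pointer is nil, so a caller-supplied `TransparentProxy` with port 0 presumably still reaches the panic the comment describes; consider `if tp := result.DynamicConfig.TransparentProxy; tp == nil || tp.OutboundListenerPort == 0 {` and defaulting the port in that case. The check also assumes `result.DynamicConfig` is non-nil, which the preceding `proto.Merge` context suggests but the hunk does not show. FetchAndMergeProxyConfigurations starts outside the hunk.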
diff --git a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go index fb73b93c2a..4e3835db15 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go +++ b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go @@ -1029,6 +1029,9 @@ func (suite *dataFetcherSuite) TestFetcher_FetchAndMergeProxyConfigurations() { DynamicConfig: &pbmesh.DynamicConfig{ Mode: pbmesh.ProxyMode_PROXY_MODE_TRANSPARENT, MutualTlsMode: pbmesh.MutualTLSMode_MUTUAL_TLS_MODE_DEFAULT, + TransparentProxy: &pbmesh.TransparentProxy{ + OutboundListenerPort: 15001, + }, }, } diff --git a/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go b/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go index 23b762ff59..7de9c8f55a 100644 --- a/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go +++ b/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go @@ -5,6 +5,7 @@ package sidecarproxymapper import ( "context" + "fmt" "github.com/hashicorp/consul/internal/catalog" "github.com/hashicorp/consul/internal/controller" @@ -54,6 +55,9 @@ func mapSelectorToProxyStateTemplates(ctx context.Context, if err != nil { return nil, err } + if len(resp.Resources) == 0 { + return nil, fmt.Errorf("no workloads found") + } for _, r := range resp.Resources { id := resource.ReplaceType(types.ProxyStateTemplateType, r.Id) result = append(result, controller.Request{
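Review bot: Returning `fmt.Errorf("no workloads found")` when `resp.Resources` is empty turns an ordinary empty selection into a mapper error, so a selector whose workloads have all been deregistered will presumably surface as a failure in the controller rather than as an empty request set. If the intent is just to skip, `return nil, nil` is the conventional mapper result here; if it is a genuine error, make it a package sentinel (`var ErrNoWorkloads = errors.New("no workloads found")`) so callers can match it with `errors.Is`. `fmt.Errorf` with no format verbs is also flagged by staticcheck; `errors.New` is the idiomatic call. mapSelectorToProxyStateTemplates starts outside the hunk.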