From 1b1f33f224b2aad34f2c68b451e0b65b88db4516 Mon Sep 17 00:00:00 2001 From: Ranjandas Date: Fri, 30 Jun 2023 00:24:24 +1000 Subject: [PATCH 01/14] Fixes Secondary ConnectCA update (#17846) This fixes a bug that was identified which resulted in subsequent ConnectCA configuration update not to persist in the cluster. --- .changelog/17846.txt | 3 +++ agent/consul/leader_connect_ca.go | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 .changelog/17846.txt diff --git a/.changelog/17846.txt b/.changelog/17846.txt new file mode 100644 index 0000000000..bd5a052f85 --- /dev/null +++ b/.changelog/17846.txt @@ -0,0 +1,3 @@ +```release-note:bug +connect/ca: Fixes a bug preventing CA configuration updates in secondary datacenters +``` diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go index 8c715588ee..c8c63c8874 100644 --- a/agent/consul/leader_connect_ca.go +++ b/agent/consul/leader_connect_ca.go @@ -735,7 +735,9 @@ func shouldPersistNewRootAndConfig(newActiveRoot *structs.CARoot, oldConfig, new if newConfig == nil { return false } - return newConfig.Provider == oldConfig.Provider && reflect.DeepEqual(newConfig.Config, oldConfig.Config) + + // Do not persist if the new provider and config are the same as the old + return !(newConfig.Provider == oldConfig.Provider && reflect.DeepEqual(newConfig.Config, oldConfig.Config)) } func (c *CAManager) UpdateConfiguration(args *structs.CARequest) (reterr error) { From a60b36394df4abf5d1826556f1321c5db0977cbb Mon Sep 17 00:00:00 2001 From: John Maguire Date: Thu, 29 Jun 2023 12:35:13 -0400 Subject: [PATCH 02/14] fixing typo in link to jwt-validations-with-intentions doc (#17955) --- website/content/docs/connect/intentions/jwt-authorization.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/connect/intentions/jwt-authorization.mdx b/website/content/docs/connect/intentions/jwt-authorization.mdx index 9a8458054e..c49ac4fbc6 100644 
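Review bot: The inverted return in shouldPersistNewRootAndConfig ships without a regression test; the diffstat lists only the changelog entry and leader_connect_ca.go. Since this predicate decides whether a CA provider or config change is stored in a secondary datacenter, a table test would pin the behaviour that was wrong before: same provider and config expects false, a changed provider or changed config expects true. The visible lines guard `newConfig == nil` but read `oldConfig.Provider` unguarded. The function starts outside the hunk, so if no earlier line rules out a nil oldConfig, a guard such as `if oldConfig == nil { return true }` is needed before the comparison. The new comment would read more directly as `// Persist only when the provider or its config differs from the stored one.`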
--- a/website/content/docs/connect/intentions/jwt-authorization.mdx +++ b/website/content/docs/connect/intentions/jwt-authorization.mdx @@ -92,7 +92,7 @@ JWT = { } ``` -You can include additional configuration information to require the token to match specific claims. You can also configure the `JWT` field to apply only to requests that come from certain HTTP paths. Refer to [JWT validations with intentions](/consul/docs/conntect/config-entries/service-intentions#jwt-validations-with-intentions) for an example configuration. +You can include additional configuration information to require the token to match specific claims. You can also configure the `JWT` field to apply only to requests that come from certain HTTP paths. Refer to [JWT validations with intentions](/consul/docs/connect/config-entries/service-intentions#jwt-validations-with-intentions) for an example configuration. After you update the service intention, write the configuration to Consul so that it takes effect: From 85b78fe186bb4d6609dc3f76d854ec9aea264626 Mon Sep 17 00:00:00 2001 From: David Yu Date: Thu, 29 Jun 2023 12:19:03 -0700 Subject: [PATCH 03/14] Fix streaming backend link (#17958) * Fix streaming backend link * Update health.mdx --- website/content/api-docs/health.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/website/content/api-docs/health.mdx b/website/content/api-docs/health.mdx index cb8ef9f4ea..bd373c91b9 100644 --- a/website/content/api-docs/health.mdx +++ b/website/content/api-docs/health.mdx @@ -222,8 +222,7 @@ The table below shows this endpoint's support for | `YES` 1 | `all` | `background refresh` | `node:read,service:read` |

- 1some query parameters will use the - streaming backend + 1some query parameters will use the streaming backend for blocking queries.

### Path Parameters From 1512ea307e7824fc0e24d6eeb6e7fb3c731c3b53 Mon Sep 17 00:00:00 2001 From: Ronald Date: Thu, 29 Jun 2023 16:37:40 -0400 Subject: [PATCH 04/14] Dynamically create jwks clusters for jwt-providers (#17944) --- agent/xds/clusters.go | 94 +++++++++ agent/xds/clusters_test.go | 179 ++++++++++++++++++ agent/xds/jwt_authn.go | 15 +- agent/xds/jwt_authn_test.go | 19 +- .../jwt_authn/intention-with-path.golden | 2 +- ...ltiple-providers-and-one-permission.golden | 6 +- .../testdata/jwt_authn/remote-provider.golden | 2 +- .../top-level-provider-with-permission.golden | 4 +- ...ttp-provider-with-hostname-and-port.golden | 23 +++ ...http-provider-with-hostname-no-port.golden | 23 +++ .../http-provider-with-ip-and-port.golden | 23 +++ .../http-provider-with-ip-no-port.golden | 23 +++ ...tps-provider-with-hostname-and-port.golden | 32 ++++ ...ttps-provider-with-hostname-no-port.golden | 32 ++++ .../https-provider-with-ip-and-port.golden | 32 ++++ .../https-provider-with-ip-no-port.golden | 32 ++++ 16 files changed, 520 insertions(+), 21 deletions(-) create mode 100644 agent/xds/testdata/jwt_authn_clusters/http-provider-with-hostname-and-port.golden create mode 100644 agent/xds/testdata/jwt_authn_clusters/http-provider-with-hostname-no-port.golden create mode 100644 agent/xds/testdata/jwt_authn_clusters/http-provider-with-ip-and-port.golden create mode 100644 agent/xds/testdata/jwt_authn_clusters/http-provider-with-ip-no-port.golden create mode 100644 agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden create mode 100644 agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden create mode 100644 agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden create mode 100644 agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go index a6f58a11f2..68ae4643b4 100644 --- a/agent/xds/clusters.go 
+++ b/agent/xds/clusters.go @@ -6,6 +6,8 @@ package xds import ( "errors" "fmt" + "net/url" + "strconv" "strings" "time" @@ -141,6 +143,22 @@ func (s *ResourceGenerator) clustersFromSnapshotConnectProxy(cfgSnap *proxycfg.C clusters = append(clusters, upstreamCluster) } + // add clusters for jwt-providers + for _, prov := range cfgSnap.JWTProviders { + //skip cluster creation for local providers + if prov.JSONWebKeySet == nil || prov.JSONWebKeySet.Remote == nil { + continue + } + + cluster, err := makeJWTProviderCluster(prov) + if err != nil { + s.Logger.Warn("failed to make jwt-provider cluster", "provider name", prov.Name, "error", err) + continue + } + + clusters = append(clusters, cluster) + } + for _, u := range cfgSnap.Proxy.Upstreams { if u.DestinationType != structs.UpstreamDestTypePreparedQuery { continue 
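Review bot: When makeJWTProviderCluster fails, the new loop in clustersFromSnapshotConnectProxy only logs a warning and continues, but makeRemoteJWKS in agent/xds/jwt_authn.go (same commit) still names `makeJWKSClusterName(providerName)` as the JWKS upstream. The jwt_authn filter can therefore reference a cluster that was never emitted. Whether Envoy rejects that update or the key fetch simply fails is not visible from this diff, so returning the error (the function already has an error result) would surface the bad provider URI instead of leaving JWT validation in an undetermined state. The log key `"provider name"` contains a space; `"provider"` would be easier to query. The enclosing function starts and ends outside the hunk.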
@@ -184,6 +202,82 @@ func (s *ResourceGenerator) clustersFromSnapshotConnectProxy(cfgSnap *proxycfg.C return clusters, nil } +func makeJWTProviderCluster(p *structs.JWTProviderConfigEntry) (*envoy_cluster_v3.Cluster, error) { + if p.JSONWebKeySet == nil || p.JSONWebKeySet.Remote == nil { + return nil, fmt.Errorf("cannot create JWKS cluster for non-remote JWKS. Provider Name: %s", p.Name) + } + hostname, scheme, port, err := parseJWTRemoteURL(p.JSONWebKeySet.Remote.URI) + if err != nil { + return nil, err + } + + // TODO: expose additional fields: eg. ConnectTimeout, through + // JWTProviderConfigEntry to allow user to configure cluster + cluster := &envoy_cluster_v3.Cluster{ + Name: makeJWKSClusterName(p.Name), + ClusterDiscoveryType: &envoy_cluster_v3.Cluster_Type{ + Type: envoy_cluster_v3.Cluster_STRICT_DNS, + }, + LoadAssignment: &envoy_endpoint_v3.ClusterLoadAssignment{ + ClusterName: makeJWKSClusterName(p.Name), + Endpoints: []*envoy_endpoint_v3.LocalityLbEndpoints{ + { + LbEndpoints: []*envoy_endpoint_v3.LbEndpoint{ + makeEndpoint(hostname, port), + }, + }, + }, + }, + } + + if scheme == "https" { + // TODO: expose this configuration through JWTProviderConfigEntry to allow + // user to configure certs + jwksTLSContext, err := makeUpstreamTLSTransportSocket( + &envoy_tls_v3.UpstreamTlsContext{ + CommonTlsContext: &envoy_tls_v3.CommonTlsContext{ + ValidationContextType: &envoy_tls_v3.CommonTlsContext_ValidationContext{ + ValidationContext: &envoy_tls_v3.CertificateValidationContext{}, + }, + }, + }, + ) + if err != nil { + return nil, err + } + + cluster.TransportSocket = jwksTLSContext + } + return cluster, nil +} + +// parseJWTRemoteURL splits the URI into domain, scheme and port. +// It will default to port 80 for http and 443 for https for any +// URI that does not specify a port. 
+func parseJWTRemoteURL(uri string) (string, string, int, error) { + u, err := url.ParseRequestURI(uri) + if err != nil { + return "", "", 0, err + } + + var port int + if u.Port() != "" { + port, err = strconv.Atoi(u.Port()) + if err != nil { + return "", "", port, err + } + } + + if port == 0 { + port = 80 + if u.Scheme == "https" { + port = 443 + } + } + + return u.Hostname(), u.Scheme, port, nil +} + func makeExposeClusterName(destinationPort int) string { return fmt.Sprintf("exposed_cluster_%d", destinationPort) } diff --git a/agent/xds/clusters_test.go b/agent/xds/clusters_test.go index ff72bd35c8..446f0ae247 100644 --- a/agent/xds/clusters_test.go +++ b/agent/xds/clusters_test.go 
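Review bot: For https JWKS URIs, makeJWTProviderCluster builds an UpstreamTlsContext whose `CertificateValidationContext{}` is empty (no trusted CA, no subject-alt-name match) and sets no SNI; Envoy does not verify the peer certificate when no trusted CA is configured, so the JWKS connection is encrypted but the endpoint is not authenticated. The keys fetched over this cluster decide which JWTs the proxy accepts, so the "configure certs" TODO is a prerequisite rather than a follow-up: set a trust bundle, match the SAN against `hostname`, and set `Sni: hostname`. parseJWTRemoteURL also never checks the scheme or host: `url.ParseRequestURI` accepts a bare path such as `/jwks.json`, and every scheme other than https falls through to plaintext on port 80. Rejecting anything that is not http/https with a non-empty host keeps a mistyped URI from silently producing a plaintext cluster.

```go
func parseJWTRemoteURL(uri string) (string, string, int, error) {
	u, err := url.ParseRequestURI(uri)
	if err != nil {
		return "", "", 0, err
	}

	// Only http and https can be mapped to a default port and a transport.
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", "", 0, fmt.Errorf("unsupported JWKS URI scheme %q", u.Scheme)
	}
	if u.Hostname() == "" {
		return "", "", 0, fmt.Errorf("JWKS URI %q has no host", uri)
	}
	// … unchanged: explicit port parsing and default-port selection …
}
```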
@@ -959,6 +959,185 @@ func TestEnvoyLBConfig_InjectToCluster(t *testing.T) { } } +func TestMakeJWTProviderCluster(t *testing.T) { + // All tests here depend on golden files located under: agent/xds/testdata/jwt_authn_cluster/* + tests := map[string]struct { + provider *structs.JWTProviderConfigEntry + expectedError string + }{ + "remote-jwks-not-configured": { + provider: &structs.JWTProviderConfigEntry{ + Kind: "jwt-provider", + Name: "okta", + JSONWebKeySet: &structs.JSONWebKeySet{}, + }, + expectedError: "cannot create JWKS cluster for non remote JWKS. Provider Name: okta", + }, + "local-jwks-configured": { + provider: &structs.JWTProviderConfigEntry{ + Kind: "jwt-provider", + Name: "okta", + JSONWebKeySet: &structs.JSONWebKeySet{ + Local: &structs.LocalJWKS{ + Filename: "filename", + }, + }, + }, + expectedError: "cannot create JWKS cluster for non remote JWKS. Provider Name: okta", + }, + "https-provider-with-hostname-no-port": { + provider: makeTestProviderWithJWKS("https://example-okta.com/.well-known/jwks.json"), + }, + "http-provider-with-hostname-no-port": { + provider: makeTestProviderWithJWKS("http://example-okta.com/.well-known/jwks.json"), + }, + "https-provider-with-hostname-and-port": { + provider: makeTestProviderWithJWKS("https://example-okta.com:90/.well-known/jwks.json"), + }, + "http-provider-with-hostname-and-port": { + provider: makeTestProviderWithJWKS("http://example-okta.com:90/.well-known/jwks.json"), + }, + "https-provider-with-ip-no-port": { + provider: makeTestProviderWithJWKS("https://127.0.0.1"), + }, + "http-provider-with-ip-no-port": { + provider: makeTestProviderWithJWKS("http://127.0.0.1"), + }, + "https-provider-with-ip-and-port": { + provider: makeTestProviderWithJWKS("https://127.0.0.1:9091"), + }, + "http-provider-with-ip-and-port": { + provider: makeTestProviderWithJWKS("http://127.0.0.1:9091"), + }, + } + + for name, tt := range tests { + tt := tt + t.Run(name, func(t *testing.T) { + cluster, err := 
makeJWTProviderCluster(tt.provider) + if tt.expectedError != "" { + require.Error(t, err, tt.expectedError) + } else { + require.NoError(t, err) + gotJSON := protoToJSON(t, cluster) + require.JSONEq(t, goldenSimple(t, filepath.Join("jwt_authn_clusters", name), gotJSON), gotJSON) + } + + }) + } +} + +func makeTestProviderWithJWKS(uri string) *structs.JWTProviderConfigEntry { + return &structs.JWTProviderConfigEntry{ + Kind: "jwt-provider", + Name: "okta", + Issuer: "test-issuer", + JSONWebKeySet: &structs.JSONWebKeySet{ + Remote: &structs.RemoteJWKS{ + RequestTimeoutMs: 1000, + FetchAsynchronously: true, + URI: uri, + }, + }, + } +} + +func TestParseJWTRemoteURL(t *testing.T) { + tests := map[string]struct { + uri string + expectedHost string + expectedPort int + expectedScheme string + expectError bool + }{ + "invalid-url": { + uri: ".com", + expectError: true, + }, + "https-hostname-no-port": { + uri: "https://test.test.com", + expectedHost: "test.test.com", + expectedPort: 443, + expectedScheme: "https", + }, + "https-hostname-with-port": { + uri: "https://test.test.com:4545", + expectedHost: "test.test.com", + expectedPort: 4545, + expectedScheme: "https", + }, + "https-hostname-with-port-and-path": { + uri: "https://test.test.com:4545/test", + expectedHost: "test.test.com", + expectedPort: 4545, + expectedScheme: "https", + }, + "http-hostname-no-port": { + uri: "http://test.test.com", + expectedHost: "test.test.com", + expectedPort: 80, + expectedScheme: "http", + }, + "http-hostname-with-port": { + uri: "http://test.test.com:4636", + expectedHost: "test.test.com", + expectedPort: 4636, + expectedScheme: "http", + }, + "https-ip-no-port": { + uri: "https://127.0.0.1", + expectedHost: "127.0.0.1", + expectedPort: 443, + expectedScheme: "https", + }, + "https-ip-with-port": { + uri: "https://127.0.0.1:3434", + expectedHost: "127.0.0.1", + expectedPort: 3434, + expectedScheme: "https", + }, + "http-ip-no-port": { + uri: "http://127.0.0.1", + expectedHost: 
"127.0.0.1", + expectedPort: 80, + expectedScheme: "http", + }, + "http-ip-with-port": { + uri: "http://127.0.0.1:9190", + expectedHost: "127.0.0.1", + expectedPort: 9190, + expectedScheme: "http", + }, + "http-ip-with-port-and-path": { + uri: "http://127.0.0.1:9190/some/where", + expectedHost: "127.0.0.1", + expectedPort: 9190, + expectedScheme: "http", + }, + "http-ip-no-port-with-path": { + uri: "http://127.0.0.1/test/path", + expectedHost: "127.0.0.1", + expectedPort: 80, + expectedScheme: "http", + }, + } + + for name, tt := range tests { + tt := tt + t.Run(name, func(t *testing.T) { + host, scheme, port, err := parseJWTRemoteURL(tt.uri) + if tt.expectError { + require.Error(t, err) + } else { + require.NoError(t, err) + require.Equal(t, host, tt.expectedHost) + require.Equal(t, scheme, tt.expectedScheme) + require.Equal(t, port, tt.expectedPort) + } + }) + } +} + // UID is just a convenience function to aid in writing tests less verbosely. func UID(input string) proxycfg.UpstreamID { return proxycfg.UpstreamIDFromString(input) diff --git a/agent/xds/jwt_authn.go b/agent/xds/jwt_authn.go index 0dc95f5eec..ba1c17bbc2 100644 --- a/agent/xds/jwt_authn.go +++ b/agent/xds/jwt_authn.go @@ -19,6 +19,7 @@ import ( const ( jwtEnvoyFilter = "envoy.filters.http.jwt_authn" jwtMetadataKeyPrefix = "jwt_payload" + jwksClusterPrefix = "jwks_cluster" ) // This is an intermediate JWTProvider form used to associate @@ -158,7 +159,7 @@ func buildJWTProviderConfig(p *structs.JWTProviderConfigEntry, metadataKeySuffix } envoyCfg.JwksSourceSpecifier = specifier } else if remote := p.JSONWebKeySet.Remote; remote != nil && remote.URI != "" { - envoyCfg.JwksSourceSpecifier = makeRemoteJWKS(remote) + envoyCfg.JwksSourceSpecifier = makeRemoteJWKS(remote, p.Name) } else { return nil, fmt.Errorf("invalid jwt provider config; missing JSONWebKeySet for provider: %s", p.Name) } 
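Review bot: In TestMakeJWTProviderCluster, `require.Error(t, err, tt.expectedError)` only asserts that some error occurred, because the third argument is the failure message rather than an expected value, so the expectedError strings are never compared. They would not match if they were: the cases expect "non remote JWKS" while makeJWTProviderCluster returns "non-remote JWKS". Use `require.EqualError(t, err, tt.expectedError)` and correct the strings; the header comment also points at `testdata/jwt_authn_cluster/*` while the golden files are written under `jwt_authn_clusters`. In TestParseJWTRemoteURL the `require.Equal` calls pass the actual value before the expected one, which swaps the labels in failure output, and the table has no case for a non-http(s) scheme or a URI without a host.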
@@ -210,14 +211,12 @@ func makeLocalJWKS(l *structs.LocalJWKS, pName string) (*envoy_http_jwt_authn_v3 return specifier, nil } -func makeRemoteJWKS(r *structs.RemoteJWKS) *envoy_http_jwt_authn_v3.JwtProvider_RemoteJwks { +func makeRemoteJWKS(r *structs.RemoteJWKS, providerName string) *envoy_http_jwt_authn_v3.JwtProvider_RemoteJwks { remote_specifier := envoy_http_jwt_authn_v3.JwtProvider_RemoteJwks{ RemoteJwks: &envoy_http_jwt_authn_v3.RemoteJwks{ HttpUri: &envoy_core_v3.HttpUri{ - Uri: r.URI, - // TODO(roncodingenthusiast): An explicit cluster is required. - // Need to figure out replacing `jwks_cluster` will an actual cluster - HttpUpstreamType: &envoy_core_v3.HttpUri_Cluster{Cluster: "jwks_cluster"}, + Uri: r.URI, + HttpUpstreamType: &envoy_core_v3.HttpUri_Cluster{Cluster: makeJWKSClusterName(providerName)}, }, AsyncFetch: &envoy_http_jwt_authn_v3.JwksAsyncFetch{ FastListener: r.FetchAsynchronously, @@ -239,6 +238,10 @@ func makeRemoteJWKS(r *structs.RemoteJWKS) *envoy_http_jwt_authn_v3.JwtProvider_ return &remote_specifier } +func makeJWKSClusterName(providerName string) string { + return fmt.Sprintf("%s_%s", jwksClusterPrefix, providerName) +} + func buildJWTRetryPolicy(r *structs.JWKSRetryPolicy) *envoy_core_v3.RetryPolicy { var pol envoy_core_v3.RetryPolicy if r == nil { diff --git a/agent/xds/jwt_authn_test.go b/agent/xds/jwt_authn_test.go index 589421e8c0..b2a7d7ce54 100644 --- a/agent/xds/jwt_authn_test.go +++ b/agent/xds/jwt_authn_test.go @@ -438,7 +438,7 @@ func TestBuildJWTProviderConfig(t *testing.T) { RemoteJwks: &envoy_http_jwt_authn_v3.RemoteJwks{ HttpUri: &envoy_core_v3.HttpUri{ Uri: oktaRemoteJWKS.URI, - HttpUpstreamType: &envoy_core_v3.HttpUri_Cluster{Cluster: "jwks_cluster"}, + HttpUpstreamType: &envoy_core_v3.HttpUri_Cluster{Cluster: makeJWKSClusterName(ceRemoteJWKS.Name)}, Timeout: &durationpb.Duration{Seconds: 1}, }, AsyncFetch: &envoy_http_jwt_authn_v3.JwksAsyncFetch{ 
@@ -520,16 +520,18 @@ func TestMakeLocalJWKS(t *testing.T) { func TestMakeRemoteJWKS(t *testing.T) { tests := map[string]struct { - jwks *structs.RemoteJWKS - expected *envoy_http_jwt_authn_v3.JwtProvider_RemoteJwks + jwks *structs.RemoteJWKS + providerName string + expected *envoy_http_jwt_authn_v3.JwtProvider_RemoteJwks }{ "with-no-cache-duration": { - jwks: oktaRemoteJWKS, + jwks: oktaRemoteJWKS, + providerName: "auth0", expected: &envoy_http_jwt_authn_v3.JwtProvider_RemoteJwks{ RemoteJwks: &envoy_http_jwt_authn_v3.RemoteJwks{ HttpUri: &envoy_core_v3.HttpUri{ Uri: oktaRemoteJWKS.URI, - HttpUpstreamType: &envoy_core_v3.HttpUri_Cluster{Cluster: "jwks_cluster"}, + HttpUpstreamType: &envoy_core_v3.HttpUri_Cluster{Cluster: makeJWKSClusterName("auth0")}, Timeout: &durationpb.Duration{Seconds: 1}, }, AsyncFetch: &envoy_http_jwt_authn_v3.JwksAsyncFetch{ @@ -539,12 +541,13 @@ func TestMakeRemoteJWKS(t *testing.T) { }, }, "with-retry-policy": { - jwks: extendedRemoteJWKS, + jwks: extendedRemoteJWKS, + providerName: "okta", expected: &envoy_http_jwt_authn_v3.JwtProvider_RemoteJwks{ RemoteJwks: &envoy_http_jwt_authn_v3.RemoteJwks{ HttpUri: &envoy_core_v3.HttpUri{ Uri: oktaRemoteJWKS.URI, - HttpUpstreamType: &envoy_core_v3.HttpUri_Cluster{Cluster: "jwks_cluster"}, + HttpUpstreamType: &envoy_core_v3.HttpUri_Cluster{Cluster: makeJWKSClusterName("okta")}, Timeout: &durationpb.Duration{Seconds: 1}, }, AsyncFetch: &envoy_http_jwt_authn_v3.JwksAsyncFetch{ @@ -560,7 +563,7 @@ func TestMakeRemoteJWKS(t *testing.T) { for name, tt := range tests { tt := tt t.Run(name, func(t *testing.T) { - res := makeRemoteJWKS(tt.jwks) + res := makeRemoteJWKS(tt.jwks, tt.providerName) require.Equal(t, res, tt.expected) }) } diff --git a/agent/xds/testdata/jwt_authn/intention-with-path.golden b/agent/xds/testdata/jwt_authn/intention-with-path.golden index 306ecad5f6..6e925758ca 100644 --- a/agent/xds/testdata/jwt_authn/intention-with-path.golden 
+++ b/agent/xds/testdata/jwt_authn/intention-with-path.golden @@ -9,7 +9,7 @@ "remoteJwks": { "httpUri": { "uri": "https://example-okta.com/.well-known/jwks.json", - "cluster": "jwks_cluster", + "cluster": "jwks_cluster_okta", "timeout": "1s" }, "asyncFetch": { diff --git a/agent/xds/testdata/jwt_authn/multiple-providers-and-one-permission.golden b/agent/xds/testdata/jwt_authn/multiple-providers-and-one-permission.golden index feb1d6012e..ca9a99265e 100644 --- a/agent/xds/testdata/jwt_authn/multiple-providers-and-one-permission.golden +++ b/agent/xds/testdata/jwt_authn/multiple-providers-and-one-permission.golden @@ -9,7 +9,7 @@ "remoteJwks": { "httpUri": { "uri": "https://example-okta.com/.well-known/jwks.json", - "cluster": "jwks_cluster", + "cluster": "jwks_cluster_okta", "timeout": "1s" }, "asyncFetch": { @@ -23,7 +23,7 @@ "remoteJwks": { "httpUri": { "uri": "https://example-okta.com/.well-known/jwks.json", - "cluster": "jwks_cluster", + "cluster": "jwks_cluster_okta", "timeout": "1s" }, "asyncFetch": { @@ -37,7 +37,7 @@ "remoteJwks": { "httpUri": { "uri": "https://example-auth0.com/.well-known/jwks.json", - "cluster": "jwks_cluster", + "cluster": "jwks_cluster_auth0", "timeout": "1s" }, "asyncFetch": { diff --git a/agent/xds/testdata/jwt_authn/remote-provider.golden b/agent/xds/testdata/jwt_authn/remote-provider.golden index b84e1ea102..6116a58cec 100644 --- a/agent/xds/testdata/jwt_authn/remote-provider.golden +++ b/agent/xds/testdata/jwt_authn/remote-provider.golden @@ -9,7 +9,7 @@ "remoteJwks": { "httpUri": { "uri": "https://example-okta.com/.well-known/jwks.json", - "cluster": "jwks_cluster", + "cluster": "jwks_cluster_okta", "timeout": "1s" }, "asyncFetch": { diff --git a/agent/xds/testdata/jwt_authn/top-level-provider-with-permission.golden b/agent/xds/testdata/jwt_authn/top-level-provider-with-permission.golden index 42a609470d..6eed6793df 100644 --- a/agent/xds/testdata/jwt_authn/top-level-provider-with-permission.golden 
+++ b/agent/xds/testdata/jwt_authn/top-level-provider-with-permission.golden @@ -9,7 +9,7 @@ "remoteJwks": { "httpUri": { "uri": "https://example-okta.com/.well-known/jwks.json", - "cluster": "jwks_cluster", + "cluster": "jwks_cluster_okta", "timeout": "1s" }, "asyncFetch": { @@ -23,7 +23,7 @@ "remoteJwks": { "httpUri": { "uri": "https://example-okta.com/.well-known/jwks.json", - "cluster": "jwks_cluster", + "cluster": "jwks_cluster_okta", "timeout": "1s" }, "asyncFetch": { diff --git a/agent/xds/testdata/jwt_authn_clusters/http-provider-with-hostname-and-port.golden b/agent/xds/testdata/jwt_authn_clusters/http-provider-with-hostname-and-port.golden new file mode 100644 index 0000000000..a8f9de349b --- /dev/null +++ b/agent/xds/testdata/jwt_authn_clusters/http-provider-with-hostname-and-port.golden @@ -0,0 +1,23 @@ +{ + "loadAssignment": { + "clusterName": "jwks_cluster_okta", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "example-okta.com", + "portValue": 90 + } + } + } + } + ] + } + ] + }, + "name": "jwks_cluster_okta", + "type": "STRICT_DNS" +} \ No newline at end of file diff --git a/agent/xds/testdata/jwt_authn_clusters/http-provider-with-hostname-no-port.golden b/agent/xds/testdata/jwt_authn_clusters/http-provider-with-hostname-no-port.golden new file mode 100644 index 0000000000..977b8c70f1 --- /dev/null +++ b/agent/xds/testdata/jwt_authn_clusters/http-provider-with-hostname-no-port.golden @@ -0,0 +1,23 @@ +{ + "loadAssignment": { + "clusterName": "jwks_cluster_okta", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "example-okta.com", + "portValue": 80 + } + } + } + } + ] + } + ] + }, + "name": "jwks_cluster_okta", + "type": "STRICT_DNS" +} \ No newline at end of file 
diff --git a/agent/xds/testdata/jwt_authn_clusters/http-provider-with-ip-and-port.golden b/agent/xds/testdata/jwt_authn_clusters/http-provider-with-ip-and-port.golden new file mode 100644 index 0000000000..f5dbc48409 --- /dev/null +++ b/agent/xds/testdata/jwt_authn_clusters/http-provider-with-ip-and-port.golden @@ -0,0 +1,23 @@ +{ + "loadAssignment": { + "clusterName": "jwks_cluster_okta", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9091 + } + } + } + } + ] + } + ] + }, + "name": "jwks_cluster_okta", + "type": "STRICT_DNS" +} \ No newline at end of file diff --git a/agent/xds/testdata/jwt_authn_clusters/http-provider-with-ip-no-port.golden b/agent/xds/testdata/jwt_authn_clusters/http-provider-with-ip-no-port.golden new file mode 100644 index 0000000000..e47f1a6fbe --- /dev/null +++ b/agent/xds/testdata/jwt_authn_clusters/http-provider-with-ip-no-port.golden @@ -0,0 +1,23 @@ +{ + "loadAssignment": { + "clusterName": "jwks_cluster_okta", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 80 + } + } + } + } + ] + } + ] + }, + "name": "jwks_cluster_okta", + "type": "STRICT_DNS" +} \ No newline at end of file diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden new file mode 100644 index 0000000000..54af47ef8b --- /dev/null +++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden 
@@ -0,0 +1,32 @@ +{ + "loadAssignment": { + "clusterName": "jwks_cluster_okta", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "example-okta.com", + "portValue": 90 + } + } + } + } + ] + } + ] + }, + "name": "jwks_cluster_okta", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "validationContext": {} + } + } + }, + "type": "STRICT_DNS" +} \ No newline at end of file diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden new file mode 100644 index 0000000000..7b266fa484 --- /dev/null +++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden @@ -0,0 +1,32 @@ +{ + "loadAssignment": { + "clusterName": "jwks_cluster_okta", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "example-okta.com", + "portValue": 443 + } + } + } + } + ] + } + ] + }, + "name": "jwks_cluster_okta", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "validationContext": {} + } + } + }, + "type": "STRICT_DNS" +} \ No newline at end of file diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden new file mode 100644 index 0000000000..bdcbe0f3dc --- /dev/null +++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden 
@@ -0,0 +1,32 @@ +{ + "loadAssignment": { + "clusterName": "jwks_cluster_okta", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9091 + } + } + } + } + ] + } + ] + }, + "name": "jwks_cluster_okta", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "validationContext": {} + } + } + }, + "type": "STRICT_DNS" +} \ No newline at end of file diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden new file mode 100644 index 0000000000..c72e0e93d9 --- /dev/null +++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden @@ -0,0 +1,32 @@ +{ + "loadAssignment": { + "clusterName": "jwks_cluster_okta", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 443 + } + } + } + } + ] + } + ] + }, + "name": "jwks_cluster_okta", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "validationContext": {} + } + } + }, + "type": "STRICT_DNS" +} \ No newline at end of file From f7305b279c2d9dc3e0a224c776d5ccafc4fd396c Mon Sep 17 00:00:00 2001 From: Dan Bond Date: Thu, 29 Jun 2023 13:43:32 -0700 Subject: [PATCH 05/14] website: remove deprecated agent rpc docs (#17962) --- website/content/docs/agent/rpc.mdx | 260 ----------------------------- website/data/docs-nav-data.json | 5 - 2 files changed, 265 deletions(-) delete mode 100644 website/content/docs/agent/rpc.mdx diff --git a/website/content/docs/agent/rpc.mdx b/website/content/docs/agent/rpc.mdx deleted file mode 100644 index bdff4a05fc..0000000000 
--- a/website/content/docs/agent/rpc.mdx +++ /dev/null 
@@ -1,260 +0,0 @@ ---- -layout: docs -page_title: Legacy RPC Protocol -description: >- - Consul agents originally could be controlled through the RPC protocol. This feature was deprecated in version 0.8 in favor of the HTTP API. Learn about agent RPC interactions and how they worked. ---- - -# RPC Protocol - -~> The RPC Protocol is deprecated and support was removed in Consul -0.8. Please use the [HTTP API](/consul/api-docs), which has -support for all features of the RPC Protocol. - -The Consul agent provides a complete RPC mechanism that can -be used to control the agent programmatically. This RPC -mechanism is the same one used by the CLI but can be -used by other applications to easily leverage the power -of Consul without directly embedding. - -It is important to note that the RPC protocol does not support -all the same operations as the [HTTP API](/consul/api-docs). - -## Implementation Details - -The RPC protocol is implemented using [MsgPack](http://msgpack.org/) -over TCP. This choice was driven by the fact that all operating -systems support TCP, and MsgPack provides a fast serialization format -that is broadly available across languages. - -All RPC requests have a request header, and some requests have -a request body. The request header looks like: - -```javascript -{ - "Command": "Handshake", - "Seq": 0 -} -``` - -All responses have a response header, and some may contain -a response body. The response header looks like: - -```javascript -{ - "Seq": 0, - "Error": "" -} -``` - -The `Command` in the request is used to specify what command the server should -run, and the `Seq` is used to track the request. Responses are -tagged with the same `Seq` as the request. This allows for some -concurrency on the server side as requests are not purely FIFO. -Thus, the `Seq` value should not be re-used between commands. -All responses may be accompanied by an error. 
- -Possible commands include: - -- handshake - Initializes the connection and sets the version -- force-leave - Removes a failed node from the cluster -- join - Requests Consul join another node -- members-lan - Returns the list of LAN members -- members-wan - Returns the list of WAN members -- monitor - Starts streaming logs over the connection -- stop - Stops streaming logs -- leave - Instructs the Consul agent to perform a graceful leave and shutdown -- stats - Provides various debugging statistics -- reload - Triggers a configuration reload - -Each command is documented below along with any request or -response body that is applicable. - -### handshake - -This command is used to initialize an RPC connection. As it informs -the server which version the client is using, handshake MUST be the -first command sent. - -The request header must be followed by a handshake body, like: - -```javascript -{ - "Version": 1 -} -``` - -The body specifies the IPC version being used; however, only version -1 is currently supported. This is to ensure backwards compatibility -in the future. - -There is no special response body, but the client should wait for the -response and check for an error. - -### force-leave - -This command is used to remove failed nodes from a cluster. It takes -the following body: - -```javascript -{ - "Node": "failed-node-name" -} -``` - -There is no special response body. - -### join - -This command is used to join an existing cluster using one or more known nodes. -It takes the following body: - -```javascript -{ - "Existing": [ - "192.168.0.1:6000", - "192.168.0.2:6000" - ], - "WAN": false -} -``` - -The `Existing` nodes are each contacted, and `WAN` controls if we are adding a -WAN member or LAN member. LAN members are expected to be in the same datacenter -and should be accessible at relatively low latencies. WAN members are expected to -be operating in different datacenters with relatively high access latencies. 
It is -important that only agents running in "server" mode are able to join nodes over the -WAN. - -The response contains both a header and body. The body looks like: - -```javascript -{ - "Num": 2 -} -``` - -'Num' indicates the number of nodes successfully joined. - -### members-lan - -This command is used to return all the known LAN members and associated -information. All agents will respond to this command. - -There is no request body, but the response looks like: - -```javascript -{ - "Members": [ - { - "Name": "TestNode" - "Addr": [127, 0, 0, 1], - "Port": 5000, - "Tags": { - "role": "test" - }, - "Status": "alive", - "ProtocolMin": 0, - "ProtocolMax": 3, - "ProtocolCur": 2, - "DelegateMin": 0, - "DelegateMax": 1, - "DelegateCur": 1, - }, - ... - ] -} -``` - -### members-wan - -This command is used to return all the known WAN members and associated -information. Only agents in server mode will respond to this command. - -There is no request body, and the response is the same as `members-lan` - -### monitor - -The monitor command subscribes the channel to log messages from the Agent. - -The request looks like: - -```javascript -{ - "LogLevel": "DEBUG" -} -``` - -This subscribes the client to all messages of at least DEBUG level. - -The server will respond with a standard response header indicating if the monitor -was successful. If so, any future logs will be sent and tagged with -the same `Seq` as in the `monitor` request. - -Assume we issued the previous monitor command with `"Seq": 50`. We may start -getting messages like: - -```javascript -{ - "Seq": 50, - "Error": "" -} - -{ - "Log": "2013/12/03 13:06:53 [INFO] agent: Received event: member-join" -} -``` - -It is important to realize that these messages are sent asynchronously -and not in response to any command. If a client is streaming -commands, there may be logs streamed while a client is waiting for a -response to a command. 
This is why the `Seq` must be used to pair requests -with their corresponding responses. - -The client can only be subscribed to at most a single monitor instance. -To stop streaming, the `stop` command is used. - -### stop - -This command stops a monitor. - -The request looks like: - -```javascript -{ - "Stop": 50 -} -``` - -This unsubscribes the client from the monitor with `Seq` value of 50. - -There is no response body. - -### leave - -This command is used to trigger a graceful leave and shutdown. -There is no request body or response body. - -### stats - -This command provides debug information. There is no request body, and the -response body looks like: - -```javascript -{ - "agent": { - "check_monitors": 0, - ... - }, - "consul: { - "server": "true", - ... - }, - ... -} -``` - -### reload - -This command is used to trigger a reload of configurations. -There is no request body or response body. diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 6d92dab502..16feb0d11d 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -1071,11 +1071,6 @@ "title": "Sentinel", "path": "agent/sentinel" }, - { - "title": "RPC", - "path": "agent/rpc", - "hidden": true - }, { "title": "Experimental WAL LogStore", "routes": [ From 2736e645d4c0794c4736fd71177a0ee829f70199 Mon Sep 17 00:00:00 2001 From: Derek Menteer <105233703+hashi-derek@users.noreply.github.com> Date: Thu, 29 Jun 2023 16:04:21 -0500 Subject: [PATCH 06/14] Fix missing BalanceOutboundConnections in v2 catalog. (#17964) --- proto-public/pbmesh/v1alpha1/connection.pb.go | 110 ++++++++------- proto-public/pbmesh/v1alpha1/connection.proto | 8 +- proto-public/pbmesh/v1alpha1/upstreams.pb.go | 126 +++++++++--------- proto-public/pbmesh/v1alpha1/upstreams.proto | 2 +- 4 files changed, 122 insertions(+), 124 deletions(-) 
diff --git a/proto-public/pbmesh/v1alpha1/connection.pb.go b/proto-public/pbmesh/v1alpha1/connection.pb.go index 5edc0ee76d..65fa3ba329 100644 --- a/proto-public/pbmesh/v1alpha1/connection.pb.go +++ b/proto-public/pbmesh/v1alpha1/connection.pb.go 
@@ -23,50 +23,50 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) -type BalanceInboundConnections int32 +type BalanceConnections int32 const ( // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX - BalanceInboundConnections_BALANCE_INBOUND_CONNECTIONS_DEFAULT BalanceInboundConnections = 0 - BalanceInboundConnections_BALANCE_INBOUND_CONNECTIONS_EXACT BalanceInboundConnections = 1 + BalanceConnections_BALANCE_CONNECTIONS_DEFAULT BalanceConnections = 0 + BalanceConnections_BALANCE_CONNECTIONS_EXACT BalanceConnections = 1 ) -// Enum value maps for BalanceInboundConnections. +// Enum value maps for BalanceConnections. var ( - BalanceInboundConnections_name = map[int32]string{ - 0: "BALANCE_INBOUND_CONNECTIONS_DEFAULT", - 1: "BALANCE_INBOUND_CONNECTIONS_EXACT", + BalanceConnections_name = map[int32]string{ + 0: "BALANCE_CONNECTIONS_DEFAULT", + 1: "BALANCE_CONNECTIONS_EXACT", } - BalanceInboundConnections_value = map[string]int32{ - "BALANCE_INBOUND_CONNECTIONS_DEFAULT": 0, - "BALANCE_INBOUND_CONNECTIONS_EXACT": 1, + BalanceConnections_value = map[string]int32{ + "BALANCE_CONNECTIONS_DEFAULT": 0, + "BALANCE_CONNECTIONS_EXACT": 1, } ) -func (x BalanceInboundConnections) Enum() *BalanceInboundConnections { - p := new(BalanceInboundConnections) +func (x BalanceConnections) Enum() *BalanceConnections { + p := new(BalanceConnections) *p = x return p } -func (x BalanceInboundConnections) String() string { +func (x BalanceConnections) String() string { return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) } -func (BalanceInboundConnections) Descriptor() protoreflect.EnumDescriptor { +func (BalanceConnections) Descriptor() protoreflect.EnumDescriptor { return file_pbmesh_v1alpha1_connection_proto_enumTypes[0].Descriptor() } -func (BalanceInboundConnections) Type() protoreflect.EnumType { +func (BalanceConnections) Type() protoreflect.EnumType { return &file_pbmesh_v1alpha1_connection_proto_enumTypes[0] } -func (x BalanceInboundConnections) Number() 
protoreflect.EnumNumber { +func (x BalanceConnections) Number() protoreflect.EnumNumber { return protoreflect.EnumNumber(x) } -// Deprecated: Use BalanceInboundConnections.Descriptor instead. -func (BalanceInboundConnections) EnumDescriptor() ([]byte, []int) { +// Deprecated: Use BalanceConnections.Descriptor instead. +func (BalanceConnections) EnumDescriptor() ([]byte, []int) { return file_pbmesh_v1alpha1_connection_proto_rawDescGZIP(), []int{0} } @@ -130,8 +130,8 @@ type InboundConnectionsConfig struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - MaxInboundConnections uint64 `protobuf:"varint,12,opt,name=max_inbound_connections,json=maxInboundConnections,proto3" json:"max_inbound_connections,omitempty"` - BalanceInboundConnections BalanceInboundConnections `protobuf:"varint,13,opt,name=balance_inbound_connections,json=balanceInboundConnections,proto3,enum=hashicorp.consul.mesh.v1alpha1.BalanceInboundConnections" json:"balance_inbound_connections,omitempty"` + MaxInboundConnections uint64 `protobuf:"varint,12,opt,name=max_inbound_connections,json=maxInboundConnections,proto3" json:"max_inbound_connections,omitempty"` + BalanceInboundConnections BalanceConnections `protobuf:"varint,13,opt,name=balance_inbound_connections,json=balanceInboundConnections,proto3,enum=hashicorp.consul.mesh.v1alpha1.BalanceConnections" json:"balance_inbound_connections,omitempty"` } func (x *InboundConnectionsConfig) Reset() { @@ -173,11 +173,11 @@ func (x *InboundConnectionsConfig) GetMaxInboundConnections() uint64 { return 0 } -func (x *InboundConnectionsConfig) GetBalanceInboundConnections() BalanceInboundConnections { +func (x *InboundConnectionsConfig) GetBalanceInboundConnections() BalanceConnections { if x != nil { return x.BalanceInboundConnections } - return BalanceInboundConnections_BALANCE_INBOUND_CONNECTIONS_DEFAULT + return BalanceConnections_BALANCE_CONNECTIONS_DEFAULT } var File_pbmesh_v1alpha1_connection_proto protoreflect.FileDescriptor 
@@ -194,45 +194,43 @@ var file_pbmesh_v1alpha1_connection_proto_rawDesc = []byte{ 0x75, 0x74, 0x4d, 0x73, 0x12, 0x2c, 0x0a, 0x12, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x5f, 0x6d, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x04, 0x52, 0x10, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, - 0x4d, 0x73, 0x22, 0xcd, 0x01, 0x0a, 0x18, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, + 0x4d, 0x73, 0x22, 0xc6, 0x01, 0x0a, 0x18, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61, 0x78, 0x5f, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, - 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x79, 0x0a, 0x1b, 0x62, 0x61, 0x6c, 0x61, 0x6e, + 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x72, 0x0a, 0x1b, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x39, 0x2e, 0x68, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x42, 0x61, - 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, - 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x19, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, - 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x2a, 0x6b, 0x0a, 0x19, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 
0x65, 0x49, 0x6e, 0x62, - 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, - 0x27, 0x0a, 0x23, 0x42, 0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x49, 0x4e, 0x42, 0x4f, 0x55, - 0x4e, 0x44, 0x5f, 0x43, 0x4f, 0x4e, 0x4e, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x5f, 0x44, - 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, 0x10, 0x00, 0x12, 0x25, 0x0a, 0x21, 0x42, 0x41, 0x4c, 0x41, - 0x4e, 0x43, 0x45, 0x5f, 0x49, 0x4e, 0x42, 0x4f, 0x55, 0x4e, 0x44, 0x5f, 0x43, 0x4f, 0x4e, 0x4e, - 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x5f, 0x45, 0x58, 0x41, 0x43, 0x54, 0x10, 0x01, 0x42, - 0x97, 0x02, 0x0a, 0x22, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, - 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x42, 0x0f, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, - 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67, 0x69, 0x74, 0x68, 0x75, - 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, - 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, - 0x68, 0x61, 0x31, 0x3b, 0x6d, 0x65, 0x73, 0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, - 0xa2, 0x02, 0x03, 0x48, 0x43, 0x4d, 0xaa, 0x02, 0x1e, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, - 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xca, 0x02, 0x1e, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, - 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, - 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xe2, 0x02, 0x2a, 0x48, 0x61, 0x73, 0x68, 0x69, - 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, - 0x5c, 0x56, 
0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x21, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, - 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a, - 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x33, + 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, + 0x52, 0x19, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, + 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2a, 0x54, 0x0a, 0x12, 0x42, + 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0x1f, 0x0a, 0x1b, 0x42, 0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x43, 0x4f, 0x4e, + 0x4e, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x5f, 0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, + 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x42, 0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x43, 0x4f, + 0x4e, 0x4e, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x5f, 0x45, 0x58, 0x41, 0x43, 0x54, 0x10, + 0x01, 0x42, 0x97, 0x02, 0x0a, 0x22, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, + 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x42, 0x0f, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, + 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x6d, 0x65, 0x73, 0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, + 0x61, 0x31, 0xa2, 0x02, 0x03, 0x48, 0x43, 
0x4d, 0xaa, 0x02, 0x1e, 0x48, 0x61, 0x73, 0x68, 0x69, + 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, + 0x2e, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xca, 0x02, 0x1e, 0x48, 0x61, 0x73, 0x68, + 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, + 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xe2, 0x02, 0x2a, 0x48, 0x61, 0x73, + 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, + 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x21, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, + 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73, + 0x68, 0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( 
@@ -250,12 +248,12 @@ func file_pbmesh_v1alpha1_connection_proto_rawDescGZIP() []byte { var file_pbmesh_v1alpha1_connection_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_pbmesh_v1alpha1_connection_proto_msgTypes = make([]protoimpl.MessageInfo, 2) var file_pbmesh_v1alpha1_connection_proto_goTypes = []interface{}{ - (BalanceInboundConnections)(0), // 0: hashicorp.consul.mesh.v1alpha1.BalanceInboundConnections + (BalanceConnections)(0), // 0: hashicorp.consul.mesh.v1alpha1.BalanceConnections (*ConnectionConfig)(nil), // 1: hashicorp.consul.mesh.v1alpha1.ConnectionConfig (*InboundConnectionsConfig)(nil), // 2: hashicorp.consul.mesh.v1alpha1.InboundConnectionsConfig } var file_pbmesh_v1alpha1_connection_proto_depIdxs = []int32{ - 0, // 0: hashicorp.consul.mesh.v1alpha1.InboundConnectionsConfig.balance_inbound_connections:type_name -> hashicorp.consul.mesh.v1alpha1.BalanceInboundConnections + 0, // 0: hashicorp.consul.mesh.v1alpha1.InboundConnectionsConfig.balance_inbound_connections:type_name -> hashicorp.consul.mesh.v1alpha1.BalanceConnections 1, // [1:1] is the sub-list for method output_type 1, // [1:1] is the sub-list for method input_type 1, // [1:1] is the sub-list for extension type_name diff --git a/proto-public/pbmesh/v1alpha1/connection.proto b/proto-public/pbmesh/v1alpha1/connection.proto index 8a1f4f0e7c..1d054e503b 100644 --- a/proto-public/pbmesh/v1alpha1/connection.proto +++ b/proto-public/pbmesh/v1alpha1/connection.proto @@ -12,11 +12,11 @@ message ConnectionConfig { message InboundConnectionsConfig { uint64 max_inbound_connections = 12; - BalanceInboundConnections balance_inbound_connections = 13; + BalanceConnections balance_inbound_connections = 13; } -enum BalanceInboundConnections { +enum BalanceConnections { // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX - BALANCE_INBOUND_CONNECTIONS_DEFAULT = 0; - BALANCE_INBOUND_CONNECTIONS_EXACT = 1; + BALANCE_CONNECTIONS_DEFAULT = 0; + BALANCE_CONNECTIONS_EXACT = 1; } 
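Review bot: The `connection.proto` hunk renames the enum and both of its values (`BALANCE_INBOUND_CONNECTIONS_EXACT` becomes `BALANCE_CONNECTIONS_EXACT`), and the later `upstreams.proto` hunk renames field 5 of `UpstreamConfig` to `balance_outbound_connections` while keeping its tag. The binary encoding is unchanged, but the JSON and text-format names are not, so any v1alpha1 resource already written with the old field or value names would be rejected or lose the setting when parsed by name. If that is acceptable for an alpha API, it is worth saying so in the commit description. The renamed enum and field also still have no comments; something like `// BALANCE_CONNECTIONS_EXACT requests exact balancing; DEFAULT leaves the proxy default in place.` would help, assuming that matches the intended semantics.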
diff --git a/proto-public/pbmesh/v1alpha1/upstreams.pb.go b/proto-public/pbmesh/v1alpha1/upstreams.pb.go index 575fe43006..93b151a336 100644 --- a/proto-public/pbmesh/v1alpha1/upstreams.pb.go +++ b/proto-public/pbmesh/v1alpha1/upstreams.pb.go 
@@ -432,11 +432,11 @@ type UpstreamConfig struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - ConnectTimeoutMs uint64 `protobuf:"varint,2,opt,name=connect_timeout_ms,json=connectTimeoutMs,proto3" json:"connect_timeout_ms,omitempty"` - Limits *UpstreamLimits `protobuf:"bytes,3,opt,name=limits,proto3" json:"limits,omitempty"` - PassiveHealthCheck *PassiveHealthCheck `protobuf:"bytes,4,opt,name=passive_health_check,json=passiveHealthCheck,proto3" json:"passive_health_check,omitempty"` - BalanceInboundConnections BalanceInboundConnections `protobuf:"varint,5,opt,name=balance_inbound_connections,json=balanceInboundConnections,proto3,enum=hashicorp.consul.mesh.v1alpha1.BalanceInboundConnections" json:"balance_inbound_connections,omitempty"` - MeshGatewayMode MeshGatewayMode `protobuf:"varint,6,opt,name=mesh_gateway_mode,json=meshGatewayMode,proto3,enum=hashicorp.consul.mesh.v1alpha1.MeshGatewayMode" json:"mesh_gateway_mode,omitempty"` + ConnectTimeoutMs uint64 `protobuf:"varint,2,opt,name=connect_timeout_ms,json=connectTimeoutMs,proto3" json:"connect_timeout_ms,omitempty"` + Limits *UpstreamLimits `protobuf:"bytes,3,opt,name=limits,proto3" json:"limits,omitempty"` + PassiveHealthCheck *PassiveHealthCheck `protobuf:"bytes,4,opt,name=passive_health_check,json=passiveHealthCheck,proto3" json:"passive_health_check,omitempty"` + BalanceOutboundConnections BalanceConnections `protobuf:"varint,5,opt,name=balance_outbound_connections,json=balanceOutboundConnections,proto3,enum=hashicorp.consul.mesh.v1alpha1.BalanceConnections" json:"balance_outbound_connections,omitempty"` + MeshGatewayMode MeshGatewayMode `protobuf:"varint,6,opt,name=mesh_gateway_mode,json=meshGatewayMode,proto3,enum=hashicorp.consul.mesh.v1alpha1.MeshGatewayMode" json:"mesh_gateway_mode,omitempty"` } func (x *UpstreamConfig) Reset() { 
@@ -492,11 +492,11 @@ func (x *UpstreamConfig) GetPassiveHealthCheck() *PassiveHealthCheck { return nil } -func (x *UpstreamConfig) GetBalanceInboundConnections() BalanceInboundConnections { +func (x *UpstreamConfig) GetBalanceOutboundConnections() BalanceConnections { if x != nil { - return x.BalanceInboundConnections + return x.BalanceOutboundConnections } - return BalanceInboundConnections_BALANCE_INBOUND_CONNECTIONS_DEFAULT + return BalanceConnections_BALANCE_CONNECTIONS_DEFAULT } func (x *UpstreamConfig) GetMeshGatewayMode() MeshGatewayMode { @@ -740,7 +740,7 @@ var file_pbmesh_v1alpha1_upstreams_proto_rawDesc = []byte{ 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x0d, 0x0a, 0x0b, - 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x22, 0xc4, 0x03, 0x0a, 0x0e, + 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x22, 0xbf, 0x03, 0x0a, 0x0e, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2c, 0x0a, 0x12, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x5f, 0x6d, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x10, 0x63, 0x6f, 0x6e, 0x6e, 
@@ -755,60 +755,60 @@ var file_pbmesh_v1alpha1_upstreams_proto_rawDesc = []byte{ 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x61, 0x73, 0x73, 0x69, 0x76, 0x65, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x12, 0x70, 0x61, 0x73, 0x73, 0x69, 0x76, 0x65, 0x48, - 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, 0x79, 0x0a, 0x1b, 0x62, 0x61, - 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f, - 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, 0x32, - 0x39, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, - 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, - 0x2e, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, - 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x19, 0x62, 0x61, 0x6c, 0x61, - 0x6e, 0x63, 0x65, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x5b, 0x0a, 0x11, 0x6d, 0x65, 0x73, 0x68, 0x5f, 0x67, 0x61, - 0x74, 0x65, 0x77, 0x61, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, - 0x32, 0x2f, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, + 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, 0x74, 0x0a, 0x1c, 0x62, 0x61, + 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, + 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, + 0x32, 0x32, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 
0x77, 0x61, 0x79, 0x4d, 0x6f, 0x64, - 0x65, 0x52, 0x0f, 0x6d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x4d, 0x6f, - 0x64, 0x65, 0x22, 0xa3, 0x01, 0x0a, 0x0e, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x4c, - 0x69, 0x6d, 0x69, 0x74, 0x73, 0x12, 0x27, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, 0x63, 0x6f, 0x6e, - 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0e, - 0x6d, 0x61, 0x78, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x30, - 0x0a, 0x14, 0x6d, 0x61, 0x78, 0x5f, 0x70, 0x65, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x5f, 0x72, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x12, 0x6d, 0x61, - 0x78, 0x50, 0x65, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, - 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61, 0x78, 0x5f, 0x63, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, - 0x6e, 0x74, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x05, 0x52, 0x15, 0x6d, 0x61, 0x78, 0x43, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x22, 0xaa, 0x01, 0x0a, 0x12, 0x50, 0x61, 0x73, - 0x73, 0x69, 0x76, 0x65, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, - 0x35, 0x0a, 0x08, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x69, 0x6e, - 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x12, 0x21, 0x0a, 0x0c, 0x6d, 0x61, 0x78, 0x5f, 0x66, 0x61, - 0x69, 0x6c, 0x75, 0x72, 0x65, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0b, 0x6d, 0x61, - 0x78, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x73, 0x12, 0x3a, 0x0a, 0x19, 0x65, 0x6e, 0x66, - 0x6f, 0x72, 0x63, 0x69, 0x6e, 0x67, 0x5f, 0x63, 0x6f, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x74, 0x69, - 
0x76, 0x65, 0x5f, 0x35, 0x78, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x17, 0x65, 0x6e, - 0x66, 0x6f, 0x72, 0x63, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x74, 0x69, - 0x76, 0x65, 0x35, 0x78, 0x78, 0x42, 0x96, 0x02, 0x0a, 0x22, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, + 0x31, 0x2e, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x1a, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x4f, 0x75, 0x74, + 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, + 0x12, 0x5b, 0x0a, 0x11, 0x6d, 0x65, 0x73, 0x68, 0x5f, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, + 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2f, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, - 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x42, 0x0e, 0x55, 0x70, - 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x45, - 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, - 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x6d, 0x65, 0x73, 0x68, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x48, 0x43, 0x4d, 0xaa, 0x02, 0x1e, 0x48, 0x61, - 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, - 0x65, 0x73, 0x68, 0x2e, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xca, 0x02, 0x1e, 0x48, - 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, - 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xe2, 0x02, 0x2a, - 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 
0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, - 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x47, - 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x21, 0x48, 0x61, 0x73, - 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, - 0x4d, 0x65, 0x73, 0x68, 0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x73, + 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x0f, 0x6d, 0x65, + 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x22, 0xa3, 0x01, + 0x0a, 0x0e, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x73, + 0x12, 0x27, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0e, 0x6d, 0x61, 0x78, 0x43, 0x6f, + 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x30, 0x0a, 0x14, 0x6d, 0x61, 0x78, + 0x5f, 0x70, 0x65, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x12, 0x6d, 0x61, 0x78, 0x50, 0x65, 0x6e, 0x64, + 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x12, 0x36, 0x0a, 0x17, 0x6d, + 0x61, 0x78, 0x5f, 0x63, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x72, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x15, 0x6d, 0x61, + 0x78, 0x43, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x73, 0x22, 0xaa, 0x01, 0x0a, 0x12, 0x50, 0x61, 0x73, 0x73, 0x69, 0x76, 0x65, 0x48, + 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, 0x35, 0x0a, 0x08, 0x69, 0x6e, + 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x18, 
0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, + 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, + 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, + 0x6c, 0x12, 0x21, 0x0a, 0x0c, 0x6d, 0x61, 0x78, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, + 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0b, 0x6d, 0x61, 0x78, 0x46, 0x61, 0x69, 0x6c, + 0x75, 0x72, 0x65, 0x73, 0x12, 0x3a, 0x0a, 0x19, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x69, 0x6e, + 0x67, 0x5f, 0x63, 0x6f, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x35, 0x78, + 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x17, 0x65, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x69, + 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x74, 0x69, 0x76, 0x65, 0x35, 0x78, 0x78, + 0x42, 0x96, 0x02, 0x0a, 0x22, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, + 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x42, 0x0e, 0x55, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, + 0x6d, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67, 0x69, 0x74, 0x68, 0x75, + 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, + 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x3b, 0x6d, 0x65, 0x73, 0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0xa2, 0x02, 0x03, 0x48, 0x43, 0x4d, 0xaa, 0x02, 0x1e, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, + 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xca, 0x02, 0x1e, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, + 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 
0x73, 0x68, 0x5c, + 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xe2, 0x02, 0x2a, 0x48, 0x61, 0x73, 0x68, 0x69, + 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, + 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x21, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, + 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a, + 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x33, } var ( @@ -835,7 +835,7 @@ var file_pbmesh_v1alpha1_upstreams_proto_goTypes = []interface{}{ (*PassiveHealthCheck)(nil), // 7: hashicorp.consul.mesh.v1alpha1.PassiveHealthCheck (*v1alpha1.WorkloadSelector)(nil), // 8: hashicorp.consul.catalog.v1alpha1.WorkloadSelector (*pbresource.ID)(nil), // 9: hashicorp.consul.resource.ID - (BalanceInboundConnections)(0), // 10: hashicorp.consul.mesh.v1alpha1.BalanceInboundConnections + (BalanceConnections)(0), // 10: hashicorp.consul.mesh.v1alpha1.BalanceConnections (MeshGatewayMode)(0), // 11: hashicorp.consul.mesh.v1alpha1.MeshGatewayMode (*durationpb.Duration)(nil), // 12: google.protobuf.Duration } 
@@ -853,7 +853,7 @@ var file_pbmesh_v1alpha1_upstreams_proto_depIdxs = []int32{ 5, // 10: hashicorp.consul.mesh.v1alpha1.PreparedQueryUpstream.upstream_config:type_name -> hashicorp.consul.mesh.v1alpha1.UpstreamConfig 6, // 11: hashicorp.consul.mesh.v1alpha1.UpstreamConfig.limits:type_name -> hashicorp.consul.mesh.v1alpha1.UpstreamLimits 7, // 12: hashicorp.consul.mesh.v1alpha1.UpstreamConfig.passive_health_check:type_name -> hashicorp.consul.mesh.v1alpha1.PassiveHealthCheck - 10, // 13: hashicorp.consul.mesh.v1alpha1.UpstreamConfig.balance_inbound_connections:type_name -> hashicorp.consul.mesh.v1alpha1.BalanceInboundConnections + 10, // 13: hashicorp.consul.mesh.v1alpha1.UpstreamConfig.balance_outbound_connections:type_name -> hashicorp.consul.mesh.v1alpha1.BalanceConnections 11, // 14: hashicorp.consul.mesh.v1alpha1.UpstreamConfig.mesh_gateway_mode:type_name -> hashicorp.consul.mesh.v1alpha1.MeshGatewayMode 12, // 15: hashicorp.consul.mesh.v1alpha1.PassiveHealthCheck.interval:type_name -> google.protobuf.Duration 16, // [16:16] is the sub-list for method output_type diff --git a/proto-public/pbmesh/v1alpha1/upstreams.proto b/proto-public/pbmesh/v1alpha1/upstreams.proto index 9239bac774..c1f444e9cc 100644 --- a/proto-public/pbmesh/v1alpha1/upstreams.proto +++ b/proto-public/pbmesh/v1alpha1/upstreams.proto @@ -61,7 +61,7 @@ message UpstreamConfig { uint64 connect_timeout_ms = 2; UpstreamLimits limits = 3; PassiveHealthCheck passive_health_check = 4; - BalanceInboundConnections balance_inbound_connections = 5; + BalanceConnections balance_outbound_connections = 5; MeshGatewayMode mesh_gateway_mode = 6; } From 2af6bc434a578f1d39cee860c057665447393c6a Mon Sep 17 00:00:00 2001 
From: Ashesh Vidyut <134911583+absolutelightning@users.noreply.github.com> Date: Fri, 30 Jun 2023 03:00:29 +0000 Subject: [PATCH 07/14] feature - [NET - 4005] - [Supportability] Reloadable Configuration - enable_debug (#17565) * # This is a combination of 9 commits. # This is the 1st commit message: init without tests # This is the commit message #2: change log # This is the commit message #3: fix tests # This is the commit message #4: fix tests # This is the commit message #5: added tests # This is the commit message #6: change log breaking change # This is the commit message #7: removed breaking change # This is the commit message #8: fix test # This is the commit message #9: keeping the test behaviour same * # This is a combination of 12 commits. # This is the 1st commit message: init without tests # This is the commit message #2: change log # This is the commit message #3: fix tests # This is the commit message #4: fix tests # This is the commit message #5: added tests # This is the commit message #6: change log breaking change # This is the commit message #7: removed breaking change # This is the commit message #8: fix test # This is the commit message #9: keeping the test behaviour same # This is the commit message #10: made enable debug atomic bool # This is the commit message #11: fix lint # This is the commit message #12: fix test true enable debug * parent 10f500e895d92cc3691ade7b74a33db755d22039 author absolutelightning 1687352587 +0530 committer absolutelightning 1687352592 +0530 init without tests change log fix tests fix tests added tests change log breaking change removed breaking change fix test keeping the test behaviour same made enable debug atomic bool fix lint fix test true enable debug using enable debug in agent as atomic bool test fixes fix tests fix tests added update on correct locaiton fix tests fix reloadable config enable debug fix tests fix init and acl 403 * revert commit --- .changelog/17565.txt | 3 +++ agent/agent.go | 12 ++++++++-- 
agent/agent_endpoint_test.go | 8 ++++--- agent/agent_test.go | 33 ++++++++++++++++++++++++++++ agent/config/runtime_test.go | 2 +- agent/http.go | 23 ++++++++++++-------- agent/http_oss_test.go | 7 ++++-- agent/http_test.go | 41 +++++++++++++++++++++++++---------- agent/ui_endpoint_oss_test.go | 4 +++- agent/ui_endpoint_test.go | 4 +++- 10 files changed, 107 insertions(+), 30 deletions(-) create mode 100644 .changelog/17565.txt diff --git a/.changelog/17565.txt b/.changelog/17565.txt new file mode 100644 index 0000000000..f7cf46c389 --- /dev/null +++ b/.changelog/17565.txt @@ -0,0 +1,3 @@ +```release-note:feature +reloadable config: Made enable_debug config reloadable and enable pprof command to work when config toggles to true +``` \ No newline at end of file diff --git a/agent/agent.go b/agent/agent.go index 90bfffc1af..fa75a1cd1c 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -19,6 +19,7 @@ import ( "strconv" "strings" "sync" + "sync/atomic" "time" "github.com/armon/go-metrics" @@ -415,6 +416,8 @@ type Agent struct { // enterpriseAgent embeds fields that we only access in consul-enterprise builds enterpriseAgent + + enableDebug atomic.Bool } // New process the desired options and creates a new Agent. @@ -597,6 +600,8 @@ func (a *Agent) Start(ctx context.Context) error { // Overwrite the configuration. a.config = c + a.enableDebug.Store(c.EnableDebug) + if err := a.tlsConfigurator.Update(a.config.TLS); err != nil { return fmt.Errorf("Failed to load TLS configurations after applying auto-config settings: %w", err) } 
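Review bot: The new `enableDebug atomic.Bool` field added at the end of the `Agent` struct has no comment, unlike `enterpriseAgent` directly above it, and nothing says how it relates to `config.EnableDebug`. According to the changelog entry the flag decides whether the pprof endpoints work, so its role should be stated where it is declared; the `agent/http.go` change that reads it is not in this part of the patch. I would add `// enableDebug mirrors config.EnableDebug; it is atomic so a config reload can change it while HTTP requests are being served.` The struct body starts well before this hunk.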
@@ -1126,13 +1131,13 @@ func (a *Agent) listenHTTP() ([]apiServer, error) { httpServer := &http.Server{ Addr: l.Addr().String(), TLSConfig: tlscfg, - Handler: srv.handler(a.config.EnableDebug), + Handler: srv.handler(), MaxHeaderBytes: a.config.HTTPMaxHeaderBytes, } if scada.IsCapability(l.Addr()) { // wrap in http2 server handler - httpServer.Handler = h2c.NewHandler(srv.handler(a.config.EnableDebug), &http2.Server{}) + httpServer.Handler = h2c.NewHandler(srv.handler(), &http2.Server{}) } // Load the connlimit helper into the server @@ -4290,6 +4295,9 @@ func (a *Agent) reloadConfigInternal(newCfg *config.RuntimeConfig) error { a.proxyConfig.SetUpdateRateLimit(newCfg.XDSUpdateRateLimit) + a.enableDebug.Store(newCfg.EnableDebug) + a.config.EnableDebug = newCfg.EnableDebug + return nil } diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go index 5194e2ae34..c465b687a8 100644 --- a/agent/agent_endpoint_test.go +++ b/agent/agent_endpoint_test.go @@ -1623,7 +1623,7 @@ func TestHTTPHandlers_AgentMetricsStream_ACLDeny(t *testing.T) { resp := httptest.NewRecorder() req, err := http.NewRequestWithContext(ctx, http.MethodGet, "/v1/agent/metrics/stream", nil) require.NoError(t, err) - handle := h.handler(false) + handle := h.handler() handle.ServeHTTP(resp, req) require.Equal(t, http.StatusForbidden, resp.Code) require.Contains(t, resp.Body.String(), "Permission denied") @@ -1660,7 +1660,7 @@ func TestHTTPHandlers_AgentMetricsStream(t *testing.T) { resp := httptest.NewRecorder() req, err := http.NewRequestWithContext(ctx, http.MethodGet, "/v1/agent/metrics/stream", nil) require.NoError(t, err) - handle := h.handler(false) + handle := h.handler() handle.ServeHTTP(resp, req) require.Equal(t, http.StatusOK, resp.Code) 
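Review bot: In the `reloadConfigInternal` hunk of agent/agent.go the setting is now written twice, `a.enableDebug.Store(newCfg.EnableDebug)` and a plain assignment to `a.config.EnableDebug`, and only the first is safe to read concurrently. The pprof wrapper in agent/http.go reads the atomic, but any code that still reads `a.config.EnableDebug` outside whatever lock guards this function (not visible here) would race with a reload. I would add `// request handlers read enableDebug; a.config.EnableDebug is kept in sync for other readers of the runtime config` above the two lines, or drop the second write if nothing reads it. The function body begins outside the hunk.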
@@ -6008,8 +6008,10 @@ func TestAgent_Monitor(t *testing.T) { cancelCtx, cancelFunc := context.WithCancel(context.Background()) req = req.WithContext(cancelCtx) + a.enableDebug.Store(true) + resp := httptest.NewRecorder() - handler := a.srv.handler(true) + handler := a.srv.handler() go handler.ServeHTTP(resp, req) args := &structs.ServiceDefinition{ diff --git a/agent/agent_test.go b/agent/agent_test.go index b234573f3e..a2e27feaf4 100644 --- a/agent/agent_test.go +++ b/agent/agent_test.go @@ -4193,6 +4193,39 @@ func TestAgent_ReloadConfig_XDSUpdateRateLimit(t *testing.T) { require.Equal(t, rate.Limit(1000), a.proxyConfig.UpdateRateLimit()) } +func TestAgent_ReloadConfig_EnableDebug(t *testing.T) { + if testing.Short() { + t.Skip("too slow for testing.Short") + } + + cfg := fmt.Sprintf(`data_dir = %q`, testutil.TempDir(t, "agent")) + + a := NewTestAgent(t, cfg) + defer a.Shutdown() + + c := TestConfig( + testutil.Logger(t), + config.FileSource{ + Name: t.Name(), + Format: "hcl", + Data: cfg + ` enable_debug = true`, + }, + ) + require.NoError(t, a.reloadConfigInternal(c)) + require.Equal(t, true, a.enableDebug.Load()) + + c = TestConfig( + testutil.Logger(t), + config.FileSource{ + Name: t.Name(), + Format: "hcl", + Data: cfg + ` enable_debug = false`, + }, + ) + require.NoError(t, a.reloadConfigInternal(c)) + require.Equal(t, false, a.enableDebug.Load()) +} + func TestAgent_consulConfig_AutoEncryptAllowTLS(t *testing.T) { if testing.Short() { t.Skip("too slow for testing.Short") diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index beaf214dba..cc5451804d 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go 
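Review bot: `a.enableDebug.Store(true)` in the `TestAgent_Monitor` hunk of agent/agent_endpoint_test.go mechanically replaces the old `handler(true)` argument, but as far as this commit shows the flag is read only inside the pprof wrapper in agent/http.go, so it has no effect on this test. The same line is added in both agent/http_oss_test.go hunks and in most agent/http_test.go hunks (twice in `TestAcceptEncodingGzip`) for requests that never reach `/debug/pprof`. I would drop it everywhere except the `TestHTTPServer_PProfHandlers_*` tests, so a reader can see which tests actually depend on the debug flag.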
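Review bot: `TestAgent_ReloadConfig_EnableDebug` in agent/agent_test.go asserts only `a.enableDebug.Load()` after each reload, so it would still pass if the pprof wrapper stopped consulting the flag and `/debug/pprof` stayed reachable after `enable_debug` is reloaded to false. Since the purpose of the change is that exposure follows the reload, each reload should be followed by a request through `a.srv.handler()` with the status asserted. The sketch below assumes the default test agent has ACLs disabled and that `net/http` and `net/http/httptest` are already imported in this file; neither is visible in the hunk.

```go
	require.Equal(t, true, a.enableDebug.Load())
	req, _ := http.NewRequest("GET", "/debug/pprof/cmdline", nil)
	resp := httptest.NewRecorder()
	a.srv.handler().ServeHTTP(resp, req)
	require.Equal(t, http.StatusOK, resp.Code)

	// … unchanged: second TestConfig with enable_debug = false and reload …
	require.Equal(t, false, a.enableDebug.Load())
	resp = httptest.NewRecorder()
	a.srv.handler().ServeHTTP(resp, req)
	require.Equal(t, http.StatusNotFound, resp.Code)
```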
@@ -324,8 +324,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { rt.DevMode = true rt.DisableAnonymousSignature = true rt.DisableKeyringFile = true - rt.EnableDebug = true rt.Experiments = []string{"resource-apis"} + rt.EnableDebug = true rt.UIConfig.Enabled = true rt.LeaveOnTerm = false rt.Logging.LogLevel = "DEBUG" diff --git a/agent/http.go b/agent/http.go index 1706794adf..32010c343a 100644 --- a/agent/http.go +++ b/agent/http.go @@ -167,7 +167,7 @@ func (s *HTTPHandlers) ReloadConfig(newCfg *config.RuntimeConfig) error { // // The first call must not be concurrent with any other call. Subsequent calls // may be concurrent with HTTP requests since no state is modified. -func (s *HTTPHandlers) handler(enableDebug bool) http.Handler { +func (s *HTTPHandlers) handler() http.Handler { // Memoize multiple calls. if s.h != nil { return s.h @@ -210,7 +210,15 @@ func (s *HTTPHandlers) handler(enableDebug bool) http.Handler { // handlePProf takes the given pattern and pprof handler // and wraps it to add authorization and metrics handlePProf := func(pattern string, handler http.HandlerFunc) { + wrapper := func(resp http.ResponseWriter, req *http.Request) { + + // If enableDebug register wrapped pprof handlers + if !s.agent.enableDebug.Load() && s.checkACLDisabled() { + resp.WriteHeader(http.StatusNotFound) + return + } + var token string s.parseToken(req, &token) 
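Review bot: The comment `// If enableDebug register wrapped pprof handlers` in the `handlePProf` hunk of agent/http.go describes the registration-time branch this commit removes, not the per-request check it now sits on. The check answers 404 only when `enable_debug` is off and ACLs are disabled; with ACLs enabled the request continues to the token handling below whatever the flag says. Because the following agent/http.go hunk registers all five `/debug/pprof` routes unconditionally, this line is the only gate for the ACL-disabled case, and I would reword the comment to `// Answer 404, as if the route were unregistered, unless enable_debug is set or ACLs are enabled.` The wrapper body continues outside the hunk, so what the token check enforces is not visible here.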
@@ -245,14 +253,11 @@ func (s *HTTPHandlers) handler(enableDebug bool) http.Handler { handleFuncMetrics(pattern, s.wrap(bound, methods)) } - // If enableDebug or ACL enabled, register wrapped pprof handlers - if enableDebug || !s.checkACLDisabled() { - handlePProf("/debug/pprof/", pprof.Index) - handlePProf("/debug/pprof/cmdline", pprof.Cmdline) - handlePProf("/debug/pprof/profile", pprof.Profile) - handlePProf("/debug/pprof/symbol", pprof.Symbol) - handlePProf("/debug/pprof/trace", pprof.Trace) - } + handlePProf("/debug/pprof/", pprof.Index) + handlePProf("/debug/pprof/cmdline", pprof.Cmdline) + handlePProf("/debug/pprof/profile", pprof.Profile) + handlePProf("/debug/pprof/symbol", pprof.Symbol) + handlePProf("/debug/pprof/trace", pprof.Trace) if s.IsUIEnabled() { // Note that we _don't_ support reloading ui_config.{enabled, content_dir, diff --git a/agent/http_oss_test.go b/agent/http_oss_test.go index 60a9567979..5ba36320f6 100644 --- a/agent/http_oss_test.go +++ b/agent/http_oss_test.go @@ -144,7 +144,8 @@ func TestHTTPAPI_OptionMethod_OSS(t *testing.T) { uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path) req, _ := http.NewRequest("OPTIONS", uri, nil) resp := httptest.NewRecorder() - a.srv.handler(true).ServeHTTP(resp, req) + a.enableDebug.Store(true) + a.srv.handler().ServeHTTP(resp, req) allMethods := append([]string{"OPTIONS"}, methods...) if resp.Code != http.StatusOK { @@ -190,7 +191,9 @@ func TestHTTPAPI_AllowedNets_OSS(t *testing.T) { req, _ := http.NewRequest(method, uri, nil) req.RemoteAddr = "192.168.1.2:5555" resp := httptest.NewRecorder() - a.srv.handler(true).ServeHTTP(resp, req) + a.enableDebug.Store(true) + + a.srv.handler().ServeHTTP(resp, req) require.Equal(t, http.StatusForbidden, resp.Code, "%s %s", method, path) }) diff --git a/agent/http_test.go b/agent/http_test.go index 967b1b0b43..99100c5fbc 100644 --- a/agent/http_test.go +++ b/agent/http_test.go 
@@ -288,7 +288,9 @@ func TestSetupHTTPServer_HTTP2(t *testing.T) { err = setupHTTPS(httpServer, noopConnState, time.Second) require.NoError(t, err) - srvHandler := a.srv.handler(true) + a.enableDebug.Store(true) + + srvHandler := a.srv.handler() mux, ok := srvHandler.(*wrappedMux) require.True(t, ok, "expected a *wrappedMux, got %T", handler) mux.mux.HandleFunc("/echo", handler) @@ -483,7 +485,9 @@ func TestHTTPAPI_Ban_Nonprintable_Characters(t *testing.T) { t.Fatal(err) } resp := httptest.NewRecorder() - a.srv.handler(true).ServeHTTP(resp, req) + a.enableDebug.Store(true) + + a.srv.handler().ServeHTTP(resp, req) if got, want := resp.Code, http.StatusBadRequest; got != want { t.Fatalf("bad response code got %d want %d", got, want) } @@ -506,7 +510,9 @@ func TestHTTPAPI_Allow_Nonprintable_Characters_With_Flag(t *testing.T) { t.Fatal(err) } resp := httptest.NewRecorder() - a.srv.handler(true).ServeHTTP(resp, req) + a.enableDebug.Store(true) + + a.srv.handler().ServeHTTP(resp, req) // Key doesn't actually exist so we should get 404 if got, want := resp.Code, http.StatusNotFound; got != want { t.Fatalf("bad response code got %d want %d", got, want) @@ -645,7 +651,9 @@ func requireHasHeadersSet(t *testing.T, a *TestAgent, path string) { resp := httptest.NewRecorder() req, _ := http.NewRequest("GET", path, nil) - a.srv.handler(true).ServeHTTP(resp, req) + a.enableDebug.Store(true) + + a.srv.handler().ServeHTTP(resp, req) hdrs := resp.Header() require.Equal(t, "*", hdrs.Get("Access-Control-Allow-Origin"), 
@@ -706,14 +714,18 @@ func TestAcceptEncodingGzip(t *testing.T) { // negotiation, but since this call doesn't go through a real // transport, the header has to be set manually req.Header["Accept-Encoding"] = []string{"gzip"} - a.srv.handler(true).ServeHTTP(resp, req) + a.enableDebug.Store(true) + + a.srv.handler().ServeHTTP(resp, req) require.Equal(t, 200, resp.Code) require.Equal(t, "", resp.Header().Get("Content-Encoding")) resp = httptest.NewRecorder() req, _ = http.NewRequest("GET", "/v1/kv/long", nil) req.Header["Accept-Encoding"] = []string{"gzip"} - a.srv.handler(true).ServeHTTP(resp, req) + a.enableDebug.Store(true) + + a.srv.handler().ServeHTTP(resp, req) require.Equal(t, 200, resp.Code) require.Equal(t, "gzip", resp.Header().Get("Content-Encoding")) } @@ -1068,8 +1080,9 @@ func TestHTTPServer_PProfHandlers_EnableDebug(t *testing.T) { resp := httptest.NewRecorder() req, _ := http.NewRequest("GET", "/debug/pprof/profile?seconds=1", nil) + a.enableDebug.Store(true) httpServer := &HTTPHandlers{agent: a.Agent} - httpServer.handler(true).ServeHTTP(resp, req) + httpServer.handler().ServeHTTP(resp, req) require.Equal(t, http.StatusOK, resp.Code) } @@ -1087,7 +1100,7 @@ func TestHTTPServer_PProfHandlers_DisableDebugNoACLs(t *testing.T) { req, _ := http.NewRequest("GET", "/debug/pprof/profile", nil) httpServer := &HTTPHandlers{agent: a.Agent} - httpServer.handler(false).ServeHTTP(resp, req) + httpServer.handler().ServeHTTP(resp, req) require.Equal(t, http.StatusNotFound, resp.Code) } @@ -1168,7 +1181,9 @@ func TestHTTPServer_PProfHandlers_ACLs(t *testing.T) { t.Run(fmt.Sprintf("case %d (%#v)", i, c), func(t *testing.T) { req, _ := http.NewRequest("GET", fmt.Sprintf("%s?token=%s", c.endpoint, c.token), nil) resp := httptest.NewRecorder() - a.srv.handler(true).ServeHTTP(resp, req) + a.enableDebug.Store(true) + + a.srv.handler().ServeHTTP(resp, req) assert.Equal(t, c.code, resp.Code) }) } 
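Review bot: `TestHTTPServer_PProfHandlers_DisableDebugNoACLs` in agent/http_test.go now gets its 404 only because `a.enableDebug` happens to be false when the request is served; the hunk removes the explicit `handler(false)` and puts nothing in its place. This is the test that pins pprof as unreachable with debug off and ACLs disabled, so I would state the precondition with `a.enableDebug.Store(false)` before `httpServer.handler().ServeHTTP(resp, req)`, mirroring the `Store(true)` added in `TestHTTPServer_PProfHandlers_EnableDebug`. The test function starts outside the hunk, so the agent's configuration is not visible here.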
@@ -1478,7 +1493,9 @@ func TestEnableWebUI(t *testing.T) { req, _ := http.NewRequest("GET", "/ui/", nil) resp := httptest.NewRecorder() - a.srv.handler(true).ServeHTTP(resp, req) + a.enableDebug.Store(true) + + a.srv.handler().ServeHTTP(resp, req) require.Equal(t, http.StatusOK, resp.Code) // Validate that it actually sent the index page we expect since an error @@ -1507,7 +1524,9 @@ func TestEnableWebUI(t *testing.T) { { req, _ := http.NewRequest("GET", "/ui/", nil) resp := httptest.NewRecorder() - a.srv.handler(true).ServeHTTP(resp, req) + a.enableDebug.Store(true) + + a.srv.handler().ServeHTTP(resp, req) require.Equal(t, http.StatusOK, resp.Code) require.Contains(t, resp.Body.String(), `