Commit Graph

353 Commits (df4c288ba895a014084a328199419f58dc853978)

Author SHA1 Message Date
Nitya Dhanushkodi 0ec7bddb9a
[Net-5594][Net-7466] v2: Only route to endpoints that implement the port being routed to, and make xdscontroller and xdsv2 golden tests use tenancy (#20356)
* If a workload does not implement a port, it should not be included in the list of endpoints for the Envoy cluster for that port.

* Adds tenancy tests for xds controller and xdsv2 resource generation, and adds all those files.

* The original change in this PR was for filtering the list of endpoints by the port being routed to (bullet 1). Since I made changes to sidecarproxycontroller golden files, I realized some of the golden files were unused because of the tenancy changes, so when I deleted those, that broke xds controller tests which weren't correctly using tenancy. So when I fixed that, then the xdsv2 tests broke, so I added tenancy support there too. So now, from sidecarproxy controller -> xds controller -> xdsv2 we now have tenancy support and all the golden files are lined up.
2024-01-26 10:07:21 -08:00
sarahalsmiller 37ebaa6920
Net 7155- Consul API Gateway Controller Stub Work (#20324)
* API Gateway proto

* fix lint issue

* new line

* run make proto format

* checkpoint

* stub

* Update internal/mesh/internal/controllers/apigateways/controller.go
2024-01-25 23:16:20 +00:00
Luke Kysow 840f11a0c5
Change logging of registered v2 resource endpoints to add /api prefix (#20352)
* Change logging of registered v2 resource endpoints to add /api prefix

Previous:

    agent.http: Registered resource endpoint: endpoint=/demo/v1/executive

New:

    agent.http: Registered resource endpoint: endpoint=/api/demo/v1/executive

This reduces confusion when attempting to call the APIs after looking at
the logs.
2024-01-25 14:18:54 -08:00
Nick Cellino ec0df00fc1
Add finalizer to link resource (#20321)
* Add finalizer to link resource

* Update internal/hcp/internal/controllers/link/controller.go

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* Address PR style feedback

---------

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
2024-01-25 12:27:36 -05:00
John Landa 65920dccf4
move deny action to enterprise only for traffic permissions (#20313)
Add missing import

Add explicit enum case for deny action

Remove extra comments

Add build tags to ent and ce tests

Add copyright headers for the ce files

Fix case statements for ce validator

Remove ce tests with Deny traffic permissions

Fix more integration tests

Split more ce and ent tests, add back ent deny tests for traffic permissions controller

temp rename before rebase

Readd ent deny tests for traffic permissions controller
2024-01-24 13:01:22 -07:00
John Maguire cfe4d59938
[NET-7265] Panic when passing an incorrect type to the data fetcher for gatewayproxy (#20238)
* panic when passing an incorrect type to the data fetcher

* Add assertions for sidecarproxy datafetcher as well

* rename assertion function

* Add in comments to ensure devs know about potential panics for using
invalid types

* fix method call
2024-01-24 14:16:56 -05:00
Melissa Kam 7900544249
[CC-7063] Fetch HCP agent bootstrap config in Link reconciler (#20306)
* Move config-dependent methods to separate package

In order to reuse the fetching and file creation part of the
bootstrap package, move the code that would cause cyclical
dependencies to a different package.

* Export needed bootstrap methods and variables

Also add back validating persisted config and update tests.

* Add support to check for just management token

Add a new method that fetches the bootstrap configuration only if
there isn't a valid management token file instead of checking for
all the hcp-config files.

* Pass data dir as a dependency to link controller

The link controller needs to check the data directory for
the hcp-config files.

* Fetch bootstrap config for token in controller

Load the management token when reconciling a link resource, which will
fetch the agent boostrap configuration if the token is not already
persisted locally. Skip this step if the cluster is in read-only mode.

* Validate resource ID format in link creation

* Handle unauthorized and forbidden errors

Check for 401 and 403s when making GNM requests, exit bootstrap fetch
loop and return specific failure statuses for link.

* Move test function to a testing file

* Log load and status write errors
2024-01-24 09:51:43 -06:00
aahel 3446eb3b1b
added computed failover controller (#20329)
* added computed failover controller

* removed some uncessary changes

* removed uncessary changes

* minor refactor

* minor refactor fmt

* added copyright
2024-01-24 11:50:27 +05:30
skpratt 0abf8f8426
Net 5092/internal l7 traffic permissions (#20276)
* wire up L7 Traffic Permissions

* testing

* update comment
2024-01-23 20:07:58 -06:00
skpratt 44bcda8523
Net 7074/decentralized exported services management (#20318)
* Add decentralized management of V1 exported-services config entries using V2 multicluster resources.

* cleanup

---------

Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
2024-01-23 19:44:10 -06:00
Tauhid Anjum b37fe80eee
Net 6774 Make Sameness Groups Work With Traffic Permissions CE (#20316)
* Make Sameness Groups Work With Traffic Permissions

* Fix controller dependency
2024-01-23 13:23:03 +05:30
Tauhid Anjum 5d294b26d3
NET-5824 Exported services api (#20015)
* Exported services api implemented

* Tests added, refactored code

* Adding server tests

* changelog added

* Proto gen added

* Adding codegen changes

* changing url, response object

* Fixing lint error by having namespace and partition directly

* Tests changes

* refactoring tests

* Simplified uniqueness logic for exported services, sorted the response in order of service name

* Fix lint errors, refactored code
2024-01-23 10:06:59 +05:30
Nathan Coleman 995ba32cc0
Use null route cluster for default router when no matches on v2 mesh gateway (#20270)
* Use black hole cluster for default router when no matches

* Update test assertions

* Use null route cluster instead of black hole cluster concept

* Update test assertions
2024-01-22 10:50:04 -08:00
Melissa Kam a9dd6f5c02
Add a separate test for initializer retries (#20298)
Separate test for initializer retries
2024-01-19 16:59:44 -06:00
Melissa Kam 98c9702ba3
[CC-7031] Add initialization support to resource controllers (#20138)
* Add Initializer to the controller

The Initializer adds support for running any required initialization
steps when the controller is first started.

* Implement HCP Link initializer

The link initializer will create a Link resource if the
cloud configuration has been set.

* Simplify retry logic and testing

* Remove internal retry, replace with logging logic
2024-01-19 11:47:48 -06:00
Matt Keeler 0a261682cd
Migrate the node health controller to use the cache (#20248)
Some edge case error testing had to be removed because it was no longer possible to force errors when going through the cache layer as opposed to the resource service itself.
2024-01-19 12:22:45 -05:00
Matt Keeler cee9df574d
Deflake the catalog v2beta1 integration tests (#20278) 2024-01-19 10:49:47 -05:00
Nick Cellino fe678e9da1
Sync cluster attributes from GNM to Link resource (#20158)
* Add 'GetCluster' function to HCP client

* Sync cluster data inside Link controller

* Add access mode to HCP Link

* Sync AccessLevel property

* Fix imports and remove outdated comments

* Switch accessMode to access level

* Add comment around HCPClientFn

* Fix spacing in link.proto

* Add helper for writing status. Fix reconciliation loop
2024-01-19 10:02:55 -05:00
Matt Keeler f9c04881f9
Failover policy cache (#20244)
* Migrate the Failover controller to use the controller cache
* Remove the Catalog FailoverMapper and its usage in the mesh routes controller.
2024-01-19 09:35:34 -05:00
Nathan Coleman c40b59823a
[NET-6431] Remove explicit endpoints function from PST builder (#20262)
This isn't needed since we just populate RequiredEndpoints, which is already done for the base case
2024-01-18 19:13:37 -05:00
Dan Stough 0edfa74d15
feat(v2dns): recursor support (#20249)
* feat(v2dns): recursor support

* test: fix leaking test agent in dns svc test
2024-01-18 18:30:04 -05:00
Matt Keeler 59cb12c798
Migrate the Endpoints controller to use the controller cache (#20241)
* Add cache resource decoding helpers

* Implement a common package for workload selection facilities. This includes:

   * Controller cache Index
   * ACL hooks
   * Dependency Mapper to go from workload to list of resources which select it
   * Dependency Mapper to go from a resource which selects workloads to all the workloads it selects.

* Update the endpoints controller to use the cache instead of custom mappers.

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2024-01-18 17:52:52 -05:00
Matt Keeler 9897be76ad
Update workload health controller to use the controller cache (#20240) 2024-01-18 16:30:11 -05:00
John Maguire 7888d00e49
[NET6429] Add listeners for mesh-gateway v2 (#20253)
Add listeners for mesh-gateway v2
2024-01-18 17:52:06 +00:00
Dan Stough 15ab80c832
feat(v2dns): move DNSPolicy to workload/endpoints (#20246) 2024-01-18 11:37:42 -05:00
Nathan Coleman d2e991ddfc
Remove unnecessary fetching of gateway (#20172)
The fetched gateway isn't currently used anywhere
2024-01-17 14:13:13 -05:00
Matt Keeler 326c0ecfbe
In-Memory gRPC (#19942)
* Implement In-Process gRPC for use by controller caching/indexing

This replaces the pipe base listener implementation we were previously using. The new style CAN avoid cloning resources which our controller caching/indexing is taking advantage of to not duplicate resource objects in memory.

To maintain safety for controllers and for them to be able to modify data they get back from the cache and the resource service, the client they are presented in their runtime will be wrapped with an autogenerated client which clones request and response messages as they pass through the client.

Another sizable change in this PR is to consolidate how server specific gRPC services get registered and managed. Before this was in a bunch of different methods and it was difficult to track down how gRPC services were registered. Now its all in one place.

* Fix race in tests

* Ensure the resource service is registered to the multiplexed handler for forwarding from client agents

* Expose peer streaming on the internal handler
2024-01-12 11:54:07 -05:00
Michael Zalimeni 76b5de5039
[NET-4968] Upgrade Go to 1.21 (#20062)
* Upgrade Go to 1.21

* ci: detect Go backwards compatibility test version automatically

For our submodules and other places we choose to test against previous
Go versions, detect this version automatically from the current one
rather than hard-coding it.
2024-01-12 09:57:38 -05:00
Ganesh S 10baf87421
Sort peer list in expander (#20167) 2024-01-11 12:51:07 +05:30
Dan Stough d52e80b619
[OSS] feat: add experiments flag for v2 dns and skeleton interfaces (#20115)
feat: add experiments flag for v2 dns and skeleton interfaces
2024-01-10 11:19:20 -05:00
Nick Cellino 0deebaf637
Add Link resource type and controller skeleton (#19788)
* Add HCCLink resource type

* Register HCCLink resource type with basic validation

* Add validation for required fields

* Add test for default ACLs

* Add no-op controller for HCCLink

* Add resource-apis semantic validation check in hcclink controller

* Add copyright headers

* Rename HCCLink to Link

* Add hcp_cluster_url to link proto

* Update 'disabled' reason with more detail

* Update link status name to consul.io/hcp/link

* Change link version from v1 to v2

* Use feature flag/experiment to enable v2 resources with HCP
2024-01-09 13:57:59 -05:00
John Maguire c6c2d8bf82
[NET-6426] Modify Reconcile Loop for Mesh Gateway Resources to Correctly Write Proxy State Template (#20085) 2024-01-08 23:26:00 -05:00
Nathan Coleman 8233303876
Adjust type + field names for ComputedExportedServices (#20030)
Adjust type + field names for ComputedExportedServices

The existing type and field names in `ComputedExportedServices` are confusing to work with.

For example, the mechanics of looping through services and their consumers wind up being:
```go
// The field name here doesn't reflect what is actually at each index of the list
for _, service := range exportedServices.Consumers {
    for _, consumer := range service.Consumers {
        // The prefix matching the type here causes stutter when reading and
        // isn't consistent with naming conventions for tenancy in pbresource
        tenancy := consumer.ConsumerTenancy
    }
}
```
2024-01-08 21:56:45 +00:00
Ganesh S 0d57acc549
Add sameness group references in exported services controller (#20100) 2024-01-08 11:55:52 +05:30
Kumar Kavish 9c8e9cebaa
[NET-6765] Audit the routes controller and add missing tenancy tests (#20016)
- moved resources to different tenancies.
2023-12-28 16:00:18 +05:30
John Murret b9ad0dfa41
NET-7025 - ci: test-integrations failures in compatibility tests. panics occuring in selectionTracker.TrackIDForSelection (#20040)
* ci: test-integrations failures in compatibility tests. panics occuring in selectionTracker.TrackIDForSelection

* Update selection_tracker.go
2023-12-22 16:32:40 +00:00
Nathan Coleman ab60fec15a
[NET-6426] Add gateway proxy controller that generates empty proxy state template (#19901)
* NET-6426 Create ProxyStateTemplate when reconciling MeshGateway resource

* Add TODO for switching fetch method based on gateway type

* Use gateway-kind in workload metadata instead of owner reference

* Create ProxyStateTemplate builder for gatewayproxy controller

* Update to use new controller interface

* Add copyright headers

* Set correct name for ProxyStateTemplate identity reference

* Generate empty ProxyStateTemplate by fetching MeshGateway

This cheats and looks up the MeshGateway directly. In the future, we will need a Workload => xGateway mapper

* Specify owner reference when writing ProxyStateTemplate

* Update dependency mapper to account for multiple controllers per resource type

* Regenerate v2 resource dependencies map

* Add helpful trace logs, tag TODOs with ticket identifiers
2023-12-21 16:37:47 -05:00
Nathan Coleman 874e68f1eb
[NET-6899] Create name-aligned Service when reconciling MeshGateway resource (#19900)
* NET-6899 Create name-aligned Service when reconciling MeshGateway resource

The Service has an owner reference added to it indicating that it belongs to a MeshGateway

* Specify port list when creating Service

* Use constants, add TODO w/ ticket reference

* Include gateway-kind in metadata of Service resource
2023-12-21 13:26:25 -05:00
Nathan Coleman 010bf533d1
NET-6663 Modify sidecarproxy controller to skip xGateway resources (#19902)
* NET-6663 Modify sidecarproxy controller to skip xGateway resources

* Check workload metadata after nil-check for workload

* Add test asserting that workloads with meta gateway-kind are ignored

* Use more common pattern for map access to increase readability
2023-12-18 21:54:41 +00:00
aahel ae998a698a
added computed failover policy resource (#19975) 2023-12-18 05:52:24 +00:00
aahel a6496898de
added tenancy to TestBuildL4TrafficPermissions (#19932) 2023-12-14 10:41:24 +05:30
Matt Keeler 123bc95e1a
Add Common Controller Caching Infrastructure (#19767)
* Add Common Controller Caching Infrastructure
2023-12-13 10:06:39 -05:00
Ganesh S 90010587f0
Move enterprise multicluster types to Register function (#19913)
* Move enterprise types to Register function

* Fix function name

* Address comments
2023-12-12 17:05:10 +05:30
Ganesh S 173fe11c2b
Refactor exported services controller tests (#19906) 2023-12-12 10:57:27 +05:30
Tauhid Anjum 1484c6db47
NET-6771 - Adding sameness group protobuff in consul CE (#19883)
Adding sameness group protobuff in consul CE
2023-12-12 10:43:20 +05:30
Matt Keeler bfad6a4e07
Ensure that the default namespace always exists even prior to resource creation (#19852) 2023-12-07 13:23:06 -05:00
Matt Keeler efe279f802
Retry lint fixes (#19151)
* Add a make target to run lint-consul-retry on all the modules
* Cleanup sdk/testutil/retry
* Fix a bunch of retry.Run* usage to not use the outer testing.T
* Fix some more recent retry lint issues and pin to v1.4.0 of lint-consul-retry
* Fix codegen copywrite lint issues
* Don’t perform cleanup after each retry attempt by default.
* Use the common testutil.TestingTB interface in test-integ/tenancy
* Fix retry tests
* Update otel access logging extension test to perform requests within the retry block
2023-12-06 12:11:32 -05:00
Semir Patel c1bbda8128
resource: block default namespace deletion + test refactorings (#19822) 2023-12-05 14:00:06 -05:00
lornasong edf4610ed9
[Cloud][CC-6925] Updates to pushing server state (#19682)
* Upgrade hcp-sdk-go to latest version v0.73

Changes:
- go get github.com/hashicorp/hcp-sdk-go
- go mod tidy

* From upgrade: regenerate protobufs for upgrade from 1.30 to 1.31

Ran: `make proto`

Slack: https://hashicorp.slack.com/archives/C0253EQ5B40/p1701105418579429

* From upgrade: fix mock interface implementation

After upgrading, there is the following compile error:

cannot use &mockHCPCfg{} (value of type *mockHCPCfg) as "github.com/hashicorp/hcp-sdk-go/config".HCPConfig value in return statement: *mockHCPCfg does not implement "github.com/hashicorp/hcp-sdk-go/config".HCPConfig (missing method Logout)

Solution: update the mock to have the missing Logout method

* From upgrade: Lint: remove usage of deprecated req.ServerState.TLS

Due to upgrade, linting is erroring due to usage of a newly deprecated field

22:47:56 [consul]: make lint
--> Running golangci-lint (.)
agent/hcp/testing.go:157:24: SA1019: req.ServerState.TLS is deprecated: use server_tls.internal_rpc instead. (staticcheck)
                time.Until(time.Time(req.ServerState.TLS.CertExpiry)).Hours()/24,
                                     ^

* From upgrade: adjust oidc error message

From the upgrade, this test started failing:

=== FAIL: internal/go-sso/oidcauth TestOIDC_ClaimsFromAuthCode/failed_code_exchange (re-run 2) (0.01s)
    oidc_test.go:393: unexpected error: Provider login failed: Error exchanging oidc code: oauth2: "invalid_grant" "unexpected auth code"

Prior to the upgrade, the error returned was:
```
Provider login failed: Error exchanging oidc code: oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"unexpected auth code\"}\n
```

Now the error returned is as below and does not contain "cannot fetch token"
```
Provider login failed: Error exchanging oidc code: oauth2: "invalid_grant" "unexpected auth code"

```

* Update AgentPushServerState structs with new fields

HCP-side changes for the new fields are in:
https://github.com/hashicorp/cloud-global-network-manager-service/pull/1195/files

* Minor refactor for hcpServerStatus to abstract tlsInfo into struct

This will make it easier to set the same tls-info information to both
 - status.TLS (deprecated field)
 - status.ServerTLSMetadata (new field to use instead)

* Update hcpServerStatus to parse out information for new fields

Changes:
 - Improve error message and handling (encountered some issues and was confused)
 - Set new field TLSInfo.CertIssuer
 - Collect certificate authority metadata and set on TLSInfo.CertificateAuthorities
 - Set TLSInfo on both server.TLS and server.ServerTLSMetadata.InternalRPC

* Update serverStatusToHCP to convert new fields to GNM rpc

* Add changelog

* Feedback: connect.ParseCert, caCerts

* Feedback: refactor and unit test server status

* Feedback: test to use expected struct

* Feedback: certificate with intermediate

* Feedback: catch no leaf, remove expectedErr

* Feedback: update todos with jira ticket

* Feedback: mock tlsConfigurator
2023-12-04 10:25:18 -05:00
aahel 7936e55807
added node health resource (#19803) 2023-12-02 11:14:03 +05:30
Ashesh Vidyut 82f6a8d7f3
Net 6585 (#19797)
Add multi tenancy to sidecar proxy controller
2023-12-01 21:28:57 +05:30
aahel ac9261ac3e
made node parition scoped (#19794)
* made node parition scoped

* removed namespace from node testdata
2023-12-01 07:42:29 +00:00
Semir Patel 2d1f308138
resource: add v2tenancy feature flag to deployer tests (#19774) 2023-11-30 11:41:30 -06:00
Michael Zalimeni d1f2fa1841
[NET-6725] test: Address occasional flakes in sidecarproxy/controller_test.go (#19760)
test: Address occasional flakes in sidecarproxy/controller_test.go

We've observed an occasional flake in this test where some state check
fails. Adding in some wait wrappers to these state checks will hopefully
address the issue, assuming it is a simple flake.
2023-11-29 16:56:14 +00:00
Thomas Eckert 419677cc9e
[NET-6420] Add MeshConfiguration Controller stub (#19745)
* Add meshconfiguration/controller

* Add MeshConfiguration Registration function

* Fix the TODOs on the RegisterMeshGateway function

* Call RegisterMeshConfiguration

* Add comment to MeshConfigurationRegistration

* Add a test for Reconcile and some comments
2023-11-28 18:56:07 +00:00
Chris S. Kim 5107764115
Move test setup out of subtest (#19753) 2023-11-28 18:39:37 +00:00
Semir Patel 5930748cb0
resource: ListByOwner returns empty list on non-existent tenancy (#19742) 2023-11-27 14:56:08 -06:00
Ganesh S ba2422596f
Add tenancy tests for routes controller (#19706) 2023-11-22 21:52:10 +05:30
Semir Patel 0fdc2ac5e9
v2tenancy: namespace deletion using finalizers (#19714) 2023-11-22 10:06:11 -06:00
aahel a28f4b7f37
optimized fetching services in exported service controller (#19695)
* optimized fetching services in exported service controller

* added aliases for some complex types
2023-11-21 12:21:22 +05:30
Michael Zalimeni 58cc6eded4
[SECVULN-1532] chore: Remove TODO comments for OIDC/JWT auth (#19700)
chore: Remove TODO comments for OIDC/JWT auth

Remove old TODO comments and update remaining comments for clarity.
2023-11-20 21:34:48 +00:00
Semir Patel 75c2def1ca
resource: preserve deferred deletion metadata on non-CAS writes (#19674) 2023-11-17 10:51:25 -06:00
Ganesh S c061168aca
Add tests for traffic permissions controller (#19672) 2023-11-17 17:59:28 +05:30
John Murret 2591318c82
Skip tests with p95 greater than 30 seconds outside of main and release branches. (#19628)
Skip tests with p95 greater than 30 seconds.
2023-11-15 13:43:33 -07:00
Semir Patel 1eed205286
resource: freeze resources after marked for deletion (4 of 5) (#19603) 2023-11-15 10:58:27 -06:00
Ganesh S 4020c002d6
Add tenancy tests for proxy cfg controller (#19649) 2023-11-15 21:36:08 +05:30
Ganesh S 2e28aecff8
Added tenancy tests for endpoints controller (#19650) 2023-11-15 21:32:26 +05:30
Ashesh Vidyut d68a23aa85
NET 6539 - Add tenancy tests for folder - internal/mesh/internal/controllers/sidecarproxy (#19646)
* Add tenancy tests for folder - internal/mesh/internal/controllers/sidecarproxy

* removed rej files

* added missed out file
2023-11-15 13:49:40 +05:30
Ashesh Vidyut 443461318a
NET 6525 (#19645)
Removed resourcetest func
2023-11-15 06:32:15 +00:00
Ashesh Vidyut fbc2a58733
NET 6442 - Add tenancy to explicit destinations controller (#19644)
Add tenancy to explicit destinations controller
2023-11-15 06:11:56 +00:00
R.B. Boyer b21851c903
test: add test helper to detect if the current build is enterprise (#19201)
This can help conditionally change test behavior if the test is executing in enterprise without the need to split the test with build tags.
2023-11-13 10:30:07 -06:00
Kumar Kavish 68e7f27fd2
[NET-6438] Add tenancy to xDS Tests (#19551)
* [NET-6438] Add tenancy to xDS Tests

* [NET-6438] Add tenancy to xDS Tests
- Fixing imports

* [NET-6438] Add tenancy to xDS Tests
- Added cleanup post test run

* [NET-6356] Add tenancy to xDS Tests
- Added cleanup post test run

* [NET-6438] Add tenancy to xDS Tests
- using t.Cleanup instead of defer delete

* [NET-6438] Add tenancy to xDS Tests
- rebased

* [NET-6438] Add tenancy to xDS Tests
- rebased
2023-11-10 15:32:36 +05:30
aahel 005e1b9926
added exported svc controller (#19589)
* added exported svc controller

* added license headers
2023-11-10 07:27:53 +05:30
Nathan Coleman 40c57f10a0
NET-6391 Initialize controller for MeshGateway resource (#19552)
* Generate resource_types for MeshGateway by specifying spec option

* Register MeshGateway type w/ TODOs for hooks

* Initialize controller for MeshGateway resources

* Add meshgateway to list of v2 resource dependencies for golden test

* Scope MeshGateway resource to partition
2023-11-09 16:33:14 -05:00
Kumar Kavish 3df8b58479
[NET-6444] Add tenancy to Reaper Tests (#19550) 2023-11-10 01:14:33 +05:30
Kumar Kavish f09dbb99e9
[NET-6356] Add tenancy to Failover Tests (#19547)
* [NET-6356] Add tenancy to Failover Tests

* [NET-6438] Add tenancy to xDS Tests
- Added cleanup post test run

* [NET-6356] Add tenancy to failover Tests
- using t.Cleanup instead of defer delete
2023-11-10 01:14:09 +05:30
Ashesh Vidyut 515eed8c7c
Net 6439 (#19517)
* node health controller tenancy

* some prog

* some fixes

* revert

* pr comment resolved

* removed name

* Add namespace and tenancy in sidecar proxy controller test

* revert node health controller

* clean up data

* fix local

* copy from ENT

* removed dup code

* removed tenancy

* add test tenancies
2023-11-09 11:47:19 +05:30
Matt Keeler a7774a9538
Introduce randomized timings and reproducible randomization into controller integration tests. (#19393)
As the V2 architecture hinges on eventual consistency and controllers reconciling the existing state in response to writes, there are potential issues we could run into regarding ordering and timing of operations. We want to be able to guarantee that given a set of resources the system will always eventually get to the desired correct state. The order of resource writes and delays in performing those writes should not alter the final outcome of reaching the desired state.

To that end, this commit introduces arbitrary randomized delays before performing resources writes into the `resourcetest.Client`. Its `PublishResources` method was already randomizing the order of resource writes. By default, no delay is added to normal writes and deletes but tests can opt-in via either passing hard coded options when creating the `resourcetest.Client` or using the `resourcetest.ConfigureTestCLIFlags` function to allow processing of CLI parameters.

In addition to allowing configurability of the request delay min and max, the client also has a configurable random number generator seed. When Using the CLI parameter helpers, a test log will be written noting the currently used settings. If the test fails then you can reproduce the same delays and order randomizations by providing the seed during the previous test failure.
2023-11-08 10:45:25 -05:00
Ashesh Vidyut 985aa76da3
NET 6354 - Add tenancy in Node Health Controller (#19457)
* node health controller tenancy

* some prog

* some fixes

* revert

* pr comment resolved

* removed name

* cleanup nodes

* some fixes

* merge main
2023-11-08 13:01:17 +05:30
John Murret caaff73337
add DeliverLatest as common function for use by Manager and ProxyTracker Open (#19564)
Open
add DeliverLatest as common function for use by Manager and ProxyTracker
2023-11-07 23:03:37 +00:00
Semir Patel 2da7dd077a
v2tenancy: register tenancy controller deps (#19531) 2023-11-07 08:06:10 -06:00
Ganesh S 5352ff945c
Added tenancy tests for WorkloadHealth controller (#19530) 2023-11-07 09:09:15 +05:30
Poonam Jadhav c3c836edae
Net-6291/fix/watch resources (#19467)
* fix: update watch endpoint to default based on scope

* test: additional test

* refactor: rename list validate function

* refactor: rename validate<Op>Request() -> ensure<Op>RequestValid() for consistency
2023-11-03 16:03:07 -04:00
John Murret d94d316204
NET-6319 - L7 routes have statePrefix of upstream. and should have a full path (#19473) 2023-11-02 19:58:54 -06:00
Semir Patel aaac20f4a8
resource: misc finalizer apis (#19474) 2023-11-02 15:56:02 -05:00
John Murret 77e9a50f8b
Source / local_app golden tests to include all protocols. (#19436)
* cover all protocols in local_app golden tests

* fix xds tests

* updating latest

* fix broken test

* add sorting of routers to TestBuildLocalApp to get rid of the flaking
2023-11-02 18:31:06 +00:00
skpratt 896d8f5ec5
temporarily disallow L7 traffic permissions (#19322) 2023-11-02 13:16:08 -05:00
Semir Patel 0abd96c0d9
resource: resource service now checks for `v2tenancy` feature flag (#19400) 2023-10-27 08:55:02 -05:00
Matt Keeler 5698353652
Resource Hook Pre-Decode Utilities (#18548)
Add some generic type hook wrappers to first decode the data

There seems to be a pattern for Validation, Mutation and Write Authorization hooks where they first need to decode the Any data before doing the domain specific work.

This PR introduces 3 new functions to generate wrappers around the other hooks to pre-decode the data into a DecodedResource and pass that in instead of the original pbresource.Resource.

This PR also updates the various catalog data types to use the new hook generators.
2023-10-26 16:39:06 -04:00
Ashesh Vidyut 0295b959c9
Net 5875 - Create the Exported Services Resources (#19117)
* init

* computed exported service

* make proto

* exported services resource

* exported services test

* added some tests and namespace exported service

* partition exported services

* computed service

* computed services tests

* register types

* fix comment

* make proto lint

* fix proto format make proto

* make codegen

* Update proto-public/pbmulticluster/v1alpha1/computed_exported_services.proto

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>

* Update internal/multicluster/internal/types/computed_exported_services.go

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>

* using different way of resource creation in tests

* make proto

* fix computed exported services test

* fix tests

* differnet validation for computed services for ent and ce

* Acls for exported services

* added validations for enterprise features in ce

* fix error

* fix acls test

* Update internal/multicluster/internal/types/validation_exported_services_ee.go

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>

* removed the create method

* update proto

* removed namespace

* created seperate function for ce and ent

* test files updated and validations fixed

* added nil checks

* fix tests

* added comments

* removed tenancy check

* added mutation function

* fix mutation method

* fix list permissions in test

* fix pr comments

* fix tests

* lisence

* busl license

* Update internal/multicluster/internal/types/helpers_ce.go

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>

* Update internal/multicluster/internal/types/helpers_ce.go

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>

* Update internal/multicluster/internal/types/helpers_ce.go

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>

* make proto

* some pr comments addressed

* some pr comments addressed

* acls helper

* some comment changes

* removed unused files

* fixes

* fix function in file

* caps

* some positioing

* added test for validation error

* fix names

* made valid a function

* remvoed patch

* removed mutations

* v2 beta1

* v2beta1

* rmeoved v1alpha1

* validate error

* merge ent

* some nits

* removed dup func

* removed nil check

---------

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>
2023-10-26 19:34:15 +05:30
Poonam Jadhav b5023b69c3
feat: read resource namespace (#19320)
* test: add missing tests for read resource namespace

* refactor: remove redundant test

* refactor: rename import aliases

* fix: typo var name

* refctor: remove another redundant test
2023-10-26 09:28:36 -04:00
Michael Zalimeni a7803bd829
[NET-6305] xds: Ensure v2 route match and protocol are populated for gRPC (#19343)
* xds: Ensure v2 route match is populated for gRPC

Similar to HTTP, ensure that route match config (which is required by
Envoy) is populated when default values are used.

Because the default matches generated for gRPC contain a single empty
`GRPCRouteMatch`, and that proto does not directly support prefix-based
config, an interpretation of the empty struct is needed to generate the
same output that the `HTTPRouteMatch` is explicitly configured to
provide in internal/mesh/internal/controllers/routes/generate.go.

* xds: Ensure protocol set for gRPC resources

Add explicit protocol in `ProxyStateTemplate` builders and validate it
is always set on clusters. This ensures that HTTP filters and
`http2_protocol_options` are populated in all the necessary places for
gRPC traffic and prevents future unintended omissions of non-TCP
protocols.

Co-authored-by: John Murret <john.murret@hashicorp.com>

---------

Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-10-25 17:43:58 +00:00
John Murret 59d4962564
NET-6079 - wire up sidecarproxy golden file inputs into xds controller - sources (#19241)
* NET-5397 - wire up golden tests from sidecar-proxy controller for xds controller and xdsv2

* WIP

* WIP

* everything matching except leafCerts.  need to mock those

* single port destinations working except mixed destinations

* golden test input to xds controller tests for destinations

* proposed fix for failover group naming errors

* clean up test to use helper.

* clean up test to use helper.

* fix test file

* add docstring for test function.

* add docstring for test function.

* fix linting error

* fixing test after route fix merged into main

* first source test works

* WIP

* modify all source files

* source tests pass

* fixing tests after bug fix in main
2023-10-24 10:21:53 -06:00
John Murret 9775758d0c
NET-5397 - wire up destination golden tests from sidecar-proxy controller for xds controller and xdsv2 (#19167)
* NET-5397 - wire up golden tests from sidecar-proxy controller for xds controller and xdsv2

* WIP

* WIP

* everything matching except leafCerts.  need to mock those

* single port destinations working except mixed destinations

* golden test input to xds controller tests for destinations

* proposed fix for failover group naming errors

* clean up test to use helper.

* clean up test to use helper.

* fix test file

* add docstring for test function.

* add docstring for test function.

* fix linting error

* fixing test after route fix merged into main
2023-10-24 09:33:23 -06:00
Iryna Shustava 809bf1deb8
mesh: ensure route configs are named uniquely per port (#19323) 2023-10-20 16:59:18 -06:00
Dhia Ayachi d5c9f11b59
Tenancy Bridge v2 (#19220)
* tenancy bridge v2 for v2 resources

* add missing copywrite headers
2023-10-20 14:49:54 -04:00
Nitya Dhanushkodi def66ddf0e
mesh: provide missing domain to route configurations in ProxyStateTemplate (#19298)
* add empty domains

* update unit tests
2023-10-19 17:14:16 -04:00
Iryna Shustava dfea3a0efe
acls,catalog,mesh: properly authorize workload selectors on writes (#19260)
To properly enforce writes on resources that have workload selectors with prefixes, we need another service authorization rule that allows us to check whether read is allowed within a given prefix. Specifically we need to only allow writes if the policy prefix allows for a wider set of names than the prefix selector on the resource. We should also not allow policies with exact names for prefix matches.

Part of [NET-3993]
2023-10-19 11:09:41 -06:00
Eric Haberkorn f45be222bb
Prevent circular dependencies between v2 resources and generate a mermaid diagram with their dependencies (#19230) 2023-10-18 10:55:32 -04:00
Nitya Dhanushkodi 51b58cd910
fix expose paths (#19257)
When testing adding http probes to apps, I ran into some issues which I fixed here:
- The listener should be listening on the exposed listener port, updated that.
- The listener and route names were pointing to the path of the exposed path. In my test, the path was "/" resulting in an empty string path. Also, the path may not be unique across exposed path listeners, so I decided to use the path+exposed port as the unique identifier.
2023-10-17 14:47:21 -07:00