You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
consul/test/integration/connect/envoy
hc-github-team-consul-core 424f5a808a
Backport of [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass into release/1.20.x (#21839)
1 month ago
..
case-api-gateway-http-hostnames [COMPLIANCE] License changes (#18443) 1 year ago
case-api-gateway-http-simple [COMPLIANCE] License changes (#18443) 1 year ago
case-api-gateway-http-splitter-targets [COMPLIANCE] License changes (#18443) 1 year ago
case-api-gateway-http-tls-overlapping-hosts [COMPLIANCE] License changes (#18443) 1 year ago
case-api-gateway-tcp-conflicted [COMPLIANCE] License changes (#18443) 1 year ago
case-api-gateway-tcp-simple [COMPLIANCE] License changes (#18443) 1 year ago
case-api-gateway-tcp-tls-overlapping-hosts [COMPLIANCE] License changes (#18443) 1 year ago
case-badauthz [COMPLIANCE] License changes (#18443) 1 year ago
case-basic [COMPLIANCE] License changes (#18443) 1 year ago
case-centralconf [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-resolver-cluster-peering-failover [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-resolver-dc-failover-gateways-none [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-resolver-dc-failover-gateways-remote [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-resolver-defaultsubset [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-resolver-features [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-resolver-subset-onlypassing [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-resolver-subset-redirect [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-resolver-svc-failover [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-resolver-svc-redirect-http [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-resolver-svc-redirect-tcp [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-router-features Case sensitive route match (#19647) 10 months ago
case-cfg-splitter-cluster-peering [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-splitter-features [COMPLIANCE] License changes (#18443) 1 year ago
case-cfg-splitter-peering-ingress-gateways [COMPLIANCE] License changes (#18443) 1 year ago
case-consul-exec [COMPLIANCE] License changes (#18443) 1 year ago
case-cross-peer-control-plane-mgw [COMPLIANCE] License changes (#18443) 1 year ago
case-cross-peers [COMPLIANCE] License changes (#18443) 1 year ago
case-cross-peers-http [COMPLIANCE] License changes (#18443) 1 year ago
case-cross-peers-http-router [COMPLIANCE] License changes (#18443) 1 year ago
case-cross-peers-resolver-redirect-tcp [COMPLIANCE] License changes (#18443) 1 year ago
case-dogstatsd-udp [COMPLIANCE] License changes (#18443) 1 year ago
case-expose-checks [COMPLIANCE] License changes (#18443) 1 year ago
case-gateway-without-services [COMPLIANCE] License changes (#18443) 1 year ago
case-gateways-local [COMPLIANCE] License changes (#18443) 1 year ago
case-gateways-remote [COMPLIANCE] License changes (#18443) 1 year ago
case-grpc [COMPLIANCE] License changes (#18443) 1 year ago
case-http [COMPLIANCE] License changes (#18443) 1 year ago
case-http-badauthz [COMPLIANCE] License changes (#18443) 1 year ago
case-ingress-gateway-grpc [COMPLIANCE] License changes (#18443) 1 year ago
case-ingress-gateway-http [COMPLIANCE] License changes (#18443) 1 year ago
case-ingress-gateway-multiple-services [COMPLIANCE] License changes (#18443) 1 year ago
case-ingress-gateway-peering-failover [COMPLIANCE] License changes (#18443) 1 year ago
case-ingress-gateway-sds NET-6317 - update usage of deprecated fields: http2_protocol_options and access_log_path (#19940) 12 months ago
case-ingress-gateway-simple [COMPLIANCE] License changes (#18443) 1 year ago
case-ingress-gateway-tls [COMPLIANCE] License changes (#18443) 1 year ago
case-ingress-mesh-gateways-resolver [COMPLIANCE] License changes (#18443) 1 year ago
case-l7-intentions Backport of [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass into release/1.20.x (#21839) 1 month ago
case-l7-intentions-request-normalization Backport of [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass into release/1.20.x (#21839) 1 month ago
case-l7-intentions-request-normalization-disabled Backport of [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass into release/1.20.x (#21839) 1 month ago
case-lua [COMPLIANCE] License changes (#18443) 1 year ago
case-mesh-to-lambda [COMPLIANCE] License changes (#18443) 1 year ago
case-multidc-rsa-ca [COMPLIANCE] License changes (#18443) 1 year ago
case-prometheus [COMPLIANCE] License changes (#18443) 1 year ago
case-property-override [COMPLIANCE] License changes (#18443) 1 year ago
case-stats-proxy [COMPLIANCE] License changes (#18443) 1 year ago
case-statsd-udp [COMPLIANCE] License changes (#18443) 1 year ago
case-terminating-gateway-hostnames [COMPLIANCE] License changes (#18443) 1 year ago
case-terminating-gateway-simple [COMPLIANCE] License changes (#18443) 1 year ago
case-terminating-gateway-subsets [COMPLIANCE] License changes (#18443) 1 year ago
case-terminating-gateway-without-services [COMPLIANCE] License changes (#18443) 1 year ago
case-upstream-config [COMPLIANCE] License changes (#18443) 1 year ago
case-wanfed-gw [COMPLIANCE] License changes (#18443) 1 year ago
case-wasm [COMPLIANCE] License changes (#18443) 1 year ago
case-zipkin [COMPLIANCE] License changes (#18443) 1 year ago
consul-base-cfg [COMPLIANCE] License changes (#18443) 1 year ago
docs Envoy Integration Test Windows (#18007) 1 year ago
test-sds-server [NET-8601] security: upgrade vault/api to remove go-jose.v2 (#20910) 7 months ago
.gitignore
Dockerfile-bats chore(test): Update bats version 3 years ago
Dockerfile-consul-envoy Run integration tests locally using amd64 (#14365) 2 years ago
Dockerfile-consul-envoy-windows Envoy Integration Test Windows (#18007) 1 year ago
Dockerfile-tcpdump security: update alpine base image to 3.20 (#21729) 2 months ago
Dockerfile-tcpdump-windows Envoy Integration Test Windows (#18007) 1 year ago
Dockerfile-test-sds-server-windows Envoy Integration Test Windows (#18007) 1 year ago
README.md update comments and docs about running envoy integration tests with the ENVOY_VERSION set. (#18614) 1 year ago
WINDOWS-TEST.md Envoy Integration Test Windows (#18007) 1 year ago
defaults.sh [COMPLIANCE] License changes (#18443) 1 year ago
docker-windows.md Envoy Integration Test Windows (#18007) 1 year ago
down.sh [COMPLIANCE] License changes (#18443) 1 year ago
helpers.bash Backport of [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass into release/1.20.x (#21839) 1 month ago
helpers.windows.bash [NET-5916] Fix locality-aware routing config and tests (CE) (#19483) 1 year ago
main_test.go test: remove v2 integration tests (#21056) 7 months ago
run-tests.sh Backport of [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass into release/1.20.x (#21839) 1 month ago
run-tests.windows.sh Windows Integration Test Changes (#18758) 1 year ago
windows-troubleshooting.md Envoy Integration Test Windows (#18007) 1 year ago

README.md

Envoy Integration Tests

Overview

These tests validate that Consul is configuring Envoy correctly. They set up various scenarios using Docker containers and then run Bats (a Bash test framework) tests to validate the expected results.

Running Tests

To run the tests locally, cd into the root of the repo and run:

make test-envoy-integ

To run a specific test, run:

make test-envoy-integ GO_TEST_FLAGS="-run TestEnvoy/case-basic"

Where case-basic can be replaced by any directory name from this directory.

How Do These Tests Work

  1. The tests are all run through Go test via the main_test.go file. Each directory prefixed by case- is a subtest, for example, TestEnvoy/case-basic and TestEnvoy/case-wanfed-gw.
  2. The real framework for this test suite lives in run-tests.sh. Under the hood, main_test.go just runs run-tests.sh with various arguments.
  3. The tests use your local code by building a Docker image from your local directory just before executing. Note: this is implemented as the docker-envoy-integ Makefile target which is a prerequisite to the test-envoy-integ target, so if you are running the tests by invoking run-tests.sh or go test manually, be sure to rebuild the Docker image to ensure you are running your latest code.
  4. The tests run Docker containers connected by a shared Docker network. All tests have at least one Consul server running and then depending on the test case they will spin up additional services or gateways. Some tests run multiple Consul servers to test multi-DC setups. See the case-wanfed-gateway test for an example of this.
  5. At a high level, tests are set up by executing the setup.sh script in each directory. This script uses helper functions defined in helpers.bash. Once the test case is set up, the validations in verify.bats are run.
  6. If there exists a vars.sh file in the top-level of the case directory, the test runner will source it prior to invoking the run_tests, test_teardown and capture_logs phases of the test scenario.
  7. If there exists a capture.sh file in the top-level of the case directory, it will be executed after the test is done, but prior to the containers being removed. This is useful for capturing logs or Envoy snapshots for debugging test failures.
  8. Any files matching the *.hcl glob will be copied to the container $WORKDIR/$CLUSTER/consul directory prior to running the tests. This is useful for defining Consul configuration for each agent process to load on start up.
  9. In CI, the tests are executed against different Envoy versions and with both XDS_TARGET=client and XDS_TARGET=server. If set to client, a Consul server and client are run, and services are registered against the client. If set to server, only a Consul server is run, and services are registered against the server. By default, XDS_TARGET is set to server. See this comment for more information.

Investigating Test Failures

  • When tests fail in CI, logs and additional debugging data are available in the artifacts of the test run.
  • You can re-run the tests locally by running make test-envoy-integ GO_TEST_FLAGS="-run TestEnvoy/<case-directory>" where <case-directory> is replaced with the name of the directory, e.g. case-basic.
  • You can override the envoy version by specifying ENVOY_VERSION=<your envoy version> eg. ENVOY_VERSION=1.27.0 make test-envoy-integ.
  • Locally, all the logs of the failed test will be available in workdir in this directory.
  • You can run with DEBUG=1 to print out all the commands being run, e.g. DEBUG=1 make test-envoy-integ GO_TEST_FLAGS="-run TestEnvoy/case-basic".
  • If you want to prevent the Docker containers from being spun down after test failure, add a sleep 9999 to the verify.bats test case that's failing.

Creating a New Test

Below is a rough outline for creating a new test. For the example, assume our test case will be called my-feature.

  1. Create a new directory named case-my-feature
  2. If the test involves multiple datacenters/clusters, create a separate subdirectory for each cluster (eg. case-my-feature/{dc1,dc2})
  3. Add any necessary configuration to *.hcl files in the respective cluster subdirectory (or the test case directory when using a single cluster).
  4. Create a setup.sh file in the case directory
  5. Create a capture.sh file in the case directory
  6. Create a verify.bats file in the case directory
  7. Populate the setup.sh, capture.sh and verify.bats files with the appropriate code for running your test, validating its state and capturing any logs or snapshots.