Add envoyExtensions field to serviceDefaults and proxyDefaults CRDs (#…

…1823)

* updated consul api to the latest

* added new ServiceDefault fields to the serviceDefaults CRD
- Added fields to support EnvoyExtensions
- Added missing BalanceInboundConnections field

* added EnvoyExtensions to proxyDefaults CRD
- most of these changes are parallel to what was done in serviceDefaults
- proxyDefaults makes use of the envoyExtension(s) definition in serviceDefaults and also makes use of the validation/toConsul logic defined there

* added tests for new fields
- Added tests for proxyDefault
- Added tests for serviceDefault
- EnvoyExtension test cases should be basically the same for both CRDs

* generate the manifests and generate deepcopy

* updated the changelog

* added CI test to catch bad terraform formatting

* formatted terraform files

* update contributing doc

.github/workflows/test.yml

@@ -10,6 +10,20 @@ env:
   CONSUL_ENT_DOCKER_IMAGE: hashicorppreview/consul-enterprise:1.14-dev # Consul's enterprise version to use in tests
 
 jobs:
+  terraform-fmt-check:
+    name: "Terraform format check"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: TERRAFORM_VERSION
+          terraform_wrapper: false
+      - name: Run Terraform checks
+        run: |
+          make terraform-fmt-check TERRAFORM_DIR="${{ github.workspace }}"
+
   get-go-version:
     name: "Determine Go toolchain version"
     runs-on: ubuntu-latest

CHANGELOG.md

@@ -4,6 +4,8 @@ IMPROVEMENTS:
 * Helm:
   * Add a `global.extraLabels` stanza to allow setting global Kubernetes labels for all components deployed by the `consul-k8s` Helm chart. [[GH-1778](https://github.com/hashicorp/consul-k8s/pull/1778)]
   * Add the `accessLogs` field to the `ProxyDefaults` CRD. [[GH-1816](https://github.com/hashicorp/consul-k8s/pull/1816)]
+  * Add the `envoyExtensions` field to the `ProxyDefaults` and `ServiceDefaults` CRD. [[GH-1823]](https://github.com/hashicorp/consul-k8s/pull/1823)
+  * Add the `balanceInboundConnections` field to the `ServiceDefaults` CRD. [[GH-1823]](https://github.com/hashicorp/consul-k8s/pull/1823)
 * Control-Plane
   * Add support for the annotation `consul.hashicorp.com/use-proxy-health-check`. [[GH-1824](https://github.com/hashicorp/consul-k8s/pull/1824)]
 

CONTRIBUTING.md

@@ -424,20 +424,27 @@ rebase the branch on main, fixing any conflicts along the way before the code ca
    manage your resource type.
 
 ### Testing A New CRD
-1. Build a Docker image for consul-k8s via `make dev-docker` and tagging your image appropriately. Remember to CD into the `control-plane` directory!
+1. Build a Docker image for consul-k8s via `make control-plane-dev-docker` and push to a docker repository:
+    ```
+    docker tag consul-k8s-control-plane-dev <DOCKER-HUB-USERNAME>/consul-k8s-control-plane-dev:<version>
+    docker push <DOCKER-HUB-USERNAME>/consul-k8s-control-plane-dev:<version>
+    ```
 1. Install using the updated Helm repository, with a values like:
     ```yaml
     global:
-      imageK8S: ghcr.io/lkysow/consul-k8s-dev:nov26
+      imageK8S: lkysow/consul-k8s-control-plane-dev:nov26
       name: consul
     server:
       replicas: 1
       bootstrapExpect: 1
-    controller:
+    ui:
+      enabled: true
+    connectInject:
       enabled: true
     ```
-1. `kubectl apply` your sample CRD.
-1. Check its synced status:
+1. Create a sample CRD
+1. Run `kubectl apply -f <path-to-crd>` to apply your sample CRD.
+1. Check its synced status (for example CRD called ingressgateway):
     ```bash
     kubectl get ingressgateway
     NAME                    SYNCED   AGE

Makefile

@@ -75,6 +75,16 @@ kind-cni:
 	kind create cluster --config=$(CURDIR)/acceptance/framework/environment/cni-kind/kind.config --name dc2 --image kindest/node:v1.23.6
 	make kind-cni-calico
 
+# Perform a terraform fmt check but don't change anything
+terraform-fmt-check:
+	@$(CURDIR)/control-plane/build-support/scripts/terraformfmtcheck.sh $(TERRAFORM_DIR)
+.PHONY: terraform-fmt-check
+
+# Format all terraform files according to terraform fmt
+terraform-fmt:
+	@terraform fmt -recursive
+.PHONY: terraform-fmt
+
 
 # ===========> CLI Targets
 

charts/consul/templates/crd-proxydefaults.yaml

@@ -95,6 +95,22 @@ spec:
                   globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              envoyExtensions:
+                description: EnvoyExtensions are a list of extensions to modify Envoy
+                  proxy configuration.
+                items:
+                  description: EnvoyExtension has configuration for an extension that
+                    patches Envoy resources.
+                  properties:
+                    arguments:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    name:
+                      type: string
+                    required:
+                      type: boolean
+                  type: object
+                type: array
               expose:
                 description: Expose controls the default expose path configuration
                   for Envoy.

charts/consul/templates/crd-servicedefaults.yaml

@@ -57,6 +57,12 @@ spec:
           spec:
             description: ServiceDefaultsSpec defines the desired state of ServiceDefaults.
             properties:
+              balanceInboundConnections:
+                description: BalanceInboundConnections sets the strategy for allocating
+                  inbound connections to the service across proxy threads. The only
+                  supported value is exact_balance. By default, no connection balancing
+                  is used. Refer to the Envoy Connection Balance config for details.
+                type: string
               destination:
                 description: Destination is an address(es)/port combination that represents
                   an endpoint outside the mesh. This is only valid when the mesh is
@@ -76,6 +82,22 @@ spec:
                     format: int32
                     type: integer
                 type: object
+              envoyExtensions:
+                description: EnvoyExtensions are a list of extensions to modify Envoy
+                  proxy configuration.
+                items:
+                  description: EnvoyExtension has configuration for an extension that
+                    patches Envoy resources.
+                  properties:
+                    arguments:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    name:
+                      type: string
+                    required:
+                      type: boolean
+                  type: object
+                type: array
               expose:
                 description: Expose controls the default expose path configuration
                   for Envoy.
@@ -114,15 +136,15 @@ spec:
                   with an external system.
                 type: string
               localConnectTimeoutMs:
-                description: The number of milliseconds allowed to make connections
-                  to the local application instance before timing out. Defaults to
-                  5000.
+                description: LocalConnectTimeoutMs is the number of milliseconds allowed
+                  to make connections to the local application instance before timing
+                  out. Defaults to 5000.
                 type: integer
               localRequestTimeoutMs:
-                description: In milliseconds, the timeout for HTTP requests to the
-                  local application instance. Applies to HTTP-based protocols only.
-                  If not specified, inherits the Envoy default for route timeouts
-                  (15s).
+                description: LocalRequestTimeoutMs is the timeout for HTTP requests
+                  to the local application instance in milliseconds. Applies to HTTP-based
+                  protocols only. If not specified, inherits the Envoy default for
+                  route timeouts (15s).
                 type: integer
               maxInboundConnections:
                 description: MaxInboundConnections is the maximum number of concurrent

charts/consul/test/terraform/aks/variables.tf

@@ -27,7 +27,7 @@ variable "cluster_count" {
 }
 
 variable "tags" {
-  type        = map
+  type        = map(any)
   default     = {}
   description = "Tags to attach to the created resources."
 }

charts/consul/test/terraform/eks/main.tf

@@ -53,8 +53,8 @@ module "vpc" {
 module "eks" {
   count = var.cluster_count
 
-  source  = "terraform-aws-modules/eks/aws"
-  version = "17.24.0"
+  source                 = "terraform-aws-modules/eks/aws"
+  version                = "17.24.0"
   kubeconfig_api_version = "client.authentication.k8s.io/v1beta1"
 
   cluster_name    = "consul-k8s-${random_id.suffix[count.index].dec}"

charts/consul/test/terraform/eks/variables.tf

@@ -21,7 +21,7 @@ variable "role_arn" {
 }
 
 variable "tags" {
-  type        = map
+  type        = map(any)
   default     = {}
   description = "Tags to attach to the created resources."
 }

charts/consul/test/terraform/gke/variables.tf

@@ -30,7 +30,7 @@ variable "cluster_count" {
 }
 
 variable "labels" {
-  type        = map
+  type        = map(any)
   default     = {}
   description = "Labels to attach to the created resources."
 }

charts/consul/test/terraform/openshift/variables.tf

@@ -9,7 +9,7 @@ variable "cluster_count" {
 }
 
 variable "tags" {
-  type        = map
+  type        = map(any)
   default     = {}
   description = "Tags to attach to the created resources."
 }

control-plane/api/v1alpha1/proxydefaults_types.go

@@ -77,6 +77,8 @@ type ProxyDefaultsSpec struct {
 	Expose Expose `json:"expose,omitempty"`
 	// AccessLogs controls all envoy instances' access logging configuration.
 	AccessLogs *AccessLogs `json:"accessLogs,omitempty"`
+	// EnvoyExtensions are a list of extensions to modify Envoy proxy configuration.
+	EnvoyExtensions EnvoyExtensions `json:"envoyExtensions,omitempty"`
 }
 
 func (in *ProxyDefaults) GetObjectMeta() metav1.ObjectMeta {
@@ -168,6 +170,7 @@ func (in *ProxyDefaults) ToConsul(datacenter string) capi.ConfigEntry {
 		Config:           consulConfig,
 		TransparentProxy: in.Spec.TransparentProxy.toConsul(),
 		AccessLogs:       in.Spec.AccessLogs.toConsul(),
+		EnvoyExtensions:  in.Spec.EnvoyExtensions.toConsul(),
 		Meta:             meta(datacenter),
 	}
 }
@@ -202,6 +205,8 @@ func (in *ProxyDefaults) Validate(_ common.ConsulMeta) error {
 		allErrs = append(allErrs, err)
 	}
 	allErrs = append(allErrs, in.Spec.Expose.validate(path.Child("expose"))...)
+	allErrs = append(allErrs, in.Spec.EnvoyExtensions.validate(path.Child("envoyExtensions"))...)
+
 	if len(allErrs) > 0 {
 		return apierrors.NewInvalid(
 			schema.GroupKind{Group: ConsulHashicorpGroup, Kind: ProxyDefaultsKubeKind},
@@ -239,7 +244,7 @@ func (in *ProxyDefaults) validateConfig(path *field.Path) *field.Error {
 	}
 	var outConfig map[string]interface{}
 	if err := json.Unmarshal(in.Spec.Config, &outConfig); err != nil {
-		return field.Invalid(path, in.Spec.Config, fmt.Sprintf(`must be valid map value: %s`, err))
+		return field.Invalid(path, string(in.Spec.Config), fmt.Sprintf(`must be valid map value: %s`, err))
 	}
 	return nil
 }