peering: support peering establishment over mesh gateways, remove ability to pass external addresses to token generation endpoint

.circleci/config.yml

@@ -520,7 +520,7 @@ jobs:
             - ~/.go_workspace/pkg/mod
       - run: mkdir -p $TEST_RESULTS
       - run-acceptance-tests:
-          failfast: true
+          failfast: false
           additional-flags: -use-kind -kubecontext="kind-dc1" -secondary-kubecontext="kind-dc2" -consul-image=hashicorppreview/consul-enterprise:1.14-dev
       - store_test_results:
           path: /tmp/test-results
@@ -1065,7 +1065,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
 
       - run-acceptance-tests:
-          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-openshift -enable-transparent-proxy -consul-image=hashicorppreview/consul-enterprise:1.14-dev
+          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-openshift -enable-transparent-proxy -consul-image=hashicorppreview/consul-enterprise:1.14-dev -run TestPeering_Connect
 
       - store_test_results:
           path: /tmp/test-results
@@ -1296,6 +1296,21 @@ workflows:
 #          context: consul-ci
 #          requires:
 #            - dev-upload-docker
+      - cleanup-gcp-resources
+      - cleanup-azure-resources
+      - cleanup-eks-resources
+      - acceptance-gke-1-23:
+          requires:
+            - cleanup-gcp-resources
+            - dev-upload-docker
+      - acceptance-eks-1-21:
+          requires:
+            - cleanup-eks-resources
+            - dev-upload-docker
+      - acceptance-aks-1-22:
+          requires:
+            - cleanup-azure-resources
+            - dev-upload-docker
   nightly-acceptance-tests:
     triggers:
       - schedule:

CHANGELOG.md

@@ -1,7 +1,10 @@
 ## UNRELEASED
 
 FEATURES:
-* Peering: Add support for `PeerThroughMeshGateways` in Mesh CRD. [[GH-1478](https://github.com/hashicorp/consul-k8s/pull/1478)]
+* Peering:
+  * Add support for `PeerThroughMeshGateways` in Mesh CRD. [[GH-1478](https://github.com/hashicorp/consul-k8s/pull/1478)]
+  * move support for customizing the server addresses in peering token generation. Instead, mesh gateways should be used
+    to establish peering connections if the server pods are not directly reachable. [[GH-1610](https://github.com/hashicorp/consul-k8s/pull/1610)]
 
 BREAKING CHANGES:
 * Helm:

acceptance/framework/k8s/deploy.go

@@ -96,7 +96,7 @@ func CheckStaticServerConnectionMultipleFailureMessages(t *testing.T, options *k
 		expectedOutput = expectedSuccessOutput
 	}
 
-	retrier := &retry.Timer{Timeout: 160 * time.Second, Wait: 2 * time.Second}
+	retrier := &retry.Timer{Timeout: 320 * time.Second, Wait: 2 * time.Second}
 
 	args := []string{"exec", "deploy/" + sourceApp, "-c", sourceApp, "--", "curl", "-vvvsSf"}
 	args = append(args, curlArgs...)

acceptance/tests/fixtures/bases/mesh-peering/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - meshpeering.yaml

acceptance/tests/fixtures/bases/mesh-peering/meshpeering.yaml

@@ -0,0 +1,7 @@
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: Mesh
+metadata:
+  name: mesh
+spec:
+  peering:
+    peerThroughMeshGateways: true

acceptance/tests/peering/peering_connect_namespaces_test.go

@@ -97,6 +97,9 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 			staticClientPeerClusterContext := env.Context(t, environment.SecondaryContextName)
 
 			commonHelmValues := map[string]string{
+				"global.imageK8S": "ndhanushkodi/consul-k8s-dev:pmgw1",
+				"global.image":    "ndhanushkodi/consul-dev:peermeshgw2",
+
 				"global.peering.enabled":        "true",
 				"global.enableConsulNamespaces": "true",
 
@@ -135,8 +138,6 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 				staticServerPeerHelmValues["server.exposeGossipAndRPCPorts"] = "true"
 				staticServerPeerHelmValues["meshGateway.service.type"] = "NodePort"
 				staticServerPeerHelmValues["meshGateway.service.nodePort"] = "30100"
-				staticServerPeerHelmValues["server.exposeService.type"] = "NodePort"
-				staticServerPeerHelmValues["server.exposeService.nodePort.grpc"] = "30200"
 			}
 
 			releaseName := helpers.RandomName()
@@ -159,8 +160,6 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 				staticClientPeerHelmValues["server.exposeGossipAndRPCPorts"] = "true"
 				staticClientPeerHelmValues["meshGateway.service.type"] = "NodePort"
 				staticClientPeerHelmValues["meshGateway.service.nodePort"] = "30100"
-				staticClientPeerHelmValues["server.exposeService.type"] = "NodePort"
-				staticClientPeerHelmValues["server.exposeService.nodePort.grpc"] = "30200"
 			}
 
 			helpers.MergeMaps(staticClientPeerHelmValues, commonHelmValues)
@@ -169,6 +168,20 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 			staticClientPeerCluster := consul.NewHelmCluster(t, staticClientPeerHelmValues, staticClientPeerClusterContext, cfg, releaseName)
 			staticClientPeerCluster.Create(t)
 
+			// Create Mesh resource to use mesh gateways.
+			logger.Log(t, "creating mesh config")
+			kustomizeMeshDir := "../fixtures/bases/mesh-peering"
+
+			k8s.KubectlApplyK(t, staticServerPeerClusterContext.KubectlOptions(t), kustomizeMeshDir)
+			helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
+				k8s.KubectlDeleteK(t, staticServerPeerClusterContext.KubectlOptions(t), kustomizeMeshDir)
+			})
+
+			k8s.KubectlApplyK(t, staticClientPeerClusterContext.KubectlOptions(t), kustomizeMeshDir)
+			helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
+				k8s.KubectlDeleteK(t, staticClientPeerClusterContext.KubectlOptions(t), kustomizeMeshDir)
+			})
+
 			// Create the peering acceptor on the client peer.
 			k8s.KubectlApply(t, staticClientPeerClusterContext.KubectlOptions(t), "../fixtures/bases/peering/peering-acceptor.yaml")
 			helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {

acceptance/tests/peering/peering_connect_test.go

@@ -53,10 +53,14 @@ func TestPeering_Connect(t *testing.T) {
 
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
+			fmt.Println("starting test")
 			staticServerPeerClusterContext := env.DefaultContext(t)
 			staticClientPeerClusterContext := env.Context(t, environment.SecondaryContextName)
 
 			commonHelmValues := map[string]string{
+				"global.imageK8S": "ndhanushkodi/consul-k8s-dev:pmgw1",
+				"global.image":    "ndhanushkodi/consul-dev:peermeshgw2",
+
 				"global.peering.enabled": "true",
 
 				"global.tls.enabled":   "true",
@@ -73,6 +77,7 @@ func TestPeering_Connect(t *testing.T) {
 
 				"dns.enabled":           "true",
 				"dns.enableRedirection": strconv.FormatBool(cfg.EnableTransparentProxy),
+				"peering.tokenGeneration.serverAddresses.source": "consul",
 			}
 
 			staticServerPeerHelmValues := map[string]string{
@@ -90,14 +95,13 @@ func TestPeering_Connect(t *testing.T) {
 				staticServerPeerHelmValues["server.exposeGossipAndRPCPorts"] = "true"
 				staticServerPeerHelmValues["meshGateway.service.type"] = "NodePort"
 				staticServerPeerHelmValues["meshGateway.service.nodePort"] = "30100"
-				staticServerPeerHelmValues["server.exposeService.type"] = "NodePort"
-				staticServerPeerHelmValues["server.exposeService.nodePort.grpc"] = "30200"
 			}
 
 			releaseName := helpers.RandomName()
 
 			helpers.MergeMaps(staticServerPeerHelmValues, commonHelmValues)
 
+			fmt.Println("install first peer")
 			// Install the first peer where static-server will be deployed in the static-server kubernetes context.
 			staticServerPeerCluster := consul.NewHelmCluster(t, staticServerPeerHelmValues, staticServerPeerClusterContext, cfg, releaseName)
 			staticServerPeerCluster.Create(t)
@@ -107,23 +111,38 @@ func TestPeering_Connect(t *testing.T) {
 			}
 
 			if !cfg.UseKind {
-				staticServerPeerHelmValues["server.replicas"] = "3"
+				staticClientPeerHelmValues["server.replicas"] = "3"
 			}
 
 			if cfg.UseKind {
 				staticClientPeerHelmValues["server.exposeGossipAndRPCPorts"] = "true"
 				staticClientPeerHelmValues["meshGateway.service.type"] = "NodePort"
 				staticClientPeerHelmValues["meshGateway.service.nodePort"] = "30100"
-				staticClientPeerHelmValues["server.exposeService.type"] = "NodePort"
-				staticClientPeerHelmValues["server.exposeService.nodePort.grpc"] = "30200"
 			}
 
 			helpers.MergeMaps(staticClientPeerHelmValues, commonHelmValues)
 
+			fmt.Println("install second (client) peer")
 			// Install the second peer where static-client will be deployed in the static-client kubernetes context.
 			staticClientPeerCluster := consul.NewHelmCluster(t, staticClientPeerHelmValues, staticClientPeerClusterContext, cfg, releaseName)
 			staticClientPeerCluster.Create(t)
 
+			fmt.Println("configure mesh resource so peering token will have mesh gateway addrs")
+			// Create Mesh resource to use mesh gateways.
+			logger.Log(t, "creating mesh config")
+			kustomizeMeshDir := "../fixtures/bases/mesh-peering"
+
+			k8s.KubectlApplyK(t, staticServerPeerClusterContext.KubectlOptions(t), kustomizeMeshDir)
+			helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
+				k8s.KubectlDeleteK(t, staticServerPeerClusterContext.KubectlOptions(t), kustomizeMeshDir)
+			})
+
+			k8s.KubectlApplyK(t, staticClientPeerClusterContext.KubectlOptions(t), kustomizeMeshDir)
+			helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
+				k8s.KubectlDeleteK(t, staticClientPeerClusterContext.KubectlOptions(t), kustomizeMeshDir)
+			})
+
+			fmt.Println("create acceptor on (client) peer")
 			// Create the peering acceptor on the client peer.
 			k8s.KubectlApply(t, staticClientPeerClusterContext.KubectlOptions(t), "../fixtures/bases/peering/peering-acceptor.yaml")
 			helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
@@ -138,9 +157,13 @@ func TestPeering_Connect(t *testing.T) {
 				require.NotEmpty(r, acceptorSecretName)
 			})
 
+			fmt.Println("copying secret from client peer to server peer, printing contents:")
 			// Copy secret from client peer to server peer.
 			k8s.CopySecret(t, staticClientPeerClusterContext, staticServerPeerClusterContext, "api-token")
+			resp, _ := k8s.RunKubectlAndGetOutputE(t, staticClientPeerClusterContext.KubectlOptions(t), "secret", "api-token", "-o", "yaml")
+			fmt.Println(resp)
 
+			fmt.Println("creating peering dialer on server peer")
 			// Create the peering dialer on the server peer.
 			k8s.KubectlApply(t, staticServerPeerClusterContext.KubectlOptions(t), "../fixtures/bases/peering/peering-dialer.yaml")
 			helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
@@ -261,6 +284,7 @@ func TestPeering_Connect(t *testing.T) {
 			} else {
 				k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, "http://localhost:1234")
 			}
+
 		})
 	}
 }

charts/consul/templates/connect-inject-deployment.yaml

@@ -4,8 +4,7 @@
 {{ template "consul.validateVaultWebhookCertConfiguration" . }}
 {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }}
 {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
-{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") (or .Values.global.peering.enabled .Values.global.adminPartitions.enabled))) -}}
-{{- if not (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") (eq .Values.global.peering.tokenGeneration.serverAddresses.source "consul"))) }}{{ fail "global.peering.tokenGeneration.serverAddresses.source must be one of empty string, 'consul' or 'static'" }}{{ end }}
+{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
 {{ template "consul.validateCloudConfiguration" . }}
 # The deployment for running the Connect sidecar injector
@@ -141,23 +140,6 @@ spec:
                 -enable-cni={{ .Values.connectInject.cni.enabled }} \
                 {{- if .Values.global.peering.enabled }}
                 -enable-peering=true \
-                {{- if (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") }}
-                {{- if (and $serverEnabled $serverExposeServiceEnabled) }}
-                -read-server-expose-service=true \
-                {{- else }}
-                {{- if .Values.externalServers.enabled }}
-                {{- $port := .Values.externalServers.grpcPort }}
-                {{- range $h := .Values.externalServers.hosts }}
-                -token-server-address="{{ $h }}:{{ $port }}" \
-                {{- end }}
-                {{- end }}
-                {{- end }}
-                {{- end }}
-                {{- if (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") }}
-                {{- range $addr := .Values.global.peering.tokenGeneration.serverAddresses.static }}
-                -token-server-address="{{ $addr }}" \
-                {{- end }}
-                {{- end }}
                 {{- end }}
                 {{- if .Values.global.openshift.enabled }}
                 -enable-openshift \

charts/consul/templates/mesh-gateway-deployment.yaml

@@ -237,7 +237,7 @@ spec:
             {{- if .Values.global.adminPartitions.enabled }}
             -service-partition={{ .Values.global.adminPartitions.name }} \
             {{- end }}
-            -log-level={{ default .Values.global.logLevel }} \
+            -log-level="trace" \
             -log-json={{ .Values.global.logJSON }}
         livenessProbe:
           tcpSocket:

charts/consul/templates/server-config-configmap.yaml

@@ -27,7 +27,12 @@ data:
       "data_dir": "/consul/data",
       "domain": "{{ .Values.global.domain }}",
       "ports": {
+        {{- if not .Values.global.tls.enabled }}
         "grpc": 8502,
+        {{- end }}
+        {{- if .Values.global.tls.enabled }}
+        "grpc_tls": 8502,
+        {{- end }}
         "serf_lan": {{ .Values.server.ports.serflan.port }}
       },
       "recursors": {{ .Values.global.recursors | toJson }},