single port destinations working except mixed destinations

internal/mesh/internal/controllers/xds/controller_test.go

@@ -1006,9 +1006,9 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() {
 	path := "../sidecarproxy/builder/testdata"
 	cases := []string{
 		"destination/l4-single-destination-ip-port-bind-address",
-		//"destination/l4-single-destination-unix-socket-bind-address",
-		//"destination/l4-multi-destination",
-		//"destination/mixed-multi-destination",
+		"destination/l4-single-destination-unix-socket-bind-address",
+		"destination/l4-multi-destination",
+		"destination/mixed-multi-destination",
 	}
 
 	for _, name := range cases {
@@ -1093,8 +1093,18 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() {
 			require.NotNil(suite.T(), proxyStateTemplate)
 
 			reconciledPS := suite.updater.Get(proxyStateTemplate.Id.Name)
-			actual := prototest.ProtoToJSON(suite.T(), reconciledPS)
 
+			// Verify leaf cert contents then hard code them for comparison
+			// and downstream tests since they change from test run to test run.
+			require.NotEmpty(suite.T(), reconciledPS.LeafCertificates)
+			reconciledPS.LeafCertificates = map[string]*pbproxystate.LeafCertificate{
+				"test-identity": {
+					Cert: "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n",
+					Key:  "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n",
+				},
+			}
+
+			actual := prototest.ProtoToJSON(suite.T(), reconciledPS)
 			expected := golden.Get(suite.T(), actual, name+".golden")
 
 			require.JSONEq(suite.T(), expected, actual)

internal/mesh/internal/controllers/xds/testdata/destination/l4-multi-destination.golden

@@ -0,0 +1,296 @@
+{
+  "clusters": {
+    "null_route_cluster": {
+      "endpointGroup": {
+        "static": {
+          "config": {
+            "connectTimeout": "10s"
+          }
+        }
+      },
+      "name": "null_route_cluster"
+    },
+    "tcp.api-1.default.dc1.internal.foo.consul": {
+      "altStatName": "tcp.api-1.default.dc1.internal.foo.consul",
+      "endpointGroup": {
+        "dynamic": {
+          "config": {
+            "connectTimeout": "5s",
+            "disablePanicThreshold": true
+          },
+          "outboundTls": {
+            "alpnProtocols": [
+              "consul~tcp"
+            ],
+            "outboundMesh": {
+              "identityKey": "test-identity",
+              "sni": "api-1.default.dc1.internal.foo.consul",
+              "validationContext": {
+                "spiffeIds": [
+                  "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
+                ],
+                "trustBundlePeerNameKey": "local"
+              }
+            }
+          }
+        }
+      },
+      "name": "tcp.api-1.default.dc1.internal.foo.consul"
+    },
+    "tcp.api-2.default.dc1.internal.foo.consul": {
+      "altStatName": "tcp.api-2.default.dc1.internal.foo.consul",
+      "endpointGroup": {
+        "dynamic": {
+          "config": {
+            "connectTimeout": "5s",
+            "disablePanicThreshold": true
+          },
+          "outboundTls": {
+            "alpnProtocols": [
+              "consul~tcp"
+            ],
+            "outboundMesh": {
+              "identityKey": "test-identity",
+              "sni": "api-2.default.dc1.internal.foo.consul",
+              "validationContext": {
+                "spiffeIds": [
+                  "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity"
+                ],
+                "trustBundlePeerNameKey": "local"
+              }
+            }
+          }
+        }
+      },
+      "name": "tcp.api-2.default.dc1.internal.foo.consul"
+    },
+    "tcp2.api-1.default.dc1.internal.foo.consul": {
+      "altStatName": "tcp2.api-1.default.dc1.internal.foo.consul",
+      "endpointGroup": {
+        "dynamic": {
+          "config": {
+            "connectTimeout": "5s",
+            "disablePanicThreshold": true
+          },
+          "outboundTls": {
+            "alpnProtocols": [
+              "consul~tcp2"
+            ],
+            "outboundMesh": {
+              "identityKey": "test-identity",
+              "sni": "api-1.default.dc1.internal.foo.consul",
+              "validationContext": {
+                "spiffeIds": [
+                  "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
+                ],
+                "trustBundlePeerNameKey": "local"
+              }
+            }
+          }
+        }
+      },
+      "name": "tcp2.api-1.default.dc1.internal.foo.consul"
+    },
+    "tcp2.api-2.default.dc1.internal.foo.consul": {
+      "altStatName": "tcp2.api-2.default.dc1.internal.foo.consul",
+      "endpointGroup": {
+        "dynamic": {
+          "config": {
+            "connectTimeout": "5s",
+            "disablePanicThreshold": true
+          },
+          "outboundTls": {
+            "alpnProtocols": [
+              "consul~tcp2"
+            ],
+            "outboundMesh": {
+              "identityKey": "test-identity",
+              "sni": "api-2.default.dc1.internal.foo.consul",
+              "validationContext": {
+                "spiffeIds": [
+                  "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity"
+                ],
+                "trustBundlePeerNameKey": "local"
+              }
+            }
+          }
+        }
+      },
+      "name": "tcp2.api-2.default.dc1.internal.foo.consul"
+    }
+  },
+  "identity": {
+    "name": "test-identity",
+    "tenancy": {
+      "namespace": "default",
+      "partition": "default",
+      "peerName": "local"
+    },
+    "type": {
+      "group": "auth",
+      "groupVersion": "v2beta1",
+      "kind": "WorkloadIdentity"
+    }
+  },
+  "listeners": [
+    {
+      "direction": "DIRECTION_OUTBOUND",
+      "hostPort": {
+        "host": "1.1.1.1",
+        "port": 1234
+      },
+      "name": "default/local/default/api-1:tcp:1.1.1.1:1234",
+      "routers": [
+        {
+          "l4": {
+            "statPrefix": "upstream.tcp.api-1.default.default.dc1",
+            "weightedClusters": {
+              "clusters": [
+                {
+                  "name": "tcp.api-2.default.dc1.internal.foo.consul",
+                  "weight": 60
+                },
+                {
+                  "name": "tcp.api-1.default.dc1.internal.foo.consul",
+                  "weight": 40
+                },
+                {
+                  "name": "null_route_cluster",
+                  "weight": 10
+                }
+              ]
+            }
+          }
+        }
+      ]
+    },
+    {
+      "direction": "DIRECTION_OUTBOUND",
+      "name": "default/local/default/api-2:tcp:/path/to/socket",
+      "routers": [
+        {
+          "l4": {
+            "cluster": {
+              "name": "tcp.api-2.default.dc1.internal.foo.consul"
+            },
+            "statPrefix": "upstream.tcp.api-2.default.default.dc1"
+          }
+        }
+      ],
+      "unixSocket": {
+        "mode": "0666",
+        "path": "/path/to/socket"
+      }
+    },
+    {
+      "direction": "DIRECTION_OUTBOUND",
+      "hostPort": {
+        "host": "1.1.1.1",
+        "port": 2345
+      },
+      "name": "default/local/default/api-1:tcp2:1.1.1.1:2345",
+      "routers": [
+        {
+          "l4": {
+            "statPrefix": "upstream.tcp2.api-1.default.default.dc1",
+            "weightedClusters": {
+              "clusters": [
+                {
+                  "name": "tcp2.api-2.default.dc1.internal.foo.consul",
+                  "weight": 60
+                },
+                {
+                  "name": "tcp2.api-1.default.dc1.internal.foo.consul",
+                  "weight": 40
+                },
+                {
+                  "name": "null_route_cluster",
+                  "weight": 10
+                }
+              ]
+            }
+          }
+        }
+      ]
+    },
+    {
+      "direction": "DIRECTION_OUTBOUND",
+      "name": "default/local/default/api-2:tcp2:/path/to/socket",
+      "routers": [
+        {
+          "l4": {
+            "cluster": {
+              "name": "tcp2.api-2.default.dc1.internal.foo.consul"
+            },
+            "statPrefix": "upstream.tcp2.api-2.default.default.dc1"
+          }
+        }
+      ],
+      "unixSocket": {
+        "mode": "0666",
+        "path": "/path/to/socket"
+      }
+    }
+  ],
+  "endpoints": {
+    "tcp.api-1.default.dc1.internal.foo.consul": {
+      "endpoints": [
+        {
+          "healthStatus": "HEALTH_STATUS_HEALTHY",
+          "hostPort": {
+            "host": "10.1.1.1",
+            "port": 20000
+          }
+        }
+      ]
+    },
+    "tcp.api-2.default.dc1.internal.foo.consul": {
+      "endpoints": [
+        {
+          "healthStatus": "HEALTH_STATUS_HEALTHY",
+          "hostPort": {
+            "host": "10.1.1.1",
+            "port": 20000
+          }
+        }
+      ]
+    },
+    "tcp2.api-1.default.dc1.internal.foo.consul": {
+      "endpoints": [
+        {
+          "healthStatus": "HEALTH_STATUS_HEALTHY",
+          "hostPort": {
+            "host": "10.1.1.1",
+            "port": 20000
+          }
+        }
+      ]
+    },
+    "tcp2.api-2.default.dc1.internal.foo.consul": {
+      "endpoints": [
+        {
+          "healthStatus": "HEALTH_STATUS_HEALTHY",
+          "hostPort": {
+            "host": "10.1.1.1",
+            "port": 20000
+          }
+        }
+      ]
+    }
+  },
+  "trustBundles": {
+    "local": {
+      "roots": [
+        "some-root",
+        "some-other-root"
+      ],
+      "trustDomain": "some-trust-domain"
+    }
+  },
+  "leafCertificates": {
+    "test-identity": {
+      "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n",
+      "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n"
+    }
+  }
+}