diff --git a/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-with-specific-ports.golden b/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-with-specific-ports.golden index ebfeb266a8b6..4c7119d63fa3 100644 --- a/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-with-specific-ports.golden +++ b/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-with-specific-ports.golden @@ -14,7 +14,79 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~http2" + "consul~tcp" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": { + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": {}, + "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" + } + } + } + } + ] + } + } + }, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "public_listener", + "cluster": "local_app:tcp" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + } + } + }, + "requireClientCertificate": true + } + } + }, + { + "filterChainMatch": { + "applicationProtocols": [ + "consul~http" ] }, "filters": [ @@ -24,10 +96,10 @@ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", "statPrefix": "public_listener", "routeConfig": { - "name": "public_listener:http2", + "name": "public_listener:http", "virtualHosts": [ { - "name": "public_listener:http2", + "name": "public_listener:http", "domains": [ "*" ], @@ -37,7 +109,7 @@ "prefix": "/" }, "route": { - "cluster": "local_app:http2" + "cluster": "local_app:http" } } ] @@ -84,7 +156,6 @@ "tracing": { "randomSampling": {} }, - "http2ProtocolOptions": {}, "upgradeConfigs": [ { "upgradeType": "websocket" @@ -115,7 +186,6 @@ } }, "alpnProtocols": [ - "h2", "http/1.1" ] }, @@ -126,7 +196,7 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~grpc" + "consul~http2" ] }, "filters": [ @@ -136,10 +206,10 @@ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", "statPrefix": "public_listener", "routeConfig": { - "name": "public_listener:grpc", + "name": "public_listener:http2", "virtualHosts": [ { - "name": "public_listener:grpc", + "name": "public_listener:http2", "domains": [ "*" ], @@ -149,7 +219,7 @@ "prefix": "/" }, "route": { - "cluster": "local_app:grpc" + "cluster": "local_app:http2" } } ] @@ -157,19 +227,6 @@ ] }, "httpFilters": [ - { - "name": "envoy.filters.http.grpc_stats", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig", - "statsForAllMethods": true - } - }, - { - "name": "envoy.filters.http.grpc_http1_bridge", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_http1_bridge.v3.Config" - } - }, { "name": "envoy.filters.http.rbac", "typedConfig": { @@ -251,79 +308,7 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~tcp" - ] - }, - "filters": [ - { - "name": "envoy.filters.network.rbac", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", - "rules": { - "policies": { - "consul-intentions-layer4": { - "permissions": [ - { - "any": true - } - ], - "principals": [ - { - "authenticated": { - "principalName": { - "safeRegex": { - "googleRe2": {}, - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - } - } - ] - } - } - }, - "statPrefix": "connect_authz" - } - }, - { - "name": "envoy.filters.network.tcp_proxy", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "statPrefix": "public_listener", - "cluster": "local_app:tcp" - } - } - ], - "transportSocket": { - "name": "tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", - "commonTlsContext": { - "tlsParams": {}, - "tlsCertificates": [ - { - "certificateChain": { - "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" - }, - "privateKey": { - "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" - } - } - ], - "validationContext": { - "trustedCa": { - "inlineString": "some-root\nsome-other-root\n" - } - } - }, - "requireClientCertificate": true - } - } - }, - { - "filterChainMatch": { - "applicationProtocols": [ - "consul~http" + "consul~grpc" ] }, "filters": [ @@ -333,10 +318,10 @@ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", "statPrefix": "public_listener", "routeConfig": { - "name": "public_listener:http", + "name": "public_listener:grpc", "virtualHosts": [ { - "name": "public_listener:http", + "name": "public_listener:grpc", "domains": [ "*" ], @@ -346,7 +331,7 @@ "prefix": "/" }, "route": { - "cluster": "local_app:http" + "cluster": "local_app:grpc" } } ] @@ -354,6 +339,19 @@ ] }, "httpFilters": [ + { + "name": "envoy.filters.http.grpc_stats", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig", + "statsForAllMethods": true + } + }, + { + "name": "envoy.filters.http.grpc_http1_bridge", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_http1_bridge.v3.Config" + } + }, { "name": "envoy.filters.http.rbac", "typedConfig": { @@ -393,6 +391,7 @@ "tracing": { "randomSampling": {} }, + "http2ProtocolOptions": {}, "upgradeConfigs": [ { "upgradeType": "websocket" @@ -423,6 +422,7 @@ } }, "alpnProtocols": [ + "h2", "http/1.1" ] }, diff --git a/agent/xdsv2/testdata/listeners/source/single-workload-address-without-ports.golden b/agent/xdsv2/testdata/listeners/source/single-workload-address-without-ports.golden index d5b325713709..fc42b2e7b3fb 100644 --- a/agent/xdsv2/testdata/listeners/source/single-workload-address-without-ports.golden +++ b/agent/xdsv2/testdata/listeners/source/single-workload-address-without-ports.golden @@ -11,6 +11,56 @@ } }, "filterChains": [ + { + "filterChainMatch": { + "applicationProtocols": [ + "consul~tcp" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": {}, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "public_listener", + "cluster": "local_app:tcp" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + } + } + }, + "requireClientCertificate": true + } + } + }, { "filterChainMatch": { "applicationProtocols": [ @@ -291,56 +341,6 @@ "requireClientCertificate": true } } - }, - { - "filterChainMatch": { - "applicationProtocols": [ - "consul~tcp" - ] - }, - "filters": [ - { - "name": "envoy.filters.network.rbac", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", - "rules": {}, - "statPrefix": "connect_authz" - } - }, - { - "name": "envoy.filters.network.tcp_proxy", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "statPrefix": "public_listener", - "cluster": "local_app:tcp" - } - } - ], - "transportSocket": { - "name": "tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", - "commonTlsContext": { - "tlsParams": {}, - "tlsCertificates": [ - { - "certificateChain": { - "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" - }, - "privateKey": { - "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" - } - } - ], - "validationContext": { - "trustedCa": { - "inlineString": "some-root\nsome-other-root\n" - } - } - }, - "requireClientCertificate": true - } - } } ], "listenerFilters": [ diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/single-workload-address-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/single-workload-address-without-ports.golden index b210cf8199e6..3316d7161ead 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/single-workload-address-without-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/single-workload-address-without-ports.golden @@ -108,18 +108,16 @@ } } }, - "l7": { - "protocol": "L7_PROTOCOL_GRPC", - "route": { - "name": "public_listener:grpc" + "l4": { + "cluster": { + "name": "local_app:tcp" }, "statPrefix": "public_listener", - "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~grpc" + "consul~tcp" ] } }, @@ -134,16 +132,17 @@ } } }, - "l4": { - "cluster": { - "name": "local_app:tcp" + "l7": { + "route": { + "name": "public_listener:http" }, "statPrefix": "public_listener", + "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~tcp" + "consul~http" ] } }, @@ -159,8 +158,9 @@ } }, "l7": { + "protocol": "L7_PROTOCOL_HTTP2", "route": { - "name": "public_listener:http" + "name": "public_listener:http2" }, "statPrefix": "public_listener", "staticRoute": true, @@ -168,7 +168,7 @@ }, "match": { "alpnProtocols": [ - "consul~http" + "consul~http2" ] } }, @@ -184,9 +184,9 @@ } }, "l7": { - "protocol": "L7_PROTOCOL_HTTP2", + "protocol": "L7_PROTOCOL_GRPC", "route": { - "name": "public_listener:http2" + "name": "public_listener:grpc" }, "statPrefix": "public_listener", "staticRoute": true, @@ -194,7 +194,7 @@ }, "match": { "alpnProtocols": [ - "consul~http2" + "consul~grpc" ] } } diff --git a/internal/mesh/internal/controllers/xds/testdata/source/single-workload-address-without-ports.golden b/internal/mesh/internal/controllers/xds/testdata/source/single-workload-address-without-ports.golden index 013ddaf47e6f..b5d20a1a4c66 100644 --- a/internal/mesh/internal/controllers/xds/testdata/source/single-workload-address-without-ports.golden +++ b/internal/mesh/internal/controllers/xds/testdata/source/single-workload-address-without-ports.golden @@ -113,18 +113,16 @@ } } }, - "l7": { - "protocol": "L7_PROTOCOL_GRPC", - "route": { - "name": "public_listener:grpc" + "l4": { + "cluster": { + "name": "local_app:tcp" }, "statPrefix": "public_listener", - "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~grpc" + "consul~tcp" ] } }, @@ -139,16 +137,17 @@ } } }, - "l4": { - "cluster": { - "name": "local_app:tcp" + "l7": { + "route": { + "name": "public_listener:http" }, "statPrefix": "public_listener", + "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~tcp" + "consul~http" ] } }, @@ -164,8 +163,9 @@ } }, "l7": { + "protocol": "L7_PROTOCOL_HTTP2", "route": { - "name": "public_listener:http" + "name": "public_listener:http2" }, "statPrefix": "public_listener", "staticRoute": true, @@ -173,7 +173,7 @@ }, "match": { "alpnProtocols": [ - "consul~http" + "consul~http2" ] } }, @@ -189,9 +189,9 @@ } }, "l7": { - "protocol": "L7_PROTOCOL_HTTP2", + "protocol": "L7_PROTOCOL_GRPC", "route": { - "name": "public_listener:http2" + "name": "public_listener:grpc" }, "statPrefix": "public_listener", "staticRoute": true, @@ -199,7 +199,7 @@ }, "match": { "alpnProtocols": [ - "consul~http2" + "consul~grpc" ] } }