Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc

config: rename `ports.grpc` to `ports.xds`

.changelog/10588.txt

@@ -0,0 +1,4 @@
+```release-note:deprecation
+config: the `ports.grpc` and `addresses.grpc` configuration settings have been renamed to `ports.xds` and `addresses.xds` to better match their function.
+```
+

agent/agent.go

@@ -617,8 +617,7 @@ func (a *Agent) Start(ctx context.Context) error {
 		a.apiServers.Start(srv)
 	}
 
-	// Start gRPC server.
-	if err := a.listenAndServeGRPC(); err != nil {
+	if err := a.listenAndServeXDS(); err != nil {
 		return err
 	}
 
@@ -661,8 +660,8 @@ func (a *Agent) Failed() <-chan struct{} {
 	return a.apiServers.failed
 }
 
-func (a *Agent) listenAndServeGRPC() error {
-	if len(a.config.GRPCAddrs) < 1 {
+func (a *Agent) listenAndServeXDS() error {
+	if len(a.config.XDSAddrs) < 1 {
 		return nil
 	}
 
@@ -682,13 +681,9 @@ func (a *Agent) listenAndServeGRPC() error {
 	if a.config.HTTPSPort <= 0 {
 		tlsConfig = nil
 	}
-	var err error
-	a.grpcServer, err = xdsServer.GRPCServer(tlsConfig)
-	if err != nil {
-		return err
-	}
+	a.grpcServer = xds.NewGRPCServer(xdsServer, tlsConfig)
 
-	ln, err := a.startListeners(a.config.GRPCAddrs)
+	ln, err := a.startListeners(a.config.XDSAddrs)
 	if err != nil {
 		return err
 	}

agent/agent_endpoint.go

@@ -38,11 +38,12 @@ type Self struct {
 	Member      serf.Member
 	Stats       map[string]map[string]string
 	Meta        map[string]string
-	XDS         *xdsSelf `json:"xDS,omitempty"`
+	XDS         *XDSSelf `json:"xDS,omitempty"`
 }
 
-type xdsSelf struct {
+type XDSSelf struct {
 	SupportedProxies map[string][]string
+	Port             int
 }
 
 func (s *HTTPHandlers) AgentSelf(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
@@ -65,12 +66,13 @@ func (s *HTTPHandlers) AgentSelf(resp http.ResponseWriter, req *http.Request) (i
 		}
 	}
 
-	var xds *xdsSelf
+	var xds *XDSSelf
 	if s.agent.grpcServer != nil {
-		xds = &xdsSelf{
+		xds = &XDSSelf{
 			SupportedProxies: map[string][]string{
 				"envoy": proxysupport.EnvoyVersions,
 			},
+			Port: s.agent.config.XDSPort,
 		}
 	}
 
@@ -91,9 +93,14 @@ func (s *HTTPHandlers) AgentSelf(resp http.ResponseWriter, req *http.Request) (i
 		Server:            s.agent.config.ServerMode,
 		Version:           s.agent.config.Version,
 	}
+	debugConfig := s.agent.config.Sanitized()
+	// Backwards compat for the envoy command. Never use DebugConfig for
+	// programmatic access to data.
+	debugConfig["GRPCPort"] = s.agent.config.XDSPort
+
 	return Self{
 		Config:      config,
-		DebugConfig: s.agent.config.Sanitized(),
+		DebugConfig: debugConfig,
 		Coord:       cs[s.agent.config.SegmentName],
 		Member:      s.agent.LocalMember(),
 		Stats:       s.agent.Stats(),

agent/config/builder.go

@@ -428,7 +428,10 @@ func (b *builder) Build() (rt RuntimeConfig, err error) {
 	httpPort := b.portVal("ports.http", c.Ports.HTTP)
 	httpsPort := b.portVal("ports.https", c.Ports.HTTPS)
 	serverPort := b.portVal("ports.server", c.Ports.Server)
-	grpcPort := b.portVal("ports.grpc", c.Ports.GRPC)
+	if c.Ports.XDS == nil {
+		c.Ports.XDS = c.Ports.GRPC
+	}
+	xdsPort := b.portVal("ports.xds", c.Ports.XDS)
 	serfPortLAN := b.portVal("ports.serf_lan", c.Ports.SerfLAN)
 	serfPortWAN := b.portVal("ports.serf_wan", c.Ports.SerfWAN)
 	proxyMinPort := b.portVal("ports.proxy_min_port", c.Ports.ProxyMinPort)
@@ -555,7 +558,10 @@ func (b *builder) Build() (rt RuntimeConfig, err error) {
 	dnsAddrs := b.makeAddrs(b.expandAddrs("addresses.dns", c.Addresses.DNS), clientAddrs, dnsPort)
 	httpAddrs := b.makeAddrs(b.expandAddrs("addresses.http", c.Addresses.HTTP), clientAddrs, httpPort)
 	httpsAddrs := b.makeAddrs(b.expandAddrs("addresses.https", c.Addresses.HTTPS), clientAddrs, httpsPort)
-	grpcAddrs := b.makeAddrs(b.expandAddrs("addresses.grpc", c.Addresses.GRPC), clientAddrs, grpcPort)
+	if c.Addresses.XDS == nil {
+		c.Addresses.XDS = c.Addresses.GRPC
+	}
+	xdsAddrs := b.makeAddrs(b.expandAddrs("addresses.xds", c.Addresses.XDS), clientAddrs, xdsPort)
 
 	for _, a := range dnsAddrs {
 		if x, ok := a.(*net.TCPAddr); ok {
@@ -1013,8 +1019,8 @@ func (b *builder) Build() (rt RuntimeConfig, err error) {
 		EncryptKey:                 stringVal(c.EncryptKey),
 		EncryptVerifyIncoming:      boolVal(c.EncryptVerifyIncoming),
 		EncryptVerifyOutgoing:      boolVal(c.EncryptVerifyOutgoing),
-		GRPCPort:                   grpcPort,
-		GRPCAddrs:                  grpcAddrs,
+		XDSPort:                    xdsPort,
+		XDSAddrs:                   xdsAddrs,
 		HTTPMaxConnsPerClient:      intVal(c.Limits.HTTPMaxConnsPerClient),
 		HTTPSHandshakeTimeout:      b.durationVal("limits.https_handshake_timeout", c.Limits.HTTPSHandshakeTimeout),
 		KeyFile:                    stringVal(c.KeyFile),

agent/config/config.go

@@ -340,7 +340,10 @@ type Addresses struct {
 	DNS   *string `mapstructure:"dns"`
 	HTTP  *string `mapstructure:"http"`
 	HTTPS *string `mapstructure:"https"`
-	GRPC  *string `mapstructure:"grpc"`
+	XDS   *string `mapstructure:"xds"`
+
+	// Deprecated: replaced by XDS
+	GRPC *string `mapstructure:"grpc"`
 }
 
 type AdvertiseAddrsConfig struct {
@@ -690,13 +693,16 @@ type Ports struct {
 	SerfLAN        *int `mapstructure:"serf_lan"`
 	SerfWAN        *int `mapstructure:"serf_wan"`
 	Server         *int `mapstructure:"server"`
-	GRPC           *int `mapstructure:"grpc"`
+	XDS            *int `mapstructure:"xds"`
 	ProxyMinPort   *int `mapstructure:"proxy_min_port"`
 	ProxyMaxPort   *int `mapstructure:"proxy_max_port"`
 	SidecarMinPort *int `mapstructure:"sidecar_min_port"`
 	SidecarMaxPort *int `mapstructure:"sidecar_max_port"`
 	ExposeMinPort  *int `mapstructure:"expose_min_port"`
 	ExposeMaxPort  *int `mapstructure:"expose_max_port"`
+
+	// Deprecated: replaced by XDS
+	GRPC *int `mapstructure:"grpc"`
 }
 
 type UnixSocket struct {

agent/config/flags.go

@@ -53,7 +53,8 @@ func AddFlags(fs *flag.FlagSet, f *LoadOpts) {
 	add(&f.FlagValues.EnableLocalScriptChecks, "enable-local-script-checks", "Enables health check scripts from configuration file.")
 	add(&f.FlagValues.HTTPConfig.AllowWriteHTTPFrom, "allow-write-http-from", "Only allow write endpoint calls from given network. CIDR format, can be specified multiple times.")
 	add(&f.FlagValues.EncryptKey, "encrypt", "Provides the gossip encryption key.")
-	add(&f.FlagValues.Ports.GRPC, "grpc-port", "Sets the gRPC API port to listen on (currently needed for Envoy xDS only).")
+	add(&f.FlagValues.Ports.XDS, "grpc-port", "Deprecated, use xds-port")
+	add(&f.FlagValues.Ports.XDS, "xds-port", "Sets the xDS gRPC port to listen on (used by Envoy proxies).")
 	add(&f.FlagValues.Ports.HTTP, "http-port", "Sets the HTTP API port to listen on.")
 	add(&f.FlagValues.Ports.HTTPS, "https-port", "Sets the HTTPS API port to listen on.")
 	add(&f.FlagValues.StartJoinAddrsLAN, "join", "Address of an agent to join at start time. Can be specified multiple times.")

agent/config/flags_test.go

@@ -49,7 +49,7 @@ func TestAddFlags_WithParse(t *testing.T) {
 		},
 		{
 			args:     []string{`-grpc-port`, `1`},
-			expected: LoadOpts{FlagValues: Config{Ports: Ports{GRPC: pInt(1)}}},
+			expected: LoadOpts{FlagValues: Config{Ports: Ports{XDS: pInt(1)}}},
 		},
 		{
 			args:     []string{`-http-port`, `1`},

agent/config/runtime.go

@@ -715,27 +715,27 @@ type RuntimeConfig struct {
 	// hcl: encrypt_verify_outgoing = (true|false)
 	EncryptVerifyOutgoing bool
 
-	// GRPCPort is the port the gRPC server listens on. Currently this only
+	// XDSPort is the port the xDS gRPC server listens on. This port only
 	// exposes the xDS and ext_authz APIs for Envoy and it is disabled by default.
 	//
-	// hcl: ports { grpc = int }
-	// flags: -grpc-port int
-	GRPCPort int
+	// hcl: ports { xds = int }
+	// flags: -xds-port int
+	XDSPort int
 
-	// GRPCAddrs contains the list of TCP addresses and UNIX sockets the gRPC
-	// server will bind to. If the gRPC endpoint is disabled (ports.grpc <= 0)
+	// XDSAddrs contains the list of TCP addresses and UNIX sockets the xDS gRPC
+	// server will bind to. If the xDS endpoint is disabled (ports.xds <= 0)
 	// the list is empty.
 	//
-	// The addresses are taken from 'addresses.grpc' which should contain a
+	// The addresses are taken from 'addresses.xds' which should contain a
 	// space separated list of ip addresses, UNIX socket paths and/or
 	// go-sockaddr templates. UNIX socket paths must be written as
-	// 'unix://<full path>', e.g. 'unix:///var/run/consul-grpc.sock'.
+	// 'unix://<full path>', e.g. 'unix:///var/run/consul-xds.sock'.
 	//
-	// If 'addresses.grpc' was not provided the 'client_addr' addresses are
+	// If 'addresses.xds' was not provided the 'client_addr' addresses are
 	// used.
 	//
-	// hcl: client_addr = string addresses { grpc = string } ports { grpc = int }
-	GRPCAddrs []net.Addr
+	// hcl: client_addr = string addresses { xds = string } ports { xds = int }
+	XDSAddrs []net.Addr
 
 	// HTTPAddrs contains the list of TCP addresses and UNIX sockets the HTTP
 	// server will bind to. If the HTTP endpoint is disabled (ports.http <= 0)

agent/config/runtime_test.go

@@ -342,8 +342,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.GossipWANProbeTimeout = 100 * time.Millisecond
 			rt.GossipWANSuspicionMult = 3
 			rt.ConsulServerHealthInterval = 10 * time.Millisecond
-			rt.GRPCPort = 8502
-			rt.GRPCAddrs = []net.Addr{tcpAddr("127.0.0.1:8502")}
+			rt.XDSPort = 8502
+			rt.XDSAddrs = []net.Addr{tcpAddr("127.0.0.1:8502")}
 			rt.RPCConfig.EnableStreaming = true
 		},
 	})
@@ -1056,8 +1056,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.HTTPAddrs = []net.Addr{tcpAddr("0.0.0.0:2")}
 			rt.HTTPSPort = 3
 			rt.HTTPSAddrs = []net.Addr{tcpAddr("0.0.0.0:3")}
-			rt.GRPCPort = 4
-			rt.GRPCAddrs = []net.Addr{tcpAddr("0.0.0.0:4")}
+			rt.XDSPort = 4
+			rt.XDSAddrs = []net.Addr{tcpAddr("0.0.0.0:4")}
 			rt.DataDir = dataDir
 		},
 	})
@@ -1129,8 +1129,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.HTTPAddrs = []net.Addr{tcpAddr("2.2.2.2:2")}
 			rt.HTTPSPort = 3
 			rt.HTTPSAddrs = []net.Addr{tcpAddr("3.3.3.3:3")}
-			rt.GRPCPort = 4
-			rt.GRPCAddrs = []net.Addr{tcpAddr("4.4.4.4:4")}
+			rt.XDSPort = 4
+			rt.XDSAddrs = []net.Addr{tcpAddr("4.4.4.4:4")}
 			rt.DataDir = dataDir
 		},
 	})
@@ -1153,8 +1153,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.HTTPAddrs = []net.Addr{tcpAddr("1.2.3.4:2"), tcpAddr("[2001:db8::1]:2")}
 			rt.HTTPSPort = 3
 			rt.HTTPSAddrs = []net.Addr{tcpAddr("1.2.3.4:3"), tcpAddr("[2001:db8::1]:3")}
-			rt.GRPCPort = 4
-			rt.GRPCAddrs = []net.Addr{tcpAddr("1.2.3.4:4"), tcpAddr("[2001:db8::1]:4")}
+			rt.XDSPort = 4
+			rt.XDSAddrs = []net.Addr{tcpAddr("1.2.3.4:4"), tcpAddr("[2001:db8::1]:4")}
 			rt.DataDir = dataDir
 		},
 	})
@@ -1189,8 +1189,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.HTTPAddrs = []net.Addr{tcpAddr("2.2.2.2:2"), unixAddr("unix://http"), tcpAddr("[2001:db8::20]:2")}
 			rt.HTTPSPort = 3
 			rt.HTTPSAddrs = []net.Addr{tcpAddr("3.3.3.3:3"), unixAddr("unix://https"), tcpAddr("[2001:db8::30]:3")}
-			rt.GRPCPort = 4
-			rt.GRPCAddrs = []net.Addr{tcpAddr("4.4.4.4:4"), unixAddr("unix://grpc"), tcpAddr("[2001:db8::40]:4")}
+			rt.XDSPort = 4
+			rt.XDSAddrs = []net.Addr{tcpAddr("4.4.4.4:4"), unixAddr("unix://grpc"), tcpAddr("[2001:db8::40]:4")}
 			rt.DataDir = dataDir
 		},
 	})
@@ -5458,8 +5458,8 @@ func TestLoad_FullConfig(t *testing.T) {
 		EncryptKey:                             "A4wELWqH",
 		EncryptVerifyIncoming:                  true,
 		EncryptVerifyOutgoing:                  true,
-		GRPCPort:                               4881,
-		GRPCAddrs:                              []net.Addr{tcpAddr("32.31.61.91:4881")},
+		XDSPort:                                4881,
+		XDSAddrs:                               []net.Addr{tcpAddr("32.31.61.91:4881")},
 		HTTPAddrs:                              []net.Addr{tcpAddr("83.39.91.39:7999")},
 		HTTPBlockEndpoints:                     []string{"RBvAFcGD", "fWOWFznh"},
 		AllowWriteHTTPFrom:                     []*net.IPNet{cidr("127.0.0.0/8"), cidr("22.33.44.55/32"), cidr("0.0.0.0/0")},

agent/config/testdata/TestRuntimeConfig_Sanitize.golden

@@ -182,8 +182,6 @@
     "EnterpriseRuntimeConfig": {},
     "ExposeMaxPort": 0,
     "ExposeMinPort": 0,
-    "GRPCAddrs": [],
-    "GRPCPort": 0,
     "GossipLANGossipInterval": "0s",
     "GossipLANGossipNodes": 0,
     "GossipLANProbeInterval": "0s",
@@ -410,5 +408,7 @@
     "VerifyServerHostname": false,
     "Version": "",
     "VersionPrerelease": "",
-    "Watches": []
+    "Watches": [],
+    "XDSAddrs": [],
+    "XDSPort": 0
 }

agent/xds/server.go

@@ -543,14 +543,15 @@ func tokenFromContext(ctx context.Context) string {
 	return ""
 }
 
-// GRPCServer returns a server instance that can handle xDS requests.
-func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server, error) {
+// NewGRPCServer creates a grpc.Server, registers the Server, and then returns
+// the grpc.Server.
+func NewGRPCServer(s *Server, tlsConfigurator *tlsutil.Configurator) *grpc.Server {
 	opts := []grpc.ServerOption{
 		grpc.MaxConcurrentStreams(2048),
 	}
 	if tlsConfigurator != nil {
 		if tlsConfigurator.Cert() != nil {
-			creds := credentials.NewTLS(tlsConfigurator.IncomingGRPCConfig())
+			creds := credentials.NewTLS(tlsConfigurator.IncomingXDSConfig())
 			opts = append(opts, grpc.Creds(creds))
 		}
 	}
@@ -560,8 +561,7 @@ func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server
 	if !s.DisableV2Protocol {
 		envoy_discovery_v2.RegisterAggregatedDiscoveryServiceServer(srv, &adsServerV2Shim{srv: s})
 	}
-
-	return srv, nil
+	return srv
 }
 
 func (s *Server) checkStreamACLs(streamCtx context.Context, cfgSnap *proxycfg.ConfigSnapshot) error {

command/agent/agent.go

@@ -200,8 +200,8 @@ func (c *cmd) run(args []string) int {
 	}
 	ui.Info(fmt.Sprintf("    Datacenter: '%s' (Segment: '%s')", config.Datacenter, segment))
 	ui.Info(fmt.Sprintf("        Server: %v (Bootstrap: %v)", config.ServerMode, config.Bootstrap))
-	ui.Info(fmt.Sprintf("   Client Addr: %v (HTTP: %d, HTTPS: %d, gRPC: %d, DNS: %d)", config.ClientAddrs,
-		config.HTTPPort, config.HTTPSPort, config.GRPCPort, config.DNSPort))
+	ui.Info(fmt.Sprintf("   Client Addr: %v (HTTP: %d, HTTPS: %d, xDS: %d, DNS: %d)", config.ClientAddrs,
+		config.HTTPPort, config.HTTPSPort, config.XDSPort, config.DNSPort))
 	ui.Info(fmt.Sprintf("  Cluster Addr: %v (LAN: %d, WAN: %d)", config.AdvertiseAddrLAN,
 		config.SerfPortLAN, config.SerfPortWAN))
 	ui.Info(fmt.Sprintf("       Encrypt: Gossip: %v, TLS-Outgoing: %v, TLS-Incoming: %v, Auto-Encrypt-TLS: %t",

command/connect/envoy/envoy.go

@@ -426,7 +426,7 @@ func (c *cmd) templateArgs() (*BootstrapTplArgs, error) {
 		return nil, err
 	}
 
-	grpcAddr, err := c.grpcAddress(httpCfg)
+	xdsAddr, err := c.xdsAddress(httpCfg)
 	if err != nil {
 		return nil, err
 	}
@@ -471,7 +471,7 @@ func (c *cmd) templateArgs() (*BootstrapTplArgs, error) {
 	caPEM = strings.Replace(strings.Join(pems, ""), "\n", "\\n", -1)
 
 	return &BootstrapTplArgs{
-		GRPC:                  grpcAddr,
+		GRPC:                  xdsAddr,
 		ProxyCluster:          cluster,
 		ProxyID:               c.proxyID,
 		ProxySourceService:    proxySourceService,
@@ -554,13 +554,12 @@ func (c *cmd) generateConfig() ([]byte, error) {
 }
 
 // TODO: make method a function
-func (c *cmd) grpcAddress(httpCfg *api.Config) (GRPC, error) {
+func (c *cmd) xdsAddress(httpCfg *api.Config) (GRPC, error) {
 	g := GRPC{}
 
 	addr := c.grpcAddr
-	// See if we need to lookup grpcAddr
 	if addr == "" {
-		port, err := c.lookupGRPCPort()
+		port, err := c.lookupXDSPort()
 		if err != nil {
 			c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err))
 		}
@@ -618,11 +617,25 @@ func (c *cmd) grpcAddress(httpCfg *api.Config) (GRPC, error) {
 	return g, nil
 }
 
-func (c *cmd) lookupGRPCPort() (int, error) {
+func (c *cmd) lookupXDSPort() (int, error) {
 	self, err := c.client.Agent().Self()
 	if err != nil {
 		return 0, err
 	}
+
+	type response struct {
+		XDS struct {
+			Port int
+		}
+	}
+
+	var resp response
+	if err := mapstructure.Decode(self, &resp); err == nil && resp.XDS.Port != 0 {
+		return resp.XDS.Port, nil
+	}
+
+	// Fallback to old API for the case where a new consul CLI is being used with
+	// an older API version.
 	cfg, ok := self["DebugConfig"]
 	if !ok {
 		return 0, fmt.Errorf("unexpected agent response: no debug config")