diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/destinations.go b/internal/mesh/internal/controllers/sidecarproxy/builder/destinations.go index 6031d72cfd96..ac6015a73835 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/destinations.go +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/destinations.go @@ -290,7 +290,6 @@ func (b *Builder) buildDestination( clusterName := fmt.Sprintf("%s.%s", portName, sni) egName := "" - if details.FailoverConfig != nil { egName = fmt.Sprintf("%s%d~%s", xdscommon.FailoverClusterNamePrefix, 0, clusterName) } diff --git a/internal/mesh/internal/controllers/xds/controller_test.go b/internal/mesh/internal/controllers/xds/controller_test.go index 8d4799e2da28..21b71b8a8c3f 100644 --- a/internal/mesh/internal/controllers/xds/controller_test.go +++ b/internal/mesh/internal/controllers/xds/controller_test.go @@ -7,10 +7,14 @@ import ( "context" "crypto/x509" "encoding/pem" + "fmt" + "strings" "testing" + "github.com/hashicorp/consul/internal/testing/golden" "github.com/stretchr/testify/require" "github.com/stretchr/testify/suite" + "google.golang.org/protobuf/encoding/protojson" svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing" "github.com/hashicorp/consul/agent/leafcert" @@ -998,3 +1002,158 @@ func (suite *xdsControllerTestSuite) TestReconcile_prevWatchesToCancel() { func TestXdsController(t *testing.T) { suite.Run(t, new(xdsControllerTestSuite)) } + +// TestReconcile_SidecarProxyGoldenFileInputs tests the Reconcile() by using +// the golden test output/expected files from the sidecar proxy tests as inputs +// to the XDS controller reconciliation. +// XDS controller reconciles the full ProxyStateTemplate object. The fields +// that things that it focuses on are leaf certs, endpoints, and trust bundles, +// which is just a subset of the ProxyStateTemplate struct. Prior to XDS controller +// reconciliation, the sidecar proxy controller will have reconciled the other parts +// of the ProxyStateTemplate. +// Since the XDS controller does act on the ProxyStateTemplate, the tests +// utilize that entire object rather than just the parts that XDS controller +// internals reconciles. Namely, by using checking the full ProxyStateTemplate +// rather than just endpoints, leaf certs, and trust bundles, the test also ensures +// side effects or change in scope to XDS controller are not introduce mistakenly. +func (suite *xdsControllerTestSuite) TestReconcile_SidecarProxyGoldenFileInputs() { + path := "../sidecarproxy/builder/testdata" + cases := []string{ + // destinations + "destination/l4-single-destination-ip-port-bind-address", + "destination/l4-single-destination-unix-socket-bind-address", + "destination/l4-single-implicit-destination-tproxy", + "destination/l4-multi-destination", + "destination/l4-multiple-implicit-destinations-tproxy", + "destination/l4-implicit-and-explicit-destinations-tproxy", + "destination/mixed-multi-destination", + "destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy", + "destination/multiport-l4-and-l7-single-implicit-destination-tproxy", + "destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy", + + //sources + + } + + for _, name := range cases { + suite.Run(name, func() { + // Create ProxyStateTemplate from the golden file. + pst := JSONToProxyTemplate(suite.T(), + golden.GetBytesAtFilePath(suite.T(), fmt.Sprintf("%s/%s.golden", path, name))) + + // Destinations will need endpoint refs set up. + if strings.Split(name, "/")[0] == "destination" && len(pst.ProxyState.Endpoints) == 0 { + suite.addRequiredEndpointsAndRefs(pst) + } + + // Store the initial ProxyStateTemplate. + proxyStateTemplate := resourcetest.Resource(pbmesh.ProxyStateTemplateType, "test"). + WithData(suite.T(), pst). + Write(suite.T(), suite.client) + + // Check with resource service that it exists. + retry.Run(suite.T(), func(r *retry.R) { + suite.client.RequireResourceExists(r, proxyStateTemplate.Id) + }) + + // Track it in the mapper. + suite.mapper.TrackItem(proxyStateTemplate.Id, []resource.ReferenceOrID{}) + + // Run the reconcile, and since no ProxyStateTemplate is stored, this simulates a deletion. + err := suite.ctl.Reconcile(context.Background(), suite.runtime, controller.Request{ + ID: proxyStateTemplate.Id, + }) + require.NoError(suite.T(), err) + require.NotNil(suite.T(), proxyStateTemplate) + + // Get the reconciled proxyStateTemplate to check the reconcile results. + reconciledPS := suite.updater.Get(proxyStateTemplate.Id.Name) + + // Verify leaf cert contents then hard code them for comparison + // and downstream tests since they change from test run to test run. + require.NotEmpty(suite.T(), reconciledPS.LeafCertificates) + reconciledPS.LeafCertificates = map[string]*pbproxystate.LeafCertificate{ + "test-identity": { + Cert: "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + Key: "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n", + }, + } + + // Compare actual vs expected. + actual := prototest.ProtoToJSON(suite.T(), reconciledPS) + expected := golden.Get(suite.T(), actual, name+".golden") + require.JSONEq(suite.T(), expected, actual) + }) + } +} + +func (suite *xdsControllerTestSuite) addRequiredEndpointsAndRefs(pst *pbmesh.ProxyStateTemplate) { + //get service data + serviceData := &pbcatalog.Service{} + var vp uint32 = 7000 + requiredEps := make(map[string]*pbproxystate.EndpointRef) + + // iterate through clusters and set up endpoints for cluster/mesh port. + for clusterName := range pst.ProxyState.Clusters { + if clusterName == "null_route_cluster" || clusterName == "original-destination" { + continue + } + + //increment the random port number. + vp++ + clusterNameSplit := strings.Split(clusterName, ".") + port := clusterNameSplit[0] + svcName := clusterNameSplit[1] + + // set up service data with port info. + serviceData.Ports = append(serviceData.Ports, &pbcatalog.ServicePort{ + TargetPort: port, + VirtualPort: vp, + Protocol: pbcatalog.Protocol_PROTOCOL_TCP, + }) + + // create service. + svc := resourcetest.Resource(pbcatalog.ServiceType, svcName). + WithData(suite.T(), &pbcatalog.Service{}). + Write(suite.T(), suite.client) + + // create endpoints with svc as owner. + eps := resourcetest.Resource(pbcatalog.ServiceEndpointsType, svcName). + WithData(suite.T(), &pbcatalog.ServiceEndpoints{Endpoints: []*pbcatalog.Endpoint{ + { + Ports: map[string]*pbcatalog.WorkloadPort{ + "mesh": { + Port: 20000, + Protocol: pbcatalog.Protocol_PROTOCOL_MESH, + }, + }, + Addresses: []*pbcatalog.WorkloadAddress{ + { + Host: "10.1.1.1", + Ports: []string{"mesh"}, + }, + }, + }, + }}). + WithOwner(svc.Id). + Write(suite.T(), suite.client) + + // add to working list of required endpoints. + requiredEps[clusterName] = &pbproxystate.EndpointRef{ + Id: eps.Id, + Port: "mesh", + } + } + + // set working list of required endpoints as proxy state's RequiredEndpoints. + pst.RequiredEndpoints = requiredEps +} + +func JSONToProxyTemplate(t *testing.T, json []byte) *pbmesh.ProxyStateTemplate { + t.Helper() + proxyTemplate := &pbmesh.ProxyStateTemplate{} + m := protojson.UnmarshalOptions{} + err := m.Unmarshal(json, proxyTemplate) + require.NoError(t, err) + return proxyTemplate +} diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden new file mode 100644 index 000000000000..45b981a955d7 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden @@ -0,0 +1,182 @@ +{ + "clusters": { + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-1.default.default.dc1" + } + } + ] + }, + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-2.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-multi-destination.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-multi-destination.golden new file mode 100644 index 000000000000..50589a070201 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-multi-destination.golden @@ -0,0 +1,296 @@ +{ + "clusters": { + "null_route_cluster": { + "endpointGroup": { + "static": { + "config": { + "connectTimeout": "10s" + } + } + }, + "name": "null_route_cluster" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "tcp2.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp2.api-1.default.dc1.internal.foo.consul" + }, + "tcp2.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp2.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "routers": [ + { + "l4": { + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + }, + { + "direction": "DIRECTION_OUTBOUND", + "name": "default/local/default/api-2:tcp:/path/to/socket", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-2.default.default.dc1" + } + } + ], + "unixSocket": { + "mode": "0666", + "path": "/path/to/socket" + } + }, + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 2345 + }, + "name": "default/local/default/api-1:tcp2:1.1.1.1:2345", + "routers": [ + { + "l4": { + "statPrefix": "upstream.tcp2.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp2.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp2.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + }, + { + "direction": "DIRECTION_OUTBOUND", + "name": "default/local/default/api-2:tcp2:/path/to/socket", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp2.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp2.api-2.default.default.dc1" + } + } + ], + "unixSocket": { + "mode": "0666", + "path": "/path/to/socket" + } + } + ], + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 000000000000..42561f15e7ec --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden @@ -0,0 +1,181 @@ +{ + "clusters": { + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-1.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-2.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden new file mode 100644 index 000000000000..a1e052854d71 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden @@ -0,0 +1,153 @@ +{ + "clusters": { + "null_route_cluster": { + "endpointGroup": { + "static": { + "config": { + "connectTimeout": "10s" + } + } + }, + "name": "null_route_cluster" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "routers": [ + { + "l4": { + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + } + ], + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-unix-socket-bind-address.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-unix-socket-bind-address.golden new file mode 100644 index 000000000000..99a94f7efff3 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-unix-socket-bind-address.golden @@ -0,0 +1,92 @@ +{ + "clusters": { + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "name": "default/local/default/api-2:tcp:/path/to/socket", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-2.default.default.dc1" + } + } + ], + "unixSocket": { + "mode": "0666", + "path": "/path/to/socket" + } + } + ], + "endpoints": { + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-implicit-destination-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-implicit-destination-tproxy.golden new file mode 100644 index 000000000000..6735fc7de59d --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-implicit-destination-tproxy.golden @@ -0,0 +1,122 @@ +{ + "clusters": { + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-1.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/mixed-multi-destination.golden b/internal/mesh/internal/controllers/xds/testdata/destination/mixed-multi-destination.golden new file mode 100644 index 000000000000..78953c017b95 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/mixed-multi-destination.golden @@ -0,0 +1,373 @@ +{ + "clusters": { + "http.api-1.default.dc1.internal.foo.consul": { + "altStatName": "http.api-1.default.dc1.internal.foo.consul", + "failoverGroup": { + "config": { + "connectTimeout": "55s", + "useAltStatName": true + }, + "endpointGroups": [ + { + "dynamic": { + "config": { + "connectTimeout": "55s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + }, + "name": "failover-target~0~http.api-1.default.dc1.internal.foo.consul" + }, + { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "backup-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/backup1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + }, + "name": "failover-target~1~http.api-1.default.dc1.internal.foo.consul" + } + ] + }, + "name": "http.api-1.default.dc1.internal.foo.consul" + }, + "http.api-2.default.dc1.internal.foo.consul": { + "altStatName": "http.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "http.api-2.default.dc1.internal.foo.consul" + }, + "null_route_cluster": { + "endpointGroup": { + "static": { + "config": { + "connectTimeout": "10s" + } + } + }, + "name": "null_route_cluster" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "routers": [ + { + "l4": { + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + }, + { + "direction": "DIRECTION_OUTBOUND", + "name": "default/local/default/api-2:tcp:/path/to/socket", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-2.default.default.dc1" + } + } + ], + "unixSocket": { + "mode": "0666", + "path": "/path/to/socket" + } + }, + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:http:1.1.1.1:1234", + "routers": [ + { + "l7": { + "route": { + "name": "default/local/default/api-1:http:1.1.1.1:1234" + }, + "statPrefix": "upstream." + } + } + ] + } + ], + "routes": { + "default/local/default/api-1:http:1.1.1.1:1234": { + "virtualHosts": [ + { + "domains": ["*"], + "name": "default/local/default/api-1:http:1.1.1.1:1234", + "routeRules": [ + { + "destination": { + "destinationConfiguration": { + "timeoutConfig": { + "timeout": "77s" + } + }, + "weightedClusters": { + "clusters": [ + { + "name": "http.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "http.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + }, + "match": { + "pathMatch": { + "prefix": "/split" + } + } + }, + { + "destination": { + "cluster": { + "name": "http.api-1.default.dc1.internal.foo.consul" + }, + "destinationConfiguration": { + "retryPolicy": { + "numRetries": 4, + "retryOn": "connect-failure" + }, + "timeoutConfig": { + "timeout": "606s" + } + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + }, + { + "destination": { + "cluster": { + "name": "null_route_cluster" + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + } + ] + } + ] + } + }, + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "http.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "http.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 000000000000..900eb95744b0 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden @@ -0,0 +1,455 @@ +{ + "clusters": { + "http.api-app.default.dc1.internal.foo.consul": { + "altStatName": "http.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "http.api-app.default.dc1.internal.foo.consul" + }, + "http.api-app2.default.dc1.internal.foo.consul": { + "altStatName": "http.api-app2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "http.api-app2.default.dc1.internal.foo.consul" + }, + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "tcp.api-app2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-app2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-app2.default.dc1.internal.foo.consul" + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + }, + "tcp2.api-app2.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-app2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp2.api-app2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp.api-app2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-app2.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + } + }, + { + "l7": { + "route": { + "name": "default/local/default/api-app:http" + }, + "statPrefix": "upstream." + }, + "match": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l7": { + "route": { + "name": "default/local/default/api-app2:http" + }, + "statPrefix": "upstream." + }, + "match": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp2.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp2.api-app2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp2.api-app2.default.default.dc1" + }, + "match": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "routes": { + "default/local/default/api-app:http": { + "virtualHosts": [ + { + "domains": ["*"], + "name": "default/local/default/api-app:http", + "routeRules": [ + { + "destination": { + "cluster": { + "name": "http.api-app.default.dc1.internal.foo.consul" + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + } + ] + } + ] + }, + "default/local/default/api-app2:http": { + "virtualHosts": [ + { + "domains": ["*"], + "name": "default/local/default/api-app2:http", + "routeRules": [ + { + "destination": { + "cluster": { + "name": "http.api-app2.default.dc1.internal.foo.consul" + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + } + ] + } + ] + } + }, + "endpoints": { + "tcp.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-app2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-app2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "http.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "http.api-app2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden new file mode 100644 index 000000000000..3647d43cab6f --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden @@ -0,0 +1,256 @@ +{ + "clusters": { + "http.api-app.default.dc1.internal.foo.consul": { + "altStatName": "http.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "http.api-app.default.dc1.internal.foo.consul" + }, + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l7": { + "route": { + "name": "default/local/default/api-app:http" + }, + "statPrefix": "upstream." + }, + "match": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp2.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "routes": { + "default/local/default/api-app:http": { + "virtualHosts": [ + { + "domains": ["*"], + "name": "default/local/default/api-app:http", + "routeRules": [ + { + "destination": { + "cluster": { + "name": "http.api-app.default.dc1.internal.foo.consul" + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + } + ] + } + ] + } + }, + "endpoints": { + "tcp.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "http.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden new file mode 100644 index 000000000000..3647d43cab6f --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden @@ -0,0 +1,256 @@ +{ + "clusters": { + "http.api-app.default.dc1.internal.foo.consul": { + "altStatName": "http.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "http.api-app.default.dc1.internal.foo.consul" + }, + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l7": { + "route": { + "name": "default/local/default/api-app:http" + }, + "statPrefix": "upstream." + }, + "match": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp2.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "routes": { + "default/local/default/api-app:http": { + "virtualHosts": [ + { + "domains": ["*"], + "name": "default/local/default/api-app:http", + "routeRules": [ + { + "destination": { + "cluster": { + "name": "http.api-app.default.dc1.internal.foo.consul" + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + } + ] + } + ] + } + }, + "endpoints": { + "tcp.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "http.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/testing/golden/golden.go b/internal/testing/golden/golden.go index 8145d16814bf..a4d971d0d096 100644 --- a/internal/testing/golden/golden.go +++ b/internal/testing/golden/golden.go @@ -42,7 +42,15 @@ func GetBytes(t *testing.T, actual, filename string) []byte { require.NoError(t, err) } - expected, err := os.ReadFile(path) + return GetBytesAtFilePath(t, path) +} + +// GetBytes reads the expected value from the file at filepath and returns the +// value as a byte array. filepath is relative to the ./testdata directory. +func GetBytesAtFilePath(t *testing.T, filepath string) []byte { + t.Helper() + + expected, err := os.ReadFile(filepath) require.NoError(t, err) return expected }