From 68559ec26be72ef3a17c9c310cef8cb3a7530a50 Mon Sep 17 00:00:00 2001 From: freddygv Date: Tue, 14 Sep 2021 18:45:39 -0600 Subject: [PATCH 1/8] Trim newlines before parenthesis end --- api/api.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/api/api.go b/api/api.go index ec4835568..488972106 100644 --- a/api/api.go +++ b/api/api.go @@ -1117,7 +1117,9 @@ func generateUnexpectedResponseCodeError(resp *http.Response) error { var buf bytes.Buffer io.Copy(&buf, resp.Body) closeResponseBody(resp) - return fmt.Errorf("Unexpected response code: %d (%s)", resp.StatusCode, buf.Bytes()) + + trimmed := strings.TrimSpace(string(buf.Bytes())) + return fmt.Errorf("Unexpected response code: %d (%s)", resp.StatusCode, trimmed) } func requireNotFoundOrOK(d time.Duration, resp *http.Response, e error) (bool, time.Duration, *http.Response, error) { From 3906d0b973cb8b9bea23b9da1116d4c5c3d9bebb Mon Sep 17 00:00:00 2001 
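Review bot: The error text in generateUnexpectedResponseCodeError is still built from the whole response body, because the `io.Copy(&buf, resp.Body)` above the added lines has no size limit and its error is ignored. The remote endpoint therefore decides how large this error, and any log line that carries it, can become. Reading through `io.LimitReader(resp.Body, maxErrBodyBytes)` (the constant name is a placeholder) before trimming would bound it. As a style point, `strings.TrimSpace(buf.String())` says the same thing as `strings.TrimSpace(string(buf.Bytes()))` without the extra conversion.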
From: freddygv Date: Tue, 14 Sep 2021 19:37:11 -0600 Subject: [PATCH 2/8] Ensure Envoy can subscribe to non-default partition --- command/connect/envoy/bootstrap_config.go | 11 ++++++++++- command/connect/envoy/bootstrap_tpl.go | 5 +++++ command/connect/envoy/envoy.go | 13 +------------ ...L_HTTP_ADDR-with-https-scheme-enables-tls.golden | 5 +++++ .../connect/envoy/testdata/access-log-path.golden | 5 +++++ command/connect/envoy/testdata/defaults.golden | 5 +++++ .../testdata/deprecated-grpc-addr-config.golden | 5 +++++ .../connect/envoy/testdata/existing-ca-file.golden | 5 +++++ .../connect/envoy/testdata/existing-ca-path.golden | 5 +++++ .../connect/envoy/testdata/extra_-multiple.golden | 5 +++++ command/connect/envoy/testdata/extra_-single.golden | 5 +++++ command/connect/envoy/testdata/grpc-addr-env.golden | 5 +++++ .../connect/envoy/testdata/grpc-addr-flag.golden | 5 +++++ .../connect/envoy/testdata/grpc-addr-unix.golden | 5 +++++ .../ingress-gateway-address-specified.golden | 5 +++++ .../ingress-gateway-no-auto-register.golden | 5 +++++ ...ateway-register-with-service-and-proxy-id.golden | 5 +++++ ...ay-register-with-service-without-proxy-id.golden | 5 +++++ .../connect/envoy/testdata/ingress-gateway.golden | 5 +++++ .../envoy/testdata/prometheus-metrics.golden | 5 +++++ .../envoy/testdata/stats-config-override.golden | 1 + command/connect/envoy/testdata/token-arg.golden | 5 +++++ command/connect/envoy/testdata/token-env.golden | 5 +++++ .../connect/envoy/testdata/token-file-arg.golden | 5 +++++ .../connect/envoy/testdata/token-file-env.golden | 5 +++++ .../connect/envoy/testdata/xds-addr-config.golden | 5 +++++ .../envoy/testdata/zipkin-tracing-config.golden | 5 +++++ 27 files changed, 132 insertions(+), 13 deletions(-) diff --git a/command/connect/envoy/bootstrap_config.go b/command/connect/envoy/bootstrap_config.go index c7925a11d..45a97d872 100644 --- a/command/connect/envoy/bootstrap_config.go +++ b/command/connect/envoy/bootstrap_config.go 
@@ -513,12 +513,17 @@ func generateStatsTags(args *BootstrapTplArgs, initialTags []string, omitDepreca } tagJSONs = append(tagJSONs, tags...) - // Default the namespace here since it is also done for cluster SNI + // Default the namespace and partition here since it is also done for cluster SNI ns := args.Namespace if ns == "" { ns = api.IntentionDefaultNamespace } + ap := args.Partition + if ap == "" { + ap = api.IntentionDefaultNamespace + } + // Add some default tags if not already overridden. Note this is a slice not a // map since we need ordering to be deterministic. defaults := []struct { @@ -540,6 +545,10 @@ func generateStatsTags(args *BootstrapTplArgs, initialTags []string, omitDepreca name: "consul.source.namespace", val: ns, }, + { + name: "consul.source.partition", + val: ap, + }, { name: "consul.source.datacenter", val: args.Datacenter, diff --git a/command/connect/envoy/bootstrap_tpl.go b/command/connect/envoy/bootstrap_tpl.go index 1cf89b007..7c7e2a0e2 100644 --- a/command/connect/envoy/bootstrap_tpl.go +++ b/command/connect/envoy/bootstrap_tpl.go @@ -89,6 +89,10 @@ type BootstrapTplArgs struct { // as registered with the Consul agent. Namespace string + // Partition is the Consul Enterprise Partition of the proxy service instance + // as registered with the Consul agent. + Partition string + // Datacenter is the datacenter where the proxy service instance is registered. Datacenter string @@ -141,6 +145,7 @@ const bootstrapTemplate = `{ "id": "{{ .ProxyID }}", "metadata": { "namespace": "{{if ne .Namespace ""}}{{ .Namespace }}{{else}}default{{end}}", + "partition": "{{if ne .Partition ""}}{{ .Partition }}{{else}}default{{end}}", "envoy_version": "{{ .EnvoyVersion }}" } }, diff --git a/command/connect/envoy/envoy.go b/command/connect/envoy/envoy.go index a4bca3a9a..12374babe 100644 --- a/command/connect/envoy/envoy.go +++ b/command/connect/envoy/envoy.go 
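Review bot: The partition default in generateStatsTags is taken from the namespace constant, `ap = api.IntentionDefaultNamespace`. That gives the right string only while both defaults happen to be "default", which is what the golden files show. A partition-specific constant, or a local one if the api package does not export any, would keep the `consul.source.partition` tag from silently following a change made for namespaces. The same substitution appears in the agent/proxycfg/manager_test.go hunk (`Partition: structs.IntentionDefaultNamespace`). The function body starts and ends outside this hunk.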
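Review bot: The new `"partition"` metadata line in bootstrapTemplate writes `.Partition` straight into a JSON string, and nothing visible in this series escapes or validates the value first. The value comes from the HTTP client config (`httpCfg.Partition`) and, after patch 6, from the agent's service response (`svc.Partition`), so a value containing a quote or backslash would yield malformed or altered bootstrap JSON. Whether the renderer escapes is not visible here. If it is a plain text template, checking the partition name against the allowed character set in templateArgs before rendering would cover it. The existing `namespace` line has the same shape, and the template constant continues outside the hunk.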
@@ -482,6 +482,7 @@ func (c *cmd) templateArgs() (*BootstrapTplArgs, error) { Token: httpCfg.Token, LocalAgentClusterName: xds.LocalAgentClusterName, Namespace: httpCfg.Namespace, + Partition: httpCfg.Partition, EnvoyVersion: c.envoyVersion, Datacenter: httpCfg.Datacenter, PrometheusBackendPort: c.prometheusBackendPort, @@ -525,18 +526,6 @@ func (c *cmd) generateConfig() ([]byte, error) { // Set the source service name from the proxy's own registration args.ProxySourceService = svc.Service } - if svc.Namespace != "" { - // In most cases where namespaces are enabled this will already be set - // correctly because the http client that fetched this will need to have - // had the namespace set on it which is also how we initially populate - // this. However in the case of "default" namespace being accessed because - // there was no namespace argument, args.Namespace will be empty even - // though Namespaces are actually being used and the namespace of the request was - // inferred from the ACL token or defaulted to the "default" namespace. - // Overriding it here ensures that we always set the Namespace arg if the - // cluster is using namespaces regardless. - args.Namespace = svc.Namespace - } if svc.Datacenter != "" { // The agent will definitely have the definitive answer here. diff --git a/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden b/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden index 3f0a9f229..dae16ddb7 100644 --- a/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden +++ b/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, 
@@ -157,6 +158,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/access-log-path.golden b/command/connect/envoy/testdata/access-log-path.golden index 5bfbf2c72..cca9e2fb5 100644 --- a/command/connect/envoy/testdata/access-log-path.golden +++ b/command/connect/envoy/testdata/access-log-path.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -144,6 +145,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/defaults.golden b/command/connect/envoy/testdata/defaults.golden index a8c606d3e..b37b9ef7a 100644 --- a/command/connect/envoy/testdata/defaults.golden +++ b/command/connect/envoy/testdata/defaults.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -144,6 +145,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden b/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden index 34b99ec59..7e50ee308 100644 --- a/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden +++ b/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, 
@@ -144,6 +145,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/existing-ca-file.golden b/command/connect/envoy/testdata/existing-ca-file.golden index f4f5d89ea..e04c3caf0 100644 --- a/command/connect/envoy/testdata/existing-ca-file.golden +++ b/command/connect/envoy/testdata/existing-ca-file.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -157,6 +158,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/existing-ca-path.golden b/command/connect/envoy/testdata/existing-ca-path.golden index e877124be..9125a4f83 100644 --- a/command/connect/envoy/testdata/existing-ca-path.golden +++ b/command/connect/envoy/testdata/existing-ca-path.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -157,6 +158,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/extra_-multiple.golden b/command/connect/envoy/testdata/extra_-multiple.golden index 78f293f68..920d3a725 100644 --- a/command/connect/envoy/testdata/extra_-multiple.golden +++ b/command/connect/envoy/testdata/extra_-multiple.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, 
@@ -166,6 +167,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/extra_-single.golden b/command/connect/envoy/testdata/extra_-single.golden index 41257f1c4..695ac7763 100644 --- a/command/connect/envoy/testdata/extra_-single.golden +++ b/command/connect/envoy/testdata/extra_-single.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -157,6 +158,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/grpc-addr-env.golden b/command/connect/envoy/testdata/grpc-addr-env.golden index 34b99ec59..7e50ee308 100644 --- a/command/connect/envoy/testdata/grpc-addr-env.golden +++ b/command/connect/envoy/testdata/grpc-addr-env.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -144,6 +145,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/grpc-addr-flag.golden b/command/connect/envoy/testdata/grpc-addr-flag.golden index 34b99ec59..7e50ee308 100644 --- a/command/connect/envoy/testdata/grpc-addr-flag.golden +++ b/command/connect/envoy/testdata/grpc-addr-flag.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, 
@@ -144,6 +145,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/grpc-addr-unix.golden b/command/connect/envoy/testdata/grpc-addr-unix.golden index d5fada950..22d410a76 100644 --- a/command/connect/envoy/testdata/grpc-addr-unix.golden +++ b/command/connect/envoy/testdata/grpc-addr-unix.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -143,6 +144,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/ingress-gateway-address-specified.golden b/command/connect/envoy/testdata/ingress-gateway-address-specified.golden index 94e668af0..5ffc76b35 100644 --- a/command/connect/envoy/testdata/ingress-gateway-address-specified.golden +++ b/command/connect/envoy/testdata/ingress-gateway-address-specified.golden @@ -13,6 +13,7 @@ "id": "ingress-gateway", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -230,6 +231,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden b/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden index eb486b8df..df818334d 100644 --- a/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden +++ b/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden 
@@ -13,6 +13,7 @@ "id": "ingress-gateway", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -230,6 +231,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden b/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden index d36c6a25e..0c6c65277 100644 --- a/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden +++ b/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden @@ -13,6 +13,7 @@ "id": "my-gateway-123", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -230,6 +231,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden b/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden index 290940196..95f1f2d1d 100644 --- a/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden +++ b/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden @@ -13,6 +13,7 @@ "id": "my-gateway", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -230,6 +231,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" 
diff --git a/command/connect/envoy/testdata/ingress-gateway.golden b/command/connect/envoy/testdata/ingress-gateway.golden index 517d04ff4..98e6230bb 100644 --- a/command/connect/envoy/testdata/ingress-gateway.golden +++ b/command/connect/envoy/testdata/ingress-gateway.golden @@ -13,6 +13,7 @@ "id": "ingress-gateway-1", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -230,6 +231,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/prometheus-metrics.golden b/command/connect/envoy/testdata/prometheus-metrics.golden index 09d2dcc28..990a116ae 100644 --- a/command/connect/envoy/testdata/prometheus-metrics.golden +++ b/command/connect/envoy/testdata/prometheus-metrics.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -230,6 +231,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/stats-config-override.golden b/command/connect/envoy/testdata/stats-config-override.golden index d3c1cea96..a8b3a1257 100644 --- a/command/connect/envoy/testdata/stats-config-override.golden +++ b/command/connect/envoy/testdata/stats-config-override.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, diff --git a/command/connect/envoy/testdata/token-arg.golden b/command/connect/envoy/testdata/token-arg.golden index a30627352..5f6d1d6e7 100644 --- a/command/connect/envoy/testdata/token-arg.golden +++ b/command/connect/envoy/testdata/token-arg.golden 
@@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -144,6 +145,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/token-env.golden b/command/connect/envoy/testdata/token-env.golden index a30627352..5f6d1d6e7 100644 --- a/command/connect/envoy/testdata/token-env.golden +++ b/command/connect/envoy/testdata/token-env.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -144,6 +145,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/token-file-arg.golden b/command/connect/envoy/testdata/token-file-arg.golden index a30627352..5f6d1d6e7 100644 --- a/command/connect/envoy/testdata/token-file-arg.golden +++ b/command/connect/envoy/testdata/token-file-arg.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -144,6 +145,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/token-file-env.golden b/command/connect/envoy/testdata/token-file-env.golden index a30627352..5f6d1d6e7 100644 --- a/command/connect/envoy/testdata/token-file-env.golden +++ b/command/connect/envoy/testdata/token-file-env.golden 
@@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -144,6 +145,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/xds-addr-config.golden b/command/connect/envoy/testdata/xds-addr-config.golden index 34b99ec59..7e50ee308 100644 --- a/command/connect/envoy/testdata/xds-addr-config.golden +++ b/command/connect/envoy/testdata/xds-addr-config.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -144,6 +145,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" diff --git a/command/connect/envoy/testdata/zipkin-tracing-config.golden b/command/connect/envoy/testdata/zipkin-tracing-config.golden index a59742790..a58b7c3a4 100644 --- a/command/connect/envoy/testdata/zipkin-tracing-config.golden +++ b/command/connect/envoy/testdata/zipkin-tracing-config.golden @@ -13,6 +13,7 @@ "id": "test-proxy", "metadata": { "namespace": "default", + "partition": "default", "envoy_version": "1.18.4" } }, @@ -168,6 +169,10 @@ "tag_name": "consul.source.namespace", "fixed_value": "default" }, + { + "tag_name": "consul.source.partition", + "fixed_value": "default" + }, { "tag_name": "consul.source.datacenter", "fixed_value": "dc1" From a57c52ca322624fdeb7d00fd7358cd618854f57e Mon Sep 17 00:00:00 2001 From: freddygv Date: Tue, 14 Sep 2021 20:43:38 -0600 Subject: [PATCH 3/8] Ensure partition is used for SAN validation --- agent/xds/clusters.go | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go index e9b21ce4f..d2ba03efb 100644 --- a/agent/xds/clusters.go +++ b/agent/xds/clusters.go @@ -639,10 +639,9 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain( targetSpiffeID := connect.SpiffeIDService{ Host: cfgSnap.Roots.TrustDomain, Namespace: target.Namespace, + Partition: target.Partition, Datacenter: target.Datacenter, Service: target.Service, - - // TODO(partitions) Store partition } if failoverThroughMeshGateway { @@ -676,10 +675,9 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain( id := connect.SpiffeIDService{ Host: cfgSnap.Roots.TrustDomain, Namespace: target.Namespace, + Partition: target.Partition, Datacenter: target.Datacenter, Service: target.Service, - - // TODO(partitions) Store partition } // Failover targets might be subsets of the same service, so these are deduplicated. From 0cdcbbb4c9c2f73a2f0aa5593a0f66e77d727a21 Mon Sep 17 00:00:00 2001 From: freddygv Date: Tue, 14 Sep 2021 22:27:39 -0600 Subject: [PATCH 4/8] Pass partition to intention match query --- agent/proxycfg/connect_proxy.go | 1 + agent/proxycfg/terminating_gateway.go | 1 + 2 files changed, 2 insertions(+) diff --git a/agent/proxycfg/connect_proxy.go b/agent/proxycfg/connect_proxy.go index 250b88705..2d2762730 100644 --- a/agent/proxycfg/connect_proxy.go +++ b/agent/proxycfg/connect_proxy.go @@ -59,6 +59,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e Entries: []structs.IntentionMatchEntry{ { Namespace: s.proxyID.NamespaceOrDefault(), + Partition: s.proxyID.PartitionOrDefault(), Name: s.proxyCfg.DestinationServiceName, }, }, diff --git a/agent/proxycfg/terminating_gateway.go b/agent/proxycfg/terminating_gateway.go index 1b9b327b2..4018c7801 100644 --- a/agent/proxycfg/terminating_gateway.go +++ b/agent/proxycfg/terminating_gateway.go 
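Review bot: Both SpiffeIDService literals in makeUpstreamClustersForDiscoveryChain now carry `Partition: target.Partition`, but as far as this page shows the series adds no test with a target in a non-default partition. Nothing therefore pins that the SAN used for upstream validation changes with the partition. Because this ID decides which peer certificate is accepted, a golden case with a non-default partition target would guard against the field being dropped again. The two literals (this hunk and the `@@ -676` hunk) are field-for-field identical, so building the ID in one small helper would keep the primary and failover paths from drifting apart. The function body starts and ends outside both hunks.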
@@ -121,6 +121,7 @@ func (s *handlerTerminatingGateway) handleUpdate(ctx context.Context, u cache.Up Entries: []structs.IntentionMatchEntry{ { Namespace: svc.Service.NamespaceOrDefault(), + Partition: svc.Service.PartitionOrDefault(), Name: svc.Service.Name, }, }, From dc549eca3062a7401352c90bea2d52f2d8b146bd Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 15 Sep 2021 09:37:46 -0600 Subject: [PATCH 5/8] Default partition in match endpoint --- agent/consul/intention_endpoint.go | 10 +++++++++- agent/consul/state/intention.go | 1 + 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/agent/consul/intention_endpoint.go b/agent/consul/intention_endpoint.go index 25e35c891..bd763a794 100644 --- a/agent/consul/intention_endpoint.go +++ b/agent/consul/intention_endpoint.go @@ -585,7 +585,7 @@ func (s *Intention) Match(args *structs.IntentionQueryRequest, reply *structs.In return err } - // Finish defaulting the namespace fields. + // Finish defaulting the namespace and partition fields. for i := range args.Match.Entries { if args.Match.Entries[i].Namespace == "" { args.Match.Entries[i].Namespace = entMeta.NamespaceOrDefault() @@ -594,6 +594,14 @@ func (s *Intention) Match(args *structs.IntentionQueryRequest, reply *structs.In return fmt.Errorf("Invalid match entry namespace %q: %v", args.Match.Entries[i].Namespace, err) } + + if args.Match.Entries[i].Partition == "" { + args.Match.Entries[i].Partition = entMeta.PartitionOrDefault() + } + if err := s.srv.validateEnterpriseIntentionPartition(args.Match.Entries[i].Partition); err != nil { + return fmt.Errorf("Invalid match entry partition %q: %v", + args.Match.Entries[i].Partition, err) + } } var authzContext acl.AuthorizerContext diff --git a/agent/consul/state/intention.go b/agent/consul/state/intention.go index e74edc585..f6f79ec76 100644 --- a/agent/consul/state/intention.go +++ b/agent/consul/state/intention.go 
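Review bot: In Intention.Match the new block defaults `args.Match.Entries[i].Partition` and passes it to `validateEnterpriseIntentionPartition`, but the authorization step that follows (`var authzContext acl.AuthorizerContext`, continuing outside the hunk) is not shown being updated. Please confirm the ACL check is evaluated for the entry's partition as well as its namespace; otherwise a caller-supplied partition is validated but not authorized. The new error uses `%v`, matching the namespace branch, which drops the wrapped error. `return fmt.Errorf("Invalid match entry partition %q: %w", args.Match.Entries[i].Partition, err)` would keep it available to `errors.Is`.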
@@ -911,6 +911,7 @@ func intentionMatchOneTxn(tx ReadTxn, ws memdb.WatchSet, return result, nil } +// TODO(partitions): Update for partitions // intentionMatchGetParams returns the tx.Get parameters to find all the // intentions for a certain entry. func intentionMatchGetParams(entry structs.IntentionMatchEntry) ([][]interface{}, error) { From c5d5b44faa7a07cef247ff8172eeae48c6fbab0a Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 15 Sep 2021 15:17:11 -0600 Subject: [PATCH 6/8] Bring back entmeta args defaulting --- command/connect/envoy/envoy.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/command/connect/envoy/envoy.go b/command/connect/envoy/envoy.go index 12374babe..161588781 100644 --- a/command/connect/envoy/envoy.go +++ b/command/connect/envoy/envoy.go @@ -527,6 +527,20 @@ func (c *cmd) generateConfig() ([]byte, error) { args.ProxySourceService = svc.Service } + // In most cases where namespaces and partitions are enabled they will already be set + // correctly because the http client that fetched this will provide them explicitly. + // However, if these arguments were not provided, they will be empty even + // though Namespaces and Partitions are actually being used. + // Overriding them ensures that we always set the Namespace and Partition args + // if the cluster is using them. This prevents us from defaulting to the "default" + // when a non-default partition or namespace was inferred from the ACL token. + if svc.Namespace != "" { + args.Namespace = svc.Namespace + } + if svc.Partition != "" { + args.Partition = svc.Partition + } + if svc.Datacenter != "" { // The agent will definitely have the definitive answer here. args.Datacenter = svc.Datacenter From 7927a97c2f9fb08ebd946d4e5d80dc0796c39c50 Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 15 Sep 2021 15:47:03 -0600 Subject: [PATCH 7/8] Fixup manager tests --- agent/proxycfg/manager_test.go | 1 + 1 file changed, 1 insertion(+) 
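Review bot: The added `// TODO(partitions): Update for partitions` sits directly on top of the doc comment for intentionMatchGetParams, so it becomes the first line of that doc comment, which should open with the function name. Moving the TODO into the function body, or separating it with a blank line, keeps the doc intact. The TODO also suggests that the partition patches 4 and 5 place on each match entry is presumably not yet part of the state-store lookup. That is worth stating where a reader will see it, e.g. `// TODO(partitions): entry.Partition is not yet used to scope the lookup`. The function body is outside the hunk.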
diff --git a/agent/proxycfg/manager_test.go b/agent/proxycfg/manager_test.go index 7c73e7abb..7ffef78f8 100644 --- a/agent/proxycfg/manager_test.go +++ b/agent/proxycfg/manager_test.go @@ -139,6 +139,7 @@ func TestManager_BasicLifecycle(t *testing.T) { Entries: []structs.IntentionMatchEntry{ { Namespace: structs.IntentionDefaultNamespace, + Partition: structs.IntentionDefaultNamespace, Name: "web", }, }, From 3eab89cc2dda8c4ccf958cb9ec4f511ffc888ed7 Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 15 Sep 2021 17:22:22 -0600 Subject: [PATCH 8/8] Fixup api config and Envoy test --- api/api.go | 8 ++++++ command/connect/envoy/envoy_test.go | 40 +++++++++++++++++++++-------- 2 files changed, 38 insertions(+), 10 deletions(-) diff --git a/api/api.go b/api/api.go index 488972106..9d84c286d 100644 --- a/api/api.go +++ b/api/api.go @@ -660,6 +660,14 @@ func NewClient(config *Config) (*Client, error) { } } + if config.Namespace == "" { + config.Namespace = defConfig.Namespace + } + + if config.Partition == "" { + config.Partition = defConfig.Partition + } + parts := strings.SplitN(config.Address, "://", 2) if len(parts) == 2 { switch parts[0] { diff --git a/command/connect/envoy/envoy_test.go b/command/connect/envoy/envoy_test.go index fdf574a9d..c79f4551f 100644 --- a/command/connect/envoy/envoy_test.go +++ b/command/connect/envoy/envoy_test.go @@ -90,7 +90,7 @@ func testSetAndResetEnv(t *testing.T, env []string) func() { // save it as a nil so we know to remove again old[pair[0]] = nil } - os.Setenv(pair[0], pair[1]) + require.NoError(t, os.Setenv(pair[0], pair[1])) } // Return a func that will reset to old values return func() { @@ -106,6 +106,7 @@ func testSetAndResetEnv(t *testing.T, env []string) func() { type generateConfigTestCase struct { Name string + TLSServer bool Flags []string Env []string Files map[string]string 
@@ -452,9 +453,10 @@ func TestGenerateConfig(t *testing.T) { WantErr: "Error loading CA File: open some/path: no such file or directory", }, { - Name: "existing-ca-file", - Flags: []string{"-proxy-id", "test-proxy", "-ca-file", "../../../test/ca/root.cer"}, - Env: []string{"CONSUL_HTTP_SSL=1"}, + Name: "existing-ca-file", + TLSServer: true, + Flags: []string{"-proxy-id", "test-proxy", "-ca-file", "../../../test/ca/root.cer"}, + Env: []string{"CONSUL_HTTP_SSL=1"}, WantArgs: BootstrapTplArgs{ EnvoyVersion: defaultEnvoyVersion, ProxyCluster: "test-proxy", @@ -499,9 +501,10 @@ func TestGenerateConfig(t *testing.T) { WantErr: "lstat some/path: no such file or directory", }, { - Name: "existing-ca-path", - Flags: []string{"-proxy-id", "test-proxy", "-ca-path", "../../../test/ca_path/"}, - Env: []string{"CONSUL_HTTP_SSL=1"}, + Name: "existing-ca-path", + TLSServer: true, + Flags: []string{"-proxy-id", "test-proxy", "-ca-path", "../../../test/ca_path/"}, + Env: []string{"CONSUL_HTTP_SSL=1"}, WantArgs: BootstrapTplArgs{ EnvoyVersion: defaultEnvoyVersion, ProxyCluster: "test-proxy", @@ -887,15 +890,21 @@ func TestGenerateConfig(t *testing.T) { // Run a mock agent API that just always returns the proxy config in the // test. - srv := httptest.NewServer(testMockAgent(tc)) + var srv *httptest.Server + if tc.TLSServer { + srv = httptest.NewTLSServer(testMockAgent(tc)) + } else { + srv = httptest.NewServer(testMockAgent(tc)) + } defer srv.Close() - client, err := api.NewClient(&api.Config{Address: srv.URL}) - require.NoError(err) testDirPrefix := testDir + string(filepath.Separator) myEnv := copyAndReplaceAll(tc.Env, "@@TEMPDIR@@", testDirPrefix) defer testSetAndResetEnv(t, myEnv)() + client, err := api.NewClient(&api.Config{Address: srv.URL, TLSConfig: api.TLSConfig{InsecureSkipVerify: true}}) + require.NoError(err) + ui := cli.NewMockUi() c := New(ui) // explicitly set the client to one which can connect to the httptest.Server 
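Review bot: `TLSConfig: api.TLSConfig{InsecureSkipVerify: true}` is now set on the test client for every case, including those served over plain HTTP. For the two `TLSServer` cases it means the client never verifies the mock server's certificate. Scoping it as `InsecureSkipVerify: tc.TLSServer` limits the bypass to the cases that need it, and trusting the certificate returned by `srv.Certificate()` would remove it altogether. A one-line comment saying verification is skipped only because the httptest certificate is not signed by the test CA would keep the pattern from being copied into non-test code. The test function body starts and ends outside the hunk.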
@@ -1073,6 +1082,7 @@ func testMockAgentGatewayConfig(namespacesEnabled bool) http.HandlerFunc { if namespacesEnabled { svc[string(kind)].Namespace = namespaceFromQuery(r) + svc[string(kind)].Partition = partitionFromQuery(r) } cfgJSON, err := json.Marshal(svc) @@ -1094,6 +1104,15 @@ func namespaceFromQuery(r *http.Request) string { return "default" } +func partitionFromQuery(r *http.Request) string { + // Use the partition in the request if there is one, otherwise + // use-default. + if queryAP := r.URL.Query().Get("partition"); queryAP != "" { + return queryAP + } + return "default" +} + func testMockAgentProxyConfig(cfg map[string]interface{}, namespacesEnabled bool) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { // Parse the proxy-id from the end of the URL (blindly assuming it's correct @@ -1115,6 +1134,7 @@ func testMockAgentProxyConfig(cfg map[string]interface{}, namespacesEnabled bool if namespacesEnabled { svc.Namespace = namespaceFromQuery(r) + svc.Partition = partitionFromQuery(r) } cfgJSON, err := json.Marshal(svc)