Commit graph

126 commits

Author SHA1 Message Date
Chris S. Kim d85d16a0c9
Fix integration test with updated file perms (#11916) 2021-12-23 19:00:02 -05:00
freddygv a1c1e36be7 Allow cross-partition references in disco chain
* Add partition fields to targets like service route destinations
* Update validation to prevent cross-DC + cross-partition references
* Handle partitions when reading config entries for disco chain
* Encode partition in compiled targets
2021-12-06 12:32:19 -07:00
freddygv d32bc117d8 Fix integ test 2021-12-03 17:02:57 -07:00
R.B. Boyer 83bf7ab3ff
re-run gofmt on 1.17 (#11579)
This should let freshly recompiled golangci-lint binaries using Go 1.17
pass 'make lint'
2021-11-16 12:04:01 -06:00
freddygv 42d9542ac3 Add cross-partition integration test 2021-11-12 14:45:50 -07:00
freddygv 2d2ff0ae39 Bump retry time for cross-DC RPC
The secondary DC now takes longer to populate the MGW snapshot because
it needs to wait for the secondary CA to be initialized before it can
receive roots and generate xDS config.

Previously MGWs could receive empty roots before the CA was
initialized. This wasn't necessarily a problem since the cluster ID in
the trust domain isn't verified.
2021-11-10 12:00:00 -07:00
Evan Culver b3c92f22b1
connect: Remove support for Envoy 1.16 (#11354) 2021-10-27 18:51:35 -07:00
Evan Culver 98acbfa79c
connect: Add support for Envoy 1.20 (#11277) 2021-10-27 18:38:10 -07:00
R.B. Boyer 63c50e58a0
test: pin the version of bats to one that works on CircleCI (#11401) 2021-10-22 17:06:25 -05:00
R.B. Boyer f7932b4ffa
test: remove some envoy integ test warnings (#11369)
We launch one container as part of the test with --pid=host but
apparently within that container it launches a copy of "tini" as a
process supervisor that prefers to be PID 1.

Because it's not PID 1 it logs a warning message about this to the envoy
integration test logs that can lead to thinking somehow that a test
failure is related when in fact it's completely unrelated.

Adding this environment variable avoids the warning.
2021-10-20 15:50:45 -05:00
Evan Culver e2363c13ff
Merge branch 'main' into eculver/envoy-1.19.1 2021-09-28 11:54:33 -07:00
Paul Banks 8c8cde524e Add Envoy integration test for split-route SDS case 2021-09-23 10:17:03 +01:00
Paul Banks 626232e4cd Minor improvements to SDS server from review 2021-09-23 10:13:41 +01:00
Paul Banks 3b2a4fc458 Allow skipping v2 compat tests for SDS as it's only the SDS server integration that doesn't support v2 2021-09-23 10:12:37 +01:00
Paul Banks cd6491ea71 Fix integration tests in CI - serve SDS certs from the Docker image not a mounted path 2021-09-23 10:12:37 +01:00
Paul Banks c2174260bc Fix integration test for older Envoy versions 2021-09-23 10:12:37 +01:00
Paul Banks 1f62bca08b Add basic integration test for Envoy ingress with SDS 2021-09-23 10:08:02 +01:00
Evan Culver b104b7719c
add envoy 1.19.1 2021-09-21 15:39:36 -07:00
Paul Banks 46400a033f Add Envoy integration test to show Header manip can interpolate Envoy variables 2021-09-10 21:09:24 +01:00
Paul Banks bc1c86df96 Integration tests for all new header manip features 2021-09-10 21:09:24 +01:00
Freddy 11672defaf
connect: update envoy supported versions to latest patch release
(#10961)

Relevant advisory: 
https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h
2021-08-31 10:39:18 -06:00
Kyle Havlovitz 98969c018a oss: Rename default partition 2021-08-12 14:31:37 -07:00
Matt Keeler 58b934133d hcs-1936: Prepare for adding license auto-retrieval to auto-config in enterprise 2021-05-24 13:20:30 -04:00
R.B. Boyer 05b52a3d63
connect: update supported envoy versions to 1.18.3, 1.17.3, 1.16.4, and 1.15.5 (#10231) 2021-05-12 14:06:06 -05:00
Daniel Nephin 61525f9a95 fix failing integration tests
The new IDs include a leading slash for the partition ID section
2021-05-06 13:30:07 -04:00
R.B. Boyer 97e57aedfb
connect: update supported envoy versions to 1.18.2, 1.17.2, 1.16.3, and 1.15.4 (#10101)
The only thing that needed fixing up pertained to this section of the 1.18.x release notes:

> grpc_stats: the default value for stats_for_all_methods is switched from true to false, in order to avoid possible memory exhaustion due to an untrusted downstream sending a large number of unique method names. The previous default value was deprecated in version 1.14.0. This only changes the behavior when the value is not set. The previous behavior can be used by setting the value to true. This behavior change by be overridden by setting runtime feature envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default.

For now to maintain status-quo I'm explicitly setting `stats_for_all_methods=true` in all versions to avoid relying upon the default.

Additionally the naming of the emitted metrics for these gRPC requests changed slightly so the integration test assertions for `case-grpc` needed adjusting.
2021-04-29 15:22:03 -05:00
R.B. Boyer 91bee6246f
Support Incremental xDS mode (#9855)
This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged.

Union of all commit messages follows to give an overarching summary:

xds: exclusively support incremental xDS when using xDS v3

Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail.
Work around a strange older envoy behavior involving empty CDS responses over incremental xDS.
xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support

Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead.
Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client.
xds: pull out checkStreamACLs method in advance of a later commit

xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings

In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty.

This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10.

xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time
2021-04-29 13:54:05 -05:00
R.B. Boyer 6924586874
test: switch envoy integration tests to use pkill instead of ps+grep+awk+kill (#10097) 2021-04-23 13:23:33 -05:00
Freddy 7682aa341e
Check for optionally prepended namespace in upstream assertion (#10049) 2021-04-15 18:31:28 -06:00
Yong Wen Chua db406b700c
Update assertion to not check for port 2021-04-06 17:10:38 +08:00
Yong Wen Chua 85aa7f2785
Merge branch 'master' of github.com:hashicorp/consul into tg-rewrite 2021-04-06 17:05:26 +08:00
R.B. Boyer 503041f216
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658)
- Also add support for envoy 1.17.0
2021-02-26 16:23:15 -06:00
Yong Wen Chua e73781948d
Add integration test check 2021-02-24 16:24:32 +08:00
R.B. Boyer cdc5e99184
xds: remove deprecated usages of xDS (#9602)
Note that this does NOT upgrade to xDS v3. That will come in a future PR.

Additionally:

- Ignored staticcheck warnings about how github.com/golang/protobuf is deprecated.
- Shuffled some agent/xds imports in advance of a later xDS v3 upgrade.
- Remove support for envoy 1.13.x but don't add in 1.17.x yet. We have to wait until the xDS v3 support is added in a follow-up PR.

Fixes #8425
2021-02-22 15:00:15 -06:00
R.B. Boyer e87d2bb24f
xds: only try to create an ipv6 expose checks listener if ipv6 is supported by the kernel (#9765)
Fixes #9311

This only fails if the kernel has ipv6 hard-disabled. It is not sufficient to merely not provide an ipv6 address for a network interface.
2021-02-19 14:38:43 -06:00
Alvin Huang e3a4d843da
remove reference to docker/ path for old docker mirror (#9783) 2021-02-17 18:37:31 -05:00
Michele Degges 005c48d641
Remove jfrog references (#9782) 2021-02-17 18:21:52 -05:00
R.B. Boyer 194fb0d144
connect: update supported envoy point releases to 1.16.2, 1.15.3, 1.14.6, 1.13.7 (#9737) 2021-02-10 13:11:15 -06:00
Daniel Nephin 0fa754f490 Pin alpine/socat image to a version.
To fix failing integration tests. The latest version (`1.7.4.0-r0`)
appears to not be catting all the bytes, so the expected metrics are
missing in the output.
2021-01-06 18:01:39 -05:00
Freddy 2763833d32
Add DC and NS support for Envoy metrics (#9207)
This PR updates the tags that we generate for Envoy stats.

Several of these come with breaking changes, since we can't keep two stats prefixes for a filter.
2020-11-16 16:37:19 -07:00
R.B. Boyer adff2316c9
test: use direct service registration in envoy integration tests (#9138)
This has the biggest impact on enterprise test cases that use namespaced
registrations, which prior to this change sometimes failed the initial
registration because the namespace was not yet created.
2020-11-09 13:59:46 -06:00
R.B. Boyer 9b37ea7dcb
Revert "Add namespace support for metrics (OSS) (#9117)" (#9124)
This reverts commit 06b3b017d326853dbb53bc0ec08ce371265c5ce9.
2020-11-06 10:24:32 -06:00
Freddy 874efe705f
Add namespace support for metrics (OSS) (#9117) 2020-11-05 18:24:29 -07:00
R.B. Boyer 5c6d322872
use the docker proxy for more envoy integration test containers (#9085) 2020-11-02 14:52:33 -06:00
R.B. Boyer b8a623d3d2
wait_for_namespace should take two args (#9086) 2020-11-02 14:31:19 -06:00
Alvin Huang 102aefdb49
use hashicorp docker mirror in envoy helper (#9080) 2020-11-02 11:37:03 -06:00
R.B. Boyer cf5e9872ce
fix envoy integ test wait_for_namespace to actually work on CI (#9082) 2020-11-02 11:14:48 -06:00
Alvin Huang d6652b0bc9
use hashicorp docker mirror to prevent rate limit (#9070) 2020-10-30 17:59:13 -04:00
R.B. Boyer c8c87ec317
agent: introduce path allow list for requests going through the metrics proxy (#9059)
Added a new option `ui_config.metrics_proxy.path_allowlist`. This defaults to `["/api/v1/query", "/api/v1/query_range"]` when the metrics provider is set to `prometheus`.

Requests that do not use one of the allow-listed paths (via exact match) get a 403 Forbidden response instead.
2020-10-30 16:49:54 -05:00
R.B. Boyer e3e1d687df
add namespace waiting function to envoy integration tests (#9051) 2020-10-28 11:58:40 -05:00