4626b65124
Mesh gateways can use hostnames in their tagged addresses (#7999). This is useful if you were to expose a mesh gateway using a cloud networking load balancer appliance that gives you a DNS name but no reliable static IPs. Envoy cannot accept hostnames via EDS and those must be configured using CDS. There was already logic when configuring gateways in other locations in the code, but given the illusions in play for peering the downstream of a peered service wasn't aware that it should be doing that. Also: - ensuring that we always try to use wan-like addresses to cross peer boundaries.
111 lines
2.9 KiB
Go
111 lines
2.9 KiB
Go
package proxycfg
|
|
|
|
import (
|
|
"github.com/mitchellh/go-testing-interface"
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
"github.com/hashicorp/consul/proto/pbpeering"
|
|
)
|
|
|
|
func TestConfigSnapshotPeering(t testing.T) *ConfigSnapshot {
|
|
var (
|
|
paymentsUpstream = structs.Upstream{
|
|
DestinationName: "payments",
|
|
DestinationPeer: "cloud",
|
|
LocalBindPort: 9090,
|
|
}
|
|
paymentsUID = NewUpstreamID(&paymentsUpstream)
|
|
|
|
refundsUpstream = structs.Upstream{
|
|
DestinationName: "refunds",
|
|
DestinationPeer: "cloud",
|
|
LocalBindPort: 9090,
|
|
}
|
|
refundsUID = NewUpstreamID(&refundsUpstream)
|
|
)
|
|
|
|
const peerTrustDomain = "1c053652-8512-4373-90cf-5a7f6263a994.consul"
|
|
|
|
return TestConfigSnapshot(t, func(ns *structs.NodeService) {
|
|
ns.Proxy.Upstreams = structs.Upstreams{
|
|
paymentsUpstream,
|
|
refundsUpstream,
|
|
}
|
|
}, []UpdateEvent{
|
|
{
|
|
CorrelationID: peerTrustBundleIDPrefix + "cloud",
|
|
Result: &pbpeering.TrustBundleReadResponse{
|
|
Bundle: TestPeerTrustBundles(t).Bundles[0],
|
|
},
|
|
},
|
|
{
|
|
CorrelationID: upstreamPeerWatchIDPrefix + paymentsUID.String(),
|
|
Result: &structs.IndexedCheckServiceNodes{
|
|
Nodes: []structs.CheckServiceNode{
|
|
{
|
|
Node: &structs.Node{
|
|
Address: "85.252.102.31",
|
|
Datacenter: "cloud-dc",
|
|
},
|
|
Service: &structs.NodeService{
|
|
Service: "payments-sidecar-proxy",
|
|
Kind: structs.ServiceKindConnectProxy,
|
|
Port: 443,
|
|
TaggedAddresses: map[string]structs.ServiceAddress{
|
|
structs.TaggedAddressLAN: {
|
|
Address: "85.252.102.31",
|
|
Port: 443,
|
|
},
|
|
structs.TaggedAddressWAN: {
|
|
Address: "123.us-east-1.elb.notaws.com",
|
|
Port: 8443,
|
|
},
|
|
},
|
|
Connect: structs.ServiceConnect{
|
|
PeerMeta: &structs.PeeringServiceMeta{
|
|
SNI: []string{
|
|
"payments.default.default.cloud.external." + peerTrustDomain,
|
|
},
|
|
SpiffeID: []string{
|
|
"spiffe://" + peerTrustDomain + "/ns/default/dc/cloud-dc/svc/payments",
|
|
},
|
|
Protocol: "tcp",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
CorrelationID: upstreamPeerWatchIDPrefix + refundsUID.String(),
|
|
Result: &structs.IndexedCheckServiceNodes{
|
|
Nodes: []structs.CheckServiceNode{
|
|
{
|
|
Node: &structs.Node{
|
|
Address: "106.96.90.233",
|
|
Datacenter: "cloud-dc",
|
|
},
|
|
Service: &structs.NodeService{
|
|
Service: "refunds-sidecar-proxy",
|
|
Kind: structs.ServiceKindConnectProxy,
|
|
Port: 443,
|
|
Connect: structs.ServiceConnect{
|
|
PeerMeta: &structs.PeeringServiceMeta{
|
|
SNI: []string{
|
|
"refunds.default.default.cloud.external." + peerTrustDomain,
|
|
},
|
|
SpiffeID: []string{
|
|
"spiffe://" + peerTrustDomain + "/ns/default/dc/cloud-dc/svc/refunds",
|
|
},
|
|
Protocol: "tcp",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
})
|
|
}
|