3892 lines
109 KiB
Go
3892 lines
109 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package state
|
|
|
|
import (
|
|
"fmt"
|
|
"testing"
|
|
"time"
|
|
|
|
memdb "github.com/hashicorp/go-memdb"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/hashicorp/consul/acl"
|
|
"github.com/hashicorp/consul/agent/configentry"
|
|
"github.com/hashicorp/consul/agent/consul/discoverychain"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
"github.com/hashicorp/consul/proto/private/pbpeering"
|
|
"github.com/hashicorp/consul/proto/private/prototest"
|
|
"github.com/hashicorp/consul/sdk/testutil"
|
|
)
|
|
|
|
func TestStore_ConfigEntry(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
expected := &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: "global",
|
|
Config: map[string]interface{}{
|
|
"DestinationServiceName": "foo",
|
|
},
|
|
}
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, expected))
|
|
|
|
idx, config, err := s.ConfigEntry(nil, structs.ProxyDefaults, "global", nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(0), idx)
|
|
require.Equal(t, expected, config)
|
|
|
|
// Update
|
|
updated := &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: "global",
|
|
Config: map[string]interface{}{
|
|
"DestinationServiceName": "bar",
|
|
},
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(1, updated))
|
|
|
|
idx, config, err = s.ConfigEntry(nil, structs.ProxyDefaults, "global", nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(1), idx)
|
|
require.Equal(t, updated, config)
|
|
|
|
// Delete
|
|
require.NoError(t, s.DeleteConfigEntry(2, structs.ProxyDefaults, "global", nil))
|
|
|
|
idx, config, err = s.ConfigEntry(nil, structs.ProxyDefaults, "global", nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(2), idx)
|
|
require.Nil(t, config)
|
|
|
|
// Set up a watch.
|
|
serviceConf := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "foo",
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(3, serviceConf))
|
|
|
|
ws := memdb.NewWatchSet()
|
|
_, _, err = s.ConfigEntry(ws, structs.ServiceDefaults, "foo", nil)
|
|
require.NoError(t, err)
|
|
|
|
// Make an unrelated modification and make sure the watch doesn't fire.
|
|
require.NoError(t, s.EnsureConfigEntry(4, updated))
|
|
require.False(t, watchFired(ws))
|
|
|
|
// Update the watched config and make sure it fires.
|
|
serviceConf.Protocol = "http"
|
|
require.NoError(t, s.EnsureConfigEntry(5, serviceConf))
|
|
require.True(t, watchFired(ws))
|
|
|
|
}
|
|
func TestStore_ConfigEntryCAS(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
expected := &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: "global",
|
|
Config: map[string]interface{}{
|
|
"DestinationServiceName": "foo",
|
|
},
|
|
}
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(1, expected))
|
|
|
|
idx, config, err := s.ConfigEntry(nil, structs.ProxyDefaults, "global", nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(1), idx)
|
|
require.Equal(t, expected, config)
|
|
|
|
// Update with invalid index
|
|
updated := &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: "global",
|
|
Config: map[string]interface{}{
|
|
"DestinationServiceName": "bar",
|
|
},
|
|
}
|
|
ok, err := s.EnsureConfigEntryCAS(2, 99, updated)
|
|
require.False(t, ok)
|
|
require.NoError(t, err)
|
|
|
|
// Entry should not be changed
|
|
idx, config, err = s.ConfigEntry(nil, structs.ProxyDefaults, "global", nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(1), idx)
|
|
require.Equal(t, expected, config)
|
|
|
|
// Update with a valid index
|
|
ok, err = s.EnsureConfigEntryCAS(2, 1, updated)
|
|
require.True(t, ok)
|
|
require.NoError(t, err)
|
|
|
|
// Entry should be updated
|
|
idx, config, err = s.ConfigEntry(nil, structs.ProxyDefaults, "global", nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(2), idx)
|
|
require.Equal(t, updated, config)
|
|
}
|
|
|
|
func TestStore_ConfigEntry_DeleteCAS(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
entry := &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: "global",
|
|
Config: map[string]interface{}{
|
|
"DestinationServiceName": "foo",
|
|
},
|
|
}
|
|
|
|
// Attempt to delete the entry before it exists.
|
|
ok, err := s.DeleteConfigEntryCAS(1, 0, entry)
|
|
require.NoError(t, err)
|
|
require.False(t, ok)
|
|
|
|
// Create the entry.
|
|
require.NoError(t, s.EnsureConfigEntry(1, entry))
|
|
|
|
// Attempt to delete with an invalid index.
|
|
ok, err = s.DeleteConfigEntryCAS(2, 99, entry)
|
|
require.NoError(t, err)
|
|
require.False(t, ok)
|
|
|
|
// Entry should not be deleted.
|
|
_, config, err := s.ConfigEntry(nil, entry.Kind, entry.Name, nil)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, config)
|
|
|
|
// Attempt to delete with a valid index.
|
|
ok, err = s.DeleteConfigEntryCAS(2, 1, entry)
|
|
require.NoError(t, err)
|
|
require.True(t, ok)
|
|
|
|
// Entry should be deleted.
|
|
_, config, err = s.ConfigEntry(nil, entry.Kind, entry.Name, nil)
|
|
require.NoError(t, err)
|
|
require.Nil(t, config)
|
|
}
|
|
|
|
func TestStore_ConfigEntry_UpdateOver(t *testing.T) {
|
|
// This test uses ServiceIntentions because they are the only
|
|
// kind that implements UpdateOver() at this time.
|
|
|
|
s := testConfigStateStore(t)
|
|
|
|
var (
|
|
idA = testUUID()
|
|
idB = testUUID()
|
|
|
|
loc = time.FixedZone("UTC-8", -8*60*60)
|
|
timeA = time.Date(1955, 11, 5, 6, 15, 0, 0, loc)
|
|
timeB = time.Date(1985, 10, 26, 1, 35, 0, 0, loc)
|
|
)
|
|
require.NotEqual(t, idA, idB)
|
|
|
|
initial := &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{
|
|
LegacyID: idA,
|
|
Name: "web",
|
|
Action: structs.IntentionActionAllow,
|
|
LegacyCreateTime: &timeA,
|
|
LegacyUpdateTime: &timeA,
|
|
},
|
|
},
|
|
}
|
|
|
|
// Create
|
|
nextIndex := uint64(1)
|
|
require.NoError(t, s.EnsureConfigEntry(nextIndex, initial.Clone()))
|
|
|
|
idx, raw, err := s.ConfigEntry(nil, structs.ServiceIntentions, "api", nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, nextIndex, idx)
|
|
|
|
got, ok := raw.(*structs.ServiceIntentionsConfigEntry)
|
|
require.True(t, ok)
|
|
initial.RaftIndex = got.RaftIndex
|
|
require.Equal(t, initial, got)
|
|
|
|
t.Run("update and fail change legacyID", func(t *testing.T) {
|
|
// Update
|
|
updated := &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{
|
|
LegacyID: idB,
|
|
Name: "web",
|
|
Action: structs.IntentionActionDeny,
|
|
LegacyCreateTime: &timeB,
|
|
LegacyUpdateTime: &timeB,
|
|
},
|
|
},
|
|
}
|
|
|
|
nextIndex++
|
|
err := s.EnsureConfigEntry(nextIndex, updated.Clone())
|
|
testutil.RequireErrorContains(t, err, "cannot set this field to a different value")
|
|
})
|
|
|
|
t.Run("update and do not update create time", func(t *testing.T) {
|
|
// Update
|
|
updated := &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{
|
|
LegacyID: idA,
|
|
Name: "web",
|
|
Action: structs.IntentionActionDeny,
|
|
LegacyCreateTime: &timeB,
|
|
LegacyUpdateTime: &timeB,
|
|
},
|
|
},
|
|
}
|
|
|
|
nextIndex++
|
|
require.NoError(t, s.EnsureConfigEntry(nextIndex, updated.Clone()))
|
|
|
|
// check
|
|
idx, raw, err = s.ConfigEntry(nil, structs.ServiceIntentions, "api", nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, nextIndex, idx)
|
|
|
|
got, ok = raw.(*structs.ServiceIntentionsConfigEntry)
|
|
require.True(t, ok)
|
|
updated.RaftIndex = got.RaftIndex
|
|
updated.Sources[0].LegacyCreateTime = &timeA // UpdateOver will not replace this
|
|
require.Equal(t, updated, got)
|
|
})
|
|
}
|
|
|
|
func TestStore_ConfigEntries(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
// Create some config entries.
|
|
entry1 := &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: "test1",
|
|
}
|
|
entry2 := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "test2",
|
|
}
|
|
entry3 := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "test3",
|
|
}
|
|
|
|
require.NoError(t, s.EnsureConfigEntry(0, entry1))
|
|
require.NoError(t, s.EnsureConfigEntry(1, entry2))
|
|
require.NoError(t, s.EnsureConfigEntry(2, entry3))
|
|
|
|
// Get all entries
|
|
idx, entries, err := s.ConfigEntries(nil, nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(2), idx)
|
|
require.Equal(t, []structs.ConfigEntry{entry1, entry2, entry3}, entries)
|
|
|
|
// Get all proxy entries
|
|
idx, entries, err = s.ConfigEntriesByKind(nil, structs.ProxyDefaults, nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(2), idx)
|
|
require.Equal(t, []structs.ConfigEntry{entry1}, entries)
|
|
|
|
// Get all service entries
|
|
ws := memdb.NewWatchSet()
|
|
idx, entries, err = s.ConfigEntriesByKind(ws, structs.ServiceDefaults, nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(2), idx)
|
|
require.Equal(t, []structs.ConfigEntry{entry2, entry3}, entries)
|
|
|
|
// Watch should not have fired
|
|
require.False(t, watchFired(ws))
|
|
|
|
// Now make an update and make sure the watch fires.
|
|
require.NoError(t, s.EnsureConfigEntry(3, &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "test2",
|
|
Protocol: "tcp",
|
|
}))
|
|
require.True(t, watchFired(ws))
|
|
|
|
}
|
|
|
|
func TestStore_ServiceDefaults_Kind_Destination(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
Gtwy := &structs.TerminatingGatewayConfigEntry{
|
|
Kind: structs.TerminatingGateway,
|
|
Name: "Gtwy1",
|
|
Services: []structs.LinkedService{
|
|
{
|
|
Name: "dest1",
|
|
},
|
|
},
|
|
}
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, Gtwy))
|
|
|
|
destination := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "dest1",
|
|
Destination: &structs.DestinationConfig{},
|
|
}
|
|
|
|
_, gatewayServices, err := s.GatewayServices(nil, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindUnknown)
|
|
|
|
ws := memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, destination))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindDestination)
|
|
|
|
_, kindServices, err := s.ServiceNamesOfKind(ws, structs.ServiceKindDestination)
|
|
require.NoError(t, err)
|
|
require.Len(t, kindServices, 1)
|
|
require.Equal(t, kindServices[0].Kind, structs.ServiceKindDestination)
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, s.DeleteConfigEntry(6, structs.ServiceDefaults, destination.Name, &destination.EnterpriseMeta))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, structs.GatewayServiceKindUnknown, gatewayServices[0].ServiceKind)
|
|
|
|
_, kindServices, err = s.ServiceNamesOfKind(ws, structs.ServiceKindDestination)
|
|
require.NoError(t, err)
|
|
require.Len(t, kindServices, 0)
|
|
|
|
}
|
|
|
|
func TestStore_ServiceDefaults_Kind_NotDestination(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
Gtwy := &structs.TerminatingGatewayConfigEntry{
|
|
Kind: structs.TerminatingGateway,
|
|
Name: "Gtwy1",
|
|
Services: []structs.LinkedService{
|
|
{
|
|
Name: "dest1",
|
|
},
|
|
},
|
|
}
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, Gtwy))
|
|
|
|
destination := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "dest1",
|
|
}
|
|
|
|
_, gatewayServices, err := s.GatewayServices(nil, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindUnknown)
|
|
|
|
ws := memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, destination))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.False(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindUnknown)
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, s.DeleteConfigEntry(6, structs.ServiceDefaults, destination.Name, &destination.EnterpriseMeta))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.False(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindUnknown)
|
|
|
|
}
|
|
|
|
func TestStore_Service_TerminatingGateway_Kind_Service_Destination(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
Gtwy := &structs.TerminatingGatewayConfigEntry{
|
|
Kind: structs.TerminatingGateway,
|
|
Name: "Gtwy1",
|
|
Services: []structs.LinkedService{
|
|
{
|
|
Name: "web",
|
|
},
|
|
},
|
|
}
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, Gtwy))
|
|
|
|
service := &structs.NodeService{
|
|
Kind: structs.ServiceKindTypical,
|
|
Service: "web",
|
|
}
|
|
destination := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "web",
|
|
Destination: &structs.DestinationConfig{},
|
|
}
|
|
|
|
_, gatewayServices, err := s.GatewayServices(nil, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindUnknown)
|
|
|
|
ws := memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureNode(0, &structs.Node{Node: "node1"}))
|
|
require.NoError(t, s.EnsureService(0, "node1", service))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindService)
|
|
|
|
_, kindServices, err := s.ServiceNamesOfKind(ws, structs.ServiceKindTypical)
|
|
require.NoError(t, err)
|
|
require.Len(t, kindServices, 1)
|
|
require.Equal(t, kindServices[0].Kind, structs.ServiceKindTypical)
|
|
|
|
require.NoError(t, s.EnsureConfigEntry(0, destination))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(nil, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindService)
|
|
|
|
_, kindServices, err = s.ServiceNamesOfKind(ws, structs.ServiceKindTypical)
|
|
require.NoError(t, err)
|
|
require.Len(t, kindServices, 1)
|
|
require.Equal(t, kindServices[0].Kind, structs.ServiceKindTypical)
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, s.DeleteService(6, "node1", service.ID, &service.EnterpriseMeta, ""))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindDestination)
|
|
|
|
_, kindServices, err = s.ServiceNamesOfKind(ws, structs.ServiceKindDestination)
|
|
require.NoError(t, err)
|
|
require.Len(t, kindServices, 1)
|
|
require.Equal(t, kindServices[0].Kind, structs.ServiceKindDestination)
|
|
|
|
}
|
|
|
|
func TestStore_Service_TerminatingGateway_Kind_Destination_Service(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
Gtwy := &structs.TerminatingGatewayConfigEntry{
|
|
Kind: structs.TerminatingGateway,
|
|
Name: "Gtwy1",
|
|
Services: []structs.LinkedService{
|
|
{
|
|
Name: "web",
|
|
},
|
|
},
|
|
}
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, Gtwy))
|
|
|
|
service := &structs.NodeService{
|
|
Kind: structs.ServiceKindTypical,
|
|
Service: "web",
|
|
}
|
|
destination := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "web",
|
|
Destination: &structs.DestinationConfig{},
|
|
}
|
|
|
|
_, gatewayServices, err := s.GatewayServices(nil, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindUnknown)
|
|
|
|
ws := memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, destination))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(nil, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindDestination)
|
|
|
|
_, kindServices, err := s.ServiceNamesOfKind(ws, structs.ServiceKindDestination)
|
|
require.NoError(t, err)
|
|
require.Len(t, kindServices, 1)
|
|
require.Equal(t, kindServices[0].Kind, structs.ServiceKindDestination)
|
|
|
|
require.NoError(t, s.EnsureNode(0, &structs.Node{Node: "node1"}))
|
|
require.NoError(t, s.EnsureService(0, "node1", service))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindService)
|
|
|
|
_, kindServices, err = s.ServiceNamesOfKind(ws, structs.ServiceKindTypical)
|
|
require.NoError(t, err)
|
|
require.Len(t, kindServices, 1)
|
|
require.Equal(t, kindServices[0].Kind, structs.ServiceKindTypical)
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, s.DeleteService(6, "node1", service.ID, &service.EnterpriseMeta, ""))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindDestination)
|
|
|
|
_, kindServices, err = s.ServiceNamesOfKind(ws, structs.ServiceKindDestination)
|
|
require.NoError(t, err)
|
|
require.Len(t, kindServices, 1)
|
|
require.Equal(t, kindServices[0].Kind, structs.ServiceKindDestination)
|
|
|
|
}
|
|
|
|
func TestStore_Service_TerminatingGateway_Kind_Service(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
Gtwy := &structs.TerminatingGatewayConfigEntry{
|
|
Kind: structs.TerminatingGateway,
|
|
Name: "Gtwy1",
|
|
Services: []structs.LinkedService{
|
|
{
|
|
Name: "web",
|
|
},
|
|
},
|
|
}
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, Gtwy))
|
|
|
|
service := &structs.NodeService{
|
|
Kind: structs.ServiceKindTypical,
|
|
Service: "web",
|
|
}
|
|
|
|
_, gatewayServices, err := s.GatewayServices(nil, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindUnknown)
|
|
|
|
ws := memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureNode(0, &structs.Node{Node: "node1"}))
|
|
require.NoError(t, s.EnsureService(0, "node1", service))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindService)
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, s.DeleteService(6, "node1", service.ID, &service.EnterpriseMeta, ""))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindUnknown)
|
|
|
|
}
|
|
|
|
func TestStore_ServiceDefaults_Kind_Destination_Wildcard(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
Gtwy := &structs.TerminatingGatewayConfigEntry{
|
|
Kind: structs.TerminatingGateway,
|
|
Name: "Gtwy1",
|
|
Services: []structs.LinkedService{
|
|
{
|
|
Name: "*",
|
|
},
|
|
},
|
|
}
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, Gtwy))
|
|
|
|
destination := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "dest1",
|
|
Destination: &structs.DestinationConfig{},
|
|
}
|
|
|
|
_, gatewayServices, err := s.GatewayServices(nil, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 0)
|
|
|
|
ws := memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, destination))
|
|
require.NoError(t, err)
|
|
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindDestination)
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, s.DeleteConfigEntry(6, structs.ServiceDefaults, destination.Name, &destination.EnterpriseMeta))
|
|
|
|
// Watch is fired because we deleted the destination - now the mapping should be gone.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 0)
|
|
|
|
t.Run("delete service instance before config entry", func(t *testing.T) {
|
|
// Set up a service with both a real instance and destination from a config entry.
|
|
require.NoError(t, s.EnsureNode(7, &structs.Node{Node: "foo", Address: "127.0.0.1"}))
|
|
require.NoError(t, s.EnsureService(8, "foo", &structs.NodeService{ID: "dest2", Service: "dest2", Tags: nil, Address: "", Port: 5000}))
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, structs.GatewayServiceKindService, gatewayServices[0].ServiceKind)
|
|
|
|
// Register destination; shouldn't change the gateway mapping.
|
|
destination2 := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "dest2",
|
|
Destination: &structs.DestinationConfig{},
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(9, destination2))
|
|
require.False(t, watchFired(ws))
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
expected := structs.GatewayServices{
|
|
{
|
|
Service: structs.NewServiceName("dest2", nil),
|
|
Gateway: structs.NewServiceName("Gtwy1", nil),
|
|
ServiceKind: structs.GatewayServiceKindService,
|
|
GatewayKind: structs.ServiceKindTerminatingGateway,
|
|
FromWildcard: true,
|
|
RaftIndex: structs.RaftIndex{
|
|
CreateIndex: 8,
|
|
ModifyIndex: 8,
|
|
},
|
|
},
|
|
}
|
|
require.Equal(t, expected, gatewayServices)
|
|
|
|
// Delete the service, mapping should still exist.
|
|
require.NoError(t, s.DeleteService(10, "foo", "dest2", nil, ""))
|
|
require.False(t, watchFired(ws))
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, expected, gatewayServices)
|
|
|
|
// Delete the config entry, mapping should be gone.
|
|
require.NoError(t, s.DeleteConfigEntry(11, structs.ServiceDefaults, "dest2", &destination.EnterpriseMeta))
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Empty(t, gatewayServices)
|
|
})
|
|
|
|
t.Run("delete config entry before service instance", func(t *testing.T) {
|
|
// Set up a service with both a real instance and destination from a config entry.
|
|
destination2 := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "dest2",
|
|
Destination: &structs.DestinationConfig{},
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(7, destination2))
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
expected := structs.GatewayServices{
|
|
{
|
|
Service: structs.NewServiceName("dest2", nil),
|
|
Gateway: structs.NewServiceName("Gtwy1", nil),
|
|
ServiceKind: structs.GatewayServiceKindDestination,
|
|
GatewayKind: structs.ServiceKindTerminatingGateway,
|
|
FromWildcard: true,
|
|
RaftIndex: structs.RaftIndex{
|
|
CreateIndex: 7,
|
|
ModifyIndex: 7,
|
|
},
|
|
},
|
|
}
|
|
require.Equal(t, expected, gatewayServices)
|
|
|
|
// Register service, only ServiceKind should have changed on the gateway mapping.
|
|
require.NoError(t, s.EnsureNode(8, &structs.Node{Node: "foo", Address: "127.0.0.1"}))
|
|
require.NoError(t, s.EnsureService(9, "foo", &structs.NodeService{ID: "dest2", Service: "dest2", Tags: nil, Address: "", Port: 5000}))
|
|
require.True(t, watchFired(ws))
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
expected = structs.GatewayServices{
|
|
{
|
|
Service: structs.NewServiceName("dest2", nil),
|
|
Gateway: structs.NewServiceName("Gtwy1", nil),
|
|
ServiceKind: structs.GatewayServiceKindService,
|
|
GatewayKind: structs.ServiceKindTerminatingGateway,
|
|
FromWildcard: true,
|
|
RaftIndex: structs.RaftIndex{
|
|
CreateIndex: 7,
|
|
ModifyIndex: 9,
|
|
},
|
|
},
|
|
}
|
|
require.Equal(t, expected, gatewayServices)
|
|
|
|
// Delete the config entry, mapping should still exist.
|
|
require.NoError(t, s.DeleteConfigEntry(10, structs.ServiceDefaults, "dest2", &destination.EnterpriseMeta))
|
|
require.False(t, watchFired(ws))
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, expected, gatewayServices)
|
|
|
|
// Delete the service, mapping should be gone.
|
|
require.NoError(t, s.DeleteService(11, "foo", "dest2", nil, ""))
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Empty(t, gatewayServices)
|
|
})
|
|
}
|
|
|
|
func TestStore_Service_TerminatingGateway_Kind_Service_Wildcard(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
Gtwy := &structs.TerminatingGatewayConfigEntry{
|
|
Kind: structs.TerminatingGateway,
|
|
Name: "Gtwy1",
|
|
Services: []structs.LinkedService{
|
|
{
|
|
Name: "*",
|
|
},
|
|
},
|
|
}
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureConfigEntry(0, Gtwy))
|
|
|
|
service := &structs.NodeService{
|
|
Kind: structs.ServiceKindTypical,
|
|
Service: "web",
|
|
}
|
|
|
|
_, gatewayServices, err := s.GatewayServices(nil, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 0)
|
|
|
|
ws := memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
// Create
|
|
require.NoError(t, s.EnsureNode(0, &structs.Node{Node: "node1"}))
|
|
require.NoError(t, s.EnsureService(0, "node1", service))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 1)
|
|
require.Equal(t, gatewayServices[0].ServiceKind, structs.GatewayServiceKindService)
|
|
|
|
ws = memdb.NewWatchSet()
|
|
_, _, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
|
|
require.NoError(t, s.DeleteService(6, "node1", service.ID, &service.EnterpriseMeta, ""))
|
|
|
|
//Watch is fired because we transitioned to a destination, by default we assume it's not.
|
|
require.True(t, watchFired(ws))
|
|
|
|
_, gatewayServices, err = s.GatewayServices(ws, "Gtwy1", nil)
|
|
require.NoError(t, err)
|
|
require.Len(t, gatewayServices, 0)
|
|
}
|
|
|
|
func TestStore_ConfigEntry_GraphValidation(t *testing.T) {
|
|
ensureConfigEntry := func(s *Store, idx uint64, entry structs.ConfigEntry) error {
|
|
if err := entry.Normalize(); err != nil {
|
|
return err
|
|
}
|
|
if err := entry.Validate(); err != nil {
|
|
return err
|
|
}
|
|
return s.EnsureConfigEntry(idx, entry)
|
|
}
|
|
|
|
type tcase struct {
|
|
entries []structs.ConfigEntry
|
|
opAdd structs.ConfigEntry
|
|
opDelete configentry.KindName
|
|
expectErr string
|
|
expectGraphErr bool
|
|
}
|
|
|
|
EMPTY_KN := configentry.KindName{}
|
|
|
|
run := func(t *testing.T, tc tcase) {
|
|
s := testConfigStateStore(t)
|
|
for _, entry := range tc.entries {
|
|
require.NoError(t, ensureConfigEntry(s, 0, entry))
|
|
}
|
|
|
|
nOps := 0
|
|
if tc.opAdd != nil {
|
|
nOps++
|
|
}
|
|
if tc.opDelete != EMPTY_KN {
|
|
nOps++
|
|
}
|
|
require.Equal(t, 1, nOps, "exactly one operation is required")
|
|
|
|
var err error
|
|
switch {
|
|
case tc.opAdd != nil:
|
|
err = ensureConfigEntry(s, 0, tc.opAdd)
|
|
case tc.opDelete != EMPTY_KN:
|
|
kn := tc.opDelete
|
|
err = s.DeleteConfigEntry(0, kn.Kind, kn.Name, &kn.EnterpriseMeta)
|
|
default:
|
|
t.Fatal("not possible")
|
|
}
|
|
|
|
if tc.expectErr != "" {
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), tc.expectErr)
|
|
_, ok := err.(*structs.ConfigEntryGraphError)
|
|
if tc.expectGraphErr {
|
|
require.True(t, ok, "%T is not a *ConfigEntryGraphError", err)
|
|
} else {
|
|
require.False(t, ok, "did not expect a *ConfigEntryGraphError here: %v", err)
|
|
}
|
|
} else {
|
|
require.NoError(t, err)
|
|
}
|
|
}
|
|
|
|
cases := map[string]tcase{
|
|
"splitter fails without default protocol": {
|
|
entries: []structs.ConfigEntry{},
|
|
opAdd: &structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 100},
|
|
},
|
|
},
|
|
expectErr: "does not permit advanced routing or splitting behavior",
|
|
expectGraphErr: true,
|
|
},
|
|
"splitter fails with tcp protocol": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "tcp",
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 100},
|
|
},
|
|
},
|
|
expectErr: "does not permit advanced routing or splitting behavior",
|
|
expectGraphErr: true,
|
|
},
|
|
"splitter works with http protocol": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "tcp", // loses
|
|
},
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"v1": {
|
|
Filter: "Service.Meta.version == v1",
|
|
},
|
|
"v2": {
|
|
Filter: "Service.Meta.version == v2",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, ServiceSubset: "v1"},
|
|
{Weight: 10, ServiceSubset: "v2"},
|
|
},
|
|
EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
|
|
},
|
|
},
|
|
"splitter works with http protocol (from proxy-defaults)": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"v1": {
|
|
Filter: "Service.Meta.version == v1",
|
|
},
|
|
"v2": {
|
|
Filter: "Service.Meta.version == v2",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, ServiceSubset: "v1"},
|
|
{Weight: 10, ServiceSubset: "v2"},
|
|
},
|
|
},
|
|
},
|
|
"router fails with tcp protocol": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "tcp",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"other": {
|
|
Filter: "Service.Meta.version == other",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "main",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/other",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
ServiceSubset: "other",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectErr: "does not permit advanced routing or splitting behavior",
|
|
expectGraphErr: true,
|
|
},
|
|
"router fails without default protocol": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"other": {
|
|
Filter: "Service.Meta.version == other",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "main",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/other",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
ServiceSubset: "other",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectErr: "does not permit advanced routing or splitting behavior",
|
|
expectGraphErr: true,
|
|
},
|
|
/////////////////////////////////////////////////
|
|
"cannot remove default protocol after splitter created": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"v1": {
|
|
Filter: "Service.Meta.version == v1",
|
|
},
|
|
"v2": {
|
|
Filter: "Service.Meta.version == v2",
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, ServiceSubset: "v1"},
|
|
{Weight: 10, ServiceSubset: "v2"},
|
|
},
|
|
},
|
|
},
|
|
opDelete: configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
expectErr: "does not permit advanced routing or splitting behavior",
|
|
expectGraphErr: true,
|
|
},
|
|
"cannot remove global default protocol after splitter created": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"v1": {
|
|
Filter: "Service.Meta.version == v1",
|
|
},
|
|
"v2": {
|
|
Filter: "Service.Meta.version == v2",
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, ServiceSubset: "v1"},
|
|
{Weight: 10, ServiceSubset: "v2"},
|
|
},
|
|
},
|
|
},
|
|
opDelete: configentry.NewKindName(structs.ProxyDefaults, structs.ProxyConfigGlobal, nil),
|
|
expectErr: "does not permit advanced routing or splitting behavior",
|
|
expectGraphErr: true,
|
|
},
|
|
"can remove global default protocol after splitter created if service default overrides it": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"v1": {
|
|
Filter: "Service.Meta.version == v1",
|
|
},
|
|
"v2": {
|
|
Filter: "Service.Meta.version == v2",
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, ServiceSubset: "v1"},
|
|
{Weight: 10, ServiceSubset: "v2"},
|
|
},
|
|
},
|
|
},
|
|
opDelete: configentry.NewKindName(structs.ProxyDefaults, structs.ProxyConfigGlobal, nil),
|
|
},
|
|
"cannot change to tcp protocol after splitter created": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"v1": {
|
|
Filter: "Service.Meta.version == v1",
|
|
},
|
|
"v2": {
|
|
Filter: "Service.Meta.version == v2",
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, ServiceSubset: "v1"},
|
|
{Weight: 10, ServiceSubset: "v2"},
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "tcp",
|
|
},
|
|
expectErr: "does not permit advanced routing or splitting behavior",
|
|
expectGraphErr: true,
|
|
},
|
|
"cannot remove default protocol after router created": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"other": {
|
|
Filter: "Service.Meta.version == other",
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "main",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/other",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
ServiceSubset: "other",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
opDelete: configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
expectErr: "does not permit advanced routing or splitting behavior",
|
|
expectGraphErr: true,
|
|
},
|
|
"cannot change to tcp protocol after router created": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"other": {
|
|
Filter: "Service.Meta.version == other",
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "main",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/other",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
ServiceSubset: "other",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "tcp",
|
|
},
|
|
expectErr: "does not permit advanced routing or splitting behavior",
|
|
expectGraphErr: true,
|
|
},
|
|
/////////////////////////////////////////////////
|
|
"cannot split to a service using tcp": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "other",
|
|
Protocol: "tcp",
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90},
|
|
{Weight: 10, Service: "other"},
|
|
},
|
|
},
|
|
expectErr: "uses inconsistent protocols",
|
|
expectGraphErr: true,
|
|
},
|
|
"cannot route to a service using tcp": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "other",
|
|
Protocol: "tcp",
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "main",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/other",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
Service: "other",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectErr: "uses inconsistent protocols",
|
|
expectGraphErr: true,
|
|
},
|
|
/////////////////////////////////////////////////
|
|
"cannot failover to a service using a different protocol": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "grpc",
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "other",
|
|
Protocol: "tcp",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
ConnectTimeout: 33 * time.Second,
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Service: "other",
|
|
},
|
|
},
|
|
},
|
|
expectErr: "uses inconsistent protocols",
|
|
expectGraphErr: true,
|
|
},
|
|
"cannot redirect to a service using a different protocol": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "grpc",
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "other",
|
|
Protocol: "tcp",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
ConnectTimeout: 33 * time.Second,
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "other",
|
|
},
|
|
},
|
|
expectErr: "uses inconsistent protocols",
|
|
expectGraphErr: true,
|
|
},
|
|
/////////////////////////////////////////////////
|
|
"redirect to a subset that does exist is fine": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "other",
|
|
ConnectTimeout: 33 * time.Second,
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"v1": {
|
|
Filter: "Service.Meta.version == v1",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "other",
|
|
ServiceSubset: "v1",
|
|
},
|
|
},
|
|
},
|
|
"cannot redirect to a subset that does not exist": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "other",
|
|
ConnectTimeout: 33 * time.Second,
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "other",
|
|
ServiceSubset: "v1",
|
|
},
|
|
},
|
|
expectErr: `does not have a subset named "v1"`,
|
|
expectGraphErr: true,
|
|
},
|
|
/////////////////////////////////////////////////
|
|
"cannot introduce circular resolver redirect": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "other",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "main",
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "other",
|
|
},
|
|
},
|
|
expectErr: `detected circular resolver redirect`,
|
|
expectGraphErr: true,
|
|
},
|
|
"cannot introduce circular split": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: "service-splitter",
|
|
Name: "other",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 100, Service: "main"},
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceSplitterConfigEntry{
|
|
Kind: "service-splitter",
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 100, Service: "other"},
|
|
},
|
|
},
|
|
expectErr: `detected circular reference`,
|
|
expectGraphErr: true,
|
|
},
|
|
/////////////////////////////////////////////////
|
|
"cannot peer export cross-dc redirect": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: "service-resolver",
|
|
Name: "main",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Datacenter: "dc3",
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
expectErr: `contains cross-datacenter resolver redirect`,
|
|
},
|
|
"cannot peer export cross-dc redirect via wildcard": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: "service-resolver",
|
|
Name: "main",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Datacenter: "dc3",
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "*",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
expectErr: `contains cross-datacenter resolver redirect`,
|
|
},
|
|
"cannot peer export cross-dc failover": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: "service-resolver",
|
|
Name: "main",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Datacenters: []string{"dc3"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
expectErr: `contains cross-datacenter failover`,
|
|
},
|
|
"cannot peer export cross-dc failover via wildcard": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: "service-resolver",
|
|
Name: "main",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Datacenters: []string{"dc3"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "*",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
expectErr: `contains cross-datacenter failover`,
|
|
},
|
|
"cannot redirect a peer exported tcp service": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "other",
|
|
},
|
|
},
|
|
expectErr: `cannot introduce new discovery chain targets like`,
|
|
},
|
|
"can redirect a peer exported http service to another service": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "other",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "other",
|
|
},
|
|
},
|
|
},
|
|
"cannot redirect a peer exported http service to another peer service": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "other",
|
|
Peer: "something",
|
|
},
|
|
},
|
|
expectErr: `contains cross-peer resolver redirect`,
|
|
},
|
|
"cannot redirect a peer exported http service to a service in another datacenter": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "other",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "other",
|
|
Datacenter: "dc12",
|
|
},
|
|
},
|
|
expectErr: `contains cross-datacenter resolver redirect`,
|
|
},
|
|
"can failover a peer exported http service to another service": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "other",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Service: "other",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
"can failover a peer exported http service to another peer service": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Targets: []structs.ServiceResolverFailoverTarget{
|
|
{
|
|
Service: "other",
|
|
Peer: "some-peer",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
"can't failover a peer exported http service to another service in a different datacenter": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "other",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Service: "other",
|
|
Datacenters: []string{"dc12"},
|
|
},
|
|
},
|
|
},
|
|
expectErr: `contains cross-datacenter failover`,
|
|
},
|
|
"can't failover a peer exported http service to another service in a different datacenter using targets": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "other",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Targets: []structs.ServiceResolverFailoverTarget{
|
|
{
|
|
Service: "other",
|
|
Datacenter: "dc12",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectErr: `contains cross-datacenter failover`,
|
|
},
|
|
"can failover a peer exported tcp service": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Targets: []structs.ServiceResolverFailoverTarget{
|
|
{
|
|
Service: "other",
|
|
},
|
|
{
|
|
Service: "other",
|
|
Peer: "cluster-01",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
"can failover a peer exported tcp service from a redirect": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ExportedServicesConfigEntry{
|
|
Name: "default",
|
|
Services: []structs.ExportedService{{
|
|
Name: "main",
|
|
Consumers: []structs.ServiceConsumer{{Peer: "my-peer"}},
|
|
}},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "other",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "main",
|
|
},
|
|
},
|
|
},
|
|
opAdd: &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Targets: []structs.ServiceResolverFailoverTarget{
|
|
{
|
|
Service: "another",
|
|
},
|
|
{
|
|
Service: "other",
|
|
Peer: "cluster-01",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for name, tc := range cases {
|
|
t.Run(name, func(t *testing.T) {
|
|
run(t, tc)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestStore_ReadDiscoveryChainConfigEntries_Overrides(t *testing.T) {
|
|
for _, tc := range []struct {
|
|
name string
|
|
entries []structs.ConfigEntry
|
|
expectBefore []configentry.KindName
|
|
overrides map[configentry.KindName]structs.ConfigEntry
|
|
expectAfter []configentry.KindName
|
|
expectAfterErr string
|
|
checkAfter func(t *testing.T, entrySet *configentry.DiscoveryChainSet)
|
|
}{
|
|
{
|
|
name: "mask service-defaults",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "tcp",
|
|
},
|
|
},
|
|
expectBefore: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
},
|
|
overrides: map[configentry.KindName]structs.ConfigEntry{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil): nil,
|
|
},
|
|
expectAfter: []configentry.KindName{
|
|
// nothing
|
|
},
|
|
},
|
|
{
|
|
name: "edit service-defaults",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "tcp",
|
|
},
|
|
},
|
|
expectBefore: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
},
|
|
overrides: map[configentry.KindName]structs.ConfigEntry{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil): &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "grpc",
|
|
},
|
|
},
|
|
expectAfter: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
},
|
|
checkAfter: func(t *testing.T, entrySet *configentry.DiscoveryChainSet) {
|
|
defaults := entrySet.GetService(structs.NewServiceID("main", nil))
|
|
require.NotNil(t, defaults)
|
|
require.Equal(t, "grpc", defaults.Protocol)
|
|
},
|
|
},
|
|
|
|
{
|
|
name: "mask service-router",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "main",
|
|
},
|
|
},
|
|
expectBefore: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
configentry.NewKindName(structs.ServiceRouter, "main", nil),
|
|
},
|
|
overrides: map[configentry.KindName]structs.ConfigEntry{
|
|
configentry.NewKindName(structs.ServiceRouter, "main", nil): nil,
|
|
},
|
|
expectAfter: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
},
|
|
},
|
|
{
|
|
name: "edit service-router",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"v1": {Filter: "Service.Meta.version == v1"},
|
|
"v2": {Filter: "Service.Meta.version == v2"},
|
|
"v3": {Filter: "Service.Meta.version == v3"},
|
|
},
|
|
},
|
|
&structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "main",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/admin",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
ServiceSubset: "v2",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectBefore: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
configentry.NewKindName(structs.ServiceResolver, "main", nil),
|
|
configentry.NewKindName(structs.ServiceRouter, "main", nil),
|
|
},
|
|
overrides: map[configentry.KindName]structs.ConfigEntry{
|
|
configentry.NewKindName(structs.ServiceRouter, "main", nil): &structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "main",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/admin",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
ServiceSubset: "v3",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectAfter: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
configentry.NewKindName(structs.ServiceResolver, "main", nil),
|
|
configentry.NewKindName(structs.ServiceRouter, "main", nil),
|
|
},
|
|
checkAfter: func(t *testing.T, entrySet *configentry.DiscoveryChainSet) {
|
|
router := entrySet.GetRouter(structs.NewServiceID("main", nil))
|
|
require.NotNil(t, router)
|
|
require.Len(t, router.Routes, 1)
|
|
|
|
expect := structs.ServiceRoute{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/admin",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
ServiceSubset: "v3",
|
|
},
|
|
}
|
|
require.Equal(t, expect, router.Routes[0])
|
|
},
|
|
},
|
|
|
|
{
|
|
name: "mask service-splitter",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 100},
|
|
},
|
|
},
|
|
},
|
|
expectBefore: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
configentry.NewKindName(structs.ServiceSplitter, "main", nil),
|
|
},
|
|
overrides: map[configentry.KindName]structs.ConfigEntry{
|
|
configentry.NewKindName(structs.ServiceSplitter, "main", nil): nil,
|
|
},
|
|
expectAfter: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
},
|
|
},
|
|
{
|
|
name: "edit service-splitter",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 100},
|
|
},
|
|
},
|
|
},
|
|
expectBefore: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
configentry.NewKindName(structs.ServiceSplitter, "main", nil),
|
|
},
|
|
overrides: map[configentry.KindName]structs.ConfigEntry{
|
|
configentry.NewKindName(structs.ServiceSplitter, "main", nil): &structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 85, ServiceSubset: "v1"},
|
|
{Weight: 15, ServiceSubset: "v2"},
|
|
},
|
|
},
|
|
},
|
|
expectAfter: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceDefaults, "main", nil),
|
|
configentry.NewKindName(structs.ServiceSplitter, "main", nil),
|
|
},
|
|
checkAfter: func(t *testing.T, entrySet *configentry.DiscoveryChainSet) {
|
|
splitter := entrySet.GetSplitter(structs.NewServiceID("main", nil))
|
|
require.NotNil(t, splitter)
|
|
require.Len(t, splitter.Splits, 2)
|
|
|
|
expect := []structs.ServiceSplit{
|
|
{Weight: 85, ServiceSubset: "v1"},
|
|
{Weight: 15, ServiceSubset: "v2"},
|
|
}
|
|
require.Equal(t, expect, splitter.Splits)
|
|
},
|
|
},
|
|
|
|
{
|
|
name: "mask service-resolver",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
},
|
|
},
|
|
expectBefore: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceResolver, "main", nil),
|
|
},
|
|
overrides: map[configentry.KindName]structs.ConfigEntry{
|
|
configentry.NewKindName(structs.ServiceResolver, "main", nil): nil,
|
|
},
|
|
expectAfter: []configentry.KindName{
|
|
// nothing
|
|
},
|
|
},
|
|
{
|
|
name: "edit service-resolver",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
},
|
|
},
|
|
expectBefore: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceResolver, "main", nil),
|
|
},
|
|
overrides: map[configentry.KindName]structs.ConfigEntry{
|
|
configentry.NewKindName(structs.ServiceResolver, "main", nil): &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
ConnectTimeout: 33 * time.Second,
|
|
},
|
|
},
|
|
expectAfter: []configentry.KindName{
|
|
configentry.NewKindName(structs.ServiceResolver, "main", nil),
|
|
},
|
|
checkAfter: func(t *testing.T, entrySet *configentry.DiscoveryChainSet) {
|
|
resolver := entrySet.GetResolver(structs.NewServiceID("main", nil))
|
|
require.NotNil(t, resolver)
|
|
require.Equal(t, 33*time.Second, resolver.ConnectTimeout)
|
|
},
|
|
},
|
|
} {
|
|
tc := tc
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
for _, entry := range tc.entries {
|
|
require.NoError(t, s.EnsureConfigEntry(0, entry))
|
|
}
|
|
|
|
t.Run("without override", func(t *testing.T) {
|
|
_, entrySet, err := s.readDiscoveryChainConfigEntries(nil, "main", nil, nil)
|
|
require.NoError(t, err)
|
|
got := entrySetToKindNames(entrySet)
|
|
require.ElementsMatch(t, tc.expectBefore, got)
|
|
})
|
|
|
|
t.Run("with override", func(t *testing.T) {
|
|
_, entrySet, err := s.readDiscoveryChainConfigEntries(nil, "main", tc.overrides, nil)
|
|
|
|
if tc.expectAfterErr != "" {
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), tc.expectAfterErr)
|
|
} else {
|
|
require.NoError(t, err)
|
|
got := entrySetToKindNames(entrySet)
|
|
require.ElementsMatch(t, tc.expectAfter, got)
|
|
|
|
if tc.checkAfter != nil {
|
|
tc.checkAfter(t, entrySet)
|
|
}
|
|
}
|
|
})
|
|
})
|
|
}
|
|
}
|
|
|
|
func entrySetToKindNames(entrySet *configentry.DiscoveryChainSet) []configentry.KindName {
|
|
var out []configentry.KindName
|
|
for _, entry := range entrySet.Routers {
|
|
out = append(out, configentry.NewKindName(
|
|
entry.Kind,
|
|
entry.Name,
|
|
&entry.EnterpriseMeta,
|
|
))
|
|
}
|
|
for _, entry := range entrySet.Splitters {
|
|
out = append(out, configentry.NewKindName(
|
|
entry.Kind,
|
|
entry.Name,
|
|
&entry.EnterpriseMeta,
|
|
))
|
|
}
|
|
for _, entry := range entrySet.Resolvers {
|
|
out = append(out, configentry.NewKindName(
|
|
entry.Kind,
|
|
entry.Name,
|
|
&entry.EnterpriseMeta,
|
|
))
|
|
}
|
|
for _, entry := range entrySet.Services {
|
|
out = append(out, configentry.NewKindName(
|
|
entry.Kind,
|
|
entry.Name,
|
|
&entry.EnterpriseMeta,
|
|
))
|
|
}
|
|
for _, entry := range entrySet.ProxyDefaults {
|
|
out = append(out, configentry.NewKindName(
|
|
entry.Kind,
|
|
entry.Name,
|
|
&entry.EnterpriseMeta,
|
|
))
|
|
}
|
|
return out
|
|
}
|
|
|
|
func TestStore_ReadDiscoveryChainConfigEntries_SubsetSplit(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
entries := []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Subsets: map[string]structs.ServiceResolverSubset{
|
|
"v1": {
|
|
Filter: "Service.Meta.version == v1",
|
|
},
|
|
"v2": {
|
|
Filter: "Service.Meta.version == v2",
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "main",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, ServiceSubset: "v1"},
|
|
{Weight: 10, ServiceSubset: "v2"},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, entry := range entries {
|
|
require.NoError(t, s.EnsureConfigEntry(0, entry))
|
|
}
|
|
|
|
_, entrySet, err := s.readDiscoveryChainConfigEntries(nil, "main", nil, nil)
|
|
require.NoError(t, err)
|
|
|
|
require.Len(t, entrySet.Routers, 0)
|
|
require.Len(t, entrySet.Splitters, 1)
|
|
require.Len(t, entrySet.Resolvers, 1)
|
|
require.Len(t, entrySet.Services, 1)
|
|
}
|
|
|
|
func TestStore_ReadDiscoveryChainConfigEntries_FetchPeers(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
entries := []structs.ConfigEntry{
|
|
&structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "main",
|
|
Protocol: "http",
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "main",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Targets: []structs.ServiceResolverFailoverTarget{
|
|
{Peer: "cluster-01"},
|
|
{Peer: "cluster-02"}, // Non-existant
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, entry := range entries {
|
|
require.NoError(t, s.EnsureConfigEntry(0, entry))
|
|
}
|
|
|
|
cluster01Peering := &pbpeering.Peering{
|
|
ID: testFooPeerID,
|
|
Name: "cluster-01",
|
|
}
|
|
err := s.PeeringWrite(0, &pbpeering.PeeringWriteRequest{Peering: cluster01Peering})
|
|
require.NoError(t, err)
|
|
|
|
_, entrySet, err := s.readDiscoveryChainConfigEntries(nil, "main", nil, nil)
|
|
require.NoError(t, err)
|
|
|
|
require.Len(t, entrySet.Routers, 0)
|
|
require.Len(t, entrySet.Splitters, 0)
|
|
require.Len(t, entrySet.Resolvers, 1)
|
|
require.Len(t, entrySet.Services, 1)
|
|
prototest.AssertDeepEqual(t, entrySet.Peers, map[string]*pbpeering.Peering{
|
|
"cluster-01": cluster01Peering,
|
|
"cluster-02": nil,
|
|
})
|
|
}
|
|
|
|
// TODO(rb): add ServiceIntentions tests
|
|
|
|
func TestStore_ValidateGatewayNamesCannotBeShared(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
ingress := &structs.IngressGatewayConfigEntry{
|
|
Kind: structs.IngressGateway,
|
|
Name: "gateway",
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(0, ingress))
|
|
|
|
terminating := &structs.TerminatingGatewayConfigEntry{
|
|
Kind: structs.TerminatingGateway,
|
|
Name: "gateway",
|
|
}
|
|
// Cannot have 2 gateways with same service name
|
|
require.Error(t, s.EnsureConfigEntry(1, terminating))
|
|
|
|
ingress = &structs.IngressGatewayConfigEntry{
|
|
Kind: structs.IngressGateway,
|
|
Name: "gateway",
|
|
Listeners: []structs.IngressListener{
|
|
{Port: 8080},
|
|
},
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(2, ingress))
|
|
require.NoError(t, s.DeleteConfigEntry(3, structs.IngressGateway, "gateway", nil))
|
|
|
|
// Adding the terminating gateway with same name should now work
|
|
require.NoError(t, s.EnsureConfigEntry(4, terminating))
|
|
|
|
// Cannot have 2 gateways with same service name
|
|
require.Error(t, s.EnsureConfigEntry(5, ingress))
|
|
}
|
|
|
|
func TestStore_ValidateIngressGatewayErrorOnMismatchedProtocols(t *testing.T) {
|
|
newIngress := func(protocol, name string) *structs.IngressGatewayConfigEntry {
|
|
return &structs.IngressGatewayConfigEntry{
|
|
Kind: structs.IngressGateway,
|
|
Name: "gateway",
|
|
Listeners: []structs.IngressListener{
|
|
{
|
|
Port: 8080,
|
|
Protocol: protocol,
|
|
Services: []structs.IngressService{
|
|
{Name: name},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
t.Run("http ingress fails with http upstream later changed to tcp", func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
// First set the target service as http
|
|
expected := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "web",
|
|
Protocol: "http",
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(0, expected))
|
|
|
|
// Next configure http ingress to route to the http service
|
|
require.NoError(t, s.EnsureConfigEntry(1, newIngress("http", "web")))
|
|
|
|
t.Run("via modification", func(t *testing.T) {
|
|
// Now redefine the target service as tcp
|
|
expected = &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "web",
|
|
Protocol: "tcp",
|
|
}
|
|
|
|
err := s.EnsureConfigEntry(2, expected)
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), `has protocol "tcp"`)
|
|
})
|
|
t.Run("via deletion", func(t *testing.T) {
|
|
// This will fall back to the default tcp.
|
|
err := s.DeleteConfigEntry(2, structs.ServiceDefaults, "web", nil)
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), `has protocol "tcp"`)
|
|
})
|
|
})
|
|
|
|
t.Run("tcp ingress ok with tcp upstream (defaulted) later changed to http", func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
// First configure tcp ingress to route to a defaulted tcp service
|
|
require.NoError(t, s.EnsureConfigEntry(0, newIngress("tcp", "web")))
|
|
|
|
// Now redefine the target service as http
|
|
expected := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "web",
|
|
Protocol: "http",
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(1, expected))
|
|
})
|
|
|
|
t.Run("tcp ingress fails with tcp upstream (defaulted) later changed to http", func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
// First configure tcp ingress to route to a defaulted tcp service
|
|
require.NoError(t, s.EnsureConfigEntry(0, newIngress("tcp", "web")))
|
|
|
|
// Now redefine the target service as http
|
|
expected := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "web",
|
|
Protocol: "http",
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(1, expected))
|
|
|
|
t.Run("and a router defined", func(t *testing.T) {
|
|
// This part should fail.
|
|
expected2 := &structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "web",
|
|
}
|
|
err := s.EnsureConfigEntry(2, expected2)
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), `has protocol "http"`)
|
|
})
|
|
|
|
t.Run("and a splitter defined", func(t *testing.T) {
|
|
// This part should fail.
|
|
expected2 := &structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "web",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 100},
|
|
},
|
|
}
|
|
err := s.EnsureConfigEntry(2, expected2)
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), `has protocol "http"`)
|
|
})
|
|
})
|
|
|
|
t.Run("http ingress fails with tcp upstream (defaulted)", func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
err := s.EnsureConfigEntry(0, newIngress("http", "web"))
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), `has protocol "tcp"`)
|
|
})
|
|
|
|
t.Run("http ingress fails with http2 upstream (via proxy-defaults)", func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
expected := &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: "global",
|
|
Config: map[string]interface{}{
|
|
"protocol": "http2",
|
|
},
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(0, expected))
|
|
|
|
err := s.EnsureConfigEntry(1, newIngress("http", "web"))
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), `has protocol "http2"`)
|
|
})
|
|
|
|
t.Run("http ingress fails with grpc upstream (via service-defaults)", func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
expected := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "web",
|
|
Protocol: "grpc",
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(1, expected))
|
|
err := s.EnsureConfigEntry(2, newIngress("http", "web"))
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), `has protocol "grpc"`)
|
|
})
|
|
|
|
t.Run("http ingress ok with http upstream (via service-defaults)", func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
expected := &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "web",
|
|
Protocol: "http",
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(2, expected))
|
|
require.NoError(t, s.EnsureConfigEntry(3, newIngress("http", "web")))
|
|
})
|
|
|
|
t.Run("http ingress ignores wildcard specifier", func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
require.NoError(t, s.EnsureConfigEntry(4, newIngress("http", "*")))
|
|
})
|
|
|
|
t.Run("deleting ingress config entry ok", func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
require.NoError(t, s.EnsureConfigEntry(1, newIngress("tcp", "web")))
|
|
require.NoError(t, s.DeleteConfigEntry(5, structs.IngressGateway, "gateway", nil))
|
|
})
|
|
}
|
|
|
|
func TestSourcesForTarget(t *testing.T) {
|
|
defaultMeta := *structs.DefaultEnterpriseMetaInDefaultPartition()
|
|
|
|
type expect struct {
|
|
idx uint64
|
|
names []structs.ServiceName
|
|
}
|
|
tt := []struct {
|
|
name string
|
|
entries []structs.ConfigEntry
|
|
expect expect
|
|
}{
|
|
{
|
|
name: "no relevant config entries",
|
|
entries: []structs.ConfigEntry{},
|
|
expect: expect{
|
|
idx: 1,
|
|
names: []structs.ServiceName{
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "from route match",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "web",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/sink",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
Service: "sink",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 2,
|
|
names: []structs.ServiceName{
|
|
{Name: "web", EnterpriseMeta: defaultMeta},
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "from redirect",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "web",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "sink",
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 2,
|
|
names: []structs.ServiceName{
|
|
{Name: "web", EnterpriseMeta: defaultMeta},
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "from failover",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "web",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Service: "sink",
|
|
Datacenters: []string{"dc2", "dc3"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 2,
|
|
names: []structs.ServiceName{
|
|
{Name: "web", EnterpriseMeta: defaultMeta},
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "from splitter",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "web",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, Service: "web"},
|
|
{Weight: 10, Service: "sink"},
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 2,
|
|
names: []structs.ServiceName{
|
|
{Name: "web", EnterpriseMeta: defaultMeta},
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "chained route redirect",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "source",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/route",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
Service: "routed",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "routed",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "sink",
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 3,
|
|
names: []structs.ServiceName{
|
|
{Name: "source", EnterpriseMeta: defaultMeta},
|
|
{Name: "routed", EnterpriseMeta: defaultMeta},
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "kitchen sink with multiple services referencing sink directly",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "routed",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/sink",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
Service: "sink",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "redirected",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "sink",
|
|
},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "failed-over",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Service: "sink",
|
|
Datacenters: []string{"dc2", "dc3"},
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "split",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, Service: "no-op"},
|
|
{Weight: 10, Service: "sink"},
|
|
},
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "unrelated",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, Service: "zip"},
|
|
{Weight: 10, Service: "zop"},
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 6,
|
|
names: []structs.ServiceName{
|
|
{Name: "split", EnterpriseMeta: defaultMeta},
|
|
{Name: "failed-over", EnterpriseMeta: defaultMeta},
|
|
{Name: "redirected", EnterpriseMeta: defaultMeta},
|
|
{Name: "routed", EnterpriseMeta: defaultMeta},
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tc := range tt {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
s := testStateStore(t)
|
|
ws := memdb.NewWatchSet()
|
|
|
|
ca := &structs.CAConfiguration{
|
|
Provider: "consul",
|
|
}
|
|
err := s.CASetConfig(0, ca)
|
|
require.NoError(t, err)
|
|
|
|
var i uint64 = 1
|
|
for _, entry := range tc.entries {
|
|
require.NoError(t, entry.Normalize())
|
|
require.NoError(t, s.EnsureConfigEntry(i, entry))
|
|
i++
|
|
}
|
|
|
|
tx := s.db.ReadTxn()
|
|
defer tx.Abort()
|
|
|
|
sn := structs.NewServiceName("sink", structs.DefaultEnterpriseMetaInDefaultPartition())
|
|
idx, names, err := s.discoveryChainSourcesTxn(tx, ws, "dc1", sn)
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, tc.expect.idx, idx)
|
|
require.ElementsMatch(t, tc.expect.names, names)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestTargetsForSource(t *testing.T) {
|
|
defaultMeta := *structs.DefaultEnterpriseMetaInDefaultPartition()
|
|
|
|
type expect struct {
|
|
idx uint64
|
|
ids []structs.ServiceName
|
|
}
|
|
tt := []struct {
|
|
name string
|
|
entries []structs.ConfigEntry
|
|
expect expect
|
|
}{
|
|
{
|
|
name: "from route match",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "web",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/sink",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
Service: "sink",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 2,
|
|
ids: []structs.ServiceName{
|
|
{Name: "web", EnterpriseMeta: defaultMeta},
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "from redirect",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "web",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "sink",
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 2,
|
|
ids: []structs.ServiceName{
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "from failover",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "web",
|
|
Failover: map[string]structs.ServiceResolverFailover{
|
|
"*": {
|
|
Service: "remote-web",
|
|
Datacenters: []string{"dc2", "dc3"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 2,
|
|
ids: []structs.ServiceName{
|
|
{Name: "web", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "from splitter",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: "web",
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 90, Service: "web"},
|
|
{Weight: 10, Service: "sink"},
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 2,
|
|
ids: []structs.ServiceName{
|
|
{Name: "web", EnterpriseMeta: defaultMeta},
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "chained route redirect",
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
},
|
|
&structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: "web",
|
|
Routes: []structs.ServiceRoute{
|
|
{
|
|
Match: &structs.ServiceRouteMatch{
|
|
HTTP: &structs.ServiceRouteHTTPMatch{
|
|
PathExact: "/route",
|
|
},
|
|
},
|
|
Destination: &structs.ServiceRouteDestination{
|
|
Service: "routed",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
&structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "routed",
|
|
Redirect: &structs.ServiceResolverRedirect{
|
|
Service: "sink",
|
|
},
|
|
},
|
|
},
|
|
expect: expect{
|
|
idx: 3,
|
|
ids: []structs.ServiceName{
|
|
{Name: "web", EnterpriseMeta: defaultMeta},
|
|
{Name: "sink", EnterpriseMeta: defaultMeta},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tc := range tt {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
s := testStateStore(t)
|
|
ws := memdb.NewWatchSet()
|
|
|
|
ca := &structs.CAConfiguration{
|
|
Provider: "consul",
|
|
}
|
|
err := s.CASetConfig(0, ca)
|
|
require.NoError(t, err)
|
|
|
|
var i uint64 = 1
|
|
for _, entry := range tc.entries {
|
|
require.NoError(t, entry.Normalize())
|
|
require.NoError(t, s.EnsureConfigEntry(i, entry))
|
|
i++
|
|
}
|
|
|
|
tx := s.db.ReadTxn()
|
|
defer tx.Abort()
|
|
|
|
idx, ids, err := s.discoveryChainTargetsTxn(tx, ws, "dc1", "web", nil)
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, tc.expect.idx, idx)
|
|
require.ElementsMatch(t, tc.expect.ids, ids)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestStore_ValidateServiceIntentionsErrorOnIncompatibleProtocols(t *testing.T) {
|
|
l7perms := []*structs.IntentionPermission{
|
|
{
|
|
Action: structs.IntentionActionAllow,
|
|
HTTP: &structs.IntentionHTTPPermission{
|
|
PathPrefix: "/v2/",
|
|
},
|
|
},
|
|
}
|
|
|
|
serviceDefaults := func(service, protocol string) *structs.ServiceConfigEntry {
|
|
return &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: service,
|
|
Protocol: protocol,
|
|
}
|
|
}
|
|
|
|
proxyDefaults := func(protocol string) *structs.ProxyConfigEntry {
|
|
return &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": protocol,
|
|
},
|
|
}
|
|
}
|
|
|
|
type operation struct {
|
|
entry structs.ConfigEntry
|
|
deletion bool
|
|
}
|
|
|
|
type testcase struct {
|
|
ops []operation
|
|
expectLastErr string
|
|
}
|
|
|
|
cases := map[string]testcase{
|
|
"L4 intention cannot upgrade to L7 when tcp": {
|
|
ops: []operation{
|
|
{ // set the target service as tcp
|
|
entry: serviceDefaults("api", "tcp"),
|
|
},
|
|
{ // create an L4 intention
|
|
entry: &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{Name: "web", Action: structs.IntentionActionAllow},
|
|
},
|
|
},
|
|
},
|
|
{ // Should fail if converted to L7
|
|
entry: &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{Name: "web", Permissions: l7perms},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectLastErr: `has protocol "tcp"`,
|
|
},
|
|
"L4 intention can upgrade to L7 when made http via service-defaults": {
|
|
ops: []operation{
|
|
{ // set the target service as tcp
|
|
entry: serviceDefaults("api", "tcp"),
|
|
},
|
|
{ // create an L4 intention
|
|
entry: &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{Name: "web", Action: structs.IntentionActionAllow},
|
|
},
|
|
},
|
|
},
|
|
{ // set the target service as http
|
|
entry: serviceDefaults("api", "http"),
|
|
},
|
|
{ // Should succeed if converted to L7
|
|
entry: &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{Name: "web", Permissions: l7perms},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
"L4 intention can upgrade to L7 when made http via proxy-defaults": {
|
|
ops: []operation{
|
|
{ // set the target service as tcp
|
|
entry: proxyDefaults("tcp"),
|
|
},
|
|
{ // create an L4 intention
|
|
entry: &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{Name: "web", Action: structs.IntentionActionAllow},
|
|
},
|
|
},
|
|
},
|
|
{ // set the target service as http
|
|
entry: proxyDefaults("http"),
|
|
},
|
|
{ // Should succeed if converted to L7
|
|
entry: &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{Name: "web", Permissions: l7perms},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
"L7 intention cannot have protocol downgraded to tcp via modification via service-defaults": {
|
|
ops: []operation{
|
|
{ // set the target service as http
|
|
entry: serviceDefaults("api", "http"),
|
|
},
|
|
{ // create an L7 intention
|
|
entry: &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{Name: "web", Permissions: l7perms},
|
|
},
|
|
},
|
|
},
|
|
{ // setting the target service as tcp should fail
|
|
entry: serviceDefaults("api", "tcp"),
|
|
},
|
|
},
|
|
expectLastErr: `has protocol "tcp"`,
|
|
},
|
|
"L7 intention cannot have protocol downgraded to tcp via modification via proxy-defaults": {
|
|
ops: []operation{
|
|
{ // set the target service as http
|
|
entry: proxyDefaults("http"),
|
|
},
|
|
{ // create an L7 intention
|
|
entry: &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{Name: "web", Permissions: l7perms},
|
|
},
|
|
},
|
|
},
|
|
{ // setting the target service as tcp should fail
|
|
entry: proxyDefaults("tcp"),
|
|
},
|
|
},
|
|
expectLastErr: `has protocol "tcp"`,
|
|
},
|
|
"L7 intention cannot have protocol downgraded to tcp via deletion of service-defaults": {
|
|
ops: []operation{
|
|
{ // set the target service as http
|
|
entry: serviceDefaults("api", "http"),
|
|
},
|
|
{ // create an L7 intention
|
|
entry: &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{Name: "web", Permissions: l7perms},
|
|
},
|
|
},
|
|
},
|
|
{ // setting the target service as tcp should fail
|
|
entry: serviceDefaults("api", "tcp"),
|
|
deletion: true,
|
|
},
|
|
},
|
|
expectLastErr: `has protocol "tcp"`,
|
|
},
|
|
"L7 intention cannot have protocol downgraded to tcp via deletion of proxy-defaults": {
|
|
ops: []operation{
|
|
{ // set the target service as http
|
|
entry: proxyDefaults("http"),
|
|
},
|
|
{ // create an L7 intention
|
|
entry: &structs.ServiceIntentionsConfigEntry{
|
|
Kind: structs.ServiceIntentions,
|
|
Name: "api",
|
|
Sources: []*structs.SourceIntention{
|
|
{Name: "web", Permissions: l7perms},
|
|
},
|
|
},
|
|
},
|
|
{ // setting the target service as tcp should fail
|
|
entry: proxyDefaults("tcp"),
|
|
deletion: true,
|
|
},
|
|
},
|
|
expectLastErr: `has protocol "tcp"`,
|
|
},
|
|
}
|
|
|
|
for name, tc := range cases {
|
|
tc := tc
|
|
t.Run(name, func(t *testing.T) {
|
|
s := testStateStore(t)
|
|
|
|
var nextIndex = uint64(1)
|
|
|
|
for i, op := range tc.ops {
|
|
isLast := (i == len(tc.ops)-1)
|
|
|
|
var err error
|
|
if op.deletion {
|
|
err = s.DeleteConfigEntry(nextIndex, op.entry.GetKind(), op.entry.GetName(), nil)
|
|
} else {
|
|
err = s.EnsureConfigEntry(nextIndex, op.entry)
|
|
}
|
|
|
|
if isLast && tc.expectLastErr != "" {
|
|
testutil.RequireErrorContains(t, err, `has protocol "tcp"`)
|
|
} else {
|
|
require.NoError(t, err)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestStateStore_ConfigEntry_VirtualIP(t *testing.T) {
|
|
createServiceInstance := func(t *testing.T, s *Store, name string) {
|
|
ns1 := &structs.NodeService{
|
|
ID: name,
|
|
Service: name,
|
|
Address: "1.1.1.1",
|
|
Port: 1111,
|
|
Connect: structs.ServiceConnect{Native: true},
|
|
}
|
|
require.NoError(t, s.EnsureService(0, "node1", ns1))
|
|
}
|
|
deleteServiceInstance := func(t *testing.T, s *Store, name string) {
|
|
require.NoError(t, s.DeleteService(0, "node1", name, nil, ""))
|
|
}
|
|
createServiceResolver := func(t *testing.T, s *Store, name string) {
|
|
require.NoError(t, s.EnsureConfigEntry(0, &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: name,
|
|
}))
|
|
}
|
|
createServiceRouter := func(t *testing.T, s *Store, name string) {
|
|
require.NoError(t, s.EnsureConfigEntry(0, &structs.ServiceRouterConfigEntry{
|
|
Kind: structs.ServiceRouter,
|
|
Name: name,
|
|
}))
|
|
}
|
|
createServiceSplitter := func(t *testing.T, s *Store, name string) {
|
|
require.NoError(t, s.EnsureConfigEntry(0, &structs.ServiceSplitterConfigEntry{
|
|
Kind: structs.ServiceSplitter,
|
|
Name: name,
|
|
Splits: []structs.ServiceSplit{
|
|
{Weight: 100},
|
|
},
|
|
}))
|
|
}
|
|
deleteConfigEntry := func(t *testing.T, s *Store, kind, name string) {
|
|
require.NoError(t, s.DeleteConfigEntry(0, kind, name, nil))
|
|
}
|
|
ensureVirtualIP := func(t *testing.T, s *Store, service string, value string) {
|
|
vip, err := s.VirtualIPForService(structs.PeeredServiceName{ServiceName: structs.ServiceName{Name: service}})
|
|
require.NoError(t, err)
|
|
require.Equal(t, value, vip)
|
|
}
|
|
|
|
testVIPStateStore := func(t *testing.T) *Store {
|
|
s := testStateStore(t)
|
|
setVirtualIPFlags(t, s)
|
|
testRegisterNode(t, s, 0, "node1")
|
|
s.EnsureConfigEntry(0, &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
Config: map[string]interface{}{
|
|
"protocol": "http",
|
|
},
|
|
})
|
|
return s
|
|
}
|
|
|
|
cases := []struct {
|
|
kind string
|
|
createFunc func(*testing.T, *Store, string)
|
|
}{
|
|
{
|
|
kind: structs.ServiceResolver,
|
|
createFunc: createServiceResolver,
|
|
},
|
|
{
|
|
kind: structs.ServiceRouter,
|
|
createFunc: createServiceRouter,
|
|
},
|
|
{
|
|
kind: structs.ServiceSplitter,
|
|
createFunc: createServiceSplitter,
|
|
},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(fmt.Sprintf("create and delete %s with no service instances", tc.kind), func(t *testing.T) {
|
|
s := testVIPStateStore(t)
|
|
|
|
// Create unrelated service instance
|
|
createServiceInstance(t, s, "unrelated")
|
|
|
|
// Create the config entry and make sure a virtual ip is allocated
|
|
ensureVirtualIP(t, s, "foo", "")
|
|
tc.createFunc(t, s, "foo")
|
|
ensureVirtualIP(t, s, "foo", "240.0.0.2")
|
|
|
|
// Delete the config entry and make sure the virtual ip is freed and reused
|
|
ensureVirtualIP(t, s, "bar", "")
|
|
deleteConfigEntry(t, s, tc.kind, "foo")
|
|
ensureVirtualIP(t, s, "foo", "")
|
|
tc.createFunc(t, s, "bar")
|
|
ensureVirtualIP(t, s, "bar", "240.0.0.2")
|
|
})
|
|
|
|
t.Run(fmt.Sprintf("create and delete %s with service instances", tc.kind), func(t *testing.T) {
|
|
s := testVIPStateStore(t)
|
|
|
|
// Create a foo service instance and an unrelated service instance
|
|
createServiceInstance(t, s, "foo")
|
|
|
|
// Creating the config entry should not affect the service virtual IP
|
|
ensureVirtualIP(t, s, "foo", "240.0.0.1")
|
|
tc.createFunc(t, s, "foo")
|
|
ensureVirtualIP(t, s, "foo", "240.0.0.1")
|
|
|
|
// Deleting should also not affect the service virtual IP because there are still existing
|
|
// service instances that need the VIP.
|
|
deleteConfigEntry(t, s, tc.kind, "foo")
|
|
ensureVirtualIP(t, s, "foo", "240.0.0.1")
|
|
|
|
// Now delete the service instance, which should free up the virtual IP
|
|
deleteServiceInstance(t, s, "foo")
|
|
ensureVirtualIP(t, s, "foo", "")
|
|
|
|
// Make sure the free address can be reused
|
|
tc.createFunc(t, s, "bar")
|
|
ensureVirtualIP(t, s, "bar", "240.0.0.1")
|
|
})
|
|
|
|
t.Run(fmt.Sprintf("create and delete service instance while %s still exists", tc.kind), func(t *testing.T) {
|
|
s := testVIPStateStore(t)
|
|
|
|
// Create the config entry to get the virtual IP
|
|
tc.createFunc(t, s, "foo")
|
|
ensureVirtualIP(t, s, "foo", "240.0.0.1")
|
|
|
|
// Creating service instance should not affect virtual IP
|
|
createServiceInstance(t, s, "foo")
|
|
ensureVirtualIP(t, s, "foo", "240.0.0.1")
|
|
|
|
// Deleting should also not affect the service virtual IP because the config entry still exists.
|
|
deleteServiceInstance(t, s, "foo")
|
|
ensureVirtualIP(t, s, "foo", "240.0.0.1")
|
|
|
|
// Now delete the config entry, which should free up the ip
|
|
deleteConfigEntry(t, s, tc.kind, "foo")
|
|
ensureVirtualIP(t, s, "foo", "")
|
|
|
|
// Make sure the free address can be reused
|
|
tc.createFunc(t, s, "bar")
|
|
ensureVirtualIP(t, s, "bar", "240.0.0.1")
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestStore_MutualTLSMode_Validation_InitialWrite(t *testing.T) {
|
|
cases := []struct {
|
|
// setup
|
|
mesh *structs.MeshConfigEntry
|
|
|
|
mtlsMode structs.MutualTLSMode
|
|
expErr error
|
|
}{
|
|
// Mesh config entry does not exist. Should default to AllowEnablingPermissiveMutualTLS=false.
|
|
{
|
|
mtlsMode: structs.MutualTLSModeDefault,
|
|
},
|
|
{
|
|
mtlsMode: structs.MutualTLSModeStrict,
|
|
},
|
|
{
|
|
mtlsMode: structs.MutualTLSModePermissive,
|
|
expErr: permissiveModeNotAllowedError,
|
|
},
|
|
|
|
// Mesh config entry contains AllowEnablingPermissiveMutualTLS=false
|
|
{
|
|
mesh: &structs.MeshConfigEntry{},
|
|
mtlsMode: structs.MutualTLSModeDefault,
|
|
},
|
|
{
|
|
mesh: &structs.MeshConfigEntry{},
|
|
mtlsMode: structs.MutualTLSModeStrict,
|
|
},
|
|
{
|
|
mesh: &structs.MeshConfigEntry{},
|
|
mtlsMode: structs.MutualTLSModePermissive,
|
|
expErr: permissiveModeNotAllowedError,
|
|
},
|
|
|
|
// Mesh config entry exists with AllowEnablingPermissiveMutualTLS=true.
|
|
{
|
|
mesh: &structs.MeshConfigEntry{AllowEnablingPermissiveMutualTLS: true},
|
|
mtlsMode: structs.MutualTLSModeDefault,
|
|
},
|
|
{
|
|
mesh: &structs.MeshConfigEntry{AllowEnablingPermissiveMutualTLS: true},
|
|
mtlsMode: structs.MutualTLSModeStrict,
|
|
},
|
|
{
|
|
mesh: &structs.MeshConfigEntry{AllowEnablingPermissiveMutualTLS: true},
|
|
mtlsMode: structs.MutualTLSModePermissive,
|
|
},
|
|
}
|
|
for _, c := range cases {
|
|
c := c
|
|
var name string
|
|
if c.mesh == nil {
|
|
name = fmt.Sprintf("when mesh config entry not found")
|
|
} else {
|
|
name = fmt.Sprintf("when AllowEnablingPermissiveMutualTLS=%v", c.mesh.AllowEnablingPermissiveMutualTLS)
|
|
}
|
|
if c.expErr != nil {
|
|
name += " cannot"
|
|
} else {
|
|
name += " can"
|
|
}
|
|
name += fmt.Sprintf(" set MutualTLSMode=%q", c.mtlsMode)
|
|
t.Run(name, func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
var err error
|
|
var idx uint64
|
|
if c.mesh != nil {
|
|
idx, err = writeConfigAndBumpIndexForTest(s, idx, c.mesh)
|
|
require.NoError(t, err)
|
|
}
|
|
|
|
idx, err = writeConfigAndBumpIndexForTest(s, idx, &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
MutualTLSMode: c.mtlsMode,
|
|
})
|
|
require.Equal(t, c.expErr, err)
|
|
|
|
_, err = writeConfigAndBumpIndexForTest(s, idx, &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "test-svc",
|
|
MutualTLSMode: c.mtlsMode,
|
|
})
|
|
require.Equal(t, c.expErr, err)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestStore_MutualTLSMode_Validation_SubsequentWrite(t *testing.T) {
|
|
cases := []struct {
|
|
allowPermissive bool
|
|
initialModes []structs.MutualTLSMode
|
|
transitions map[structs.MutualTLSMode]error
|
|
}{
|
|
{
|
|
allowPermissive: false,
|
|
initialModes: []structs.MutualTLSMode{
|
|
structs.MutualTLSModeDefault,
|
|
structs.MutualTLSModeStrict,
|
|
},
|
|
transitions: map[structs.MutualTLSMode]error{
|
|
structs.MutualTLSModeDefault: nil,
|
|
structs.MutualTLSModeStrict: nil,
|
|
// Cannot transition from "" -> "permissive"
|
|
// Cannot transition from "strict" -> "permissive"
|
|
structs.MutualTLSModePermissive: permissiveModeNotAllowedError,
|
|
},
|
|
},
|
|
{
|
|
allowPermissive: false,
|
|
initialModes: []structs.MutualTLSMode{
|
|
structs.MutualTLSModePermissive,
|
|
},
|
|
transitions: map[structs.MutualTLSMode]error{
|
|
structs.MutualTLSModeDefault: nil,
|
|
structs.MutualTLSModeStrict: nil,
|
|
// Can transition from "permissive" -> "permissive"
|
|
structs.MutualTLSModePermissive: nil,
|
|
},
|
|
},
|
|
{
|
|
allowPermissive: true,
|
|
initialModes: []structs.MutualTLSMode{
|
|
structs.MutualTLSModeDefault,
|
|
structs.MutualTLSModeStrict,
|
|
structs.MutualTLSModePermissive,
|
|
},
|
|
transitions: map[structs.MutualTLSMode]error{
|
|
// Can transition from any mode to any other mode when allowPermissive=true
|
|
structs.MutualTLSModeDefault: nil,
|
|
structs.MutualTLSModeStrict: nil,
|
|
structs.MutualTLSModePermissive: nil,
|
|
},
|
|
},
|
|
}
|
|
for _, c := range cases {
|
|
c := c
|
|
|
|
for _, initialMode := range c.initialModes {
|
|
for newMode, expErr := range c.transitions {
|
|
name := fmt.Sprintf("when AllowEnablingPermissiveMutualTLS=%v", c.allowPermissive)
|
|
if expErr != nil {
|
|
name += " cannot"
|
|
} else {
|
|
name += " can"
|
|
}
|
|
name += fmt.Sprintf(" transition MutualTLSMode from %q to %q", initialMode, newMode)
|
|
t.Run(name, func(t *testing.T) {
|
|
s := testConfigStateStore(t)
|
|
|
|
// Setup initial state.
|
|
idx, err := writeConfigAndBumpIndexForTest(s, 0, &structs.MeshConfigEntry{
|
|
AllowEnablingPermissiveMutualTLS: true, // set to true to allow writing any initial mode.
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
idx, err = writeConfigAndBumpIndexForTest(s, idx, &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
MutualTLSMode: initialMode,
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
idx, err = writeConfigAndBumpIndexForTest(s, idx, &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "test-svc",
|
|
MutualTLSMode: initialMode,
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
// Set AllowEnablingPermissiveMutualTLS for the test case.
|
|
idx, err = writeConfigAndBumpIndexForTest(s, idx, &structs.MeshConfigEntry{
|
|
AllowEnablingPermissiveMutualTLS: c.allowPermissive,
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
// Test switching to the other mode.
|
|
idx, err = writeConfigAndBumpIndexForTest(s, idx, &structs.ProxyConfigEntry{
|
|
Kind: structs.ProxyDefaults,
|
|
Name: structs.ProxyConfigGlobal,
|
|
MutualTLSMode: newMode,
|
|
})
|
|
require.Equal(t, expErr, err)
|
|
|
|
_, err = writeConfigAndBumpIndexForTest(s, idx, &structs.ServiceConfigEntry{
|
|
Kind: structs.ServiceDefaults,
|
|
Name: "test-svc",
|
|
MutualTLSMode: newMode,
|
|
})
|
|
require.Equal(t, expErr, err)
|
|
})
|
|
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func writeConfigAndBumpIndexForTest(s *Store, idx uint64, entry structs.ConfigEntry) (uint64, error) {
|
|
err := s.EnsureConfigEntry(idx, entry)
|
|
if err == nil {
|
|
idx++
|
|
}
|
|
return idx, err
|
|
}
|
|
|
|
func TestStateStore_DiscoveryChain_AttachVirtualIPs(t *testing.T) {
|
|
s := testStateStore(t)
|
|
setVirtualIPFlags(t, s)
|
|
|
|
ca := &structs.CAConfiguration{
|
|
Provider: "consul",
|
|
}
|
|
err := s.CASetConfig(0, ca)
|
|
require.NoError(t, err)
|
|
|
|
// Attempt to assign manual virtual IPs to a service that doesn't exist - should be a no-op.
|
|
psn := structs.PeeredServiceName{ServiceName: structs.ServiceName{Name: "foo", EnterpriseMeta: *acl.DefaultEnterpriseMeta()}}
|
|
|
|
// Register a service via config entry.
|
|
s.EnsureConfigEntry(1, &structs.ServiceResolverConfigEntry{
|
|
Kind: structs.ServiceResolver,
|
|
Name: "foo",
|
|
})
|
|
|
|
vip, err := s.VirtualIPForService(psn)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "240.0.0.1", vip)
|
|
|
|
// Assign manual virtual IPs for foo
|
|
found, _, err := s.AssignManualServiceVIPs(2, psn, []string{"2.2.2.2", "3.3.3.3"})
|
|
require.NoError(t, err)
|
|
require.True(t, found)
|
|
|
|
serviceVIP, err := s.ServiceManualVIPs(psn)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(2), serviceVIP.ModifyIndex)
|
|
require.Equal(t, "0.0.0.1", serviceVIP.IP.String())
|
|
require.Equal(t, []string{"2.2.2.2", "3.3.3.3"}, serviceVIP.ManualIPs)
|
|
|
|
req := discoverychain.CompileRequest{
|
|
ServiceName: "foo",
|
|
EvaluateInNamespace: psn.ServiceName.NamespaceOrDefault(),
|
|
EvaluateInPartition: psn.ServiceName.PartitionOrDefault(),
|
|
EvaluateInDatacenter: "dc1",
|
|
}
|
|
idx, chain, _, err := s.ServiceDiscoveryChain(nil, "foo", structs.DefaultEnterpriseMetaInDefaultPartition(), req)
|
|
require.NoError(t, err)
|
|
require.Equal(t, uint64(1), idx)
|
|
require.Equal(t, []string{"240.0.0.1"}, chain.AutoVirtualIPs)
|
|
require.Equal(t, []string{"2.2.2.2", "3.3.3.3"}, chain.ManualVirtualIPs)
|
|
|
|
}
|
|
|
|
func TestFindJWTProviderNameReferences(t *testing.T) {
|
|
oktaProvider := structs.IntentionJWTProvider{Name: "okta"}
|
|
auth0Provider := structs.IntentionJWTProvider{Name: "auth0"}
|
|
cases := map[string]struct {
|
|
entries []structs.ConfigEntry
|
|
providerName string
|
|
expectedError string
|
|
}{
|
|
"no jwt at any level": {
|
|
entries: []structs.ConfigEntry{},
|
|
providerName: "okta",
|
|
},
|
|
"provider not referenced": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceIntentionsConfigEntry{
|
|
Kind: "service-intentions",
|
|
Name: "api-intention",
|
|
JWT: &structs.IntentionJWTRequirement{
|
|
Providers: []*structs.IntentionJWTProvider{&oktaProvider, &auth0Provider},
|
|
},
|
|
},
|
|
},
|
|
providerName: "fake-provider",
|
|
},
|
|
"only top level jwt with no permissions": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceIntentionsConfigEntry{
|
|
Kind: "service-intentions",
|
|
Name: "api-intention",
|
|
JWT: &structs.IntentionJWTRequirement{
|
|
Providers: []*structs.IntentionJWTProvider{&oktaProvider, &auth0Provider},
|
|
},
|
|
},
|
|
},
|
|
providerName: "okta",
|
|
expectedError: "cannot delete jwt provider config entry referenced by an intention. Provider name: okta, intention name: api-intention",
|
|
},
|
|
"top level jwt with permissions": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceIntentionsConfigEntry{
|
|
Kind: "service-intentions",
|
|
Name: "api-intention",
|
|
JWT: &structs.IntentionJWTRequirement{
|
|
Providers: []*structs.IntentionJWTProvider{&oktaProvider},
|
|
},
|
|
Sources: []*structs.SourceIntention{
|
|
{
|
|
Name: "api",
|
|
Action: "allow",
|
|
Permissions: []*structs.IntentionPermission{
|
|
{
|
|
Action: "allow",
|
|
JWT: &structs.IntentionJWTRequirement{
|
|
Providers: []*structs.IntentionJWTProvider{&oktaProvider},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "serv",
|
|
Action: "allow",
|
|
Permissions: []*structs.IntentionPermission{
|
|
{
|
|
Action: "allow",
|
|
JWT: &structs.IntentionJWTRequirement{
|
|
Providers: []*structs.IntentionJWTProvider{&auth0Provider},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "web",
|
|
Action: "allow",
|
|
Permissions: []*structs.IntentionPermission{
|
|
{Action: "allow"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
providerName: "auth0",
|
|
expectedError: "cannot delete jwt provider config entry referenced by an intention. Provider name: auth0, intention name: api-intention",
|
|
},
|
|
"no top level jwt and existing permissions": {
|
|
entries: []structs.ConfigEntry{
|
|
&structs.ServiceIntentionsConfigEntry{
|
|
Kind: "service-intentions",
|
|
Name: "api-intention",
|
|
Sources: []*structs.SourceIntention{
|
|
{
|
|
Name: "api",
|
|
Action: "allow",
|
|
Permissions: []*structs.IntentionPermission{
|
|
{
|
|
Action: "allow",
|
|
JWT: &structs.IntentionJWTRequirement{
|
|
Providers: []*structs.IntentionJWTProvider{&oktaProvider},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "serv",
|
|
Action: "allow",
|
|
Permissions: []*structs.IntentionPermission{
|
|
{
|
|
Action: "allow",
|
|
JWT: &structs.IntentionJWTRequirement{
|
|
Providers: []*structs.IntentionJWTProvider{&auth0Provider},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "web",
|
|
Action: "allow",
|
|
Permissions: []*structs.IntentionPermission{
|
|
{Action: "allow"},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
providerName: "okta",
|
|
expectedError: "cannot delete jwt provider config entry referenced by an intention. Provider name: okta, intention name: api-intention",
|
|
},
|
|
}
|
|
|
|
for name, tt := range cases {
|
|
tt := tt
|
|
t.Run(name, func(t *testing.T) {
|
|
err := findJWTProviderNameReferences(tt.entries, tt.providerName)
|
|
|
|
if tt.expectedError != "" {
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), tt.expectedError)
|
|
} else {
|
|
require.NoError(t, err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestStore_ValidateJWTProviderIsReferenced(t *testing.T) {
|
|
s := testStateStore(t)
|
|
|
|
// First create a config entry
|
|
provider := &structs.JWTProviderConfigEntry{
|
|
Kind: structs.JWTProvider,
|
|
Name: "okta",
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(0, provider))
|
|
|
|
// create a service intention referencing the config entry
|
|
ixn := &structs.ServiceIntentionsConfigEntry{
|
|
Name: "api",
|
|
JWT: &structs.IntentionJWTRequirement{
|
|
Providers: []*structs.IntentionJWTProvider{
|
|
{Name: provider.Name},
|
|
},
|
|
},
|
|
}
|
|
require.NoError(t, s.EnsureConfigEntry(1, ixn))
|
|
|
|
// attempt deleting a referenced provider
|
|
err := s.DeleteConfigEntry(0, structs.JWTProvider, provider.Name, nil)
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), `cannot delete jwt provider config entry referenced by an intention. Provider name: okta, intention name: api`)
|
|
|
|
// delete the intention
|
|
require.NoError(t, s.DeleteConfigEntry(1, structs.ServiceIntentions, ixn.Name, nil))
|
|
// successfully delete the provider after deleting the intention
|
|
require.NoError(t, s.DeleteConfigEntry(0, structs.JWTProvider, provider.Name, nil))
|
|
}
|