diff --git a/agent/cache-types/trust_bundles.go b/agent/cache-types/trust_bundles.go index 70c63cb4be6..eddc8dabbee 100644 --- a/agent/cache-types/trust_bundles.go +++ b/agent/cache-types/trust_bundles.go @@ -8,6 +8,8 @@ import ( "github.com/mitchellh/hashstructure" "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" "github.com/hashicorp/consul/agent/cache" external "github.com/hashicorp/consul/agent/grpc-external" @@ -87,6 +89,13 @@ func (t *TrustBundles) Fetch(_ cache.FetchOptions, req cache.Request) (cache.Fet // Fetch reply, err := t.Client.TrustBundleListByService(external.ContextWithToken(context.Background(), reqReal.Token), reqReal.Request) if err != nil { + // Return an empty result if the error is due to peering being disabled. + // This allows mesh gateways to receive an update and confirm that the watch is set. + if e, ok := status.FromError(err); ok && e.Code() == codes.FailedPrecondition { + result.Index = 1 + result.Value = &pbpeering.TrustBundleListByServiceResponse{Index: 1} + return result, nil + } return result, err } diff --git a/agent/cache-types/trust_bundles_test.go b/agent/cache-types/trust_bundles_test.go index 09d8a80bcb3..85248dba1da 100644 --- a/agent/cache-types/trust_bundles_test.go +++ b/agent/cache-types/trust_bundles_test.go @@ -7,6 +7,8 @@ import ( "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" + "google.golang.org/grpc/codes" + grpcstatus "google.golang.org/grpc/status" "github.com/hashicorp/consul/agent/cache" "github.com/hashicorp/consul/proto/pbpeering" @@ -48,6 +50,29 @@ func TestTrustBundles(t *testing.T) { }, result) } +func TestTrustBundles_PeeringDisabled(t *testing.T) { + client := NewMockTrustBundleLister(t) + typ := &TrustBundles{Client: client} + + var resp *pbpeering.TrustBundleListByServiceResponse + + // Expect the proper call. + // This also returns the canned response above. + client.On("TrustBundleListByService", mock.Anything, mock.Anything). + Return(resp, grpcstatus.Error(codes.FailedPrecondition, "peering must be enabled to use this endpoint")) + + // Fetch and assert against the result. + result, err := typ.Fetch(cache.FetchOptions{}, &TrustBundleListRequest{ + Request: &pbpeering.TrustBundleListByServiceRequest{ + ServiceName: "foo", + }, + }) + require.NoError(t, err) + require.NotNil(t, result) + require.EqualValues(t, 1, result.Index) + require.NotNil(t, result.Value) +} + func TestTrustBundles_badReqType(t *testing.T) { client := pbpeering.NewPeeringServiceClient(nil) typ := &TrustBundles{Client: client} diff --git a/agent/config/default.go b/agent/config/default.go index bb78218513f..861db9e3bac 100644 --- a/agent/config/default.go +++ b/agent/config/default.go @@ -104,9 +104,6 @@ func DefaultSource() Source { kv_max_value_size = ` + strconv.FormatInt(raft.SuggestedMaxDataSize, 10) + ` txn_max_req_len = ` + strconv.FormatInt(raft.SuggestedMaxDataSize, 10) + ` } - peering = { - enabled = true - } performance = { leave_drain_time = "5s" raft_multiplier = ` + strconv.Itoa(int(consul.DefaultRaftMultiplier)) + ` diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index b05b3149190..e0266811e38 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -5548,16 +5548,6 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { "tls.grpc was provided but TLS will NOT be enabled on the gRPC listener without an HTTPS listener configured (e.g. via ports.https)", }, }) - run(t, testCase{ - desc: "peering.enabled defaults to true", - args: []string{ - `-data-dir=` + dataDir, - }, - expected: func(rt *RuntimeConfig) { - rt.DataDir = dataDir - rt.PeeringEnabled = true - }, - }) } func (tc testCase) run(format string, dataDir string) func(t *testing.T) { diff --git a/agent/consul/config.go b/agent/consul/config.go index 64bf90257c9..b897c4f232e 100644 --- a/agent/consul/config.go +++ b/agent/consul/config.go @@ -517,7 +517,6 @@ func DefaultConfig() *Config { DefaultQueryTime: 300 * time.Second, MaxQueryTime: 600 * time.Second, - PeeringEnabled: true, PeeringTestAllowPeerRegistrations: false, EnterpriseConfig: DefaultEnterpriseConfig(), diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go index b9f9cc4f147..35bbe720e27 100644 --- a/agent/consul/server_test.go +++ b/agent/consul/server_test.go @@ -179,6 +179,7 @@ func testServerConfig(t *testing.T) (string, *Config) { "IntermediateCertTTL": "288h", }, } + config.PeeringEnabled = true return dir, config } diff --git a/agent/rpc/peering/service_test.go b/agent/rpc/peering/service_test.go index a4acd945e03..54770d6a616 100644 --- a/agent/rpc/peering/service_test.go +++ b/agent/rpc/peering/service_test.go @@ -1283,6 +1283,7 @@ func newTestServer(t *testing.T, cb func(conf *consul.Config)) testingServer { ports := freeport.GetN(t, 4) // {rpc, serf_lan, serf_wan, grpc} + conf.PeeringEnabled = true conf.Bootstrap = true conf.Datacenter = "dc1" conf.DataDir = dir diff --git a/agent/testagent.go b/agent/testagent.go index af6ac87dc1c..5701834b7cc 100644 --- a/agent/testagent.go +++ b/agent/testagent.go @@ -138,6 +138,9 @@ func TestConfigHCL(nodeID string) string { } performance { raft_multiplier = 1 + } + peering { + enabled = true }`, nodeID, connect.TestClusterID, ) } diff --git a/sdk/testutil/server.go b/sdk/testutil/server.go index 77fd90e8245..db5834c3a85 100644 --- a/sdk/testutil/server.go +++ b/sdk/testutil/server.go @@ -105,6 +105,7 @@ type TestServerConfig struct { Connect map[string]interface{} `json:"connect,omitempty"` EnableDebug bool `json:"enable_debug,omitempty"` SkipLeaveOnInt bool `json:"skip_leave_on_interrupt"` + Peering *TestPeeringConfig `json:"peering,omitempty"` ReadyTimeout time.Duration `json:"-"` StopTimeout time.Duration `json:"-"` Stdout io.Writer `json:"-"` @@ -139,6 +140,10 @@ type TestTokens struct { AgentRecovery string `json:"agent_master,omitempty"` } +type TestPeeringConfig struct { + Enabled bool `json:"enabled,omitempty"` +} + // ServerConfigCallback is a function interface which can be // passed to NewTestServerConfig to modify the server config. type ServerConfigCallback func(c *TestServerConfig) @@ -192,8 +197,9 @@ func defaultServerConfig(t TestingTB) *TestServerConfig { ReturnPorts: func() { freeport.Return(ports) }, - Stdout: logBuffer, - Stderr: logBuffer, + Stdout: logBuffer, + Stderr: logBuffer, + Peering: &TestPeeringConfig{Enabled: true}, } } diff --git a/test/integration/connect/envoy/case-cross-peers-http-router/alpha/base.hcl b/test/integration/connect/envoy/case-cross-peers-http-router/alpha/base.hcl index 68265638f9c..f81ab0edd6e 100644 --- a/test/integration/connect/envoy/case-cross-peers-http-router/alpha/base.hcl +++ b/test/integration/connect/envoy/case-cross-peers-http-router/alpha/base.hcl @@ -1,2 +1,5 @@ primary_datacenter = "alpha" log_level = "trace" +peering { + enabled = true +} diff --git a/test/integration/connect/envoy/case-cross-peers-http-router/primary/base.hcl b/test/integration/connect/envoy/case-cross-peers-http-router/primary/base.hcl new file mode 100644 index 00000000000..c1e134d5a25 --- /dev/null +++ b/test/integration/connect/envoy/case-cross-peers-http-router/primary/base.hcl @@ -0,0 +1,3 @@ +peering { + enabled = true +} diff --git a/test/integration/connect/envoy/case-cross-peers-http/alpha/base.hcl b/test/integration/connect/envoy/case-cross-peers-http/alpha/base.hcl index 68265638f9c..f81ab0edd6e 100644 --- a/test/integration/connect/envoy/case-cross-peers-http/alpha/base.hcl +++ b/test/integration/connect/envoy/case-cross-peers-http/alpha/base.hcl @@ -1,2 +1,5 @@ primary_datacenter = "alpha" log_level = "trace" +peering { + enabled = true +} diff --git a/test/integration/connect/envoy/case-cross-peers-http/primary/base.hcl b/test/integration/connect/envoy/case-cross-peers-http/primary/base.hcl new file mode 100644 index 00000000000..c1e134d5a25 --- /dev/null +++ b/test/integration/connect/envoy/case-cross-peers-http/primary/base.hcl @@ -0,0 +1,3 @@ +peering { + enabled = true +} diff --git a/test/integration/connect/envoy/case-cross-peers-resolver-redirect-tcp/alpha/base.hcl b/test/integration/connect/envoy/case-cross-peers-resolver-redirect-tcp/alpha/base.hcl index 68265638f9c..f81ab0edd6e 100644 --- a/test/integration/connect/envoy/case-cross-peers-resolver-redirect-tcp/alpha/base.hcl +++ b/test/integration/connect/envoy/case-cross-peers-resolver-redirect-tcp/alpha/base.hcl @@ -1,2 +1,5 @@ primary_datacenter = "alpha" log_level = "trace" +peering { + enabled = true +} diff --git a/test/integration/connect/envoy/case-cross-peers-resolver-redirect-tcp/primary/base.hcl b/test/integration/connect/envoy/case-cross-peers-resolver-redirect-tcp/primary/base.hcl new file mode 100644 index 00000000000..c1e134d5a25 --- /dev/null +++ b/test/integration/connect/envoy/case-cross-peers-resolver-redirect-tcp/primary/base.hcl @@ -0,0 +1,3 @@ +peering { + enabled = true +} diff --git a/test/integration/connect/envoy/case-cross-peers/alpha/base.hcl b/test/integration/connect/envoy/case-cross-peers/alpha/base.hcl index 68265638f9c..f81ab0edd6e 100644 --- a/test/integration/connect/envoy/case-cross-peers/alpha/base.hcl +++ b/test/integration/connect/envoy/case-cross-peers/alpha/base.hcl @@ -1,2 +1,5 @@ primary_datacenter = "alpha" log_level = "trace" +peering { + enabled = true +} diff --git a/test/integration/connect/envoy/case-cross-peers/primary/base.hcl b/test/integration/connect/envoy/case-cross-peers/primary/base.hcl new file mode 100644 index 00000000000..c1e134d5a25 --- /dev/null +++ b/test/integration/connect/envoy/case-cross-peers/primary/base.hcl @@ -0,0 +1,3 @@ +peering { + enabled = true +} diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx index c886775084b..5c4f7b909d9 100644 --- a/website/content/docs/agent/config/config-files.mdx +++ b/website/content/docs/agent/config/config-files.mdx @@ -555,7 +555,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." The following sub-keys are available: - - `enabled` ((#peering_enabled)) (Defaults to `true`) Controls whether cluster peering is enabled. + - `enabled` ((#peering_enabled)) (Defaults to `false`) Controls whether cluster peering is enabled. When disabled, the UI won't show peering, all peering APIs will return an error, any peerings stored in Consul already will be ignored (but they will not be deleted), and all peering connections from other clusters will be rejected. This was added in Consul 1.13.0.