peering: default to false

agent/cache-types/trust_bundles.go

@@ -8,6 +8,8 @@ import (
 
 	"github.com/mitchellh/hashstructure"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 
 	"github.com/hashicorp/consul/agent/cache"
 	external "github.com/hashicorp/consul/agent/grpc-external"
@@ -87,6 +89,13 @@ func (t *TrustBundles) Fetch(_ cache.FetchOptions, req cache.Request) (cache.Fet
 	// Fetch
 	reply, err := t.Client.TrustBundleListByService(external.ContextWithToken(context.Background(), reqReal.Token), reqReal.Request)
 	if err != nil {
+		// Return an empty result if the error is due to peering being disabled.
+		// This allows mesh gateways to receive an update and confirm that the watch is set.
+		if e, ok := status.FromError(err); ok && e.Code() == codes.FailedPrecondition {
+			result.Index = 1
+			result.Value = &pbpeering.TrustBundleListByServiceResponse{Index: 1}
+			return result, nil
+		}
 		return result, err
 	}
 

agent/cache-types/trust_bundles_test.go

@@ -7,6 +7,8 @@ import (
 
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+	grpcstatus "google.golang.org/grpc/status"
 
 	"github.com/hashicorp/consul/agent/cache"
 	"github.com/hashicorp/consul/proto/pbpeering"
@@ -48,6 +50,29 @@ func TestTrustBundles(t *testing.T) {
 	}, result)
 }
 
+func TestTrustBundles_PeeringDisabled(t *testing.T) {
+	client := NewMockTrustBundleLister(t)
+	typ := &TrustBundles{Client: client}
+
+	var resp *pbpeering.TrustBundleListByServiceResponse
+
+	// Expect the proper call.
+	// This also returns the canned response above.
+	client.On("TrustBundleListByService", mock.Anything, mock.Anything).
+		Return(resp, grpcstatus.Error(codes.FailedPrecondition, "peering must be enabled to use this endpoint"))
+
+	// Fetch and assert against the result.
+	result, err := typ.Fetch(cache.FetchOptions{}, &TrustBundleListRequest{
+		Request: &pbpeering.TrustBundleListByServiceRequest{
+			ServiceName: "foo",
+		},
+	})
+	require.NoError(t, err)
+	require.NotNil(t, result)
+	require.EqualValues(t, 1, result.Index)
+	require.NotNil(t, result.Value)
+}
+
 func TestTrustBundles_badReqType(t *testing.T) {
 	client := pbpeering.NewPeeringServiceClient(nil)
 	typ := &TrustBundles{Client: client}

agent/config/default.go

@@ -104,9 +104,6 @@ func DefaultSource() Source {
 			kv_max_value_size = ` + strconv.FormatInt(raft.SuggestedMaxDataSize, 10) + `
 			txn_max_req_len = ` + strconv.FormatInt(raft.SuggestedMaxDataSize, 10) + `
 		}
-		peering = {
-			enabled = true
-		}
 		performance = {
 			leave_drain_time = "5s"
 			raft_multiplier = ` + strconv.Itoa(int(consul.DefaultRaftMultiplier)) + `

agent/config/runtime_test.go

@@ -5548,16 +5548,6 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			"tls.grpc was provided but TLS will NOT be enabled on the gRPC listener without an HTTPS listener configured (e.g. via ports.https)",
 		},
 	})
-	run(t, testCase{
-		desc: "peering.enabled defaults to true",
-		args: []string{
-			`-data-dir=` + dataDir,
-		},
-		expected: func(rt *RuntimeConfig) {
-			rt.DataDir = dataDir
-			rt.PeeringEnabled = true
-		},
-	})
 }
 
 func (tc testCase) run(format string, dataDir string) func(t *testing.T) {

agent/consul/config.go

@@ -517,7 +517,6 @@ func DefaultConfig() *Config {
 		DefaultQueryTime:         300 * time.Second,
 		MaxQueryTime:             600 * time.Second,
 
-		PeeringEnabled:                    true,
 		PeeringTestAllowPeerRegistrations: false,
 
 		EnterpriseConfig: DefaultEnterpriseConfig(),

agent/consul/server_test.go

@@ -179,6 +179,7 @@ func testServerConfig(t *testing.T) (string, *Config) {
 			"IntermediateCertTTL": "288h",
 		},
 	}
+	config.PeeringEnabled = true
 	return dir, config
 }
 

agent/rpc/peering/service_test.go

@@ -1283,6 +1283,7 @@ func newTestServer(t *testing.T, cb func(conf *consul.Config)) testingServer {
 
 	ports := freeport.GetN(t, 4) // {rpc, serf_lan, serf_wan, grpc}
 
+	conf.PeeringEnabled = true
 	conf.Bootstrap = true
 	conf.Datacenter = "dc1"
 	conf.DataDir = dir

agent/testagent.go

@@ -138,6 +138,9 @@ func TestConfigHCL(nodeID string) string {
 		}
 		performance {
 			raft_multiplier = 1
+		}
+		peering {
+			enabled = true
 		}`, nodeID, connect.TestClusterID,
 	)
 }

sdk/testutil/server.go

@@ -105,6 +105,7 @@ type TestServerConfig struct {
 	Connect             map[string]interface{} `json:"connect,omitempty"`
 	EnableDebug         bool                   `json:"enable_debug,omitempty"`
 	SkipLeaveOnInt      bool                   `json:"skip_leave_on_interrupt"`
+	Peering             *TestPeeringConfig     `json:"peering,omitempty"`
 	ReadyTimeout        time.Duration          `json:"-"`
 	StopTimeout         time.Duration          `json:"-"`
 	Stdout              io.Writer              `json:"-"`
@@ -139,6 +140,10 @@ type TestTokens struct {
 	AgentRecovery string `json:"agent_master,omitempty"`
 }
 
+type TestPeeringConfig struct {
+	Enabled bool `json:"enabled,omitempty"`
+}
+
 // ServerConfigCallback is a function interface which can be
 // passed to NewTestServerConfig to modify the server config.
 type ServerConfigCallback func(c *TestServerConfig)
@@ -192,8 +197,9 @@ func defaultServerConfig(t TestingTB) *TestServerConfig {
 		ReturnPorts: func() {
 			freeport.Return(ports)
 		},
-		Stdout: logBuffer,
-		Stderr: logBuffer,
+		Stdout:  logBuffer,
+		Stderr:  logBuffer,
+		Peering: &TestPeeringConfig{Enabled: true},
 	}
 }
 

test/integration/connect/envoy/case-cross-peers-http-router/alpha/base.hcl

@@ -1,2 +1,5 @@
 primary_datacenter = "alpha"
 log_level          = "trace"
+peering {
+  enabled = true
+}

test/integration/connect/envoy/case-cross-peers-http-router/primary/base.hcl

@@ -0,0 +1,3 @@
+peering {
+  enabled = true
+}

test/integration/connect/envoy/case-cross-peers-http/alpha/base.hcl

@@ -1,2 +1,5 @@
 primary_datacenter = "alpha"
 log_level          = "trace"
+peering {
+  enabled = true
+}

test/integration/connect/envoy/case-cross-peers-http/primary/base.hcl

@@ -0,0 +1,3 @@
+peering {
+  enabled = true
+}

test/integration/connect/envoy/case-cross-peers-resolver-redirect-tcp/alpha/base.hcl

@@ -1,2 +1,5 @@
 primary_datacenter = "alpha"
 log_level          = "trace"
+peering {
+  enabled = true
+}

test/integration/connect/envoy/case-cross-peers-resolver-redirect-tcp/primary/base.hcl

@@ -0,0 +1,3 @@
+peering {
+  enabled = true
+}

test/integration/connect/envoy/case-cross-peers/alpha/base.hcl

@@ -1,2 +1,5 @@
 primary_datacenter = "alpha"
 log_level          = "trace"
+peering {
+  enabled = true
+}

test/integration/connect/envoy/case-cross-peers/primary/base.hcl

@@ -0,0 +1,3 @@
+peering {
+  enabled = true
+}

website/content/docs/agent/config/config-files.mdx

@@ -555,7 +555,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
 
   The following sub-keys are available:
 
-  - `enabled` ((#peering_enabled)) (Defaults to `true`) Controls whether cluster peering is enabled.
+  - `enabled` ((#peering_enabled)) (Defaults to `false`) Controls whether cluster peering is enabled.
     When disabled, the UI won't show peering, all peering APIs will return
     an error, any peerings stored in Consul already will be ignored (but they will not be deleted),
     and all peering connections from other clusters will be rejected. This was added in Consul 1.13.0.