From abe6f6b29534575f1c086efc79d348bd54ede025 Mon Sep 17 00:00:00 2001 From: John Murret Date: Thu, 12 Oct 2023 16:16:12 +0000 Subject: [PATCH 1/7] backport of commit f142c779564785fa1303af58502e0313cab4c538 --- .../controllers/xds/controller_test.go | 76 ++++++++++++++++++- internal/testing/golden/golden.go | 10 ++- 2 files changed, 83 insertions(+), 3 deletions(-) diff --git a/internal/mesh/internal/controllers/xds/controller_test.go b/internal/mesh/internal/controllers/xds/controller_test.go index 6bb5f85c990..52ac884b67a 100644 --- a/internal/mesh/internal/controllers/xds/controller_test.go +++ b/internal/mesh/internal/controllers/xds/controller_test.go @@ -7,10 +7,12 @@ import ( "context" "crypto/x509" "encoding/pem" - "testing" - + "fmt" + "github.com/hashicorp/consul/internal/testing/golden" "github.com/stretchr/testify/require" "github.com/stretchr/testify/suite" + "google.golang.org/protobuf/encoding/protojson" + "testing" svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing" "github.com/hashicorp/consul/agent/leafcert" 
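Review bot: The imports added in the `@@ -7,10 +7,12 @@` hunk are not grouped the way goimports would leave them: `"fmt"` and `"testing"` are standard-library packages but now sit in the same block as `github.com/hashicorp/consul/internal/testing/golden`, the testify packages and `protojson`, with `"testing"` moved below the third-party entries. Keep the standard library together in the first group (`"encoding/pem"`, `"fmt"`, `"testing"`), then a blank line, then the third-party imports. The `"strings"` import added by the `@@ -12,6 +12,7 @@` hunk of PATCH 2/7 has the same problem.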
@@ -995,3 +997,73 @@ func (suite *xdsControllerTestSuite) TestReconcile_prevWatchesToCancel() { func TestXdsController(t *testing.T) { suite.Run(t, new(xdsControllerTestSuite)) } + +func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() { + path := "../sidecarproxy/builder/testdata" + cases := []string{ + "destination/l4-single-destination-ip-port-bind-address", + "destination/l4-single-destination-unix-socket-bind-address", + "destination/l4-multi-destination", + "destination/mixed-multi-destination", + } + + for _, name := range cases { + suite.Run(name, func() { + // Create ProxyStateTemplate from the golden file. + pst := JSONToProxyTemplate(suite.T(), + golden.GetBytesAtFilePath(suite.T(), fmt.Sprintf("%s/%s.golden", path, name))) + + // Store the initial ProxyStateTemplate and track it in the mapper. + proxyStateTemplate := resourcetest.Resource(pbmesh.ProxyStateTemplateType, "test"). + WithData(suite.T(), pst). + Write(suite.T(), suite.client) + + suite.mapper.TrackItem(proxyStateTemplate.Id, []resource.ReferenceOrID{}) + for idx, ep := range pst.ProxyState.Endpoints { + resourcetest.Resource(pbcatalog.ServiceEndpointsType, fmt.Sprintf("test-%d", idx)). + WithData(suite.T(), ep). + Write(suite.T(), suite.client) + } + + // Run the reconcile, and since no ProxyStateTemplate is stored, this simulates a deletion. 
+ err := suite.ctl.Reconcile(context.Background(), suite.runtime, controller.Request{ + ID: proxyStateTemplate.Id, + }) + require.NoError(suite.T(), err) + + require.NotNil(suite.T(), proxyStateTemplate) + //require.JSONEq(suite.T(), expected, actual) + }) + } +} + +func (suite *xdsControllerTestSuite) TestBuildImplicitDestinations() { + + cases := []string{ + "destination/l4-single-implicit-destination-tproxy", + "destination/l4-multiple-implicit-destinations-tproxy", + "destination/l4-implicit-and-explicit-destinations-tproxy", + } + + for _, name := range cases { + suite.Run(name, func() { + //proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", false, proxyCfg). + // BuildDestinations(c.destinations). + // Build() + // + //actual := protoToJSON(t, proxyTmpl) + //expected := golden.Get(t, actual, name+".golden") + // + //require.JSONEq(t, expected, actual) + }) + } +} + +func JSONToProxyTemplate(t *testing.T, json []byte) *pbmesh.ProxyStateTemplate { + t.Helper() + proxyTemplate := &pbmesh.ProxyStateTemplate{} + m := protojson.UnmarshalOptions{} + err := m.Unmarshal(json, proxyTemplate) + require.NoError(t, err) + return proxyTemplate +} diff --git a/internal/testing/golden/golden.go b/internal/testing/golden/golden.go index 8145d16814b..a4d971d0d09 100644 --- a/internal/testing/golden/golden.go +++ b/internal/testing/golden/golden.go @@ -42,7 +42,15 @@ func GetBytes(t *testing.T, actual, filename string) []byte { require.NoError(t, err) } - expected, err := os.ReadFile(path) + return GetBytesAtFilePath(t, path) +} + +// GetBytes reads the expected value from the file at filepath and returns the +// value as a byte array. filepath is relative to the ./testdata directory. +func GetBytesAtFilePath(t *testing.T, filepath string) []byte { + t.Helper() + + expected, err := os.ReadFile(filepath) require.NoError(t, err) return expected } From 6d43b88aef178071217b7ea4bbbb69c0d17e8e41 Mon Sep 17 00:00:00 2001 
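Review bot: `TestBuildImplicitDestinations` runs three subtests whose bodies are entirely commented out, so they pass without exercising anything, and in `TestBuildExplicitDestinations` the only assertion after `Reconcile` is `require.NotNil(suite.T(), proxyStateTemplate)`, which checks the resource the test itself wrote rather than anything the controller produced. Until the golden comparison exists, make the placeholder visible with `suite.T().Skip("golden comparison not implemented yet")` in the empty subtest body instead of reporting green. The comment `// Run the reconcile, and since no ProxyStateTemplate is stored, this simulates a deletion.` appears to be carried over from another test; here the template has just been written, so something like `// Reconcile the stored ProxyStateTemplate.` would match what the code does.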
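Review bot: The doc comment on `GetBytesAtFilePath` was copied from `GetBytes` and no longer describes the function: it starts with the wrong name and says the path is relative to `./testdata`, while the body passes `filepath` to `os.ReadFile` unchanged. Suggested comment: `// GetBytesAtFilePath reads the file at filepath and returns its contents. The path is used as given and is not joined with ./testdata.` The parameter name `filepath` would also shadow the `path/filepath` package if this file imports it (the import block is outside the hunk); `path` or `file` avoids that. The start of `GetBytes` lies outside the hunk.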
From: John Murret Date: Fri, 13 Oct 2023 16:51:58 +0000 Subject: [PATCH 2/7] backport of commit 79eadd1afd947673fc70570a75f8646784f6b23b --- .../controllers/xds/controller_test.go | 79 ++++++++- ...le-destination-ip-port-bind-address.golden | 162 ++++++++++++++++++ 2 files changed, 232 insertions(+), 9 deletions(-) create mode 100644 internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden diff --git a/internal/mesh/internal/controllers/xds/controller_test.go b/internal/mesh/internal/controllers/xds/controller_test.go index 52ac884b67a..45f9341a9ec 100644 --- a/internal/mesh/internal/controllers/xds/controller_test.go +++ b/internal/mesh/internal/controllers/xds/controller_test.go @@ -12,6 +12,7 @@ import ( "github.com/stretchr/testify/require" "github.com/stretchr/testify/suite" "google.golang.org/protobuf/encoding/protojson" + "strings" "testing" svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing" @@ -1002,9 +1003,9 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() { path := "../sidecarproxy/builder/testdata" cases := []string{ "destination/l4-single-destination-ip-port-bind-address", - "destination/l4-single-destination-unix-socket-bind-address", - "destination/l4-multi-destination", - "destination/mixed-multi-destination", + //"destination/l4-single-destination-unix-socket-bind-address", + //"destination/l4-multi-destination", + //"destination/mixed-multi-destination", } for _, name := range cases { 
@@ -1013,17 +1014,73 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() { pst := JSONToProxyTemplate(suite.T(), golden.GetBytesAtFilePath(suite.T(), fmt.Sprintf("%s/%s.golden", path, name))) + //get service data + serviceData := &pbcatalog.Service{} + var vp uint32 = 7000 + svcNames := map[string]map[string]string + + // get service name and ports + for name := range pst.RequiredEndpoints { + vp++ + nameSplit := strings.Split(name, ".") + port := nameSplit[0] + svcNames[nameSplit[1]] = name + serviceData.Ports = append(serviceData.Ports, &pbcatalog.ServicePort{ + TargetPort: port, + VirtualPort: vp, + Protocol: pbcatalog.Protocol_PROTOCOL_TCP, + }) + } + + svc := resourcetest.Resource(pbcatalog.ServiceType, svcName). + WithData(suite.T(), &pbcatalog.Service{}). + Write(suite.T(), suite.client) + + eps := resourcetest.Resource(pbcatalog.ServiceEndpointsType, svcName). + WithData(suite.T(), &pbcatalog.ServiceEndpoints{Endpoints: []*pbcatalog.Endpoint{ + { + Ports: map[string]*pbcatalog.WorkloadPort{ + "mesh": { + Port: 20000, + Protocol: pbcatalog.Protocol_PROTOCOL_MESH, + }, + }, + Addresses: []*pbcatalog.WorkloadAddress{ + { + Host: "10.1.1.1", + Ports: []string{"mesh"}, + }, + }, + }, + }}). + WithOwner(svc.Id). + Write(suite.T(), suite.client) + // + requiredEps := make(map[string]*pbproxystate.EndpointRef) + for epName := range pst.RequiredEndpoints { + requiredEps[epName] = &pbproxystate.EndpointRef{ + Id: eps.Id, + Port: "mesh", + } + } + + wiLeafs := make(map[string]*pbproxystate.LeafCertificateRef) + wiLeafs["wi-workload-identity"] = &pbproxystate.LeafCertificateRef{ + Name: "wi-workload-identity", + } + + pst.RequiredEndpoints = requiredEps + // Store the initial ProxyStateTemplate and track it in the mapper. proxyStateTemplate := resourcetest.Resource(pbmesh.ProxyStateTemplateType, "test"). WithData(suite.T(), pst). 
Write(suite.T(), suite.client) + retry.Run(suite.T(), func(r *retry.R) { + suite.client.RequireResourceExists(r, proxyStateTemplate.Id) + }) + suite.mapper.TrackItem(proxyStateTemplate.Id, []resource.ReferenceOrID{}) - for idx, ep := range pst.ProxyState.Endpoints { - resourcetest.Resource(pbcatalog.ServiceEndpointsType, fmt.Sprintf("test-%d", idx)). - WithData(suite.T(), ep). - Write(suite.T(), suite.client) - } // Run the reconcile, and since no ProxyStateTemplate is stored, this simulates a deletion. err := suite.ctl.Reconcile(context.Background(), suite.runtime, controller.Request{ @@ -1032,7 +1089,11 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() { require.NoError(suite.T(), err) require.NotNil(suite.T(), proxyStateTemplate) - //require.JSONEq(suite.T(), expected, actual) + + actual := prototest.ProtoToJSON(suite.T(), proxyStateTemplate.Data) + expected := golden.Get(suite.T(), actual, name+".golden") + + require.JSONEq(suite.T(), expected, actual) }) } } diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden new file mode 100644 index 00000000000..7ba71112355 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden 
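Review bot: `svcNames := map[string]map[string]string` in the `@@ -1013,17 +1014,73 @@` hunk is a type, not a value, and `svcName` is passed to both `resourcetest.Resource(...)` calls without being declared in the visible lines, so the test file most likely does not build at this commit, which breaks bisecting across the series. Separately, `wiLeafs` is filled with a `LeafCertificateRef` but never assigned to the template (only `pst.RequiredEndpoints = requiredEps` is), so it has no effect; either set it on `pst` or drop it. `nameSplit[1]` is read without checking that the name contains a `.`, so a malformed key panics instead of failing the test; `require.GreaterOrEqual(suite.T(), len(nameSplit), 2)` before the index gives a readable failure, and the same unguarded index remains in the `@@ -1017,48 +1017,47 @@` hunk of PATCH 3/7. The enclosing subtest closure starts and ends outside the hunk.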
@@ -0,0 +1,162 @@ +{ + "proxyState": { + "clusters": { + "null_route_cluster": { + "endpointGroup": { + "static": { + "config": { + "connectTimeout": "10s" + } + } + }, + "name": "null_route_cluster" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "routers": [ + { + "l4": { + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": 
"tcp.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + } + ] + }, + "requiredEndpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "id": { + "name": "api-1", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "catalog", + "groupVersion": "v2beta1", + "kind": "ServiceEndpoints" + } + }, + "port": "mesh" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "id": { + "name": "api-2", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "catalog", + "groupVersion": "v2beta1", + "kind": "ServiceEndpoints" + } + }, + "port": "mesh" + } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } + } +} \ No newline at end of file From d424d4d5b207db40e73a5c9ffa2052c03ee985b6 Mon Sep 17 00:00:00 2001 From: John Murret Date: Fri, 13 Oct 2023 19:58:49 +0000 Subject: [PATCH 3/7] backport of commit d269c63a99396b9bd62055a1f18b7842fd775326 --- .../controllers/xds/controller_test.go | 59 ++--- ...le-destination-ip-port-bind-address.golden | 236 +++++++----------- 2 files changed, 124 insertions(+), 171 deletions(-) diff --git a/internal/mesh/internal/controllers/xds/controller_test.go b/internal/mesh/internal/controllers/xds/controller_test.go index 45f9341a9ec..f69b908d2ba 100644 --- a/internal/mesh/internal/controllers/xds/controller_test.go +++ b/internal/mesh/internal/controllers/xds/controller_test.go 
@@ -1017,48 +1017,47 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() { //get service data serviceData := &pbcatalog.Service{} var vp uint32 = 7000 - svcNames := map[string]map[string]string + requiredEps := make(map[string]*pbproxystate.EndpointRef) // get service name and ports - for name := range pst.RequiredEndpoints { + for name := range pst.ProxyState.Clusters { + if name == "null_route_cluster" { + continue + } vp++ nameSplit := strings.Split(name, ".") port := nameSplit[0] - svcNames[nameSplit[1]] = name + svcName := nameSplit[1] serviceData.Ports = append(serviceData.Ports, &pbcatalog.ServicePort{ TargetPort: port, VirtualPort: vp, Protocol: pbcatalog.Protocol_PROTOCOL_TCP, }) - } - svc := resourcetest.Resource(pbcatalog.ServiceType, svcName). - WithData(suite.T(), &pbcatalog.Service{}). - Write(suite.T(), suite.client) - - eps := resourcetest.Resource(pbcatalog.ServiceEndpointsType, svcName). - WithData(suite.T(), &pbcatalog.ServiceEndpoints{Endpoints: []*pbcatalog.Endpoint{ - { - Ports: map[string]*pbcatalog.WorkloadPort{ - "mesh": { - Port: 20000, - Protocol: pbcatalog.Protocol_PROTOCOL_MESH, + svc := resourcetest.Resource(pbcatalog.ServiceType, svcName). + WithData(suite.T(), &pbcatalog.Service{}). + Write(suite.T(), suite.client) + + eps := resourcetest.Resource(pbcatalog.ServiceEndpointsType, svcName). + WithData(suite.T(), &pbcatalog.ServiceEndpoints{Endpoints: []*pbcatalog.Endpoint{ + { + Ports: map[string]*pbcatalog.WorkloadPort{ + "mesh": { + Port: 20000, + Protocol: pbcatalog.Protocol_PROTOCOL_MESH, + }, }, - }, - Addresses: []*pbcatalog.WorkloadAddress{ - { - Host: "10.1.1.1", - Ports: []string{"mesh"}, + Addresses: []*pbcatalog.WorkloadAddress{ + { + Host: "10.1.1.1", + Ports: []string{"mesh"}, + }, }, }, - }, - }}). - WithOwner(svc.Id). 
- Write(suite.T(), suite.client) - // - requiredEps := make(map[string]*pbproxystate.EndpointRef) - for epName := range pst.RequiredEndpoints { - requiredEps[epName] = &pbproxystate.EndpointRef{ + }}). + WithOwner(svc.Id). + Write(suite.T(), suite.client) + requiredEps[name] = &pbproxystate.EndpointRef{ Id: eps.Id, Port: "mesh", } @@ -1090,7 +1089,9 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() { require.NotNil(suite.T(), proxyStateTemplate) - actual := prototest.ProtoToJSON(suite.T(), proxyStateTemplate.Data) + reconciledPS := suite.updater.Get(proxyStateTemplate.Id.Name) + actual := prototest.ProtoToJSON(suite.T(), reconciledPS) + expected := golden.Get(suite.T(), actual, name+".golden") require.JSONEq(suite.T(), expected, actual) diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden index 7ba71112355..c614f009d69 100644 --- a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden 
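Review bot: `serviceData.Ports` is appended to for every cluster, but the `Service` written inside the loop still uses `WithData(suite.T(), &pbcatalog.Service{})`, so the ports and the `vp` counter never reach the resource store. If the ports are meant to be stored, build them per service and pass that value to `WithData`; otherwise delete `serviceData` and `vp`. Note also that `pst.ProxyState.Clusters` is ranged as a map, so the `vp` values would vary between runs, and that clusters sharing a service name (for example the `tcp.` and `tcp2.` entries for `api-1` in the multi-destination golden file) write the same `Service` and `ServiceEndpoints` name more than once. The enclosing subtest closure starts and ends outside the hunk.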
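Review bot: In the `@@ -1090,7 +1089,9 @@` hunk the result of `suite.updater.Get(proxyStateTemplate.Id.Name)` goes straight into `prototest.ProtoToJSON` with no check that the updater holds a state for that name, while the assertion just above, `require.NotNil(suite.T(), proxyStateTemplate)`, still tests the input resource. Add `require.NotNil(suite.T(), reconciledPS)` right after the `Get` so a reconcile that pushed nothing fails with a clear message instead of being compared with the golden file. What `Get` returns for an unknown name is not visible here, so this is a guard rather than a confirmed failure.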
@@ -1,162 +1,114 @@ { - "proxyState": { - "clusters": { - "null_route_cluster": { - "endpointGroup": { - "static": { - "config": { - "connectTimeout": "10s" - } + "clusters": { + "null_route_cluster": { + "endpointGroup": { + "static": { + "config": { + "connectTimeout": "10s" } - }, - "name": "null_route_cluster" - }, - "tcp.api-1.default.dc1.internal.foo.consul": { - "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", - "endpointGroup": { - "dynamic": { - "config": { - "connectTimeout": "5s", - "disablePanicThreshold": true - }, - "outboundTls": { - "alpnProtocols": [ - "consul~tcp" - ], - "outboundMesh": { - "identityKey": "test-identity", - "sni": "api-1.default.dc1.internal.foo.consul", - "validationContext": { - "spiffeIds": [ - "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - ], - "trustBundlePeerNameKey": "local" - } - } - } - } - }, - "name": "tcp.api-1.default.dc1.internal.foo.consul" - }, - "tcp.api-2.default.dc1.internal.foo.consul": { - "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", - "endpointGroup": { - "dynamic": { - "config": { - "connectTimeout": "5s", - "disablePanicThreshold": true - }, - "outboundTls": { - "alpnProtocols": [ - "consul~tcp" - ], - "outboundMesh": { - "identityKey": "test-identity", - "sni": "api-2.default.dc1.internal.foo.consul", - "validationContext": { - "spiffeIds": [ - "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" - ], - "trustBundlePeerNameKey": "local" - } - } - } - } - }, - "name": "tcp.api-2.default.dc1.internal.foo.consul" - } - }, - "identity": { - "name": "test-identity", - "tenancy": { - "namespace": "default", - "partition": "default", - "peerName": "local" + } }, - "type": { - "group": "auth", - "groupVersion": "v2beta1", - "kind": "WorkloadIdentity" - } + "name": "null_route_cluster" }, - "listeners": [ - { - "direction": "DIRECTION_OUTBOUND", - "hostPort": { - "host": "1.1.1.1", - "port": 1234 - }, - "name": 
"default/local/default/api-1:tcp:1.1.1.1:1234", - "routers": [ - { - "l4": { - "statPrefix": "upstream.tcp.api-1.default.default.dc1", - "weightedClusters": { - "clusters": [ - { - "name": "tcp.api-2.default.dc1.internal.foo.consul", - "weight": 60 - }, - { - "name": "tcp.api-1.default.dc1.internal.foo.consul", - "weight": 40 - }, - { - "name": "null_route_cluster", - "weight": 10 - } - ] + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" } } } - ] - } - ] - }, - "requiredEndpoints": { - "tcp.api-1.default.dc1.internal.foo.consul": { - "id": { - "name": "api-1", - "tenancy": { - "namespace": "default", - "partition": "default", - "peerName": "local" - }, - "type": { - "group": "catalog", - "groupVersion": "v2beta1", - "kind": "ServiceEndpoints" } }, - "port": "mesh" + "name": "tcp.api-1.default.dc1.internal.foo.consul" }, "tcp.api-2.default.dc1.internal.foo.consul": { - "id": { - "name": "api-2", - "tenancy": { - "namespace": "default", - "partition": "default", - "peerName": "local" - }, - "type": { - "group": "catalog", - "groupVersion": "v2beta1", - "kind": "ServiceEndpoints" + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + 
"spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } } }, - "port": "mesh" + "name": "tcp.api-2.default.dc1.internal.foo.consul" } }, - "requiredLeafCertificates": { - "test-identity": { - "name": "test-identity", + "identity": { + "name": "test-identity", + "tenancy": { "namespace": "default", - "partition": "default" + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" } }, - "requiredTrustBundles": { - "local": { - "peer": "local" + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "routers": [ + { + "l4": { + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] } - } + ] } \ No newline at end of file From 3e24a7a30fd758af76ce8856e536ce0dbb9ab559 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 16 Oct 2023 15:49:00 +0000 Subject: [PATCH 4/7] backport of commit 532aad4dbfb6936aedde84cf519d07036100fdec --- ...le-destination-ip-port-bind-address.golden | 41 ++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden index c614f009d69..d63cfb62cd0 100644 --- a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden 
+++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden @@ -65,6 +65,30 @@ "name": "tcp.api-2.default.dc1.internal.foo.consul" } }, + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, "identity": { "name": "test-identity", "tenancy": { @@ -78,6 +102,12 @@ "kind": "WorkloadIdentity" } }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDzCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTU0MzQxWhcNMjMxMDE2MTU1MzQxWjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAECjAS1priKKg5DX2byiWj7rP/javtusIwUXXNZjLcL93d\nt1/TJ3BeGQjcye7Tj4fg7u1xKQe4zzzl9jzhNImDbqOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQgm9EL7d6QLgSa4XcBMrJe254kOIyY4qeEG1XkyHxgNqgw\nKwYDVR0jBCQwIoAgrxX5IdfjyCYUhGtC4FxnuPtk2WpVnEJvN7Tb+0dORfcwbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNIADBFAiEAsQylgvCf1TuK7Efng1VZ\nlYyP8fHV3ndNjq7DxGHBp9kCIHkDszWused6R5GAsRBNp3nwzK7fGWncrEQJGetp\nCNtQ\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIPYFUcC4ZIeQRE/PfF7DsK5CeL4uEh2C6aFIyLYg2734oAoGCCqGSM49\nAwEHoUQDQgAECjAS1priKKg5DX2byiWj7rP/javtusIwUXXNZjLcL93dt1/TJ3Be\nGQjcye7Tj4fg7u1xKQe4zzzl9jzhNImDbg==\n-----END EC PRIVATE KEY-----\n" + } + }, "listeners": [ { "direction": "DIRECTION_OUTBOUND", 
@@ -110,5 +140,14 @@ } ] } - ] + ], + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + } } \ No newline at end of file From f97952b3f0172fe35af543968bf8057d215d50d4 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 16 Oct 2023 16:29:18 +0000 Subject: [PATCH 5/7] backport of commit 2de83d470fba555de31360770d383a635b33b200 --- .../controllers/xds/controller_test.go | 18 +- .../destination/l4-multi-destination.golden | 296 ++++++++++++++ ...le-destination-ip-port-bind-address.golden | 60 +-- ...estination-unix-socket-bind-address.golden | 92 +++++ .../mixed-multi-destination.golden | 371 ++++++++++++++++++ 5 files changed, 803 insertions(+), 34 deletions(-) create mode 100644 internal/mesh/internal/controllers/xds/testdata/destination/l4-multi-destination.golden create mode 100644 internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-unix-socket-bind-address.golden create mode 100644 internal/mesh/internal/controllers/xds/testdata/destination/mixed-multi-destination.golden diff --git a/internal/mesh/internal/controllers/xds/controller_test.go b/internal/mesh/internal/controllers/xds/controller_test.go index f69b908d2ba..42976387dd0 100644 --- a/internal/mesh/internal/controllers/xds/controller_test.go +++ b/internal/mesh/internal/controllers/xds/controller_test.go @@ -1003,9 +1003,9 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() { path := "../sidecarproxy/builder/testdata" cases := []string{ "destination/l4-single-destination-ip-port-bind-address", - //"destination/l4-single-destination-unix-socket-bind-address", - //"destination/l4-multi-destination", - //"destination/mixed-multi-destination", + "destination/l4-single-destination-unix-socket-bind-address", + "destination/l4-multi-destination", + "destination/mixed-multi-destination", } for _, name := range cases { 
@@ -1090,8 +1090,18 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() { require.NotNil(suite.T(), proxyStateTemplate) reconciledPS := suite.updater.Get(proxyStateTemplate.Id.Name) - actual := prototest.ProtoToJSON(suite.T(), reconciledPS) + // Verify leaf cert contents then hard code them for comparison + // and downstream tests since they change from test run to test run. + require.NotEmpty(suite.T(), reconciledPS.LeafCertificates) + reconciledPS.LeafCertificates = map[string]*pbproxystate.LeafCertificate{ + "test-identity": { + Cert: "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + Key: "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n", + }, + } + + actual := prototest.ProtoToJSON(suite.T(), reconciledPS) expected := golden.Get(suite.T(), actual, name+".golden") require.JSONEq(suite.T(), expected, actual) 
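Review bot: The block under `// Verify leaf cert contents then hard code them` checks only `require.NotEmpty(suite.T(), reconciledPS.LeafCertificates)` before replacing the whole map, so nothing about the generated leaf (its map key, that the certificate parses, its SPIFFE URI) is verified, and the golden comparison can no longer detect a regression there. The replacement also commits a PEM `EC PRIVATE KEY` to the test source and to every golden file in this patch; even for a throwaway test identity this triggers secret scanners and makes a real key leak harder to spot in review. Since the value only has to be stable, assert on the generated entry first, for example `require.Contains(suite.T(), reconciledPS.LeafCertificates, "test-identity")`, and then substitute an obviously fake constant such as `Cert: "TEST-CERT-PLACEHOLDER", Key: "TEST-KEY-PLACEHOLDER"`, regenerating the golden files to match. The enclosing subtest closure starts outside the hunk.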
diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-multi-destination.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-multi-destination.golden new file mode 100644 index 00000000000..50589a07020 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-multi-destination.golden 
@@ -0,0 +1,296 @@ +{ + "clusters": { + "null_route_cluster": { + "endpointGroup": { + "static": { + "config": { + "connectTimeout": "10s" + } + } + }, + "name": "null_route_cluster" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "tcp2.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + 
"name": "tcp2.api-1.default.dc1.internal.foo.consul" + }, + "tcp2.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp2.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "routers": [ + { + "l4": { + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + }, + { + "direction": "DIRECTION_OUTBOUND", + "name": "default/local/default/api-2:tcp:/path/to/socket", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-2.default.default.dc1" + } + } + ], + "unixSocket": { + "mode": "0666", + "path": "/path/to/socket" + } + }, + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 2345 + }, + "name": "default/local/default/api-1:tcp2:1.1.1.1:2345", + "routers": [ + { + "l4": { + 
"statPrefix": "upstream.tcp2.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp2.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp2.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + }, + { + "direction": "DIRECTION_OUTBOUND", + "name": "default/local/default/api-2:tcp2:/path/to/socket", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp2.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp2.api-2.default.default.dc1" + } + } + ], + "unixSocket": { + "mode": "0666", + "path": "/path/to/socket" + } + } + ], + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN 
CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden index d63cfb62cd0..a1e052854d7 100644 --- a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-ip-port-bind-address.golden 
@@ -65,30 +65,6 @@ "name": "tcp.api-2.default.dc1.internal.foo.consul" } }, - "endpoints": { - "tcp.api-1.default.dc1.internal.foo.consul": { - "endpoints": [ - { - "healthStatus": "HEALTH_STATUS_HEALTHY", - "hostPort": { - "host": "10.1.1.1", - "port": 20000 - } - } - ] - }, - "tcp.api-2.default.dc1.internal.foo.consul": { - "endpoints": [ - { - "healthStatus": "HEALTH_STATUS_HEALTHY", - "hostPort": { - "host": "10.1.1.1", - "port": 20000 - } - } - ] - } - }, "identity": { "name": "test-identity", "tenancy": { @@ -102,12 +78,6 @@ "kind": "WorkloadIdentity" } }, - "leafCertificates": { - "test-identity": { - "cert": "-----BEGIN CERTIFICATE-----\nMIICDzCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTU0MzQxWhcNMjMxMDE2MTU1MzQxWjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAECjAS1priKKg5DX2byiWj7rP/javtusIwUXXNZjLcL93d\nt1/TJ3BeGQjcye7Tj4fg7u1xKQe4zzzl9jzhNImDbqOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQgm9EL7d6QLgSa4XcBMrJe254kOIyY4qeEG1XkyHxgNqgw\nKwYDVR0jBCQwIoAgrxX5IdfjyCYUhGtC4FxnuPtk2WpVnEJvN7Tb+0dORfcwbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNIADBFAiEAsQylgvCf1TuK7Efng1VZ\nlYyP8fHV3ndNjq7DxGHBp9kCIHkDszWused6R5GAsRBNp3nwzK7fGWncrEQJGetp\nCNtQ\n-----END CERTIFICATE-----\n", - "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIPYFUcC4ZIeQRE/PfF7DsK5CeL4uEh2C6aFIyLYg2734oAoGCCqGSM49\nAwEHoUQDQgAECjAS1priKKg5DX2byiWj7rP/javtusIwUXXNZjLcL93dt1/TJ3Be\nGQjcye7Tj4fg7u1xKQe4zzzl9jzhNImDbg==\n-----END EC PRIVATE KEY-----\n" - } - }, "listeners": [ { "direction": "DIRECTION_OUTBOUND", 
@@ -141,6 +111,30 @@ ] } ], + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, "trustBundles": { "local": { "roots": [ @@ -149,5 +143,11 @@ ], "trustDomain": "some-trust-domain" } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } } } \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-unix-socket-bind-address.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-unix-socket-bind-address.golden new file mode 100644 index 00000000000..99a94f7efff --- /dev/null 
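Review bot: The `leafCertificates` block added in the last hunk of this golden file embeds a complete EC private key beside its certificate. The earlier hunk in the same file removes a different pair, so the key material appears to be rewritten each time the fixtures are regenerated. The identical new pair is repeated in the other `.golden` files under `xds/testdata/destination/` in this series. Committed key blocks trip secret scanners and train reviewers to wave such findings through; whether the golden comparison needs these bytes at all is not visible from here. I would either blank the field before comparing or pin one clearly labelled throwaway key, and note it beside the test, e.g. `// leafCertificates in testdata/*.golden hold a throwaway test key; never reuse outside tests`, with a matching scanner allowlist entry for the fixture path.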
+++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-destination-unix-socket-bind-address.golden 
@@ -0,0 +1,92 @@ +{ + "clusters": { + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "name": "default/local/default/api-2:tcp:/path/to/socket", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-2.default.default.dc1" + } + } + ], + "unixSocket": { + "mode": "0666", + "path": "/path/to/socket" + } + } + ], + "endpoints": { + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN 
CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/mixed-multi-destination.golden b/internal/mesh/internal/controllers/xds/testdata/destination/mixed-multi-destination.golden new file mode 100644 index 00000000000..7c5cab23d23 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/mixed-multi-destination.golden 
@@ -0,0 +1,371 @@ +{ + "clusters": { + "http.api-1.default.dc1.internal.foo.consul": { + "altStatName": "http.api-1.default.dc1.internal.foo.consul", + "failoverGroup": { + "config": { + "connectTimeout": "55s", + "useAltStatName": true + }, + "endpointGroups": [ + { + "dynamic": { + "config": { + "connectTimeout": "55s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "backup-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/backup1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + }, + "name": "failover-target~0~http.api-1.default.dc1.internal.foo.consul" + } + ] + }, + "name": "http.api-1.default.dc1.internal.foo.consul" + }, + "http.api-2.default.dc1.internal.foo.consul": { + "altStatName": "http.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "http.api-2.default.dc1.internal.foo.consul" + }, + "null_route_cluster": { + "endpointGroup": { + "static": { + "config": { + "connectTimeout": 
"10s" + } + } + }, + "name": "null_route_cluster" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "routers": [ + { + "l4": { + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + 
"name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + }, + { + "direction": "DIRECTION_OUTBOUND", + "name": "default/local/default/api-2:tcp:/path/to/socket", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-2.default.default.dc1" + } + } + ], + "unixSocket": { + "mode": "0666", + "path": "/path/to/socket" + } + }, + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:http:1.1.1.1:1234", + "routers": [ + { + "l7": { + "route": { + "name": "default/local/default/api-1:http:1.1.1.1:1234" + }, + "statPrefix": "upstream." + } + } + ] + } + ], + "routes": { + "default/local/default/api-1:http:1.1.1.1:1234": { + "virtualHosts": [ + { + "name": "default/local/default/api-1:http:1.1.1.1:1234", + "routeRules": [ + { + "destination": { + "destinationConfiguration": { + "timeoutConfig": { + "timeout": "77s" + } + }, + "weightedClusters": { + "clusters": [ + { + "name": "http.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "http.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + }, + "match": { + "pathMatch": { + "prefix": "/split" + } + } + }, + { + "destination": { + "cluster": { + "name": "http.api-1.default.dc1.internal.foo.consul" + }, + "destinationConfiguration": { + "retryPolicy": { + "numRetries": 4, + "retryOn": "connect-failure" + }, + "timeoutConfig": { + "timeout": "606s" + } + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + }, + { + "destination": { + "cluster": { + "name": "null_route_cluster" + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + } + ] + } + ] + } + }, + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } 
+ } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file From 11e6c2b0403b75d5b3a2c9ae8a4071d3072978e9 Mon Sep 17 00:00:00 2001 
From: John Murret Date: Mon, 16 Oct 2023 18:35:19 +0000 Subject: [PATCH 6/7] backport of commit c8af477a308677eacdc592d2e2896ea4e1a81ead --- .../controllers/xds/controller_test.go | 39 +- ...it-and-explicit-destinations-tproxy.golden | 182 +++++++ ...ltiple-implicit-destinations-tproxy.golden | 181 +++++++ ...-single-implicit-destination-tproxy.golden | 122 +++++ ...ltiple-implicit-destinations-tproxy.golden | 453 ++++++++++++++++++ ...-single-implicit-destination-tproxy.golden | 255 ++++++++++ ...tion-with-multiple-workloads-tproxy.golden | 255 ++++++++++ 7 files changed, 1462 insertions(+), 25 deletions(-) create mode 100644 internal/mesh/internal/controllers/xds/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden create mode 100644 internal/mesh/internal/controllers/xds/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden create mode 100644 internal/mesh/internal/controllers/xds/testdata/destination/l4-single-implicit-destination-tproxy.golden create mode 100644 internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden create mode 100644 internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden create mode 100644 internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden diff --git a/internal/mesh/internal/controllers/xds/controller_test.go b/internal/mesh/internal/controllers/xds/controller_test.go index 42976387dd0..4f0f8a4f86e 100644 --- a/internal/mesh/internal/controllers/xds/controller_test.go +++ b/internal/mesh/internal/controllers/xds/controller_test.go 
@@ -999,13 +999,24 @@ func TestXdsController(t *testing.T) {
 suite.Run(t, new(xdsControllerTestSuite))
 }
 
-func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() {
+func (suite *xdsControllerTestSuite) TestReconcile_SidecarProxyGoldenFileInputs() {
 path := "../sidecarproxy/builder/testdata"
 cases := []string{
+ // destinations
 "destination/l4-single-destination-ip-port-bind-address",
 "destination/l4-single-destination-unix-socket-bind-address",
+ "destination/l4-single-implicit-destination-tproxy",
 "destination/l4-multi-destination",
- "destination/mixed-multi-destination",
+ "destination/l4-multiple-implicit-destinations-tproxy",
+ "destination/l4-implicit-and-explicit-destinations-tproxy",
+ // TODO(jm): resolve the endpoint group naming issue
+ //"destination/mixed-multi-destination",
+ "destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy",
+ "destination/multiport-l4-and-l7-single-implicit-destination-tproxy",
+ "destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy",
+
+ //sources
+
 }
 
 for _, name := range cases {
@@ -1021,7 +1032,7 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() {
 
 // get service name and ports
 for name := range pst.ProxyState.Clusters {
- if name == "null_route_cluster" {
+ if name == "null_route_cluster" || name == "original-destination" {
 continue
 }
 vp++
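Review bot: The case list now carries a disabled entry, `//"destination/mixed-multi-destination",`, behind a TODO that names no tracking issue. The series adds `mixed-multi-destination.golden` under `xds/testdata/destination/`, so that fixture stays in the tree without this test exercising it. I would make the TODO actionable, e.g. `// TODO(jm): re-enable once <issue-id> (endpoint group naming) is resolved`, so the gap in coverage is not forgotten. The trailing `//sources` header surrounded by blank lines has no cases under it; either drop it or turn it into `// TODO: add source cases`. The test function's body continues outside this hunk.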
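Review bot: The skip condition in the cluster loop now compares `name` against two bare string literals, and each new synthetic cluster will lengthen the `||` chain. A small set declared once reads better and keeps the names in one place: `skip := map[string]bool{"null_route_cluster": true, "original-destination": true}` followed by `if skip[name] { continue }`. A one-line comment on why these two are excluded would help, presumably because no service sits behind them, though that is not shown in the hunk. The loop body continues outside this hunk.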
@@ -1109,28 +1120,6 @@ func (suite *xdsControllerTestSuite) TestBuildExplicitDestinations() {
 }
 }
 
-func (suite *xdsControllerTestSuite) TestBuildImplicitDestinations() {
-
- cases := []string{
- "destination/l4-single-implicit-destination-tproxy",
- "destination/l4-multiple-implicit-destinations-tproxy",
- "destination/l4-implicit-and-explicit-destinations-tproxy",
- }
-
- for _, name := range cases {
- suite.Run(name, func() {
- //proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", false, proxyCfg).
- // BuildDestinations(c.destinations).
- // Build()
- //
- //actual := protoToJSON(t, proxyTmpl)
- //expected := golden.Get(t, actual, name+".golden")
- //
- //require.JSONEq(t, expected, actual)
- })
- }
-}
-
 func JSONToProxyTemplate(t *testing.T, json []byte) *pbmesh.ProxyStateTemplate {
 t.Helper()
 proxyTemplate := &pbmesh.ProxyStateTemplate{}
diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden
new file mode 100644
index 00000000000..45b981a955d
--- /dev/null
+++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden
@@ -0,0 +1,182 @@ +{ + "clusters": { + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "statPrefix": 
"upstream.tcp.api-1.default.default.dc1" + } + } + ] + }, + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-2.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN 
CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 00000000000..42561f15e7e --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden 
@@ -0,0 +1,181 @@ +{ + "clusters": { + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": 
"outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-1.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp.api-2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-2.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN 
CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-implicit-destination-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-implicit-destination-tproxy.golden new file mode 100644 index 00000000000..6735fc7de59 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/l4-single-implicit-destination-tproxy.golden 
@@ -0,0 +1,122 @@ +{ + "clusters": { + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-1.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-1.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-1.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-1.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "endpoints": { + "tcp.api-1.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + 
"trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 00000000000..47911d19a9c --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden 
@@ -0,0 +1,453 @@ +{ + "clusters": { + "http.api-app.default.dc1.internal.foo.consul": { + "altStatName": "http.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "http.api-app.default.dc1.internal.foo.consul" + }, + "http.api-app2.default.dc1.internal.foo.consul": { + "altStatName": "http.api-app2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "http.api-app2.default.dc1.internal.foo.consul" + }, + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + 
"trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "tcp.api-app2.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-app2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-app2.default.dc1.internal.foo.consul" + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + }, + "tcp2.api-app2.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-app2.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app2.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": 
"tcp2.api-app2.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp.api-app2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-app2.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + } + }, + { + "l7": { + "route": { + "name": "default/local/default/api-app" + }, + "statPrefix": "upstream." + }, + "match": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l7": { + "route": { + "name": "default/local/default/api-app2" + }, + "statPrefix": "upstream." 
+ }, + "match": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp2.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp2.api-app2.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp2.api-app2.default.default.dc1" + }, + "match": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "routes": { + "default/local/default/api-app": { + "virtualHosts": [ + { + "name": "default/local/default/api-app", + "routeRules": [ + { + "destination": { + "cluster": { + "name": "http.api-app.default.dc1.internal.foo.consul" + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + } + ] + } + ] + }, + "default/local/default/api-app2": { + "virtualHosts": [ + { + "name": "default/local/default/api-app2", + "routeRules": [ + { + "destination": { + "cluster": { + "name": "http.api-app2.default.dc1.internal.foo.consul" + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + } + ] + } + ] + } + }, + "endpoints": { + "tcp.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp.api-app2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", 
+ "port": 20000 + } + } + ] + }, + "tcp2.api-app2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "http.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "http.api-app2.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file 
diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden new file mode 100644 index 00000000000..b4e04bd0991 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden 
@@ -0,0 +1,255 @@ +{ + "clusters": { + "http.api-app.default.dc1.internal.foo.consul": { + "altStatName": "http.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "http.api-app.default.dc1.internal.foo.consul" + }, + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + 
"trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l7": { + "route": { + "name": "default/local/default/api-app" + }, + "statPrefix": "upstream." 
+ }, + "match": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp2.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "routes": { + "default/local/default/api-app": { + "virtualHosts": [ + { + "name": "default/local/default/api-app", + "routeRules": [ + { + "destination": { + "cluster": { + "name": "http.api-app.default.dc1.internal.foo.consul" + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + } + ] + } + ] + } + }, + "endpoints": { + "tcp.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "http.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN 
CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file diff --git a/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden new file mode 100644 index 00000000000..b4e04bd0991 --- /dev/null +++ b/internal/mesh/internal/controllers/xds/testdata/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden 
@@ -0,0 +1,255 @@ +{ + "clusters": { + "http.api-app.default.dc1.internal.foo.consul": { + "altStatName": "http.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~http" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "http.api-app.default.dc1.internal.foo.consul" + }, + "original-destination": { + "endpointGroup": { + "passthrough": { + "config": { + "connectTimeout": "5s" + } + } + }, + "name": "original-destination" + }, + "tcp.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + "trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "altStatName": "tcp2.api-app.default.dc1.internal.foo.consul", + "endpointGroup": { + "dynamic": { + "config": { + "connectTimeout": "5s", + "disablePanicThreshold": true + }, + "outboundTls": { + "alpnProtocols": [ + "consul~tcp2" + ], + "outboundMesh": { + "identityKey": "test-identity", + "sni": "api-app.default.dc1.internal.foo.consul", + "validationContext": { + "spiffeIds": [ + "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + ], + 
"trustBundlePeerNameKey": "local" + } + } + } + } + }, + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + }, + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_TRANSPARENT" + ], + "defaultRouter": { + "l4": { + "cluster": { + "name": "original-destination" + }, + "statPrefix": "upstream.original-destination" + } + }, + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "127.0.0.1", + "port": 15001 + }, + "name": "outbound_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l7": { + "route": { + "name": "default/local/default/api-app" + }, + "statPrefix": "upstream." 
+ }, + "match": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + }, + { + "l4": { + "cluster": { + "name": "tcp2.api-app.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp2.api-app.default.default.dc1" + }, + "match": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + } + } + ] + } + ], + "routes": { + "default/local/default/api-app": { + "virtualHosts": [ + { + "name": "default/local/default/api-app", + "routeRules": [ + { + "destination": { + "cluster": { + "name": "http.api-app.default.dc1.internal.foo.consul" + } + }, + "match": { + "pathMatch": { + "prefix": "/" + } + } + } + ] + } + ] + } + }, + "endpoints": { + "tcp.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "tcp2.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + }, + "http.api-app.default.dc1.internal.foo.consul": { + "endpoints": [ + { + "healthStatus": "HEALTH_STATUS_HEALTHY", + "hostPort": { + "host": "10.1.1.1", + "port": 20000 + } + } + ] + } + }, + "trustBundles": { + "local": { + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN 
CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } +} \ No newline at end of file From 5839e295e9127940650ec3fb577d9ae3cd9cab83 Mon Sep 17 00:00:00 2001 
From: John Murret Date: Tue, 24 Oct 2023 10:23:27 -0600 Subject: [PATCH 7/7] NET-6080 - xds controller golden file inputs into xds resources - destinations (#19244) * NET-5397 - wire up golden tests from sidecar-proxy controller for xds controller and xdsv2 * WIP * WIP * everything matching except leafCerts. need to mock those * single port destinations working except mixed destinations * golden test input to xds controller tests for destinations * proposed fix for failover group naming errors * clean up test to use helper. * clean up test to use helper. * fix test file * add docstring for test function. * add docstring for test function. * fix linting error * fixing test after route fix merged into main * first source test works * WIP * modify all source files * source tests pass * fixing tests after bug fix in main * got first destination working. * adding destinations * fix docstring for test * fixing tests after bug fix in main --- agent/xdsv2/resources_test.go | 178 +++++++---- ...it-and-explicit-destinations-tproxy.golden | 110 +++++++ .../destination/l4-multi-destination.golden | 205 ++++++++++++ ...ltiple-implicit-destinations-tproxy.golden | 110 +++++++ ...le-destination-ip-port-bind-address.golden | 109 +++++++ ...estination-unix-socket-bind-address.golden | 55 ++++ ...-single-implicit-destination-tproxy.golden | 62 ++++ .../mixed-multi-destination.golden | 157 +++++++++ ...ltiple-implicit-destinations-tproxy.golden | 302 ++++++++++++++++++ ...-single-implicit-destination-tproxy.golden | 158 +++++++++ ...tion-with-multiple-workloads-tproxy.golden | 158 +++++++++ ...it-and-explicit-destinations-tproxy.golden | 49 +++ .../destination/l4-multi-destination.golden | 91 ++++++ ...ltiple-implicit-destinations-tproxy.golden | 49 +++ ...le-destination-ip-port-bind-address.golden | 49 +++ ...estination-unix-socket-bind-address.golden | 28 ++ ...-single-implicit-destination-tproxy.golden | 28 ++ .../mixed-multi-destination.golden | 91 ++++++ 
...ltiple-implicit-destinations-tproxy.golden | 133 ++++++++ ...-single-implicit-destination-tproxy.golden | 70 ++++ ...tion-with-multiple-workloads-tproxy.golden | 70 ++++ ...-single-implicit-destination-tproxy.golden | 110 ------- ...it-and-explicit-destinations-tproxy.golden | 90 ++++++ .../destination/l4-multi-destination.golden | 137 ++++++++ ...ltiple-implicit-destinations-tproxy.golden | 86 +++++ ...le-destination-ip-port-bind-address.golden | 47 +++ ...estination-unix-socket-bind-address.golden | 32 ++ ...-single-implicit-destination-tproxy.golden | 26 +- .../mixed-multi-destination.golden | 119 +++++++ ...ltiple-implicit-destinations-tproxy.golden | 222 +++++++++++++ ...-single-implicit-destination-tproxy.golden | 125 ++++++++ ...tion-with-multiple-workloads-tproxy.golden | 125 ++++++++ ...-single-implicit-destination-tproxy.golden | 56 ---- ...it-and-explicit-destinations-tproxy.golden | 5 + .../destination/l4-multi-destination.golden | 5 + ...ltiple-implicit-destinations-tproxy.golden | 5 + ...le-destination-ip-port-bind-address.golden | 5 + ...estination-unix-socket-bind-address.golden | 5 + ...-single-implicit-destination-tproxy.golden | 5 + .../mixed-multi-destination.golden | 65 ++++ ...ltiple-implicit-destinations-tproxy.golden | 49 +++ ...-single-implicit-destination-tproxy.golden | 28 ++ ...tion-with-multiple-workloads-tproxy.golden | 28 ++ 43 files changed, 3388 insertions(+), 249 deletions(-) create mode 100644 agent/xdsv2/testdata/clusters/destination/l4-implicit-and-explicit-destinations-tproxy.golden create mode 100644 agent/xdsv2/testdata/clusters/destination/l4-multi-destination.golden create mode 100644 agent/xdsv2/testdata/clusters/destination/l4-multiple-implicit-destinations-tproxy.golden create mode 100644 agent/xdsv2/testdata/clusters/destination/l4-single-destination-ip-port-bind-address.golden create mode 100644 agent/xdsv2/testdata/clusters/destination/l4-single-destination-unix-socket-bind-address.golden create mode 100644 
agent/xdsv2/testdata/clusters/destination/l4-single-implicit-destination-tproxy.golden create mode 100644 agent/xdsv2/testdata/clusters/destination/mixed-multi-destination.golden create mode 100644 agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden create mode 100644 agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden create mode 100644 agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden create mode 100644 agent/xdsv2/testdata/endpoints/destination/l4-implicit-and-explicit-destinations-tproxy.golden create mode 100644 agent/xdsv2/testdata/endpoints/destination/l4-multi-destination.golden create mode 100644 agent/xdsv2/testdata/endpoints/destination/l4-multiple-implicit-destinations-tproxy.golden create mode 100644 agent/xdsv2/testdata/endpoints/destination/l4-single-destination-ip-port-bind-address.golden create mode 100644 agent/xdsv2/testdata/endpoints/destination/l4-single-destination-unix-socket-bind-address.golden create mode 100644 agent/xdsv2/testdata/endpoints/destination/l4-single-implicit-destination-tproxy.golden create mode 100644 agent/xdsv2/testdata/endpoints/destination/mixed-multi-destination.golden create mode 100644 agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden create mode 100644 agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden create mode 100644 agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden delete mode 100644 agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden create mode 100644 agent/xdsv2/testdata/listeners/destination/l4-implicit-and-explicit-destinations-tproxy.golden create mode 100644 
agent/xdsv2/testdata/listeners/destination/l4-multi-destination.golden create mode 100644 agent/xdsv2/testdata/listeners/destination/l4-multiple-implicit-destinations-tproxy.golden create mode 100644 agent/xdsv2/testdata/listeners/destination/l4-single-destination-ip-port-bind-address.golden create mode 100644 agent/xdsv2/testdata/listeners/destination/l4-single-destination-unix-socket-bind-address.golden rename agent/xdsv2/testdata/{output/listeners => listeners/destination}/l4-single-implicit-destination-tproxy.golden (78%) create mode 100644 agent/xdsv2/testdata/listeners/destination/mixed-multi-destination.golden create mode 100644 agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden create mode 100644 agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden create mode 100644 agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden delete mode 100644 agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden create mode 100644 agent/xdsv2/testdata/routes/destination/l4-implicit-and-explicit-destinations-tproxy.golden create mode 100644 agent/xdsv2/testdata/routes/destination/l4-multi-destination.golden create mode 100644 agent/xdsv2/testdata/routes/destination/l4-multiple-implicit-destinations-tproxy.golden create mode 100644 agent/xdsv2/testdata/routes/destination/l4-single-destination-ip-port-bind-address.golden create mode 100644 agent/xdsv2/testdata/routes/destination/l4-single-destination-unix-socket-bind-address.golden create mode 100644 agent/xdsv2/testdata/routes/destination/l4-single-implicit-destination-tproxy.golden create mode 100644 agent/xdsv2/testdata/routes/destination/mixed-multi-destination.golden create mode 100644 agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden create mode 100644 
agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden create mode 100644 agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden diff --git a/agent/xdsv2/resources_test.go b/agent/xdsv2/resources_test.go index e84e9bdb513..c1afbda705b 100644 --- a/agent/xdsv2/resources_test.go +++ b/agent/xdsv2/resources_test.go @@ -4,8 +4,11 @@ package xdsv2 import ( - "os" - "path/filepath" + "fmt" + envoy_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3" + envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" + envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" + "github.com/hashicorp/consul/internal/testing/golden" "sort" "testing" 
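Review bot: The new imports in this hunk are added inside the standard-library group: on the new side `"fmt"` is followed by the `envoy_endpoint_v3`, `envoy_route_v3` and `envoy_tls_v3` aliases and `"github.com/hashicorp/consul/internal/testing/golden"`, and only then by `"sort"` and `"testing"`. gofmt accepts this, but goimports-style grouping keeps `"fmt"`, `"sort"` and `"testing"` together and puts the Envoy and Consul packages after a blank line with the other non-stdlib imports. The import block continues past the end of this hunk, so the group the four packages belong in is presumably the existing third-party one further down; confirm against the full file.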
@@ -23,62 +26,111 @@ import (
 "google.golang.org/protobuf/proto"
 )
-func TestResources_ImplicitDestinations(t *testing.T) {
+var testTypeUrlToPrettyName = map[string]string{
+ xdscommon.ListenerType: "listeners",
+ xdscommon.RouteType: "routes",
+ xdscommon.ClusterType: "clusters",
+ xdscommon.EndpointType: "endpoints",
+ xdscommon.SecretType: "secrets",
+}
- cases := map[string]struct {
- }{
- "l4-single-implicit-destination-tproxy": {},
+// TestAllResourcesFromIR_XDSGoldenFileInputs tests the AllResourcesFromIR() by
+// using the golden test output/expected files from the XDS controller tests as
+// inputs to the XDSV2 resources generation.
+func TestAllResourcesFromIR_XDSGoldenFileInputs(t *testing.T) {
+ inputPath := "../../internal/mesh/internal/controllers/xds"
+
+ cases := []string{
+ // destinations - please add in alphabetical order
+ "destination/l4-single-destination-ip-port-bind-address",
+ "destination/l4-single-destination-unix-socket-bind-address",
+ "destination/l4-single-implicit-destination-tproxy",
+ "destination/l4-multi-destination",
+ "destination/l4-multiple-implicit-destinations-tproxy",
+ "destination/l4-implicit-and-explicit-destinations-tproxy",
+ "destination/mixed-multi-destination",
+ "destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy",
+ "destination/multiport-l4-and-l7-single-implicit-destination-tproxy",
+ "destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy",
+
+ //sources - please add in alphabetical order
+ //"source/l4-multiple-workload-addresses-with-specific-ports",
+ //"source/l4-multiple-workload-addresses-without-ports",
+ //"source/l4-single-workload-address-without-ports",
+ //"source/l7-expose-paths",
+ //"source/local-and-inbound-connections",
+ //"source/multiport-l4-multiple-workload-addresses-with-specific-ports",
+ //"source/multiport-l4-multiple-workload-addresses-without-ports",
+ //"source/multiport-l4-workload-with-only-mesh-port",
+ //"source/multiport-l7-multiple-workload-addresses-with-specific-ports",
+ //"source/multiport-l7-multiple-workload-addresses-without-ports",
+ //"source/multiport-l7-multiple-workload-addresses-without-ports",
 }
- for name := range cases {
- goldenValueInput := goldenValueJSON(t, name, "input")
-
- proxyTemplate := jsonToProxyTemplate(t, goldenValueInput)
- generator := NewResourceGenerator(testutil.Logger(t))
-
- resources, err := generator.AllResourcesFromIR(&proxytracker.ProxyState{ProxyState: proxyTemplate.ProxyState})
- require.NoError(t, err)
-
- verifyClusterResourcesToGolden(t, resources, name)
- verifyListenerResourcesToGolden(t, resources, name)
-
+ for _, name := range cases {
+ t.Run(name, func(t *testing.T) {
+ // Arrange - paths to input and output golden files.
+ testFile := fmt.Sprintf("%s.golden", name)
+ inputFilePath := fmt.Sprintf("%s/testdata/%s", inputPath, testFile)
+ inputValueInput := golden.GetBytesAtFilePath(t, inputFilePath)
+
+ // Act.
+ ps := jsonToProxyState(t, inputValueInput)
+ generator := NewResourceGenerator(testutil.Logger(t))
+ resources, err := generator.AllResourcesFromIR(&proxytracker.ProxyState{ProxyState: ps})
+ require.NoError(t, err)
+
+ // Assert.
+ // Assert all resources were generated.
+ typeUrls := []string{
+ xdscommon.ListenerType,
+ xdscommon.RouteType,
+ xdscommon.ClusterType,
+ xdscommon.EndpointType,
+ // TODO(proxystate): add in future
+ //xdscommon.SecretType,
+ }
+ require.Len(t, resources, len(typeUrls))
+
+ // Assert each resource type has actual XDS matching expected XDS.
+ for _, typeUrl := range typeUrls {
+ prettyName := testTypeUrlToPrettyName[typeUrl]
+ t.Run(prettyName, func(t *testing.T) {
+ items, ok := resources[typeUrl]
+ require.True(t, ok)
+
+ // sort resources so they don't show up as flakey tests as
+ // ordering in JSON is not guaranteed.
+ sort.Slice(items, func(i, j int) bool {
+ switch typeUrl {
+ case xdscommon.ListenerType:
+ return items[i].(*envoy_listener_v3.Listener).Name < items[j].(*envoy_listener_v3.Listener).Name
+ case xdscommon.RouteType:
+ return items[i].(*envoy_route_v3.RouteConfiguration).Name < items[j].(*envoy_route_v3.RouteConfiguration).Name
+ case xdscommon.ClusterType:
+ return items[i].(*envoy_cluster_v3.Cluster).Name < items[j].(*envoy_cluster_v3.Cluster).Name
+ case xdscommon.EndpointType:
+ return items[i].(*envoy_endpoint_v3.ClusterLoadAssignment).ClusterName < items[j].(*envoy_endpoint_v3.ClusterLoadAssignment).ClusterName
+ case xdscommon.SecretType:
+ return items[i].(*envoy_tls_v3.Secret).Name < items[j].(*envoy_tls_v3.Secret).Name
+ default:
+ panic("not possible")
+ }
+ })
+
+ // Compare actual to expected.
+ resp, err := response.CreateResponse(typeUrl, "00000001", "00000001", items)
+ require.NoError(t, err)
+ gotJSON := protoToJSON(t, resp)
+
+ expectedJSON := golden.Get(t, gotJSON, fmt.Sprintf("%s/%s", prettyName, testFile))
+ require.JSONEq(t, expectedJSON, gotJSON)
+ })
+ }
+ })
 }
 }
-func verifyClusterResourcesToGolden(t *testing.T, resources map[string][]proto.Message, testName string) {
- clusters := resources[xdscommon.ClusterType]
-
- // The order of clusters returned via CDS isn't relevant, so it's safe
- // to sort these for the purposes of test comparisons.
- sort.Slice(clusters, func(i, j int) bool {
- return clusters[i].(*envoy_cluster_v3.Cluster).Name < clusters[j].(*envoy_cluster_v3.Cluster).Name
- })
-
- resp, err := response.CreateResponse(xdscommon.ClusterType, "00000001", "00000001", clusters)
- require.NoError(t, err)
- gotJSON := protoToJSON(t, resp)
-
- expectedJSON := goldenValue(t, filepath.Join("clusters", testName), "output")
- require.JSONEq(t, expectedJSON, gotJSON)
-}
-
-func verifyListenerResourcesToGolden(t *testing.T, resources map[string][]proto.Message, testName string) {
- listeners := resources[xdscommon.ListenerType]
-
- // The order of clusters returned via CDS isn't relevant, so it's safe
- // to sort these for the purposes of test comparisons.
- sort.Slice(listeners, func(i, j int) bool {
- return listeners[i].(*envoy_listener_v3.Listener).Name < listeners[j].(*envoy_listener_v3.Listener).Name
- })
-
- resp, err := response.CreateResponse(xdscommon.ListenerType, "00000001", "00000001", listeners)
- require.NoError(t, err)
- gotJSON := protoToJSON(t, resp)
-
- expectedJSON := goldenValue(t, filepath.Join("listeners", testName), "output")
- require.JSONEq(t, expectedJSON, gotJSON)
-}
-
 func protoToJSON(t *testing.T, pb proto.Message) string {
 t.Helper()
 m := protojson.MarshalOptions{
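Review bot: The comparator passed to `sort.Slice` re-evaluates `switch typeUrl` on every comparison and its `default` branch calls `panic("not possible")`, so an unexpected type URL takes down the whole test binary instead of failing the one subtest. Resolving a name extractor once per `typeUrl` and failing through `t.Fatalf` keeps the failure attributed and the comparator short; the sketch below assumes `items` is `[]proto.Message`, as the removed helper signatures suggest. Separately, `xdscommon.SecretType` has a sort case and a pretty name but is commented out of `typeUrls` while `require.Len(t, resources, len(typeUrls))` pins the map to four entries, so the TODO has to be resolved in both places at once. The commented-out source list names `source/multiport-l7-multiple-workload-addresses-without-ports` twice, and the destination entries are not in the alphabetical order their comment asks for.

```go
require.True(t, ok)

// Resolve the sort key once per resource type; an unknown type fails this subtest only.
var nameOf func(proto.Message) string
switch typeUrl {
case xdscommon.ListenerType:
	nameOf = func(m proto.Message) string { return m.(*envoy_listener_v3.Listener).Name }
case xdscommon.RouteType:
	nameOf = func(m proto.Message) string { return m.(*envoy_route_v3.RouteConfiguration).Name }
case xdscommon.ClusterType:
	nameOf = func(m proto.Message) string { return m.(*envoy_cluster_v3.Cluster).Name }
case xdscommon.EndpointType:
	nameOf = func(m proto.Message) string { return m.(*envoy_endpoint_v3.ClusterLoadAssignment).ClusterName }
case xdscommon.SecretType:
	nameOf = func(m proto.Message) string { return m.(*envoy_tls_v3.Secret).Name }
default:
	t.Fatalf("no sort key for type URL %q", typeUrl)
}
sort.Slice(items, func(i, j int) bool { return nameOf(items[i]) < nameOf(items[j]) })
// … unchanged: CreateResponse, protoToJSON and the golden comparison …
```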
@@ -89,25 +141,11 @@ func protoToJSON(t *testing.T, pb proto.Message) string {
 return string(gotJSON)
 }
-func jsonToProxyTemplate(t *testing.T, json []byte) *meshv2beta1.ProxyStateTemplate {
+func jsonToProxyState(t *testing.T, json []byte) *meshv2beta1.ProxyState {
 t.Helper()
 um := protojson.UnmarshalOptions{}
- proxyTemplate := &meshv2beta1.ProxyStateTemplate{}
- err := um.Unmarshal(json, proxyTemplate)
- require.NoError(t, err)
- return proxyTemplate
-}
-
-func goldenValueJSON(t *testing.T, goldenFile, inputOutput string) []byte {
- t.Helper()
- goldenPath := filepath.Join("testdata", inputOutput, goldenFile) + ".golden"
-
- content, err := os.ReadFile(goldenPath)
+ ps := &meshv2beta1.ProxyState{}
+ err := um.Unmarshal(json, ps)
 require.NoError(t, err)
- return content
-}
-
-func goldenValue(t *testing.T, goldenFile, inputOutput string) string {
- t.Helper()
- return string(goldenValueJSON(t, goldenFile, inputOutput))
+ return ps
 }
diff --git a/agent/xdsv2/testdata/clusters/destination/l4-implicit-and-explicit-destinations-tproxy.golden b/agent/xdsv2/testdata/clusters/destination/l4-implicit-and-explicit-destinations-tproxy.golden
new file mode 100644
index 00000000000..089bfb7c200
--- /dev/null
+++ b/agent/xdsv2/testdata/clusters/destination/l4-implicit-and-explicit-destinations-tproxy.golden
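Review bot: `jsonToProxyState` carries no comment, and the zero-value `protojson.UnmarshalOptions{}` matters more than it looks. With `DiscardUnknown` left false, any field in the controller's golden file that `ProxyState` does not define fails the test, which is the behaviour you want when one test's output feeds another. I would record that above the function with `// jsonToProxyState decodes a protojson-encoded ProxyState golden file, failing the test on any decode error, including unknown fields.` The parameter name `json` also reads like the standard package name; `data` or `raw` would be clearer.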
@@ -0,0 +1,110 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "original-destination", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-1.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-2.default.dc1.internal.foo.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/clusters/destination/l4-multi-destination.golden b/agent/xdsv2/testdata/clusters/destination/l4-multi-destination.golden new file mode 100644 index 00000000000..c88d7770d85 --- /dev/null +++ b/agent/xdsv2/testdata/clusters/destination/l4-multi-destination.golden 
@@ -0,0 +1,205 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "null_route_cluster", + "type": "STATIC", + "connectTimeout": "10s" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + 
"matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-1.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + 
"matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-2.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp2.api-1.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + 
"matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp2" + ] + }, + "sni": "api-1.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp2.api-2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + 
"matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp2" + ] + }, + "sni": "api-2.default.dc1.internal.foo.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/clusters/destination/l4-multiple-implicit-destinations-tproxy.golden b/agent/xdsv2/testdata/clusters/destination/l4-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 00000000000..089bfb7c200 --- /dev/null +++ b/agent/xdsv2/testdata/clusters/destination/l4-multiple-implicit-destinations-tproxy.golden 
@@ -0,0 +1,110 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "original-destination", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-1.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-2.default.dc1.internal.foo.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/clusters/destination/l4-single-destination-ip-port-bind-address.golden b/agent/xdsv2/testdata/clusters/destination/l4-single-destination-ip-port-bind-address.golden new file mode 100644 index 00000000000..293416e3737 --- /dev/null +++ b/agent/xdsv2/testdata/clusters/destination/l4-single-destination-ip-port-bind-address.golden 
@@ -0,0 +1,109 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "null_route_cluster", + "type": "STATIC", + "connectTimeout": "10s" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + 
"matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-1.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + 
"matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-2.default.dc1.internal.foo.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/clusters/destination/l4-single-destination-unix-socket-bind-address.golden b/agent/xdsv2/testdata/clusters/destination/l4-single-destination-unix-socket-bind-address.golden new file mode 100644 index 00000000000..742dbd0ea83 --- /dev/null +++ b/agent/xdsv2/testdata/clusters/destination/l4-single-destination-unix-socket-bind-address.golden 
@@ -0,0 +1,55 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + 
"sni": "api-2.default.dc1.internal.foo.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/clusters/destination/l4-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/clusters/destination/l4-single-implicit-destination-tproxy.golden new file mode 100644 index 00000000000..0c86051ad7d --- /dev/null +++ b/agent/xdsv2/testdata/clusters/destination/l4-single-implicit-destination-tproxy.golden 
@@ -0,0 +1,62 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "original-destination", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-1.default.dc1.internal.foo.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/clusters/destination/mixed-multi-destination.golden b/agent/xdsv2/testdata/clusters/destination/mixed-multi-destination.golden new file mode 100644 index 00000000000..280f42b8581 --- /dev/null +++ b/agent/xdsv2/testdata/clusters/destination/mixed-multi-destination.golden 
@@ -0,0 +1,157 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "http.api-2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~http" + ] + }, + 
"sni": "api-2.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "null_route_cluster", + "type": "STATIC", + "connectTimeout": "10s" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ 
+ { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-1.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + 
"exact": "spiffe://foo.consul/ap/default/ns/default/identity/api2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-2.default.dc1.internal.foo.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden b/agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 00000000000..ec39ef35787 --- /dev/null +++ b/agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden 
@@ -0,0 +1,302 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "http.api-app.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + } + ] + }, + "alpnProtocols": [ + "consul~http" + ] + 
}, + "sni": "api-app.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "http.api-app2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~http" + ] + 
}, + "sni": "api-app2.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "original-destination", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-app.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-app.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-app2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-app2.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp2.api-app.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp2" + ] + }, + "sni": "api-app.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp2.api-app2.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp2" + ] + }, + "sni": "api-app2.default.dc1.internal.foo.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden new file mode 100644 index 00000000000..d8cad46e790 --- /dev/null +++ b/agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden 
@@ -0,0 +1,158 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "http.api-app.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + } + ] + }, + "alpnProtocols": [ + "consul~http" + ] + 
}, + "sni": "api-app.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "original-destination", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-app.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-app.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp2.api-app.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp2" + ] + }, + "sni": "api-app.default.dc1.internal.foo.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden b/agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden new file mode 100644 index 00000000000..d8cad46e790 --- /dev/null +++ b/agent/xdsv2/testdata/clusters/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden 
@@ -0,0 +1,158 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "http.api-app.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + } + ] + }, + "alpnProtocols": [ + "consul~http" + ] + 
}, + "sni": "api-app.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "original-destination", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp.api-app.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp" + ] + }, + "sni": "api-app.default.dc1.internal.foo.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "tcp2.api-app.default.dc1.internal.foo.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity" + } + ] + }, + "alpnProtocols": [ + "consul~tcp2" + ] + }, + "sni": "api-app.default.dc1.internal.foo.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/endpoints/destination/l4-implicit-and-explicit-destinations-tproxy.golden b/agent/xdsv2/testdata/endpoints/destination/l4-implicit-and-explicit-destinations-tproxy.golden new file mode 100644 index 00000000000..f7d569dc226 --- /dev/null +++ b/agent/xdsv2/testdata/endpoints/destination/l4-implicit-and-explicit-destinations-tproxy.golden @@ -0,0 +1,49 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/endpoints/destination/l4-multi-destination.golden b/agent/xdsv2/testdata/endpoints/destination/l4-multi-destination.golden new file mode 100644 index 00000000000..f8bca7ea321 --- /dev/null +++ b/agent/xdsv2/testdata/endpoints/destination/l4-multi-destination.golden 
@@ -0,0 +1,91 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp2.api-1.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp2.api-2.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/endpoints/destination/l4-multiple-implicit-destinations-tproxy.golden b/agent/xdsv2/testdata/endpoints/destination/l4-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 00000000000..f7d569dc226 --- /dev/null +++ b/agent/xdsv2/testdata/endpoints/destination/l4-multiple-implicit-destinations-tproxy.golden 
@@ -0,0 +1,49 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/endpoints/destination/l4-single-destination-ip-port-bind-address.golden b/agent/xdsv2/testdata/endpoints/destination/l4-single-destination-ip-port-bind-address.golden new file mode 100644 index 00000000000..f7d569dc226 --- /dev/null +++ b/agent/xdsv2/testdata/endpoints/destination/l4-single-destination-ip-port-bind-address.golden 
@@ -0,0 +1,49 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/endpoints/destination/l4-single-destination-unix-socket-bind-address.golden b/agent/xdsv2/testdata/endpoints/destination/l4-single-destination-unix-socket-bind-address.golden new file mode 100644 index 00000000000..8075b842d96 --- /dev/null +++ b/agent/xdsv2/testdata/endpoints/destination/l4-single-destination-unix-socket-bind-address.golden @@ -0,0 +1,28 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file 
diff --git a/agent/xdsv2/testdata/endpoints/destination/l4-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/endpoints/destination/l4-single-implicit-destination-tproxy.golden new file mode 100644 index 00000000000..333765ea0cb --- /dev/null +++ b/agent/xdsv2/testdata/endpoints/destination/l4-single-implicit-destination-tproxy.golden @@ -0,0 +1,28 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/endpoints/destination/mixed-multi-destination.golden b/agent/xdsv2/testdata/endpoints/destination/mixed-multi-destination.golden new file mode 100644 index 00000000000..e22812cafe4 --- /dev/null +++ b/agent/xdsv2/testdata/endpoints/destination/mixed-multi-destination.golden 
@@ -0,0 +1,91 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "http.api-1.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "http.api-2.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-1.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-2.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden b/agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 00000000000..56ff9fb5884 --- /dev/null 
+++ b/agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden 
@@ -0,0 +1,133 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "http.api-app.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "http.api-app2.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-app.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-app2.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp2.api-app.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp2.api-app2.default.dc1.internal.foo.consul", + 
"endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden new file mode 100644 index 00000000000..52f227f9d4b --- /dev/null +++ b/agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden 
@@ -0,0 +1,70 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "http.api-app.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-app.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp2.api-app.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden b/agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden new file mode 100644 index 00000000000..52f227f9d4b --- /dev/null +++ b/agent/xdsv2/testdata/endpoints/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden 
@@ -0,0 +1,70 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "http.api-app.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp.api-app.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "tcp2.api-app.default.dc1.internal.foo.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.1.1.1", + "portValue": 20000 + } + } + }, + "healthStatus": "HEALTHY" + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden deleted file mode 100644 index feaa68bd3c2..00000000000 --- a/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden +++ /dev/null 
@@ -1,110 +0,0 @@ -{ - "proxyState": { - "identity": { - "tenancy": { - "partition": "default", - "namespace": "default", - "peerName": "local" - }, - "name": "test-identity" - }, - "listeners": [ - { - "name": "outbound_listener", - "direction": "DIRECTION_OUTBOUND", - "hostPort": { - "host": "127.0.0.1", - "port": 15001 - }, - "routers": [ - { - "match": { - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ], - "destinationPort": 8080 - }, - "l4": { - "cluster": { - "name": "tcp.api-1.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-1.default.default.dc1" - } - } - ], - "capabilities": [ - "CAPABILITY_TRANSPARENT" - ], - "defaultRouter": { - "l4": { - "cluster": { - "name": "original-destination" - }, - "statPrefix": "upstream.original-destination" - } - } - } - ], - "clusters": { - "tcp.api-1.default.dc1.internal.foo.consul": { - "endpointGroup": { - "dynamic": { - "config": { - "disablePanicThreshold": true - }, - "outboundTls": { - "outboundMesh": { - "identityKey": "test-identity", - "validationContext": { - "spiffeIds": [ - "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - ], - "trustBundlePeerNameKey": "local" - }, - "sni": "api-1.default.dc1.internal.foo.consul" - }, - "alpnProtocols": [ - "consul~tcp" - ] - } - } - } - } - }, - "leafCertificates": { - "test-identity": { - "cert": "cert1", - "key": "key1" - } - }, - "trustBundles": { - "local": { - "trustDomain": "foo.consul", - "roots": [ - "root1" - ] - } - } - }, - "requiredEndpoints": { - "api-1.default.dc1.internal.foo.consul": { - "id": { - "name": "api-1", - "type": { - "group": "catalog", - "groupVersion": "v1alpha1", - "kind": "ServiceEndpoints" - }, - "tenancy": { - "partition": "default", - "namespace": "default", - "peerName": "local" - } - }, - "port": "mesh" - } - } -} \ No newline at end of file 
diff --git a/agent/xdsv2/testdata/listeners/destination/l4-implicit-and-explicit-destinations-tproxy.golden b/agent/xdsv2/testdata/listeners/destination/l4-implicit-and-explicit-destinations-tproxy.golden new file mode 100644 index 00000000000..35304ea0d7f --- /dev/null +++ b/agent/xdsv2/testdata/listeners/destination/l4-implicit-and-explicit-destinations-tproxy.golden 
@@ -0,0 +1,90 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "address": { + "socketAddress": { + "address": "1.1.1.1", + "portValue": 1234 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "cluster": "tcp.api-1.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "outbound_listener", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 15001 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-2.default.default.dc1", + "cluster": "tcp.api-2.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "defaultFilterChain": { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.original-destination", + "cluster": "original-destination" + } + } + ] + }, + "listenerFilters": [ + { + "name": "envoy.filters.listener.original_dst", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst" + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + 
"nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/listeners/destination/l4-multi-destination.golden b/agent/xdsv2/testdata/listeners/destination/l4-multi-destination.golden new file mode 100644 index 00000000000..105b508ef52 --- /dev/null +++ b/agent/xdsv2/testdata/listeners/destination/l4-multi-destination.golden 
@@ -0,0 +1,137 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "default/local/default/api-1:tcp2:1.1.1.1:2345", + "address": { + "socketAddress": { + "address": "1.1.1.1", + "portValue": 2345 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp2.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp2.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp2.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "address": { + "socketAddress": { + "address": "1.1.1.1", + "portValue": 1234 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "default/local/default/api-2:tcp2:/path/to/socket", + "address": { + "pipe": { + "path": "/path/to/socket", + "mode": 438 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": 
"type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp2.api-2.default.default.dc1", + "cluster": "tcp2.api-2.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "default/local/default/api-2:tcp:/path/to/socket", + "address": { + "pipe": { + "path": "/path/to/socket", + "mode": 438 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-2.default.default.dc1", + "cluster": "tcp.api-2.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/listeners/destination/l4-multiple-implicit-destinations-tproxy.golden b/agent/xdsv2/testdata/listeners/destination/l4-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 00000000000..7901233ae95 --- /dev/null +++ b/agent/xdsv2/testdata/listeners/destination/l4-multiple-implicit-destinations-tproxy.golden 
@@ -0,0 +1,86 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "outbound_listener", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 15001 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "cluster": "tcp.api-1.default.dc1.internal.foo.consul" + } + } + ] + }, + { + "filterChainMatch": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-2.default.default.dc1", + "cluster": "tcp.api-2.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "defaultFilterChain": { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.original-destination", + "cluster": "original-destination" + } + } + ] + }, + "listenerFilters": [ + { + "name": "envoy.filters.listener.original_dst", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst" + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file 
diff --git a/agent/xdsv2/testdata/listeners/destination/l4-single-destination-ip-port-bind-address.golden b/agent/xdsv2/testdata/listeners/destination/l4-single-destination-ip-port-bind-address.golden new file mode 100644 index 00000000000..5f78003e3fd --- /dev/null +++ b/agent/xdsv2/testdata/listeners/destination/l4-single-destination-ip-port-bind-address.golden @@ -0,0 +1,47 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "address": { + "socketAddress": { + "address": "1.1.1.1", + "portValue": 1234 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/listeners/destination/l4-single-destination-unix-socket-bind-address.golden b/agent/xdsv2/testdata/listeners/destination/l4-single-destination-unix-socket-bind-address.golden new file mode 100644 index 00000000000..cf468d7fbbc --- /dev/null +++ b/agent/xdsv2/testdata/listeners/destination/l4-single-destination-unix-socket-bind-address.golden 
@@ -0,0 +1,32 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "default/local/default/api-2:tcp:/path/to/socket", + "address": { + "pipe": { + "path": "/path/to/socket", + "mode": 438 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-2.default.default.dc1", + "cluster": "tcp.api-2.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/output/listeners/l4-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/listeners/destination/l4-single-implicit-destination-tproxy.golden similarity index 78% rename from agent/xdsv2/testdata/output/listeners/l4-single-implicit-destination-tproxy.golden rename to agent/xdsv2/testdata/listeners/destination/l4-single-implicit-destination-tproxy.golden index d34b4e61079..ce759b6b021 100644 --- a/agent/xdsv2/testdata/output/listeners/l4-single-implicit-destination-tproxy.golden +++ b/agent/xdsv2/testdata/listeners/destination/l4-single-implicit-destination-tproxy.golden @@ -10,22 +10,10 @@ "portValue": 15001 } }, - "defaultFilterChain": { - "filters": [ - { - "name": "envoy.filters.network.tcp_proxy", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "cluster": "original-destination", - "statPrefix": "upstream.original-destination" - } - } - ] - }, "filterChains": [ { "filterChainMatch": { - "destinationPort": 8080, + "destinationPort": 7070, "prefixRanges": [ { "addressPrefix": "1.1.1.1", 
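Review bot: The pipe address in `l4-single-destination-unix-socket-bind-address.golden` is emitted with `"mode": 438`, which is decimal for octal 0666, so the golden pins a listener socket that any local user on the host can connect to. The same value appears in the first listener golden of this chunk (the hunk starting `@@ -0,0 +1,137 @@`) and in `mixed-multi-destination.golden`. The value presumably comes from the proxy-state fixture rather than from a builder default, which these hunks do not show. If it is fixture data, a comment beside that fixture such as `// 438 == 0o666: world-accessible socket, test value only` would keep it from being read as a recommended setting; if it is a default, it is worth tightening before the goldens are regenerated.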
@@ -45,6 +33,18 @@ ] } ], + "defaultFilterChain": { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.original-destination", + "cluster": "original-destination" + } + } + ] + }, "listenerFilters": [ { "name": "envoy.filters.listener.original_dst", diff --git a/agent/xdsv2/testdata/listeners/destination/mixed-multi-destination.golden b/agent/xdsv2/testdata/listeners/destination/mixed-multi-destination.golden new file mode 100644 index 00000000000..23dd5e4c647 --- /dev/null +++ b/agent/xdsv2/testdata/listeners/destination/mixed-multi-destination.golden 
@@ -0,0 +1,119 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "default/local/default/api-1:http:1.1.1.1:1234", + "address": { + "socketAddress": { + "address": "1.1.1.1", + "portValue": 1234 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "upstream.", + "rds": { + "configSource": { + "ads": {}, + "resourceApiVersion": "V3" + }, + "routeConfigName": "default/local/default/api-1:http:1.1.1.1:1234" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + } + ], + "tracing": { + "randomSampling": {} + }, + "upgradeConfigs": [ + { + "upgradeType": "websocket" + } + ] + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "default/local/default/api-1:tcp:1.1.1.1:1234", + "address": { + "socketAddress": { + "address": "1.1.1.1", + "portValue": 1234 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-1.default.default.dc1", + "weightedClusters": { + "clusters": [ + { + "name": "tcp.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "tcp.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + } + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "default/local/default/api-2:tcp:/path/to/socket", + "address": { + "pipe": { + 
"path": "/path/to/socket", + "mode": 438 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-2.default.default.dc1", + "cluster": "tcp.api-2.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden b/agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 00000000000..9cd146e6ef0 --- /dev/null +++ b/agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden 
@@ -0,0 +1,222 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "outbound_listener", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 15001 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-app.default.default.dc1", + "cluster": "tcp.api-app.default.dc1.internal.foo.consul" + } + } + ] + }, + { + "filterChainMatch": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "upstream.", + "rds": { + "configSource": { + "ads": {}, + "resourceApiVersion": "V3" + }, + "routeConfigName": "default/local/default/api-app:http" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + } + ], + "tracing": { + "randomSampling": {} + }, + "upgradeConfigs": [ + { + "upgradeType": "websocket" + } + ] + } + } + ] + }, + { + "filterChainMatch": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp2.api-app.default.default.dc1", + "cluster": "tcp2.api-app.default.dc1.internal.foo.consul" + } + } + ] + }, 
+ { + "filterChainMatch": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-app2.default.default.dc1", + "cluster": "tcp.api-app2.default.dc1.internal.foo.consul" + } + } + ] + }, + { + "filterChainMatch": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "upstream.", + "rds": { + "configSource": { + "ads": {}, + "resourceApiVersion": "V3" + }, + "routeConfigName": "default/local/default/api-app2:http" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + } + ], + "tracing": { + "randomSampling": {} + }, + "upgradeConfigs": [ + { + "upgradeType": "websocket" + } + ] + } + } + ] + }, + { + "filterChainMatch": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "2.2.2.2", + "prefixLen": 32 + }, + { + "addressPrefix": "3.3.3.3", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp2.api-app2.default.default.dc1", + "cluster": "tcp2.api-app2.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "defaultFilterChain": { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + 
"typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.original-destination", + "cluster": "original-destination" + } + } + ] + }, + "listenerFilters": [ + { + "name": "envoy.filters.listener.original_dst", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst" + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden new file mode 100644 index 00000000000..71dec1b4db4 --- /dev/null +++ b/agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden 
@@ -0,0 +1,125 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "outbound_listener", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 15001 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-app.default.default.dc1", + "cluster": "tcp.api-app.default.dc1.internal.foo.consul" + } + } + ] + }, + { + "filterChainMatch": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "upstream.", + "rds": { + "configSource": { + "ads": {}, + "resourceApiVersion": "V3" + }, + "routeConfigName": "default/local/default/api-app:http" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + } + ], + "tracing": { + "randomSampling": {} + }, + "upgradeConfigs": [ + { + "upgradeType": "websocket" + } + ] + } + } + ] + }, + { + "filterChainMatch": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp2.api-app.default.default.dc1", + "cluster": "tcp2.api-app.default.dc1.internal.foo.consul" + } + } + ] + } 
+ ], + "defaultFilterChain": { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.original-destination", + "cluster": "original-destination" + } + } + ] + }, + "listenerFilters": [ + { + "name": "envoy.filters.listener.original_dst", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst" + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden b/agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden new file mode 100644 index 00000000000..71dec1b4db4 --- /dev/null +++ b/agent/xdsv2/testdata/listeners/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden 
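Review bot: Every HttpConnectionManager filter in this golden has `"statPrefix": "upstream."`, a prefix that stops at the dot, while the tcp_proxy filters beside it carry a full name such as `upstream.tcp.api-app.default.default.dc1`. The same bare prefix is pinned in the mixed-multi-destination, multiport multiple-implicit-destinations and multiple-workloads listener goldens, so all HTTP upstream filters would report under one stat namespace and per-destination metrics could not be told apart. This looks like an empty name being appended in the builder, which is outside these hunks. If so, the expected value would follow the TCP pattern, by analogy something like `"statPrefix": "upstream.http.api-app.default.default.dc1"`, and the goldens should be regenerated after the fix rather than recording the truncated prefix as correct.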
@@ -0,0 +1,125 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "outbound_listener", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 15001 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "destinationPort": 7070, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp.api-app.default.default.dc1", + "cluster": "tcp.api-app.default.dc1.internal.foo.consul" + } + } + ] + }, + { + "filterChainMatch": { + "destinationPort": 8080, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "upstream.", + "rds": { + "configSource": { + "ads": {}, + "resourceApiVersion": "V3" + }, + "routeConfigName": "default/local/default/api-app:http" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + } + ], + "tracing": { + "randomSampling": {} + }, + "upgradeConfigs": [ + { + "upgradeType": "websocket" + } + ] + } + } + ] + }, + { + "filterChainMatch": { + "destinationPort": 8081, + "prefixRanges": [ + { + "addressPrefix": "1.1.1.1", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.tcp2.api-app.default.default.dc1", + "cluster": "tcp2.api-app.default.dc1.internal.foo.consul" + } + } + ] + } 
+ ], + "defaultFilterChain": { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.original-destination", + "cluster": "original-destination" + } + } + ] + }, + "listenerFilters": [ + { + "name": "envoy.filters.listener.original_dst", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst" + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden deleted file mode 100644 index 611c863c3af..00000000000 --- a/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden +++ /dev/null 
@@ -1,56 +0,0 @@ -{ - "versionInfo": "00000001", - "resources": [ - { - "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", - "name": "tcp.api-1.default.dc1.internal.foo.consul", - "type": "EDS", - "edsClusterConfig": { - "edsConfig": { - "ads": {}, - "resourceApiVersion": "V3" - } - }, - "commonLbConfig": { - "healthyPanicThreshold": {} - }, - "name": "tcp.api-1.default.dc1.internal.foo.consul", - "transportSocket": { - "name": "tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", - "commonTlsContext": { - "alpnProtocols": [ - "consul~tcp" - ], - "tlsCertificates": [ - { - "certificateChain": { - "inlineString": "cert1\n" - }, - "privateKey": { - "inlineString": "key1\n" - } - } - ], - "tlsParams": {}, - "validationContext": { - "matchSubjectAltNames": [ - { - "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity" - } - ], - "trustedCa": { - "inlineString": "root1\n" - } - } - }, - "sni": "api-1.default.dc1.internal.foo.consul" - } - }, - "type": "EDS" - } - ], - "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", - "nonce": "00000001" -} \ No newline at end of file diff --git a/agent/xdsv2/testdata/routes/destination/l4-implicit-and-explicit-destinations-tproxy.golden b/agent/xdsv2/testdata/routes/destination/l4-implicit-and-explicit-destinations-tproxy.golden new file mode 100644 index 00000000000..306f5220e7b --- /dev/null +++ b/agent/xdsv2/testdata/routes/destination/l4-implicit-and-explicit-destinations-tproxy.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/routes/destination/l4-multi-destination.golden b/agent/xdsv2/testdata/routes/destination/l4-multi-destination.golden new file mode 100644 index 00000000000..306f5220e7b --- /dev/null 
+++ b/agent/xdsv2/testdata/routes/destination/l4-multi-destination.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/routes/destination/l4-multiple-implicit-destinations-tproxy.golden b/agent/xdsv2/testdata/routes/destination/l4-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 00000000000..306f5220e7b --- /dev/null +++ b/agent/xdsv2/testdata/routes/destination/l4-multiple-implicit-destinations-tproxy.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/routes/destination/l4-single-destination-ip-port-bind-address.golden b/agent/xdsv2/testdata/routes/destination/l4-single-destination-ip-port-bind-address.golden new file mode 100644 index 00000000000..306f5220e7b --- /dev/null +++ b/agent/xdsv2/testdata/routes/destination/l4-single-destination-ip-port-bind-address.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/routes/destination/l4-single-destination-unix-socket-bind-address.golden b/agent/xdsv2/testdata/routes/destination/l4-single-destination-unix-socket-bind-address.golden new file mode 100644 index 00000000000..306f5220e7b --- /dev/null +++ b/agent/xdsv2/testdata/routes/destination/l4-single-destination-unix-socket-bind-address.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file 
diff --git a/agent/xdsv2/testdata/routes/destination/l4-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/routes/destination/l4-single-implicit-destination-tproxy.golden new file mode 100644 index 00000000000..306f5220e7b --- /dev/null +++ b/agent/xdsv2/testdata/routes/destination/l4-single-implicit-destination-tproxy.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/routes/destination/mixed-multi-destination.golden b/agent/xdsv2/testdata/routes/destination/mixed-multi-destination.golden new file mode 100644 index 00000000000..ed7ec13bdcd --- /dev/null +++ b/agent/xdsv2/testdata/routes/destination/mixed-multi-destination.golden @@ -0,0 +1,65 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "name": "default/local/default/api-1:http:1.1.1.1:1234", + "virtualHosts": [ + { + "domains": ["*"], + "name": "default/local/default/api-1:http:1.1.1.1:1234", + "routes": [ + { + "match": { + "prefix": "/split" + }, + "route": { + "weightedClusters": { + "clusters": [ + { + "name": "http.api-2.default.dc1.internal.foo.consul", + "weight": 60 + }, + { + "name": "http.api-1.default.dc1.internal.foo.consul", + "weight": 40 + }, + { + "name": "null_route_cluster", + "weight": 10 + } + ] + }, + "timeout": "77s" + } + }, + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "http.api-1.default.dc1.internal.foo.consul", + "timeout": "606s", + "retryPolicy": { + "retryOn": "connect-failure", + "numRetries": 4 + } + } + }, + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "null_route_cluster" + } + } + ] + } + ], + "validateClusters": true + } + ], + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file 
diff --git a/agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden b/agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden new file mode 100644 index 00000000000..f1b71f1009f --- /dev/null +++ b/agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-multiple-implicit-destinations-tproxy.golden @@ -0,0 +1,49 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "name": "default/local/default/api-app2:http", + "virtualHosts": [ + { + "domains": ["*"], + "name": "default/local/default/api-app2:http", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "http.api-app2.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "validateClusters": true + }, + { + "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "name": "default/local/default/api-app:http", + "virtualHosts": [ + { + "domains": ["*"], + "name": "default/local/default/api-app:http", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "http.api-app.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "validateClusters": true + } + ], + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden new file mode 100644 index 00000000000..f61d7864756 --- /dev/null +++ b/agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-single-implicit-destination-tproxy.golden 
@@ -0,0 +1,28 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "name": "default/local/default/api-app:http", + "virtualHosts": [ + { + "domains": ["*"], + "name": "default/local/default/api-app:http", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "http.api-app.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "validateClusters": true + } + ], + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden b/agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden new file mode 100644 index 00000000000..f61d7864756 --- /dev/null +++ b/agent/xdsv2/testdata/routes/destination/multiport-l4-and-l7-single-implicit-destination-with-multiple-workloads-tproxy.golden @@ -0,0 +1,28 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "name": "default/local/default/api-app:http", + "virtualHosts": [ + { + "domains": ["*"], + "name": "default/local/default/api-app:http", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "http.api-app.default.dc1.internal.foo.consul" + } + } + ] + } + ], + "validateClusters": true + } + ], + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file