Register mesh-gateways using the endpoints controller. (#1464)

* Register mesh-gateways using the endpoints controller. - Use consul-dataplane to configure the mesh-gateway proxy and remove envoy container. - Remove instances of client and auto-encrypt from the deployment. * Replace ioutil.ReadFile with os.ReadFile
hashicorp · Sep 28, 2022 · f357a02 · f357a02
1 parent fe7507b
commit f357a02
Show file tree

Hide file tree

Showing 4 changed files with 215 additions and 6 deletions.
diff --git a/acceptance/tests/peering/peering_connect_namespaces_test.go b/acceptance/tests/peering/peering_connect_namespaces_test.go
@@ -27,6 +27,8 @@ const staticClientNamespace = "ns2"
 
 // Test that Connect works in installations for X-Peers networking.
 func TestPeering_ConnectNamespaces(t *testing.T) {
+	t.Skipf("currently unsupported in agentless")
+
 	env := suite.Environment()
 	cfg := suite.Config()
 

diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go
@@ -22,6 +22,8 @@ import (
 
 // Test that Connect works in installations for X-Peers networking.
 func TestPeering_Connect(t *testing.T) {
+	t.Skipf("currently unsupported in agentless")
+
 	env := suite.Environment()
 	cfg := suite.Config()
 

diff --git a/control-plane/connect-inject/endpoints_controller_ent_test.go b/control-plane/connect-inject/endpoints_controller_ent_test.go
@@ -111,6 +111,14 @@ func TestReconcileCreateEndpointWithNamespaces(t *testing.T) {
 										Namespace: testCase.SourceKubeNS,
 									},
 								},
+								{
+									IP: "3.3.3.3",
+									TargetRef: &corev1.ObjectReference{
+										Kind:      "Pod",
+										Name:      "mesh-gateway",
+										Namespace: testCase.SourceKubeNS,
+									},
+								},
 							},
 						},
 					},
@@ -134,6 +142,25 @@ func TestReconcileCreateEndpointWithNamespaces(t *testing.T) {
 					ServiceTags:    []string{},
 					Namespace:      testCase.ExpConsulNS,
 				},
+				{
+					ServiceID:      "mesh-gateway",
+					ServiceName:    "mesh-gateway",
+					ServiceAddress: "3.3.3.3",
+					ServiceMeta:    map[string]string{MetaKeyPodName: "mesh-gateway", MetaKeyKubeServiceName: "service-created", MetaKeyKubeNS: testCase.SourceKubeNS, MetaKeyManagedBy: managedByValue},
+					ServiceTags:    []string{},
+					ServicePort:    8443,
+					ServiceTaggedAddresses: map[string]api.ServiceAddress{
+						"lan": {
+							Address: "3.3.3.3",
+							Port:    8443,
+						},
+						"wan": {
+							Address: "2.3.4.5",
+							Port:    443,
+						},
+					},
+					Namespace: "default",
+				},
 			},
 			expectedProxySvcInstances: []*api.CatalogService{
 				{
@@ -204,6 +231,16 @@ func TestReconcileCreateEndpointWithNamespaces(t *testing.T) {
 					Type:        ConsulKubernetesCheckType,
 					Namespace:   testCase.ExpConsulNS,
 				},
+				{
+					CheckID:     fmt.Sprintf("%s/mesh-gateway", testCase.SourceKubeNS),
+					ServiceName: "mesh-gateway",
+					ServiceID:   "mesh-gateway",
+					Name:        ConsulKubernetesCheckName,
+					Status:      api.HealthPassing,
+					Output:      kubernetesSuccessReasonMsg,
+					Type:        ConsulKubernetesCheckType,
+					Namespace:   "default",
+				},
 			},
 		}
 		t.Run(name, func(t *testing.T) {
@@ -253,6 +290,9 @@ func TestReconcileCreateEndpointWithNamespaces(t *testing.T) {
 			// After reconciliation, Consul should have the service with the correct number of instances.
 			serviceInstances, _, err := consulClient.Catalog().Service(setup.consulSvcName, "", &api.QueryOptions{Namespace: testCase.ExpConsulNS})
 			require.NoError(t, err)
+			service, _, err := consulClient.Catalog().Service("mesh-gateway", "", &api.QueryOptions{Namespace: "default"})
+			require.NoError(t, err)
+			serviceInstances = append(serviceInstances, service...)
 			require.Len(t, serviceInstances, len(setup.expectedConsulSvcInstances))
 			for i, instance := range serviceInstances {
 				require.Equal(t, setup.expectedConsulSvcInstances[i].ServiceID, instance.ServiceID)
@@ -283,6 +323,10 @@ func TestReconcileCreateEndpointWithNamespaces(t *testing.T) {
 				var checks api.HealthChecks
 				filter := fmt.Sprintf("CheckID == `%s`", expectedCheck.CheckID)
 				checks, _, err := consulClient.Health().Checks(expectedCheck.ServiceName, &api.QueryOptions{Filter: filter})
+				if expectedCheck.ServiceName == "mesh-gateway" {
+					checks, _, err = consulClient.Health().Checks("mesh-gateway", &api.QueryOptions{Namespace: "default"})
+					require.NoError(t, err)
+				}
 				require.NoError(t, err)
 				require.Equal(t, len(checks), 1)
 				var ignoredFields = []string{"Node", "Definition", "Partition", "CreateIndex", "ModifyIndex", "ServiceTags"}
@@ -1711,6 +1755,68 @@ func TestReconcileDeleteEndpointWithNamespaces(t *testing.T) {
 				},
 				enableACLs: true,
 			},
+			{
+				name:          "mesh-gateway",
+				consulSvcName: "service-deleted",
+				initialConsulSvcs: []*api.AgentService{
+					{
+						ID:      "mesh-gateway",
+						Kind:    api.ServiceKindMeshGateway,
+						Service: "mesh-gateway",
+						Port:    80,
+						Address: "1.2.3.4",
+						Meta: map[string]string{
+							MetaKeyKubeServiceName: "service-deleted",
+							MetaKeyKubeNS:          ts.SourceKubeNS,
+							MetaKeyManagedBy:       managedByValue,
+							MetaKeyPodName:         "mesh-gateway",
+						},
+						TaggedAddresses: map[string]api.ServiceAddress{
+							"lan": {
+								Address: "1.2.3.4",
+								Port:    80,
+							},
+							"wan": {
+								Address: "5.6.7.8",
+								Port:    8080,
+							},
+						},
+						Namespace: "default",
+					},
+				},
+				enableACLs: false,
+			},
+			{
+				name:          "mesh-gateway with ACLs enabled",
+				consulSvcName: "service-deleted",
+				initialConsulSvcs: []*api.AgentService{
+					{
+						ID:      "mesh-gateway",
+						Kind:    api.ServiceKindMeshGateway,
+						Service: "mesh-gateway",
+						Port:    80,
+						Address: "1.2.3.4",
+						Meta: map[string]string{
+							MetaKeyKubeServiceName: "service-deleted",
+							MetaKeyKubeNS:          ts.SourceKubeNS,
+							MetaKeyManagedBy:       managedByValue,
+							MetaKeyPodName:         "mesh-gateway",
+						},
+						TaggedAddresses: map[string]api.ServiceAddress{
+							"lan": {
+								Address: "1.2.3.4",
+								Port:    80,
+							},
+							"wan": {
+								Address: "5.6.7.8",
+								Port:    8080,
+							},
+						},
+						Namespace: "default",
+					},
+				},
+				enableACLs: true,
+			},
 		}
 		for _, tt := range cases {
 			t.Run(fmt.Sprintf("%s:%s", name, tt.name), func(t *testing.T) {
@@ -1798,12 +1904,18 @@ func TestReconcileDeleteEndpointWithNamespaces(t *testing.T) {
 				require.NoError(t, err)
 
 				// After reconciliation, Consul should not have any instances of service-deleted.
-				serviceInstances, _, err := consulClient.Catalog().Service(tt.consulSvcName, "", &api.QueryOptions{Namespace: ts.ExpConsulNS})
-				require.NoError(t, err)
-				require.Empty(t, serviceInstances)
-				proxyServiceInstances, _, err := consulClient.Catalog().Service(fmt.Sprintf("%s-sidecar-proxy", tt.consulSvcName), "", &api.QueryOptions{Namespace: ts.ExpConsulNS})
-				require.NoError(t, err)
-				require.Empty(t, proxyServiceInstances)
+				if tt.consulSvcName == "mesh-gateway" {
+					gatewayInstances, _, err := consulClient.Catalog().Service(tt.consulSvcName, "", &api.QueryOptions{Namespace: "default"})
+					require.NoError(t, err)
+					require.Empty(t, gatewayInstances)
+				} else {
+					serviceInstances, _, err := consulClient.Catalog().Service(tt.consulSvcName, "", &api.QueryOptions{Namespace: ts.ExpConsulNS})
+					require.NoError(t, err)
+					require.Empty(t, serviceInstances)
+					proxyServiceInstances, _, err := consulClient.Catalog().Service(fmt.Sprintf("%s-sidecar-proxy", tt.consulSvcName), "", &api.QueryOptions{Namespace: ts.ExpConsulNS})
+					require.NoError(t, err)
+					require.Empty(t, proxyServiceInstances)
+				}
 
 				if tt.enableACLs {
 					_, _, err = consulClient.ACL().TokenRead(token.AccessorID, nil)

diff --git a/control-plane/subcommand/connect-init/command_test.go b/control-plane/subcommand/connect-init/command_test.go
@@ -618,6 +618,99 @@ func TestRun_Gateways_Errors(t *testing.T) {
 	}
 }
 
+// TestRun_Gateways_Errors tests that when registered services could not be found,
+// we error out.
+func TestRun_Gateways_Errors(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name     string
+		services []api.AgentServiceRegistration
+	}{
+		{
+			name: "gateway without pod-name or k8s-namespace meta",
+			services: []api.AgentServiceRegistration{
+				{
+					ID:      "mesh-gateway",
+					Name:    "mesh-gateway",
+					Kind:    "mesh-gateway",
+					Port:    9999,
+					Address: "127.0.0.1",
+				},
+			},
+		},
+		{
+			name: "gateway with pod-name meta but without k8s-namespace meta",
+			services: []api.AgentServiceRegistration{
+				{
+					ID:      "mesh-gateway",
+					Name:    "mesh-gateway",
+					Kind:    "mesh-gateway",
+					Port:    9999,
+					Address: "127.0.0.1",
+					Meta: map[string]string{
+						metaKeyPodName: "mesh-gateway",
+					},
+				},
+			},
+		},
+		{
+			name: "service and proxy with k8s-namespace meta but pod-name meta",
+			services: []api.AgentServiceRegistration{
+				{
+					ID:      "mesh-gateway",
+					Name:    "mesh-gateway",
+					Kind:    "mesh-gateway",
+					Port:    9999,
+					Address: "127.0.0.1",
+					Meta: map[string]string{
+						metaKeyKubeNS: "default-ns",
+					},
+				},
+			}},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			proxyFile := fmt.Sprintf("/tmp/%d", rand.Int())
+			t.Cleanup(func() {
+				os.Remove(proxyFile)
+			})
+
+			// Start Consul server.
+			server, err := testutil.NewTestServerConfigT(t, nil)
+			require.NoError(t, err)
+			defer server.Stop()
+			server.WaitForLeader(t)
+			consulClient, err := api.NewClient(&api.Config{Address: server.HTTPAddr})
+			require.NoError(t, err)
+
+			// Register Consul services.
+			for _, svc := range c.services {
+				require.NoError(t, consulClient.Agent().ServiceRegister(&svc))
+			}
+
+			ui := cli.NewMockUi()
+			cmd := Command{
+				UI:                                 ui,
+				serviceRegistrationPollingAttempts: 1,
+			}
+			flags := []string{
+				"-http-addr", server.HTTPAddr,
+				"-gateway-kind", "mesh-gateway",
+				"-pod-name", testPodName,
+				"-pod-namespace", testPodNamespace,
+				"-proxy-id-file", proxyFile,
+				"-consul-api-timeout", "5s",
+				"-consul-node-name", connectinject.ConsulNodeName,
+			}
+
+			code := cmd.Run(flags)
+			require.Equal(t, 1, code)
+		})
+	}
+}
+
 // TestRun_RetryServicePolling runs the command but does not register the consul service
 // for 2 seconds and then asserts that the proxyid file gets written correctly.
 func TestRun_RetryServicePolling(t *testing.T) {