[OSS] test: improve xDS listener code coverage (#18138)

test: improve xDS listener code coverage
hashicorp · Jul 17, 2023 · 33d898b · 33d898b
1 parent e52ea0e
commit 33d898b
Show file tree

Hide file tree

Showing 33 changed files with 2,425 additions and 160 deletions.
diff --git a/agent/proxycfg/testing_connect_proxy.go b/agent/proxycfg/testing_connect_proxy.go
@@ -227,6 +227,14 @@ func TestConfigSnapshotExposeConfig(t testing.T, nsFn func(ns *structs.NodeServi
 }
 
 func TestConfigSnapshotExposeChecks(t testing.T) *ConfigSnapshot {
+	return testConfigSnapshotExposedChecks(t, false)
+}
+
+func TestConfigSnapshotExposeChecksWithBindOverride(t testing.T) *ConfigSnapshot {
+	return testConfigSnapshotExposedChecks(t, true)
+}
+
+func testConfigSnapshotExposedChecks(t testing.T, overrideBind bool) *ConfigSnapshot {
 	return TestConfigSnapshot(t,
 		func(ns *structs.NodeService) {
 			ns.Address = "1.2.3.4"
@@ -235,6 +243,12 @@ func TestConfigSnapshotExposeChecks(t testing.T) *ConfigSnapshot {
 			ns.Proxy.Expose = structs.ExposeConfig{
 				Checks: true,
 			}
+			if overrideBind {
+				if ns.Proxy.Config == nil {
+					ns.Proxy.Config = map[string]any{}
+				}
+				ns.Proxy.Config["bind_address"] = "6.7.8.9"
+			}
 		},
 		[]UpdateEvent{
 			{
@@ -253,6 +267,32 @@ func TestConfigSnapshotExposeChecks(t testing.T) *ConfigSnapshot {
 	)
 }
 
+func TestConfigSnapshotExposeChecksGRPC(t testing.T) *ConfigSnapshot {
+	return TestConfigSnapshot(t,
+		func(ns *structs.NodeService) {
+			ns.Address = "1.2.3.4"
+			ns.Port = 9090
+			ns.Proxy.Upstreams = nil
+			ns.Proxy.Expose = structs.ExposeConfig{
+				Checks: true,
+			}
+		},
+		[]UpdateEvent{
+			{
+				CorrelationID: svcChecksWatchIDPrefix + structs.ServiceIDString("web", nil),
+				Result: []structs.CheckType{{
+					CheckID:   types.CheckID("grpc"),
+					Name:      "grpc",
+					GRPC:      "localhost:9090/v1.Health",
+					ProxyGRPC: "localhost:21501/myservice",
+					Interval:  10 * time.Second,
+					Timeout:   1 * time.Second,
+				}},
+			},
+		},
+	)
+}
+
 func TestConfigSnapshotGRPCExposeHTTP1(t testing.T) *ConfigSnapshot {
 	roots, leaf := TestCerts(t)
 

diff --git a/agent/proxycfg/testing_ingress_gateway.go b/agent/proxycfg/testing_ingress_gateway.go
@@ -1888,8 +1888,8 @@ func TestConfigSnapshotIngressGateway_TLSMixedMinVersionListeners(t testing.T) *
 			entry.TLS.Enabled = true
 			entry.TLS.TLSMinVersion = types.TLSv1_2
 
-			// One listener disables TLS, one inherits TLS minimum version from the gateway
-			// config, two others set different versions
+			// One listener should inherit TLS minimum version from the gateway config,
+			// two others each set explicit TLS minimum versions
 			entry.Listeners = []structs.IngressListener{
 				{
 					Port:     8080,
@@ -1925,8 +1925,6 @@ func TestConfigSnapshotIngressGateway_TLSMixedMinVersionListeners(t testing.T) *
 			{
 				CorrelationID: gatewayServicesWatchID,
 				Result: &structs.IndexedGatewayServices{
-					// One listener should inherit TLS minimum version from the gateway config,
-					// two others each set explicit TLS minimum versions
 					Services: []*structs.GatewayService{
 						{
 							Service:  s1,
@@ -1984,3 +1982,208 @@ func TestConfigSnapshotIngressGateway_TLSMixedMinVersionListeners(t testing.T) *
 			},
 		})
 }
+
+func TestConfigSnapshotIngressGateway_TLSMixedMaxVersionListeners(t testing.T) *ConfigSnapshot {
+	var (
+		s1      = structs.NewServiceName("s1", nil)
+		s1UID   = NewUpstreamIDFromServiceName(s1)
+		s1Chain = discoverychain.TestCompileConfigEntries(t, "s1", "default", "default", "dc1", connect.TestClusterID+".consul", nil, nil)
+
+		s2      = structs.NewServiceName("s2", nil)
+		s2UID   = NewUpstreamIDFromServiceName(s2)
+		s2Chain = discoverychain.TestCompileConfigEntries(t, "s2", "default", "default", "dc1", connect.TestClusterID+".consul", nil, nil)
+
+		s3      = structs.NewServiceName("s3", nil)
+		s3UID   = NewUpstreamIDFromServiceName(s3)
+		s3Chain = discoverychain.TestCompileConfigEntries(t, "s3", "default", "default", "dc1", connect.TestClusterID+".consul", nil, nil)
+	)
+
+	return TestConfigSnapshotIngressGateway(t, true, "tcp", "default", nil,
+		func(entry *structs.IngressGatewayConfigEntry) {
+			entry.TLS.Enabled = true
+			entry.TLS.TLSMaxVersion = types.TLSv1_2
+
+			// One listener should inherit TLS maximum version from the gateway config,
+			// two others each set explicit TLS maximum versions
+			entry.Listeners = []structs.IngressListener{
+				{
+					Port:     8080,
+					Protocol: "http",
+					Services: []structs.IngressService{
+						{Name: "s1"},
+					},
+				},
+				{
+					Port:     8081,
+					Protocol: "http",
+					Services: []structs.IngressService{
+						{Name: "s2"},
+					},
+					TLS: &structs.GatewayTLSConfig{
+						Enabled:       true,
+						TLSMaxVersion: types.TLSv1_0,
+					},
+				},
+				{
+					Port:     8082,
+					Protocol: "http",
+					Services: []structs.IngressService{
+						{Name: "s3"},
+					},
+					TLS: &structs.GatewayTLSConfig{
+						Enabled:       true,
+						TLSMaxVersion: types.TLSv1_3,
+					},
+				},
+			}
+		}, []UpdateEvent{
+			{
+				CorrelationID: gatewayServicesWatchID,
+				Result: &structs.IndexedGatewayServices{
+					Services: []*structs.GatewayService{
+						{
+							Service:  s1,
+							Port:     8080,
+							Protocol: "http",
+						},
+						{
+							Service:  s2,
+							Port:     8081,
+							Protocol: "http",
+						},
+						{
+							Service:  s3,
+							Port:     8082,
+							Protocol: "http",
+						},
+					},
+				},
+			},
+			{
+				CorrelationID: "discovery-chain:" + s1UID.String(),
+				Result: &structs.DiscoveryChainResponse{
+					Chain: s1Chain,
+				},
+			},
+			{
+				CorrelationID: "discovery-chain:" + s2UID.String(),
+				Result: &structs.DiscoveryChainResponse{
+					Chain: s2Chain,
+				},
+			},
+			{
+				CorrelationID: "discovery-chain:" + s3UID.String(),
+				Result: &structs.DiscoveryChainResponse{
+					Chain: s3Chain,
+				},
+			},
+			{
+				CorrelationID: "upstream-target:" + s1Chain.ID() + ":" + s1UID.String(),
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: TestUpstreamNodes(t, "s1"),
+				},
+			},
+			{
+				CorrelationID: "upstream-target:" + s2Chain.ID() + ":" + s2UID.String(),
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: TestUpstreamNodes(t, "s2"),
+				},
+			},
+			{
+				CorrelationID: "upstream-target:" + s3Chain.ID() + ":" + s3UID.String(),
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: TestUpstreamNodes(t, "s3"),
+				},
+			},
+		})
+}
+
+func TestConfigSnapshotIngressGateway_TLSMixedCipherVersionListeners(t testing.T) *ConfigSnapshot {
+	var (
+		s1      = structs.NewServiceName("s1", nil)
+		s1UID   = NewUpstreamIDFromServiceName(s1)
+		s1Chain = discoverychain.TestCompileConfigEntries(t, "s1", "default", "default", "dc1", connect.TestClusterID+".consul", nil, nil)
+
+		s2      = structs.NewServiceName("s2", nil)
+		s2UID   = NewUpstreamIDFromServiceName(s2)
+		s2Chain = discoverychain.TestCompileConfigEntries(t, "s2", "default", "default", "dc1", connect.TestClusterID+".consul", nil, nil)
+	)
+
+	return TestConfigSnapshotIngressGateway(t, true, "tcp", "default", nil,
+		func(entry *structs.IngressGatewayConfigEntry) {
+			entry.TLS.Enabled = true
+			entry.TLS.CipherSuites = []types.TLSCipherSuite{
+				types.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			}
+
+			// One listener should inherit TLS Ciphers from the gateway config,
+			// the other should be set explicitly from the listener config
+			entry.Listeners = []structs.IngressListener{
+				{
+					Port:     8080,
+					Protocol: "http",
+					Services: []structs.IngressService{
+						{Name: "s1"},
+					},
+				},
+				{
+					Port:     8081,
+					Protocol: "http",
+					Services: []structs.IngressService{
+						{Name: "s2"},
+					},
+					TLS: &structs.GatewayTLSConfig{
+						Enabled: true,
+						CipherSuites: []types.TLSCipherSuite{
+							types.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+							types.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+						},
+					},
+				},
+			}
+		}, []UpdateEvent{
+			{
+				CorrelationID: gatewayServicesWatchID,
+				Result: &structs.IndexedGatewayServices{
+					// One listener should inherit TLS minimum version from the gateway config,
+					// two others each set explicit TLS minimum versions
+					Services: []*structs.GatewayService{
+						{
+							Service:  s1,
+							Port:     8080,
+							Protocol: "http",
+						},
+						{
+							Service:  s2,
+							Port:     8081,
+							Protocol: "http",
+						},
+					},
+				},
+			},
+			{
+				CorrelationID: "discovery-chain:" + s1UID.String(),
+				Result: &structs.DiscoveryChainResponse{
+					Chain: s1Chain,
+				},
+			},
+			{
+				CorrelationID: "discovery-chain:" + s2UID.String(),
+				Result: &structs.DiscoveryChainResponse{
+					Chain: s2Chain,
+				},
+			},
+			{
+				CorrelationID: "upstream-target:" + s1Chain.ID() + ":" + s1UID.String(),
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: TestUpstreamNodes(t, "s1"),
+				},
+			},
+			{
+				CorrelationID: "upstream-target:" + s2Chain.ID() + ":" + s2UID.String(),
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: TestUpstreamNodes(t, "s2"),
+				},
+			},
+		})
+}
diff --git a/agent/proxycfg/testing_mesh_gateway.go b/agent/proxycfg/testing_mesh_gateway.go
@@ -23,9 +23,10 @@ func TestConfigSnapshotMeshGateway(t testing.T, variant string, nsFn func(ns *st
 	roots, _ := TestCertsForMeshGateway(t)
 
 	var (
-		populateServices    = true
-		useFederationStates = false
-		deleteCrossDCEntry  = false
+		populateServices      = true
+		useFederationStates   = false
+		deleteCrossDCEntry    = false
+		meshGatewayFederation = false
 	)
 
 	switch variant {
@@ -34,6 +35,11 @@ func TestConfigSnapshotMeshGateway(t testing.T, variant string, nsFn func(ns *st
 		populateServices = true
 		useFederationStates = true
 		deleteCrossDCEntry = true
+	case "mesh-gateway-federation":
+		populateServices = true
+		useFederationStates = true
+		deleteCrossDCEntry = true
+		meshGatewayFederation = true
 	case "newer-info-in-federation-states":
 		populateServices = true
 		useFederationStates = true
@@ -447,6 +453,63 @@ func TestConfigSnapshotMeshGateway(t testing.T, variant string, nsFn func(ns *st
 		})
 	}
 
+	var serverSNIFn ServerSNIFunc
+	if meshGatewayFederation {
+
+		// reproduced from tlsutil/config.go
+		serverSNIFn = func(dc, nodeName string) string {
+			// Strip the trailing '.' from the domain if any
+			domain := "consul"
+
+			if nodeName == "" || nodeName == "*" {
+				return "server." + dc + "." + domain
+			}
+
+			return nodeName + ".server." + dc + "." + domain
+		}
+
+		baseEvents = testSpliceEvents(baseEvents, []UpdateEvent{
+			{
+				CorrelationID: consulServerListWatchID,
+				Result: &structs.IndexedCheckServiceNodes{
+					Nodes: structs.CheckServiceNodes{
+						{
+							Node: &structs.Node{
+								Datacenter: "dc1",
+								Node:       "node1",
+								Address:    "127.0.0.1",
+							},
+							Service: &structs.NodeService{
+								ID:      structs.ConsulServiceID,
+								Service: structs.ConsulServiceName,
+								Meta: map[string]string{
+									"grpc_port":     "8502",
+									"grpc_tls_port": "8503",
+								},
+							},
+						},
+						{
+							Node: &structs.Node{
+								Datacenter: "dc1",
+								Node:       "node2",
+								Address:    "127.0.0.2",
+							},
+							Service: &structs.NodeService{
+								ID:      structs.ConsulServiceID,
+								Service: structs.ConsulServiceName,
+								Meta: map[string]string{
+									"grpc_port":     "8502",
+									"grpc_tls_port": "8503",
+								},
+							},
+						},
+					},
+				},
+			},
+		})
+
+	}
+
 	return testConfigSnapshotFixture(t, &structs.NodeService{
 		Kind:    structs.ServiceKindMeshGateway,
 		Service: "mesh-gateway",
@@ -466,7 +529,7 @@ func TestConfigSnapshotMeshGateway(t testing.T, variant string, nsFn func(ns *st
 				Port:    443,
 			},
 		},
-	}, nsFn, nil, testSpliceEvents(baseEvents, extraUpdates))
+	}, nsFn, serverSNIFn, testSpliceEvents(baseEvents, extraUpdates))
 }
 
 func TestConfigSnapshotPeeredMeshGateway(t testing.T, variant string, nsFn func(ns *structs.NodeService), extraUpdates []UpdateEvent) *ConfigSnapshot {