From ca3240a1956f639515a9a17f5f6e1b2ddcdd638f Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 16 Oct 2023 15:35:21 -0600 Subject: [PATCH] WIP --- .../controllers/xds/controller_test.go | 1 + ...kload-addresses-with-specific-ports.golden | 150 ++++++------- ...le-workload-addresses-without-ports.golden | 209 ++++++++++++------ 3 files changed, 213 insertions(+), 147 deletions(-) diff --git a/internal/mesh/internal/controllers/xds/controller_test.go b/internal/mesh/internal/controllers/xds/controller_test.go index c94f9f97e424..10f00828778b 100644 --- a/internal/mesh/internal/controllers/xds/controller_test.go +++ b/internal/mesh/internal/controllers/xds/controller_test.go @@ -1033,6 +1033,7 @@ func (suite *xdsControllerTestSuite) TestReconcile_SidecarProxyGoldenFileInputs( //sources - please add in alphabetical order "source/l4-multiple-workload-addresses-with-specific-ports", + "source/l4-multiple-workload-addresses-without-ports", } for _, name := range cases { diff --git a/internal/mesh/internal/controllers/xds/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden b/internal/mesh/internal/controllers/xds/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden index 9f403bea3da1..542ac1c550ca 100644 --- a/internal/mesh/internal/controllers/xds/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden +++ b/internal/mesh/internal/controllers/xds/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden @@ -1,88 +1,88 @@ { - "clusters": { - "local_app:port1": { - "endpointGroup": { - "static": {} - }, - "name": "local_app:port1" - } - }, - "endpoints": { - "local_app:port1": { - "endpoints": [ - { - "hostPort": { - "host": "127.0.0.1", - "port": 8080 - } + "clusters": { + "local_app:port1": { + "endpointGroup": { + "static": {} + }, + "name": "local_app:port1" + } + }, + "endpoints": { + "local_app:port1": { + "endpoints": [ + { + "hostPort": { + "host": "127.0.0.1", + "port": 8080 } - ] - } + } + ] + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" }, - "identity": { - "name": "test-identity", - "tenancy": { - "namespace": "default", - "partition": "default", - "peerName": "local" + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_L4_TLS_INSPECTION" + ], + "direction": "DIRECTION_INBOUND", + "hostPort": { + "host": "10.0.0.2", + "port": 20000 }, - "type": { - "group": "auth", - "groupVersion": "v2beta1", - "kind": "WorkloadIdentity" - } - }, - "listeners": [ - { - "capabilities": [ - "CAPABILITY_L4_TLS_INSPECTION" - ], - "direction": "DIRECTION_INBOUND", - "hostPort": { - "host": "10.0.0.2", - "port": 20000 - }, - "name": "public_listener", - "routers": [ - { - "inboundTls": { - "inboundMesh": { - "identityKey": "test-identity", - "validationContext": { - "trustBundlePeerNameKeys": [ - "local" - ] - } - } - }, - "l4": { - "cluster": { - "name": "local_app:port1" - }, - "statPrefix": "public_listener", - "trafficPermissions": { - "allowPermissions": [ - { - "principals": [ - { - "spiffe": { - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - ] - } + "name": "public_listener", + "routers": [ + { + "inboundTls": { + "inboundMesh": { + "identityKey": "test-identity", + "validationContext": { + "trustBundlePeerNameKeys": [ + "local" ] } + } + }, + "l4": { + "cluster": { + "name": "local_app:port1" }, - "match": { - "alpnProtocols": [ - "consul~port1" + "statPrefix": "public_listener", + "trafficPermissions": { + "allowPermissions": [ + { + "principals": [ + { + "spiffe": { + "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" + } + } + ] + } ] } + }, + "match": { + "alpnProtocols": [ + "consul~port1" + ] } - ] - } - ], + } + ] + } + ], "trustBundles": { "local": { "roots": [ diff --git a/internal/mesh/internal/controllers/xds/testdata/source/l4-multiple-workload-addresses-without-ports.golden b/internal/mesh/internal/controllers/xds/testdata/source/l4-multiple-workload-addresses-without-ports.golden index 1c7d58988f6d..21251b60aaee 100644 --- a/internal/mesh/internal/controllers/xds/testdata/source/l4-multiple-workload-addresses-without-ports.golden +++ b/internal/mesh/internal/controllers/xds/testdata/source/l4-multiple-workload-addresses-without-ports.golden @@ -1,88 +1,153 @@ { - "proxyState": { - "clusters": { - "local_app:port1": { - "endpointGroup": { - "static": {} - }, - "name": "local_app:port1" - } + "clusters": { + "local_app:port1": { + "endpointGroup": { + "static": {} + }, + "name": "local_app:port1" + } + }, + "endpoints": { + "local_app:port1": { + "endpoints": [ + { + "hostPort": { + "host": "127.0.0.1", + "port": 8080 + } + } + ] + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" }, - "endpoints": { - "local_app:port1": { - "endpoints": [ - { - "hostPort": { - "host": "127.0.0.1", - "port": 8080 + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_L4_TLS_INSPECTION" + ], + "direction": "DIRECTION_INBOUND", + "hostPort": { + "host": "10.0.0.1", + "port": 20000 + }, + "name": "public_listener", + "routers": [ + { + "inboundTls": { + "inboundMesh": { + "identityKey": "test-identity", + "validationContext": { + "trustBundlePeerNameKeys": [ + "local" + ] + } } + }, + "l4": { + "cluster": { + "name": "local_app:port1" + }, + "statPrefix": "public_listener", + "trafficPermissions": {} + }, + "match": { + "alpnProtocols": [ + "consul~port1" + ] } - ] - } + } + ] + } + ], + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" }, - "identity": { - "name": "test-identity", - "tenancy": { - "namespace": "default", - "partition": "default", - "peerName": "local" + "type": { + "group": "auth", + "groupVersion": "v2beta1", + "kind": "WorkloadIdentity" + } + }, + "listeners": [ + { + "capabilities": [ + "CAPABILITY_L4_TLS_INSPECTION" + ], + "direction": "DIRECTION_INBOUND", + "hostPort": { + "host": "10.0.0.2", + "port": 20000 }, - "type": { - "group": "auth", - "groupVersion": "v2beta1", - "kind": "WorkloadIdentity" - } - }, - "listeners": [ - { - "capabilities": [ - "CAPABILITY_L4_TLS_INSPECTION" - ], - "direction": "DIRECTION_INBOUND", - "hostPort": { - "host": "10.0.0.1", - "port": 20000 - }, - "name": "public_listener", - "routers": [ - { - "inboundTls": { - "inboundMesh": { - "identityKey": "test-identity", - "validationContext": { - "trustBundlePeerNameKeys": [ - "local" - ] - } + "name": "public_listener", + "routers": [ + { + "inboundTls": { + "inboundMesh": { + "identityKey": "test-identity", + "validationContext": { + "trustBundlePeerNameKeys": [ + "local" + ] } + } + }, + "l4": { + "cluster": { + "name": "local_app:port1" }, - "l4": { - "cluster": { - "name": "local_app:port1" - }, - "statPrefix": "public_listener", - "trafficPermissions": {} - }, - "match": { - "alpnProtocols": [ - "consul~port1" + "statPrefix": "public_listener", + "trafficPermissions": { + "allowPermissions": [ + { + "principals": [ + { + "spiffe": { + "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" + } + } + ] + } ] } + }, + "match": { + "alpnProtocols": [ + "consul~port1" + ] } - ] - } - ] - }, - "requiredLeafCertificates": { - "test-identity": { - "name": "test-identity", - "namespace": "default", - "partition": "default" + } + ] } - }, - "requiredTrustBundles": { + ], + "trustBundles": { "local": { - "peer": "local" + "roots": [ + "some-root", + "some-other-root" + ], + "trustDomain": "some-trust-domain" + } + }, + "leafCertificates": { + "test-identity": { + "cert": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n", + "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" } } } \ No newline at end of file