
Commit d65060e

author
David Yu
authored
Merge branch 'main' into docs/webhook-certs-tutorial-fixes
2 parents ddcee84 + e4c9793 commit d65060e


14 files changed

+309
-67
lines changed


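--- a/agent/xds/listeners_test.go
+++ b/agent/xds/listeners_test.go
@@ -1109,6 +1109,15 @@ func TestListenersFromSnapshot(t *testing.T) {
 nil)
 },
 },
+{
+name: "connect-proxy-without-tproxy-and-permissive-mtls",
+create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+return proxycfg.TestConfigSnapshot(t, func(ns *structs.NodeService) {
+ns.Proxy.MutualTLSMode = structs.MutualTLSModePermissive
+},
+nil)
+},
+},
 }
 
 tests = append(tests, makeListenerDiscoChainTests(false)...)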
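Review bot: The new `connect-proxy-without-tproxy-and-permissive-mtls` case gives no hint of what result it protects, and that result is security-relevant. The 115-line fixture that follows on this page (its path is not shown, so the pairing is inferred) has a single inbound filter chain with `"requireClientCertificate": true`, which suggests the case exists to pin that permissive mode alone does not open a plaintext path when transparent proxy is off. A comment above `name:` would make that explicit, for example `// Permissive mTLS without transparent proxy must leave the public listener requiring client certificates.` `TestListenersFromSnapshot` begins and ends outside the hunk.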
Lines changed: 115 additions & 0 deletions
@@ -0,0 +1,115 @@
1+
{
2+
"versionInfo": "00000001",
3+
"resources": [
4+
{
5+
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
6+
"name": "db:127.0.0.1:9191",
7+
"address": {
8+
"socketAddress": {
9+
"address": "127.0.0.1",
10+
"portValue": 9191
11+
}
12+
},
13+
"filterChains": [
14+
{
15+
"filters": [
16+
{
17+
"name": "envoy.filters.network.tcp_proxy",
18+
"typedConfig": {
19+
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
20+
"statPrefix": "upstream.db.default.default.dc1",
21+
"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
22+
}
23+
}
24+
]
25+
}
26+
],
27+
"trafficDirection": "OUTBOUND"
28+
},
29+
{
30+
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
31+
"name": "prepared_query:geo-cache:127.10.10.10:8181",
32+
"address": {
33+
"socketAddress": {
34+
"address": "127.10.10.10",
35+
"portValue": 8181
36+
}
37+
},
38+
"filterChains": [
39+
{
40+
"filters": [
41+
{
42+
"name": "envoy.filters.network.tcp_proxy",
43+
"typedConfig": {
44+
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
45+
"statPrefix": "upstream.prepared_query_geo-cache",
46+
"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
47+
}
48+
}
49+
]
50+
}
51+
],
52+
"trafficDirection": "OUTBOUND"
53+
},
54+
{
55+
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
56+
"name": "public_listener:0.0.0.0:9999",
57+
"address": {
58+
"socketAddress": {
59+
"address": "0.0.0.0",
60+
"portValue": 9999
61+
}
62+
},
63+
"filterChains": [
64+
{
65+
"filters": [
66+
{
67+
"name": "envoy.filters.network.rbac",
68+
"typedConfig": {
69+
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
70+
"rules": {},
71+
"statPrefix": "connect_authz"
72+
}
73+
},
74+
{
75+
"name": "envoy.filters.network.tcp_proxy",
76+
"typedConfig": {
77+
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
78+
"statPrefix": "public_listener",
79+
"cluster": "local_app"
80+
}
81+
}
82+
],
83+
"transportSocket": {
84+
"name": "tls",
85+
"typedConfig": {
86+
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
87+
"commonTlsContext": {
88+
"tlsParams": {},
89+
"tlsCertificates": [
90+
{
91+
"certificateChain": {
92+
"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
93+
},
94+
"privateKey": {
95+
"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
96+
}
97+
}
98+
],
99+
"validationContext": {
100+
"trustedCa": {
101+
"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
102+
}
103+
}
104+
},
105+
"requireClientCertificate": true
106+
}
107+
}
108+
}
109+
],
110+
"trafficDirection": "INBOUND"
111+
}
112+
],
113+
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
114+
"nonce": "00000001"
115+
}

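--- a/docs/README.md
+++ b/docs/README.md
@@ -40,6 +40,7 @@ Also see the [FAQ](./faq.md).
 
 1. [Integration Tests](../test/integration/connect/envoy/README.md)
 1. [Upgrade Tests](../test/integration/consul-container/test/upgrade/README.md)
+1. [Remote Debugging Integration Tests](../test/integration/consul-container/test/debugging.md)
 
 ## Important Directories
 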

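--- a/test/integration/connect/envoy/case-property-override/setup.sh
+++ b/test/integration/connect/envoy/case-property-override/setup.sh
@@ -53,12 +53,30 @@ EnvoyExtensions = [
 Path = "/upstream_connection_options/tcp_keepalive/keepalive_probes"
 Value = 1234
 },
+{
+ResourceFilter = {
+ResourceType = "cluster"
+TrafficDirection = "outbound"
+}
+Op = "add"
+Path = "/outlier_detection/max_ejection_time/seconds"
+Value = 120
+},
+{
+ResourceFilter = {
+ResourceType = "cluster"
+TrafficDirection = "outbound"
+}
+Op = "add"
+Path = "/outlier_detection/max_ejection_time_jitter/seconds"
+Value = 1
+},
 {
 ResourceFilter = {
 ResourceType = "cluster"
 TrafficDirection = "outbound"
 Services = [{
-Name = "s2"
+Name = "s3"
 }]
 }
 Op = "remove"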
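Review bot: The two added `outlier_detection` patches have no `Services` entry in their `ResourceFilter`, so they appear to apply to every outbound cluster, while the following entry that now names `s3` is a `remove`. The s3 expectation in verify.bats (`.outlier_detection` equals `null`) therefore seems to depend on the remove being applied after the adds. A short comment above the s3 entry would record that ordering, for example `# Applied after the cluster-wide adds above: strips the patched field again for s3 only.` The remove entry's `Path` and the rest of the `EnvoyExtensions` list lie outside the hunk, so the exact field removed should be confirmed there.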

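--- a/test/integration/connect/envoy/case-property-override/verify.bats
+++ b/test/integration/connect/envoy/case-property-override/verify.bats
@@ -19,13 +19,14 @@ load helpers
 [ "$status" == 0 ]
 
 [ "$(echo "$output" | jq -r '.upstream_connection_options.tcp_keepalive.keepalive_probes')" == "1234" ]
-[ "$(echo "$output" | jq -r '.outlier_detection')" == "null" ]
+[ "$(echo "$output" | jq -r '.outlier_detection.max_ejection_time')" == "120s" ]
+[ "$(echo "$output" | jq -r '.outlier_detection.max_ejection_time_jitter')" == "1s" ]
 
 run get_envoy_cluster_config localhost:19000 s3
 [ "$status" == 0 ]
 
 [ "$(echo "$output" | jq -r '.upstream_connection_options.tcp_keepalive.keepalive_probes')" == "1234" ]
-[ "$(echo "$output" | jq -r '.outlier_detection')" == "{}" ]
+[ "$(echo "$output" | jq -r '.outlier_detection')" == "null" ]
 }
 
 @test "s2 proxy is configured with the expected envoy patches" {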
Lines changed: 78 additions & 0 deletions
@@ -0,0 +1,78 @@
1+
# Remote Debugging Integration Tests
2+
3+
- [Introduction](#introduction)
4+
- [How it works](#how-it-works)
5+
- [Getting Started](#getting-started)
6+
- [Prerequisites](#prerequisites)
7+
- [Running Upgrade integration tests](#debugging-integration-tests)
8+
- [Building images](#building-images)
9+
- [Remote debugging using GoLand](#remote-debugging-using-goland)
10+
11+
12+
## Introduction
13+
14+
Remote debugging integration tests allows you to attach your debugger to the consul container and debug go code running on that container.
15+
16+
### How it works
17+
The `dev-docker-dbg` Make target will build consul docker container that has the following:
18+
- [delve (dlv) debugger](https://github.com/go-delve/delve) installed.
19+
- a port exposed on the container that allows a debugger from your development environment to connect and attach to the consul process and debug it remotely.
20+
- logs out the host and port information so that you have the information needed to connect to the port.
21+
22+
The integration tests have been modified to expose the `--debug` flag that will switch the test from using a `consul:local` image that can be built using `make dev-docker` to using the `consul-dbg:local` image that was build from `make dev-docker-dbg`.
23+
24+
The test is run in debug mode with a breakpoint set to just after the cluster is created and you can retrieve the port information. From there, you can set up a remote debugging session that connects to this port.
25+
26+
## Getting Started
27+
### Prerequisites
28+
To run/debug integration tests locally, the following tools are required on your machine:
29+
- Install [Go](https://go.dev/) (the version should match that of our CI config's Go image).
30+
- Install [`Makefile`](https://www.gnu.org/software/make/manual/make.html).
31+
- Install [`Docker`](https://docs.docker.com/get-docker/) required to run tests locally.
32+
33+
### Debugging integration tests
34+
#### Building images
35+
- Build a consul image with dlv installed and a port exposed that the debugger can attach to.
36+
```
37+
make dev-docker-dbg
38+
```
39+
- Build a consul-envoy container image from the consul root directory that is required for testing but not for debugging.
40+
```
41+
docker build consul-envoy:target-version --build-arg CONSUL_IMAGE=consul:local --build-arg ENVOY_VERSION=1.24.6 -f ./test/integration/consul-container/assets/Dockerfile-consul-envoy ./test/integration/consul-container/assets
42+
```
43+
44+
#### Remote debugging using GoLand
45+
(For additional information, see [GoLand's documentation on remote debugging](https://www.jetbrains.com/help/go/attach-to-running-go-processes-with-debugger.html#attach-to-a-process-on-a-remote-machine).)
46+
##### Set up the Debug Configuration for your test
47+
- Create the configuration for debugging the test. (You may have to debug the test once so GoLand creates the configuration for you.)
48+
- Go to `Run > Edit Configurations` and select the appropriate configuration.
49+
- Add `--debug` to `Program arguments` and click OK.
50+
51+
<img src="./util/test_debug_configuration.png" alt="isolated" width="550"/>
52+
##### Obtain the debug port of your container
53+
(This is required every time a test is debugged.)
54+
55+
- Put a breakpoint in the test that you are running right after the cluster has been created. This should be on the line after the call to `topology.NewCluster()`.
56+
- Debug the test and wait for the debug session to stop on the breakpoint in the test.
57+
- In the Debug window, search for `debug info` on the Console tab and note the host and port.
58+
59+
<img src="./util/test_debug_info.png" alt="isolated" width="550"/>
60+
- Go to `Run > Edit Configurations` and add a `Go Remote` configuration with the host and port that your test has exposed. Click OK.
61+
62+
<img src="./util/test_debug_remote_configuration.png" alt="isolated" width="550"/>
63+
- Debug the configuration that you just created. Verify that it shows as connected in the `Debugger` of this configuration in the `Debug` window.
64+
65+
<img src="./util/test_debug_remote_connected.png" alt="isolated" width="550"/>
66+
##### Debug the consul backend
67+
- Set an appropriate breakpoint in the backend code of the endpoint that your test will call and that you wish to debug.
68+
- Go to the test debugging tab for the integration test in the `Debug` window and `Resume Program`.
69+
70+
<img src="./util/test_debug_resume_program.png" alt="isolated" width="350"/>
71+
- The remote debugging session should stop on the breakpoint, and you can freely debug the code path.
72+
73+
<img src="./util/test_debug_breakpoint_hit.png" alt="isolated" width="550"/>
74+
75+
#### Remote debugging using VSCode
76+
(For additional information, see [VSCode's documentation on remote debugging](https://github.com/golang/vscode-go/blob/master/docs/debugging.md#remote-debugging).)
77+
78+
[comment]: <> (TODO: Openly looking for someone to add VSCode specific instructions.)
