From 212793a4ee65e2a4f0fef68e5fa9b2c4ef8e037b Mon Sep 17 00:00:00 2001 From: Iryna Shustava Date: Mon, 18 Sep 2023 18:26:13 -0600 Subject: [PATCH] mesh: only build tproxy outbound listener once per destination (#18836) Previously, when using implicit upstreams, we'd build outbound listener per destination instead of one for all destinations. This will result in port conflicts when trying to send this config to envoy. This PR also makes sure that leaf and root references are always added (before we would only add it if there are inbound non-mesh ports). Also, black-hole traffic when there are no inbound ports other than mesh --- agent/xdsv2/cluster_resources.go | 11 +- envoyextensions/xdscommon/xdscommon.go | 4 + .../sidecarproxy/builder/builder.go | 11 + .../builder/destination_builder.go | 12 +- .../sidecarproxy/builder/local_app.go | 52 +++- .../builder/local_app_multiport_test.go | 15 +- ...it-and-explicit-destinations-tproxy.golden | 48 ++-- .../destination/l4-multi-destination.golden | 12 + ...ltiple-implicit-destinations-tproxy.golden | 63 +---- ...le-destination-ip-port-bind-address.golden | 12 + ...estination-unix-socket-bind-address.golden | 12 + ...-single-implicit-destination-tproxy.golden | 12 + .../mixed-multi-destination.golden | 12 + ...ltiple-implicit-destinations-tproxy.golden | 261 +----------------- ...-single-implicit-destination-tproxy.golden | 56 +--- ...tion-with-multiple-workloads-tproxy.golden | 56 +--- ...ort-l4-workload-with-only-mesh-port.golden | 51 ++++ 17 files changed, 276 insertions(+), 424 deletions(-) create mode 100644 internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden diff --git a/agent/xdsv2/cluster_resources.go b/agent/xdsv2/cluster_resources.go index 99209d0c34..b0a79fd0aa 100644 --- a/agent/xdsv2/cluster_resources.go +++ b/agent/xdsv2/cluster_resources.go 
@@ -154,14 +154,15 @@ func (pr *ProxyResources) makeEnvoyDynamicCluster(name string, protocol string, } func (pr *ProxyResources) makeEnvoyStaticCluster(name string, protocol string, static *pbproxystate.StaticEndpointGroup) (*envoy_cluster_v3.Cluster, error) { - endpointList, ok := pr.proxyState.Endpoints[name] - if !ok || endpointList == nil { - return nil, fmt.Errorf("static cluster %q is missing endpoints", name) - } cluster := &envoy_cluster_v3.Cluster{ Name: name, ClusterDiscoveryType: &envoy_cluster_v3.Cluster_Type{Type: envoy_cluster_v3.Cluster_STATIC}, - LoadAssignment: makeEnvoyClusterLoadAssignment(name, endpointList.Endpoints), + } + + // todo (ishustava/v2): we need to be able to handle the case when empty endpoints are allowed on a cluster. + endpointList, ok := pr.proxyState.Endpoints[name] + if ok { + cluster.LoadAssignment = makeEnvoyClusterLoadAssignment(name, endpointList.Endpoints) } err := addHttpProtocolOptions(protocol, cluster) if err != nil { diff --git a/envoyextensions/xdscommon/xdscommon.go b/envoyextensions/xdscommon/xdscommon.go index efc2c5a87d..ae40f07021 100644 --- a/envoyextensions/xdscommon/xdscommon.go +++ b/envoyextensions/xdscommon/xdscommon.go @@ -54,6 +54,10 @@ const ( SecretType = apiTypePrefix + "envoy.extensions.transport_sockets.tls.v3.Secret" FailoverClusterNamePrefix = "failover-target~" + + // BlackHoleClusterName is the cluster we use for black-holing traffic for cases when a workload + // has no inbound ports to route to. + BlackHoleClusterName = "black-hole-cluster" ) type IndexedResources struct { diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/builder.go b/internal/mesh/internal/controllers/sidecarproxy/builder/builder.go index a76af3b653..0c0cd0661d 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/builder.go +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/builder.go 
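Review bot: The replacement `if ok {` drops the `endpointList == nil` guard that the removed check carried, so a key present in `pr.proxyState.Endpoints` with a nil value now reaches `endpointList.Endpoints` and panics where it previously returned an error; tighten it to `if ok && endpointList != nil {` (or, if the value is a protobuf message, read it through the generated nil-safe getter `endpointList.GetEndpoints()`). A second consequence is that a cluster whose endpoints are merely missing now silently becomes a STATIC cluster with no load assignment instead of failing the build, which is exactly what the new black-hole cluster needs but also hides a genuinely missing entry for any other cluster. The todo comment should say that only the deliberately endpoint-less black-hole cluster is expected to take this path, so that a missing entry for an ordinary cluster is still recognisable when someone reads or debugs this code. The remainder of makeEnvoyStaticCluster continues outside the hunk.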
@@ -45,6 +45,17 @@ func New( } func (b *Builder) Build() *pbmesh.ProxyStateTemplate { + workloadIdentity := b.proxyStateTemplate.ProxyState.Identity.Name + b.proxyStateTemplate.RequiredLeafCertificates[workloadIdentity] = &pbproxystate.LeafCertificateRef{ + Name: workloadIdentity, + Namespace: b.id.Tenancy.Namespace, + Partition: b.id.Tenancy.Partition, + } + + b.proxyStateTemplate.RequiredTrustBundles[b.id.Tenancy.PeerName] = &pbproxystate.TrustBundleRef{ + Peer: b.id.Tenancy.PeerName, + } + return b.proxyStateTemplate } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go index f0b02031d9..147d6a7b54 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go @@ -25,8 +25,7 @@ import ( // and adds them to the proxyState. func (b *Builder) BuildDestinations(destinations []*intermediate.Destination) *Builder { var lb *ListenerBuilder - if b.proxyCfg.GetDynamicConfig() != nil && - b.proxyCfg.DynamicConfig.Mode == pbmesh.ProxyMode_PROXY_MODE_TRANSPARENT { + if b.proxyCfg.IsTransparentProxy() { lb = b.addTransparentProxyOutboundListener(b.proxyCfg.DynamicConfig.TransparentProxy.OutboundListenerPort) } @@ -34,6 +33,10 @@ func (b *Builder) BuildDestinations(destinations []*intermediate.Destination) *B b.buildDestination(lb, destination) } + if b.proxyCfg.IsTransparentProxy() { + lb.buildListener() + } + return b } @@ -248,7 +251,10 @@ func (b *Builder) buildDestination( } } - lb.buildListener() + // Build outbound listener if the destination is explicit. + if destination.Explicit != nil { + lb.buildListener() + } if needsNullRouteCluster { b.addNullRouteCluster() 
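Review bot: Build now writes unconditionally into `b.proxyStateTemplate.RequiredLeafCertificates` and `RequiredTrustBundles`, which panics on a nil map; the removed code in addInboundTLS performed the same writes only after an inbound router had been created, so unless New initialises both maps (not visible from this hunk) a guard such as `if b.proxyStateTemplate.RequiredLeafCertificates == nil { b.proxyStateTemplate.RequiredLeafCertificates = make(map[string]*pbproxystate.LeafCertificateRef) }` belongs before the assignment. The move also deserves a sentence on Build itself, because a reader otherwise has to consult history to learn why a proxy with no inbound application ports still requests a leaf certificate and trust bundle: `// Build finalizes the template. Every proxy needs its own leaf certificate and the local trust bundle regardless of which listeners were built, so the references are added here rather than by the individual listener builders.` The chained access `b.proxyStateTemplate.ProxyState.Identity.Name` assumes both ProxyState and Identity are populated by the time Build runs; if New guarantees that, the comment can say so.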
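Review bot: Moving `lb.buildListener()` to after the loop in the second destination_builder.go hunk means a transparent-proxy workload with zero destinations now emits an outbound listener with no routers, whereas before the listener was only built from inside buildDestination and so never appeared without at least one destination; what Envoy does with a router-less listener depends on how the xDS layer renders it, and the commit message does not mention this case, so either confirm it is intended and document it on BuildDestinations, or skip the build with `if len(destinations) > 0`. Re-evaluating `b.proxyCfg.IsTransparentProxy()` also duplicates the condition that created `lb`; keying the call on the builder itself, `if lb != nil { lb.buildListener() }`, keeps the two in step if the first condition ever changes. The third hunk's `if destination.Explicit != nil` guard is the matching change for explicit destinations; which ListenerBuilder `lb` refers to at that point is decided earlier in buildDestination, outside the hunk.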
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go index bfb3f0b066..61ccccfbf7 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go @@ -25,10 +25,12 @@ func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload, ctp *pbauth.Comput // Note that the order of ports is non-deterministic here but the xds generation // code should make sure to send it in the same order to Envoy to avoid unnecessary // updates. + foundInboundNonMeshPorts := false for portName, port := range workload.Ports { clusterName := fmt.Sprintf("%s:%s", xdscommon.LocalAppClusterName, portName) if port.Protocol != pbcatalog.Protocol_PROTOCOL_MESH { + foundInboundNonMeshPorts = true lb.addInboundRouter(clusterName, port, portName, trafficPermissions[portName]). addInboundTLS() @@ -37,6 +39,12 @@ func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload, ctp *pbauth.Comput } } + // If there are no inbound ports other than the mesh port, we black-hole all inbound traffic. + if !foundInboundNonMeshPorts { + lb.addBlackHoleRouter() + b.addBlackHoleCluster() + } + return b } @@ -265,6 +273,28 @@ func (l *ListenerBuilder) addInboundRouter(clusterName string, port *pbcatalog.W return l } +func (l *ListenerBuilder) addBlackHoleRouter() *ListenerBuilder { + if l.listener == nil { + return l + } + + r := &pbproxystate.Router{ + Destination: &pbproxystate.Router_L4{ + L4: &pbproxystate.L4Destination{ + Destination: &pbproxystate.L4Destination_Cluster{ + Cluster: &pbproxystate.DestinationCluster{ + Name: xdscommon.BlackHoleClusterName, + }, + }, + StatPrefix: l.listener.Name, + }, + }, + } + l.listener.Routers = append(l.listener.Routers, r) + + return l +} + func getAlpnProtocolFromPortName(portName string) string { return fmt.Sprintf("consul~%s", portName) } 
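Review bot: The black-hole router added in the second hunk is the only inbound router not followed by `addInboundTLS()`, so a workload that exposes only its mesh port gets a `public_listener` whose router has no `InboundTls` (the new golden at the end of the patch shows that router with just `l4` and `statPrefix`), i.e. the listener accepts connections without requiring the peer's mTLS identity. Traffic ends in an endpoint-less cluster either way, but the TLS posture of the mesh port now depends on the workload's port list, which is awkward to operate and to audit; chaining the same call, `lb.addBlackHoleRouter().addInboundTLS()`, keeps every inbound listener uniformly mTLS-terminated, and the leaf certificate it references is now always requested by Build (this assumes addInboundTLS does not depend on per-port state that only addInboundRouter sets up, which I cannot see from here). If the omission is deliberate, a comment on the `if !foundInboundNonMeshPorts` block saying why black-holed inbound traffic need not be TLS-terminated would save the next reader the same question. BuildLocalApp begins before the first hunk.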
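Review bot: addBlackHoleRouter has no doc comment and silently returns when `l.listener` is nil, while its caller in BuildLocalApp still goes on to add the black-hole cluster, leaving a cluster that no router references; a comment would make both the purpose and that no-op contract explicit: `// addBlackHoleRouter adds an L4 router that sends all traffic on the listener to the black-hole cluster (a static cluster with no endpoints), used when a workload has no inbound ports other than mesh. It is a no-op when the listener was not created.` The nil check presumably mirrors addInboundRouter, whose body is outside the hunk; if so, saying that the two are meant to stay in step is worth a clause.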
@@ -283,6 +313,19 @@ func (b *Builder) addLocalAppCluster(clusterName string) *Builder { return b } +func (b *Builder) addBlackHoleCluster() *Builder { + b.proxyStateTemplate.ProxyState.Clusters[xdscommon.BlackHoleClusterName] = &pbproxystate.Cluster{ + Group: &pbproxystate.Cluster_EndpointGroup{ + EndpointGroup: &pbproxystate.EndpointGroup{ + Group: &pbproxystate.EndpointGroup_Static{ + Static: &pbproxystate.StaticEndpointGroup{}, + }, + }, + }, + } + return b +} + func (b *Builder) addLocalAppStaticEndpoints(clusterName string, port *pbcatalog.WorkloadPort) *Builder { // We're adding endpoints statically as opposed to creating an endpoint ref // because this endpoint is less likely to change as we're not tracking the health. @@ -319,15 +362,6 @@ func (l *ListenerBuilder) addInboundTLS() *ListenerBuilder { }, }, } - l.builder.proxyStateTemplate.RequiredLeafCertificates[workloadIdentity] = &pbproxystate.LeafCertificateRef{ - Name: workloadIdentity, - Namespace: l.builder.id.Tenancy.Namespace, - Partition: l.builder.id.Tenancy.Partition, - } - - l.builder.proxyStateTemplate.RequiredTrustBundles[l.builder.id.Tenancy.PeerName] = &pbproxystate.TrustBundleRef{ - Peer: l.builder.id.Tenancy.PeerName, - } for i := range l.listener.Routers { l.listener.Routers[i].InboundTls = inboundTLS diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go index 816e01236a..96b795109f 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go @@ -4,10 +4,11 @@ package builder import ( - "github.com/hashicorp/consul/internal/testing/golden" "sort" "testing" + "github.com/hashicorp/consul/internal/testing/golden" + "github.com/stretchr/testify/require" pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1" 
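Review bot: addBlackHoleCluster registers a STATIC cluster with an empty `StaticEndpointGroup` and no corresponding entry in the template's endpoints, which only works because makeEnvoyStaticCluster in agent/xdsv2/cluster_resources.go was relaxed in this same patch to tolerate a missing endpoints entry; that cross-package contract is invisible here and deserves a doc comment, e.g. `// addBlackHoleCluster adds a static cluster with deliberately no endpoints, so any router pointing at it has nowhere to send traffic. The xDS layer (makeEnvoyStaticCluster) must keep accepting a cluster without an Endpoints entry for this to work.` Because the cluster is keyed by the constant `xdscommon.BlackHoleClusterName`, repeated calls are idempotent, which is worth stating too. The following hunk that removes the certificate and trust-bundle references from addInboundTLS is a pure move to Build; addInboundTLS starts before that hunk.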
@@ -71,6 +72,18 @@ func TestBuildLocalApp_Multiport(t *testing.T) { }, }, }, + "source/multiport-l4-workload-with-only-mesh-port": { + workload: &pbcatalog.Workload{ + Addresses: []*pbcatalog.WorkloadAddress{ + { + Host: "10.0.0.1", + }, + }, + Ports: map[string]*pbcatalog.WorkloadPort{ + "mesh": {Port: 20000, Protocol: pbcatalog.Protocol_PROTOCOL_MESH}, + }, + }, + }, } for name, c := range cases { diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden index f18e8bcace..aee378f190 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden @@ -61,6 +61,24 @@ } }, "listeners": [ + { + "direction": "DIRECTION_OUTBOUND", + "hostPort": { + "host": "1.1.1.1", + "port": 1234 + }, + "name": "api-1:tcp:1.1.1.1:1234", + "routers": [ + { + "l4": { + "cluster": { + "name": "tcp.api-1.default.dc1.internal.foo.consul" + }, + "statPrefix": "upstream.tcp.api-1.default.default.dc1" + } + } + ] + }, { "capabilities": [ "CAPABILITY_TRANSPARENT" @@ -94,24 +112,6 @@ } } ] - }, - { - "direction": "DIRECTION_OUTBOUND", - "hostPort": { - "host": "1.1.1.1", - "port": 1234 - }, - "name": "api-1:tcp:1.1.1.1:1234", - "routers": [ - { - "l4": { - "cluster": { - "name": "tcp.api-1.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-1.default.default.dc1" - } - } - ] } ] }, 
@@ -148,5 +148,17 @@ }, "port": "mesh" } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } } } \ No newline at end of file diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden index 0ed79095ea..1c393ec7dc 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden @@ -155,5 +155,17 @@ }, "port": "mesh" } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } } } \ No newline at end of file diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden index de512dd1e5..d23c1ff1c7 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden 
@@ -61,57 +61,6 @@ } }, "listeners": [ - { - "capabilities": [ - "CAPABILITY_TRANSPARENT" - ], - "direction": "DIRECTION_OUTBOUND", - "hostPort": { - "host": "127.0.0.1", - "port": 15001 - }, - "name": "outbound_listener", - "routers": [ - { - "l4": { - "cluster": { - "name": "tcp.api-1.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-1.default.default.dc1" - }, - "match": { - "destinationPort": 8080, - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - }, - { - "l4": { - "cluster": { - "name": "tcp.api-2.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-2.default.default.dc1" - }, - "match": { - "destinationPort": 8080, - "prefixRanges": [ - { - "addressPrefix": "2.2.2.2", - "prefixLen": 32 - }, - { - "addressPrefix": "3.3.3.3", - "prefixLen": 32 - } - ] - } - } - ] - }, { "capabilities": [ "CAPABILITY_TRANSPARENT" @@ -198,5 +147,17 @@ }, "port": "mesh" } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } } } \ No newline at end of file diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden index 0955589991..3ac00f37a7 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden 
@@ -120,5 +120,17 @@ "tcp.api-2.default.dc1.internal.foo.consul": { "port": "mesh" } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } } } \ No newline at end of file diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden index 8e13096902..69e075a349 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden @@ -73,5 +73,17 @@ }, "port": "mesh" } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } } } \ No newline at end of file diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden index 549211a135..8941ab0728 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden 
@@ -85,5 +85,17 @@ }, "port": "mesh" } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } } } \ No newline at end of file diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden index a273cd4bc3..c0394a25bc 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden @@ -284,5 +284,17 @@ }, "port": "mesh" } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } } } \ No newline at end of file diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden index d7e81fd8b0..f7f3c9ffa7 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden 
@@ -111,255 +111,6 @@ } }, "listeners": [ - { - "capabilities": [ - "CAPABILITY_TRANSPARENT" - ], - "direction": "DIRECTION_OUTBOUND", - "hostPort": { - "host": "127.0.0.1", - "port": 15001 - }, - "name": "outbound_listener", - "routers": [ - { - "l4": { - "cluster": { - "name": "tcp.api-app.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-app.default.default.dc1" - }, - "match": { - "destinationPort": 8080, - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - }, - { - "l4": { - "cluster": { - "name": "tcp.api-app2.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-app2.default.default.dc1" - }, - "match": { - "destinationPort": 8080, - "prefixRanges": [ - { - "addressPrefix": "2.2.2.2", - "prefixLen": 32 - }, - { - "addressPrefix": "3.3.3.3", - "prefixLen": 32 - } - ] - } - }, - { - "l7": { - "name": "outbound_listener", - "statPrefix": "upstream." - }, - "match": { - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - }, - { - "l7": { - "name": "outbound_listener", - "statPrefix": "upstream." 
- }, - "match": { - "prefixRanges": [ - { - "addressPrefix": "2.2.2.2", - "prefixLen": 32 - }, - { - "addressPrefix": "3.3.3.3", - "prefixLen": 32 - } - ] - } - } - ] - }, - { - "capabilities": [ - "CAPABILITY_TRANSPARENT" - ], - "direction": "DIRECTION_OUTBOUND", - "hostPort": { - "host": "127.0.0.1", - "port": 15001 - }, - "name": "outbound_listener", - "routers": [ - { - "l4": { - "cluster": { - "name": "tcp.api-app.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-app.default.default.dc1" - }, - "match": { - "destinationPort": 8080, - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - }, - { - "l4": { - "cluster": { - "name": "tcp.api-app2.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-app2.default.default.dc1" - }, - "match": { - "destinationPort": 8080, - "prefixRanges": [ - { - "addressPrefix": "2.2.2.2", - "prefixLen": 32 - }, - { - "addressPrefix": "3.3.3.3", - "prefixLen": 32 - } - ] - } - }, - { - "l7": { - "name": "outbound_listener", - "statPrefix": "upstream." - }, - "match": { - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - }, - { - "l7": { - "name": "outbound_listener", - "statPrefix": "upstream." 
- }, - "match": { - "prefixRanges": [ - { - "addressPrefix": "2.2.2.2", - "prefixLen": 32 - }, - { - "addressPrefix": "3.3.3.3", - "prefixLen": 32 - } - ] - } - } - ] - }, - { - "capabilities": [ - "CAPABILITY_TRANSPARENT" - ], - "direction": "DIRECTION_OUTBOUND", - "hostPort": { - "host": "127.0.0.1", - "port": 15001 - }, - "name": "outbound_listener", - "routers": [ - { - "l4": { - "cluster": { - "name": "tcp.api-app.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-app.default.default.dc1" - }, - "match": { - "destinationPort": 8080, - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - }, - { - "l4": { - "cluster": { - "name": "tcp.api-app2.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-app2.default.default.dc1" - }, - "match": { - "destinationPort": 8080, - "prefixRanges": [ - { - "addressPrefix": "2.2.2.2", - "prefixLen": 32 - }, - { - "addressPrefix": "3.3.3.3", - "prefixLen": 32 - } - ] - } - }, - { - "l7": { - "name": "outbound_listener", - "statPrefix": "upstream." - }, - "match": { - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - }, - { - "l7": { - "name": "outbound_listener", - "statPrefix": "upstream." - }, - "match": { - "prefixRanges": [ - { - "addressPrefix": "2.2.2.2", - "prefixLen": 32 - }, - { - "addressPrefix": "3.3.3.3", - "prefixLen": 32 - } - ] - } - } - ] - }, { "capabilities": [ "CAPABILITY_TRANSPARENT" @@ -533,5 +284,17 @@ }, "port": "mesh" } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } } } \ No newline at end of file 
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden index 10a41c4370..61ffc42206 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden @@ -61,50 +61,6 @@ } }, "listeners": [ - { - "capabilities": [ - "CAPABILITY_TRANSPARENT" - ], - "direction": "DIRECTION_OUTBOUND", - "hostPort": { - "host": "127.0.0.1", - "port": 15001 - }, - "name": "outbound_listener", - "routers": [ - { - "l4": { - "cluster": { - "name": "tcp.api-app.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-app.default.default.dc1" - }, - "match": { - "destinationPort": 8080, - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - }, - { - "l7": { - "name": "outbound_listener", - "statPrefix": "upstream." - }, - "match": { - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - } - ] - }, { "capabilities": [ "CAPABILITY_TRANSPARENT" @@ -207,5 +163,17 @@ }, "port": "mesh" } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } } } \ No newline at end of file diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden index 10a41c4370..61ffc42206 100644 
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden @@ -61,50 +61,6 @@ } }, "listeners": [ - { - "capabilities": [ - "CAPABILITY_TRANSPARENT" - ], - "direction": "DIRECTION_OUTBOUND", - "hostPort": { - "host": "127.0.0.1", - "port": 15001 - }, - "name": "outbound_listener", - "routers": [ - { - "l4": { - "cluster": { - "name": "tcp.api-app.default.dc1.internal.foo.consul" - }, - "statPrefix": "upstream.tcp.api-app.default.default.dc1" - }, - "match": { - "destinationPort": 8080, - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - }, - { - "l7": { - "name": "outbound_listener", - "statPrefix": "upstream." - }, - "match": { - "prefixRanges": [ - { - "addressPrefix": "1.1.1.1", - "prefixLen": 32 - } - ] - } - } - ] - }, { "capabilities": [ "CAPABILITY_TRANSPARENT" @@ -207,5 +163,17 @@ }, "port": "mesh" } + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } } } \ No newline at end of file diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden new file mode 100644 index 0000000000..da29255b87 --- /dev/null +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden 
@@ -0,0 +1,51 @@ +{ + "proxyState": { + "clusters": { + "black-hole-cluster": { + "endpointGroup": { + "static": {} + } + } + }, + "identity": { + "name": "test-identity", + "tenancy": { + "namespace": "default", + "partition": "default", + "peerName": "local" + } + }, + "listeners": [ + { + "direction": "DIRECTION_INBOUND", + "hostPort": { + "host": "10.0.0.1", + "port": 20000 + }, + "name": "public_listener", + "routers": [ + { + "l4": { + "cluster": { + "name": "black-hole-cluster" + }, + "statPrefix": "public_listener" + } + } + ] + } + ] + }, + "requiredLeafCertificates": { + "test-identity": { + "name": "test-identity", + "namespace": "default", + "partition": "default" + } + }, + "requiredTrustBundles": { + "local": { + "peer": "local" + } + } +} \ No newline at end of file