mirror of https://github.com/status-im/consul.git
Simple API Gateway e2e test for tcp routes (#16222)
* Simple API Gateway e2e test for tcp routes * Drop DNSSans since we don't front the Gateway with a leaf cert
This commit is contained in:
parent
db2bd404bf
commit
3b9c569561
|
@ -4,6 +4,7 @@ import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
|
cachetype "github.com/hashicorp/consul/agent/cache-types"
|
||||||
"github.com/hashicorp/consul/agent/proxycfg/internal/watch"
|
"github.com/hashicorp/consul/agent/proxycfg/internal/watch"
|
||||||
"github.com/hashicorp/consul/agent/structs"
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
"github.com/hashicorp/consul/proto/pbpeering"
|
"github.com/hashicorp/consul/proto/pbpeering"
|
||||||
|
@ -225,7 +226,7 @@ func (h *handlerAPIGateway) handleGatewayConfigUpdate(ctx context.Context, u Upd
|
||||||
return fmt.Errorf("invalid type for config entry: %T", resp.Entry)
|
return fmt.Errorf("invalid type for config entry: %T", resp.Entry)
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return h.watchIngressLeafCert(ctx, snap)
|
||||||
}
|
}
|
||||||
|
|
||||||
// handleInlineCertConfigUpdate stores the certificate for the gateway
|
// handleInlineCertConfigUpdate stores the certificate for the gateway
|
||||||
|
@ -416,7 +417,7 @@ func (h *handlerAPIGateway) handleRouteConfigUpdate(ctx context.Context, u Updat
|
||||||
//
|
//
|
||||||
// TODO This would probably be more generally useful as a helper in the structs pkg
|
// TODO This would probably be more generally useful as a helper in the structs pkg
|
||||||
func (h *handlerAPIGateway) referenceIsForListener(ref structs.ResourceReference, listener structs.APIGatewayListener, snap *ConfigSnapshot) bool {
|
func (h *handlerAPIGateway) referenceIsForListener(ref structs.ResourceReference, listener structs.APIGatewayListener, snap *ConfigSnapshot) bool {
|
||||||
if ref.Kind != snap.APIGateway.GatewayConfig.Kind {
|
if ref.Kind != structs.APIGateway && ref.Kind != "" {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if ref.Name != snap.APIGateway.GatewayConfig.Name {
|
if ref.Name != snap.APIGateway.GatewayConfig.Name {
|
||||||
|
@ -424,3 +425,30 @@ func (h *handlerAPIGateway) referenceIsForListener(ref structs.ResourceReference
|
||||||
}
|
}
|
||||||
return ref.SectionName == "" || ref.SectionName == listener.Name
|
return ref.SectionName == "" || ref.SectionName == listener.Name
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (h *handlerAPIGateway) watchIngressLeafCert(ctx context.Context, snap *ConfigSnapshot) error {
|
||||||
|
// Note that we DON'T test for TLS.enabled because we need a leaf cert for the
|
||||||
|
// gateway even without TLS to use as a client cert.
|
||||||
|
if !snap.APIGateway.GatewayConfigLoaded {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Watch the leaf cert
|
||||||
|
if snap.APIGateway.LeafCertWatchCancel != nil {
|
||||||
|
snap.APIGateway.LeafCertWatchCancel()
|
||||||
|
}
|
||||||
|
ctx, cancel := context.WithCancel(ctx)
|
||||||
|
err := h.dataSources.LeafCertificate.Notify(ctx, &cachetype.ConnectCALeafRequest{
|
||||||
|
Datacenter: h.source.Datacenter,
|
||||||
|
Token: h.token,
|
||||||
|
Service: h.service,
|
||||||
|
EnterpriseMeta: h.proxyID.EnterpriseMeta,
|
||||||
|
}, leafWatchID, h.ch)
|
||||||
|
if err != nil {
|
||||||
|
cancel()
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
snap.APIGateway.LeafCertWatchCancel = cancel
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
|
@ -678,6 +678,10 @@ type configSnapshotAPIGateway struct {
|
||||||
TCPRoutes watch.Map[structs.ResourceReference, *structs.TCPRouteConfigEntry]
|
TCPRoutes watch.Map[structs.ResourceReference, *structs.TCPRouteConfigEntry]
|
||||||
Certificates watch.Map[structs.ResourceReference, *structs.InlineCertificateConfigEntry]
|
Certificates watch.Map[structs.ResourceReference, *structs.InlineCertificateConfigEntry]
|
||||||
|
|
||||||
|
// LeafCertWatchCancel is a CancelFunc to use when refreshing this gateway's
|
||||||
|
// leaf cert watch with different parameters.
|
||||||
|
LeafCertWatchCancel context.CancelFunc
|
||||||
|
|
||||||
// Listeners is the original listener config from the api-gateway config
|
// Listeners is the original listener config from the api-gateway config
|
||||||
// entry to save us trying to pass fields through Upstreams
|
// entry to save us trying to pass fields through Upstreams
|
||||||
Listeners map[string]structs.APIGatewayListener
|
Listeners map[string]structs.APIGatewayListener
|
||||||
|
@ -733,6 +737,7 @@ func (c *configSnapshotAPIGateway) ToIngress(datacenter string) (configSnapshotI
|
||||||
upstreams.DiscoveryChain = synthesizedChains
|
upstreams.DiscoveryChain = synthesizedChains
|
||||||
|
|
||||||
return configSnapshotIngressGateway{
|
return configSnapshotIngressGateway{
|
||||||
|
Upstreams: c.Upstreams,
|
||||||
ConfigSnapshotUpstreams: upstreams,
|
ConfigSnapshotUpstreams: upstreams,
|
||||||
GatewayConfigLoaded: true,
|
GatewayConfigLoaded: true,
|
||||||
Listeners: ingressListeners,
|
Listeners: ingressListeners,
|
||||||
|
@ -928,6 +933,7 @@ func (s *ConfigSnapshot) Valid() bool {
|
||||||
case structs.ServiceKindAPIGateway:
|
case structs.ServiceKindAPIGateway:
|
||||||
// TODO Is this the proper set of things to validate?
|
// TODO Is this the proper set of things to validate?
|
||||||
return s.Roots != nil &&
|
return s.Roots != nil &&
|
||||||
|
s.APIGateway.Leaf != nil &&
|
||||||
s.APIGateway.GatewayConfigLoaded &&
|
s.APIGateway.GatewayConfigLoaded &&
|
||||||
s.APIGateway.BoundGatewayConfigLoaded &&
|
s.APIGateway.BoundGatewayConfigLoaded &&
|
||||||
s.APIGateway.AreHostsSet &&
|
s.APIGateway.AreHostsSet &&
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
#!/usr/bin/env bats
|
|
||||||
|
|
||||||
load helpers
|
|
||||||
|
|
||||||
@test "api gateway proxy admin is up on :20000" {
|
|
||||||
retry_default curl -f -s localhost:20000/stats -o /dev/null
|
|
||||||
}
|
|
|
@ -7,7 +7,7 @@ kind = "api-gateway"
|
||||||
name = "api-gateway"
|
name = "api-gateway"
|
||||||
listeners = [
|
listeners = [
|
||||||
{
|
{
|
||||||
port = 9999
|
port = 9999
|
||||||
protocol = "tcp"
|
protocol = "tcp"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
@ -18,11 +18,12 @@ kind = "tcp-route"
|
||||||
name = "api-gateway-route"
|
name = "api-gateway-route"
|
||||||
services = [
|
services = [
|
||||||
{
|
{
|
||||||
name = "s1"
|
name = "s1"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
parents = [
|
parents = [
|
||||||
{
|
{
|
||||||
|
kind = "api-gateway"
|
||||||
name = "api-gateway"
|
name = "api-gateway"
|
||||||
}
|
}
|
||||||
]
|
]
|
|
@ -0,0 +1,17 @@
|
||||||
|
#!/usr/bin/env bats
|
||||||
|
|
||||||
|
load helpers
|
||||||
|
|
||||||
|
@test "api gateway proxy admin is up on :20000" {
|
||||||
|
retry_default curl -f -s localhost:20000/stats -o /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "api gateway should have healthy endpoints for s1" {
|
||||||
|
assert_upstream_has_endpoints_in_status 127.0.0.1:20000 s1 HEALTHY 1
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "api gateway should be able to connect to s1 via configured port" {
|
||||||
|
run retry_default curl -s -f -d hello localhost:9999
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
[[ "$output" == *"hello"* ]]
|
||||||
|
}
|
Loading…
Reference in New Issue