Commit Graph

70 Commits

Author SHA1 Message Date
Derek Menteer ef61bdf3c2
Remove unnecessary default test config. (#15361) 2022-11-14 14:07:42 -06:00
freddygv 3034df6a5c Require Connect and TLS to generate peering tokens
By requiring Connect and a gRPC TLS listener we can automatically
configure TLS for all peering control-plane traffic.
2022-10-07 09:06:29 -06:00
Luke Kysow 960c42854b
Remove terminal colouring from test output so it is (#14810)
more readable in CI.

```
Running primary verification step for case-ingress-gateway-multiple-services...
�[34;1mverify.bats
�[0m�[1G   ingress proxy admin is up on :20000�[K�[75G 1/12�[2G�[1G ✓ ingress proxy admin is up on :20000�[K
�[0m�[1G   s1 proxy admin is up on :19000�[K�[75G 2/12�[2G�[1G ✓ s1 proxy admin is up on :19000�[K
�[0m�[1G   s2 proxy admin is up on :19001�[K�[75G 3/12�[2G�[1G ✓ s2 proxy admin is up on :19001�[K
�[0m�[1G   s1 proxy listener should be up and have right cert�[K�[75G 4/12�[2G�[1G ✓ s1 proxy listener should be up and have right cert�[K
�[0m�[1G   s2 proxy listener should be up and have right cert�[K�[75G 5/12�[2G�[1G ✓ s2 proxy listener should be up and have right cert�[K
�[0m�[1G   ingress-gateway should have healthy endpoints for s1�[K�[75G 6/12�[2G�[31;1m�[1G ✗ ingress-gateway should have healthy endpoints for s1�[K
�[0m�[31;22m   (from function `assert_upstream_has_endpoints_in_status' in file /workdir/primary/bats/helpers.bash, line 385,
```

versus

```
Running primary verification step for case-ingress-gateway-multiple-services...
1..12
ok 1 ingress proxy admin is up on :20000
ok 2 s1 proxy admin is up on :19000
ok 3 s2 proxy admin is up on :19001
ok 4 s1 proxy listener should be up and have right cert
ok 5 s2 proxy listener should be up and have right cert
not ok 6 ingress-gateway should have healthy endpoints for s1
not ok 7 s1 proxy should have been configured with max_connections in services
ok 8 ingress-gateway should have healthy endpoints for s2
```
2022-10-04 08:35:19 -07:00
Evan Culver 31ef39112a
Add more content to integration test docs (#14613) 2022-09-14 16:13:23 -07:00
Evan Culver d0416f593c
connect: Bump latest Envoy to 1.23.1 in test matrix (#14573) 2022-09-14 13:20:16 -07:00
Luke Kysow 095764a482
Suppress "unbound variable" error. (#14424)
Without this change, you'd see this error:

```
./run-tests.sh: line 49: LAMBDA_TESTS_ENABLED: unbound variable
./run-tests.sh: line 49: LAMBDA_TESTS_ENABLED: unbound variable
```
2022-08-31 13:06:35 -07:00
Luke Kysow 70bb6a2abd
Run integration tests locally using amd64 (#14365)
Locally, always run integration tests using amd64, even if running
on an arm mac. This ensures the architecture locally always matches
the CI/CD environment.

In addition:
* Use consul:local for envoy integration and upgrade tests. Previously,
  consul:local was used for upgrade tests and consul-dev for integration
  tests. I didn't see a reason to use separate images as it's more
  confusing.
* By default, disable the requirement that aws credentials are set.
  These are only needed for the lambda tests and make it so you
  can't run any tests locally, even if you're not running the
  lambda tests. Now they'll only run if the LAMBDA_TESTS_ENABLED
  env var is set.
* Split out the building of the Docker image for integration
  tests into its own target from `dev-docker`. This allows us to always
  use an amd64 image without messing up the `dev-docker` target.
* Add support for passing GO_TEST_FLAGs to `test-envoy-integ` target.
* Add a wait_for_leader function because tests were failing locally
  without it.
2022-08-29 16:13:49 -07:00
Chris S. Kim 670531f828 Retry docker build steps 2022-08-08 12:22:16 -04:00
Chris Thain af40b9b144
Add Consul Lambda integration tests (#13770) 2022-07-21 09:54:56 -07:00
Evan Culver 4116537b83
connect: Add support for Envoy 1.23, remove 1.19 (#13807) 2022-07-19 14:51:04 -07:00
R.B. Boyer af04851637
peering: move peer replication to the external gRPC port (#13698)
Peer replication is intended to be between separate Consul installs and
effectively should be considered "external". This PR moves the peer
stream replication bidirectional RPC endpoint to the external gRPC
server and ensures that things continue to function.
2022-07-08 12:01:13 -05:00
R.B. Boyer 1a9c86ea8f
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624)
A mesh gateway will now configure the filter chains for L7 exported
services using the correct discovery chain information.
2022-06-28 14:52:25 -05:00
Dan Upton ebf74d08fd
test: run Envoy integration tests against both servers and clients (#13610) 2022-06-28 13:15:45 +01:00
Evan Culver 7f8c650d61
connect: Use Envoy 1.22.2 instead of 1.22.1 (#13444) 2022-06-14 15:29:41 -07:00
Evan Culver ba6136eb42
connect: Update Envoy support matrix to latest patch releases (#13431) 2022-06-14 13:19:09 -07:00
R.B. Boyer bba3eb8cdd
peering: mesh gateways are required for cross-peer service mesh communication (#13410)
Require use of mesh gateways in order for service mesh data plane
traffic to flow between peers.

This also adds plumbing for envoy integration tests involving peers, and
one starter peering test.
2022-06-09 11:05:18 -05:00
R.B. Boyer bd87505bf2
ci: upgrade bats and the circle machine executors to get integration tests to function again (#12918)
Bonus change: send less context when building the test-sds-server to
speed up the setup.
2022-05-03 11:21:32 -05:00
Evan Culver 000d0621b4
connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805)
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2022-04-18 09:36:07 -07:00
Evan Culver 881e17fae1
connect: Add Envoy 1.21.1 to support matrix, remove 1.17.4 (#12777) 2022-04-14 10:44:42 -07:00
R.B. Boyer 231e5b61e7
test: use docker buildkit backend for envoy integration tests (#12726) 2022-04-11 10:49:44 -05:00
Evan Culver b95f010ac0
connect: Upgrade Envoy 1.20 to 1.20.2 (#12443) 2022-02-24 16:19:39 -08:00
Evan Culver e35dd08a63
connect: Upgrade Envoy 1.20 to 1.20.1 (#11895) 2022-01-18 14:35:27 -05:00
freddygv 5c1f7aa372 Allow cross-partition references in disco chain
* Add partition fields to targets like service route destinations
* Update validation to prevent cross-DC + cross-partition references
* Handle partitions when reading config entries for disco chain
* Encode partition in compiled targets
2021-12-06 12:32:19 -07:00
freddygv 129d54d060 Fix integ test 2021-12-03 17:02:57 -07:00
freddygv cc19f09f92 Add cross-partition integration test 2021-11-12 14:45:50 -07:00
Evan Culver 61be9371f5
connect: Remove support for Envoy 1.16 (#11354) 2021-10-27 18:51:35 -07:00
Evan Culver bec08f4ec3
connect: Add support for Envoy 1.20 (#11277) 2021-10-27 18:38:10 -07:00
R.B. Boyer 3b6eeced50
test: remove some envoy integ test warnings (#11369)
We launch one container as part of the test with --pid=host but
apparently within that container it launches a copy of "tini" as a
process supervisor that prefers to be PID 1.

Because it's not PID 1 it logs a warning message about this to the envoy
integration test logs that can lead to thinking somehow that a test
failure is related when in fact it's completely unrelated.

Adding this environment variable avoids the warning.
2021-10-20 15:50:45 -05:00
Evan Culver 585d9363ed
Merge branch 'main' into eculver/envoy-1.19.1 2021-09-28 11:54:33 -07:00
Paul Banks 2b755d7b3f Allow skipping v2 compat tests for SDS as it's only the SDS server integration that doesn't support v2 2021-09-23 10:12:37 +01:00
Paul Banks e01c3585a5 Fix integration tests in CI - serve SDS certs from the Docker image not a mounted path 2021-09-23 10:12:37 +01:00
Paul Banks cd8ad007fe Add basic integration test for Envoy ingress with SDS 2021-09-23 10:08:02 +01:00
Evan Culver 7605dff46e
add envoy 1.19.1 2021-09-21 15:39:36 -07:00
Freddy 8d83d27674
connect: update envoy supported versions to latest patch release
(#10961)

Relevant advisory: 
https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h
2021-08-31 10:39:18 -06:00
Matt Keeler caafc02449 hcs-1936: Prepare for adding license auto-retrieval to auto-config in enterprise 2021-05-24 13:20:30 -04:00
R.B. Boyer 3b50a55533
connect: update supported envoy versions to 1.18.3, 1.17.3, 1.16.4, and 1.15.5 (#10231) 2021-05-12 14:06:06 -05:00
R.B. Boyer abc1dc0fe9
connect: update supported envoy versions to 1.18.2, 1.17.2, 1.16.3, and 1.15.4 (#10101)
The only thing that needed fixing up pertained to this section of the 1.18.x release notes:

> grpc_stats: the default value for stats_for_all_methods is switched from true to false, in order to avoid possible memory exhaustion due to an untrusted downstream sending a large number of unique method names. The previous default value was deprecated in version 1.14.0. This only changes the behavior when the value is not set. The previous behavior can be used by setting the value to true. This behavior change by be overridden by setting runtime feature envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default.

For now to maintain status-quo I'm explicitly setting `stats_for_all_methods=true` in all versions to avoid relying upon the default.

Additionally the naming of the emitted metrics for these gRPC requests changed slightly so the integration test assertions for `case-grpc` needed adjusting.
2021-04-29 15:22:03 -05:00
R.B. Boyer 71d45a3460
Support Incremental xDS mode (#9855)
This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged.

Union of all commit messages follows to give an overarching summary:

xds: exclusively support incremental xDS when using xDS v3

Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail.
Work around a strange older envoy behavior involving empty CDS responses over incremental xDS.
xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support

Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead.
Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client.
xds: pull out checkStreamACLs method in advance of a later commit

xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings

In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty.

This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10.

xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time
2021-04-29 13:54:05 -05:00
R.B. Boyer 398b766532
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658)
- Also add support for envoy 1.17.0
2021-02-26 16:23:15 -06:00
R.B. Boyer 6eeccc93ce
connect: update supported envoy point releases to 1.16.2, 1.15.3, 1.14.6, 1.13.7 (#9737) 2021-02-10 13:11:15 -06:00
Daniel Nephin 79284b41ea Pin alpine/socat image to a version.
To fix failing integration tests. The latest version (`1.7.4.0-r0`)
appears to not be catting all the bytes, so the expected metrics are
missing in the output.
2021-01-06 18:01:39 -05:00
R.B. Boyer 5afd04897c
test: use direct service registration in envoy integration tests (#9138)
This has the biggest impact on enterprise test cases that use namespaced
registrations, which prior to this change sometimes failed the initial
registration because the namespace was not yet created.
2020-11-09 13:59:46 -06:00
R.B. Boyer 44bd8bd2ae
use the docker proxy for more envoy integration test containers (#9085) 2020-11-02 14:52:33 -06:00
Alvin Huang ea88956c9c
use hashicorp docker mirror to prevent rate limit (#9070) 2020-10-30 17:59:13 -04:00
R.B. Boyer d7c7858d87
Fix even more test flakes in intentions related envoy integration tests (#9013)
The key thing here is to use `curl --no-keepalive` so that envoy
pre-1.15 tests will reliably use the latest listener every time.

Extra:

- Switched away from editing line-item intentions the legacy way.

- Removed some teardown scripts, as we don't share anything between cases anyway

- Removed unnecessary use of `run` in some places.
2020-10-26 17:04:35 -05:00
R.B. Boyer a2c50d3303
connect: add support for envoy 1.16.0, drop support for 1.12.x, and bump point releases as well (#8944)
Supported versions will be: "1.16.0", "1.15.2", "1.14.5", "1.13.6"
2020-10-22 13:46:19 -05:00
R.B. Boyer 0bf62246e5
speed up envoy integration tests by removing docker-compose (#8982)
This speeds up individual envoy integration test runs from ~23m to ~14m.

It's also a pre-req for possibly switching to doing the tests entirely within Go (no shell-outs).
2020-10-22 13:20:31 -05:00
R.B. Boyer a68c0ce1e7
speed up envoy integ tests by not politely stopping containers before destroying them (#8969)
In local testing this sped up the stop_services call from 11s to 1s per test.
2020-10-15 11:51:37 -05:00
R.B. Boyer c599a2f5f4
xds: add support for envoy 1.15.0 and drop support for 1.11.x (#8424)
Related changes:

- hard-fail the xDS connection attempt if the envoy version is known to be too old to be supported
- remove the RouterMatchSafeRegex proxy feature since all supported envoy versions have it
- stop using --max-obj-name-len (due to: envoyproxy/envoy#11740)
2020-07-31 15:52:49 -05:00
Hans Hasselberg 496fb5fc5b
add support for envoy 1.14.4, 1.13.4, 1.12.6 (#8216) 2020-07-13 15:44:44 -05:00