mirror of https://github.com/status-im/consul.git
d9206fc7e2
mesh: add options for HTTP incoming request normalization Expose global mesh configuration to enforce inbound HTTP request normalization on mesh traffic via Envoy xDS config. mesh: enable inbound URL path normalization by default mesh: add support for L7 header match contains and ignore_case Enable partial string and case-insensitive matching in L7 intentions header match rules. ui: support L7 header match contains and ignore_case Co-authored-by: Phil Renaud <phil@riotindustries.com> test: add request normalization integration bats tests Add both "positive" and "negative" test suites, showing normalization in action as well as expected results when it is not enabled, for the same set of test cases. Also add some alternative service container test helpers for verifying raw HTTP request paths, which is difficult to do with Fortio. docs: update security and reference docs for L7 intentions bypass prevention - Update security docs with best practices for service intentions configuration - Update configuration entry references for mesh and intentions to reflect new values and add guidance on usage |
||
|---|---|---|
| .. | ||
| case-api-gateway-http-hostnames | ||
| case-api-gateway-http-simple | ||
| case-api-gateway-http-splitter-targets | ||
| case-api-gateway-http-tls-overlapping-hosts | ||
| case-api-gateway-tcp-conflicted | ||
| case-api-gateway-tcp-simple | ||
| case-api-gateway-tcp-tls-overlapping-hosts | ||
| case-badauthz | ||
| case-basic | ||
| case-centralconf | ||
| case-cfg-resolver-cluster-peering-failover | ||
| case-cfg-resolver-dc-failover-gateways-none | ||
| case-cfg-resolver-dc-failover-gateways-remote | ||
| case-cfg-resolver-defaultsubset | ||
| case-cfg-resolver-features | ||
| case-cfg-resolver-subset-onlypassing | ||
| case-cfg-resolver-subset-redirect | ||
| case-cfg-resolver-svc-failover | ||
| case-cfg-resolver-svc-redirect-http | ||
| case-cfg-resolver-svc-redirect-tcp | ||
| case-cfg-router-features | ||
| case-cfg-splitter-cluster-peering | ||
| case-cfg-splitter-features | ||
| case-cfg-splitter-peering-ingress-gateways | ||
| case-consul-exec | ||
| case-cross-peer-control-plane-mgw | ||
| case-cross-peers | ||
| case-cross-peers-http | ||
| case-cross-peers-http-router | ||
| case-cross-peers-resolver-redirect-tcp | ||
| case-dogstatsd-udp | ||
| case-expose-checks | ||
| case-gateway-without-services | ||
| case-gateways-local | ||
| case-gateways-remote | ||
| case-grpc | ||
| case-http | ||
| case-http-badauthz | ||
| case-ingress-gateway-grpc | ||
| case-ingress-gateway-http | ||
| case-ingress-gateway-multiple-services | ||
| case-ingress-gateway-peering-failover | ||
| case-ingress-gateway-sds | ||
| case-ingress-gateway-simple | ||
| case-ingress-gateway-tls | ||
| case-ingress-mesh-gateways-resolver | ||
| case-l7-intentions | ||
| case-l7-intentions-request-normalization | ||
| case-l7-intentions-request-normalization-disabled | ||
| case-lua | ||
| case-mesh-to-lambda | ||
| case-multidc-rsa-ca | ||
| case-prometheus | ||
| case-property-override | ||
| case-stats-proxy | ||
| case-statsd-udp | ||
| case-terminating-gateway-hostnames | ||
| case-terminating-gateway-simple | ||
| case-terminating-gateway-subsets | ||
| case-terminating-gateway-without-services | ||
| case-upstream-config | ||
| case-wanfed-gw | ||
| case-wasm | ||
| case-zipkin | ||
| consul-base-cfg | ||
| docs | ||
| test-sds-server | ||
| .gitignore | ||
| Dockerfile-bats | ||
| Dockerfile-consul-envoy | ||
| Dockerfile-consul-envoy-windows | ||
| Dockerfile-tcpdump | ||
| Dockerfile-tcpdump-windows | ||
| Dockerfile-test-sds-server-windows | ||
| README.md | ||
| WINDOWS-TEST.md | ||
| defaults.sh | ||
| docker-windows.md | ||
| down.sh | ||
| helpers.bash | ||
| helpers.windows.bash | ||
| main_test.go | ||
| run-tests.sh | ||
| run-tests.windows.sh | ||
| windows-troubleshooting.md | ||
README.md
Envoy Integration Tests
Overview
These tests validate that Consul is configuring Envoy correctly. They set up various scenarios using Docker containers and then run Bats (a Bash test framework) tests to validate the expected results.
Running Tests
To run the tests locally, cd into the root of the repo and run:
make test-envoy-integ
To run a specific test, run:
make test-envoy-integ GO_TEST_FLAGS="-run TestEnvoy/case-basic"
Where case-basic can be replaced by any directory name from this directory.
How Do These Tests Work
- The tests are all run through Go test via the
main_test.gofile. Each directory prefixed bycase-is a subtest, for example,TestEnvoy/case-basicandTestEnvoy/case-wanfed-gw. - The real framework for this test suite lives in
run-tests.sh. Under the hood,main_test.gojust runsrun-tests.shwith various arguments. - The tests use your local code by building a Docker image from your local directory just before executing.
Note: this is implemented as the
docker-envoy-integMakefile target which is a prerequisite to thetest-envoy-integtarget, so if you are running the tests by invokingrun-tests.shorgo testmanually, be sure to rebuild the Docker image to ensure you are running your latest code. - The tests run Docker containers connected by a shared Docker network. All tests have at least one Consul server running and then
depending on the test case they will spin up additional services or gateways. Some tests run multiple Consul servers to test
multi-DC setups. See the
case-wanfed-gatewaytest for an example of this. - At a high level, tests are set up by executing the
setup.shscript in each directory. This script uses helper functions defined inhelpers.bash. Once the test case is set up, the validations inverify.batsare run. - If there exists a
vars.shfile in the top-level of the case directory, the test runner will source it prior to invoking therun_tests,test_teardownandcapture_logsphases of the test scenario. - If there exists a
capture.shfile in the top-level of the case directory, it will be executed after the test is done, but prior to the containers being removed. This is useful for capturing logs or Envoy snapshots for debugging test failures. - Any files matching the
*.hclglob will be copied to the container$WORKDIR/$CLUSTER/consuldirectory prior to running the tests. This is useful for defining Consul configuration for each agent process to load on start up. - In CI, the tests are executed against different Envoy versions and with both
XDS_TARGET=clientandXDS_TARGET=server. If set toclient, a Consul server and client are run, and services are registered against the client. If set toserver, only a Consul server is run, and services are registered against the server. By default,XDS_TARGETis set toserver. See this comment for more information.
Investigating Test Failures
- When tests fail in CI, logs and additional debugging data are available in the artifacts of the test run.
- You can re-run the tests locally by running
make test-envoy-integ GO_TEST_FLAGS="-run TestEnvoy/<case-directory>"where<case-directory>is replaced with the name of the directory, e.g.case-basic. - You can override the envoy version by specifying
ENVOY_VERSION=<your envoy version>eg.ENVOY_VERSION=1.27.0 make test-envoy-integ. - Locally, all the logs of the failed test will be available in
workdirin this directory. - You can run with
DEBUG=1to print out all the commands being run, e.g.DEBUG=1 make test-envoy-integ GO_TEST_FLAGS="-run TestEnvoy/case-basic". - If you want to prevent the Docker containers from being spun down after test failure, add a
sleep 9999to theverify.batstest case that's failing.
Creating a New Test
Below is a rough outline for creating a new test. For the example, assume our test case will be called my-feature.
- Create a new directory named
case-my-feature - If the test involves multiple datacenters/clusters, create a separate subdirectory for each cluster (eg.
case-my-feature/{dc1,dc2}) - Add any necessary configuration to
*.hclfiles in the respective cluster subdirectory (or the test case directory when using a single cluster). - Create a
setup.shfile in the case directory - Create a
capture.shfile in the case directory - Create a
verify.batsfile in the case directory - Populate the
setup.sh,capture.shandverify.batsfiles with the appropriate code for running your test, validating its state and capturing any logs or snapshots.