Update ProxyDefaults and ServiceDefaults with Transparent Proxy

- Update the spec of ServiceDefaults and ProxyDefaults to support
  transparent proxy changes that are introduced as a part of Consul 1.10

.circleci/config.yml

@@ -6,8 +6,8 @@ executors:
       - image: docker.mirror.hashicorp.services/circleci/golang:1.14
     environment:
       TEST_RESULTS: /tmp/test-results # path to where test results are saved
-      CONSUL_VERSION: 1.9.4 # Consul's OSS version to use in tests
-      CONSUL_ENT_VERSION: 1.9.4+ent # Consul's enterprise version to use in tests
+      CONSUL_VERSION: 1.10.0-beta1 # Consul's OSS version to use in tests
+      CONSUL_ENT_VERSION: 1.10.0+ent-beta1 # Consul's enterprise version to use in tests
 
 jobs:
   go-fmt-and-vet:

api/v1alpha1/ingressgateway_webhook.go

@@ -48,7 +48,7 @@ type IngressGatewayWebhook struct {
 //
 // NOTE: The below line cannot be combined with any other comment. If it is it will break the code generation.
 //
-// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-ingressgateway,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=ingressgateways,versions=v1alpha1,name=mutate-ingressgateway.consul.hashicorp.com,webhookVersions=v1beta1,sideEffects=None
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-ingressgateway,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=ingressgateways,versions=v1alpha1,name=mutate-ingressgateway.consul.hashicorp.com,sideEffects=None,admissionReviewVersions=v1beta1;v1
 
 func (v *IngressGatewayWebhook) Handle(ctx context.Context, req admission.Request) admission.Response {
 	var resource IngressGateway

api/v1alpha1/proxydefaults_types.go

@@ -61,6 +61,8 @@ type ProxyDefaultsSpec struct {
 	MeshGateway MeshGatewayConfig `json:"meshGateway,omitempty"`
 	// Expose controls the default expose path configuration for Envoy.
 	Expose ExposeConfig `json:"expose,omitempty"`
+	// TransparentProxy controls configuration specific to proxies in transparent mode.
+	TransparentProxy *TransparentProxyConfig `json:"transparentProxy,omitempty"`
 }
 
 func (in *ProxyDefaults) GetObjectMeta() metav1.ObjectMeta {
@@ -145,12 +147,13 @@ func (in *ProxyDefaults) SetLastSyncedTime(time *metav1.Time) {
 func (in *ProxyDefaults) ToConsul(datacenter string) capi.ConfigEntry {
 	consulConfig := in.convertConfig()
 	return &capi.ProxyConfigEntry{
-		Kind:        in.ConsulKind(),
-		Name:        in.ConsulName(),
-		MeshGateway: in.Spec.MeshGateway.toConsul(),
-		Expose:      in.Spec.Expose.toConsul(),
-		Config:      consulConfig,
-		Meta:        meta(datacenter),
+		Kind:             in.ConsulKind(),
+		Name:             in.ConsulName(),
+		MeshGateway:      in.Spec.MeshGateway.toConsul(),
+		Expose:           in.Spec.Expose.toConsul(),
+		Config:           consulConfig,
+		TransparentProxy: in.Spec.TransparentProxy.toConsul(),
+		Meta:             meta(datacenter),
 	}
 }
 

api/v1alpha1/proxydefaults_types_test.go

@@ -28,9 +28,12 @@ func TestProxyDefaults_MatchesConsul(t *testing.T) {
 				Spec: ProxyDefaultsSpec{},
 			},
 			Theirs: &capi.ProxyConfigEntry{
-				Name:        common.Global,
-				Kind:        capi.ProxyDefaults,
-				Namespace:   "default",
+				Name:      common.Global,
+				Kind:      capi.ProxyDefaults,
+				Namespace: "default",
+				TransparentProxy: &capi.TransparentProxyConfig{
+					OutboundListenerPort: 0,
+				},
 				CreateIndex: 1,
 				ModifyIndex: 2,
 				Meta: map[string]string{
@@ -67,6 +70,9 @@ func TestProxyDefaults_MatchesConsul(t *testing.T) {
 							},
 						},
 					},
+					TransparentProxy: &TransparentProxyConfig{
+						OutboundListenerPort: 1000,
+					},
 				},
 			},
 			Theirs: &capi.ProxyConfigEntry{
@@ -95,6 +101,9 @@ func TestProxyDefaults_MatchesConsul(t *testing.T) {
 						},
 					},
 				},
+				TransparentProxy: &capi.TransparentProxyConfig{
+					OutboundListenerPort: 1000,
+				},
 			},
 			Matches: true,
 		},
@@ -138,6 +147,9 @@ func TestProxyDefaults_ToConsul(t *testing.T) {
 					common.SourceKey:     common.SourceValue,
 					common.DatacenterKey: "datacenter",
 				},
+				TransparentProxy: &capi.TransparentProxyConfig{
+					OutboundListenerPort: 0,
+				},
 			},
 		},
 		"every field set": {
@@ -167,6 +179,9 @@ func TestProxyDefaults_ToConsul(t *testing.T) {
 							},
 						},
 					},
+					TransparentProxy: &TransparentProxyConfig{
+						OutboundListenerPort: 1000,
+					},
 				},
 			},
 			Exp: &capi.ProxyConfigEntry{
@@ -196,6 +211,9 @@ func TestProxyDefaults_ToConsul(t *testing.T) {
 						},
 					},
 				},
+				TransparentProxy: &capi.TransparentProxyConfig{
+					OutboundListenerPort: 1000,
+				},
 				Meta: map[string]string{
 					common.SourceKey:     common.SourceValue,
 					common.DatacenterKey: "datacenter",

api/v1alpha1/proxydefaults_webhook.go

@@ -31,7 +31,7 @@ type ProxyDefaultsWebhook struct {
 // NOTE: The below line cannot be combined with any other comment. If it is
 // it will break the code generation.
 //
-// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-proxydefaults,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=proxydefaults,versions=v1alpha1,name=mutate-proxydefaults.consul.hashicorp.com,webhookVersions=v1beta1,sideEffects=None
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-proxydefaults,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=proxydefaults,versions=v1alpha1,name=mutate-proxydefaults.consul.hashicorp.com,sideEffects=None,admissionReviewVersions=v1beta1;v1
 
 func (v *ProxyDefaultsWebhook) Handle(ctx context.Context, req admission.Request) admission.Response {
 	var proxyDefaults ProxyDefaults

api/v1alpha1/servicedefaults_types.go

@@ -55,32 +55,8 @@ type ServiceDefaultsSpec struct {
 	// ExternalSNI is an optional setting that allows for the TLS SNI value
 	// to be changed to a non-connect value when federating with an external system.
 	ExternalSNI string `json:"externalSNI,omitempty"`
-}
-
-// ExposeConfig describes HTTP paths to expose through Envoy outside of Connect.
-// Users can expose individual paths and/or all HTTP/GRPC paths for checks.
-type ExposeConfig struct {
-	// Checks defines whether paths associated with Consul checks will be exposed.
-	// This flag triggers exposing all HTTP and GRPC check paths registered for the service.
-	Checks bool `json:"checks,omitempty"`
-
-	// Paths is the list of paths exposed through the proxy.
-	Paths []ExposePath `json:"paths,omitempty"`
-}
-
-type ExposePath struct {
-	// ListenerPort defines the port of the proxy's listener for exposed paths.
-	ListenerPort int `json:"listenerPort,omitempty"`
-
-	// Path is the path to expose through the proxy, ie. "/metrics".
-	Path string `json:"path,omitempty"`
-
-	// LocalPathPort is the port that the service is listening on for the given path.
-	LocalPathPort int `json:"localPathPort,omitempty"`
-
-	// Protocol describes the upstream's service protocol.
-	// Valid values are "http" and "http2", defaults to "http".
-	Protocol string `json:"protocol,omitempty"`
+	// TransparentProxy controls configuration specific to proxies in transparent mode.
+	TransparentProxy *TransparentProxyConfig `json:"transparentProxy,omitempty"`
 }
 
 func (in *ServiceDefaults) ConsulKind() string {
@@ -160,13 +136,14 @@ func (in *ServiceDefaults) SyncedConditionStatus() corev1.ConditionStatus {
 // ToConsul converts the entry into it's Consul equivalent struct.
 func (in *ServiceDefaults) ToConsul(datacenter string) capi.ConfigEntry {
 	return &capi.ServiceConfigEntry{
-		Kind:        in.ConsulKind(),
-		Name:        in.ConsulName(),
-		Protocol:    in.Spec.Protocol,
-		MeshGateway: in.Spec.MeshGateway.toConsul(),
-		Expose:      in.Spec.Expose.toConsul(),
-		ExternalSNI: in.Spec.ExternalSNI,
-		Meta:        meta(datacenter),
+		Kind:             in.ConsulKind(),
+		Name:             in.ConsulName(),
+		Protocol:         in.Spec.Protocol,
+		MeshGateway:      in.Spec.MeshGateway.toConsul(),
+		Expose:           in.Spec.Expose.toConsul(),
+		ExternalSNI:      in.Spec.ExternalSNI,
+		TransparentProxy: in.Spec.TransparentProxy.toConsul(),
+		Meta:             meta(datacenter),
 	}
 }
 
@@ -208,41 +185,3 @@ func (in *ServiceDefaults) MatchesConsul(candidate capi.ConfigEntry) bool {
 func (in *ServiceDefaults) ConsulGlobalResource() bool {
 	return false
 }
-
-// toConsul returns the ExposeConfig for the entry
-func (e ExposeConfig) toConsul() capi.ExposeConfig {
-	var paths []capi.ExposePath
-	for _, path := range e.Paths {
-		paths = append(paths, capi.ExposePath{
-			ListenerPort:  path.ListenerPort,
-			Path:          path.Path,
-			LocalPathPort: path.LocalPathPort,
-			Protocol:      path.Protocol,
-		})
-	}
-	return capi.ExposeConfig{
-		Checks: e.Checks,
-		Paths:  paths,
-	}
-}
-
-func (e ExposeConfig) validate(path *field.Path) []*field.Error {
-	var errs field.ErrorList
-	protocols := []string{"http", "http2"}
-	for i, pathCfg := range e.Paths {
-		indexPath := path.Child("paths").Index(i)
-		if invalidPathPrefix(pathCfg.Path) {
-			errs = append(errs, field.Invalid(
-				indexPath.Child("path"),
-				pathCfg.Path,
-				`must begin with a '/'`))
-		}
-		if pathCfg.Protocol != "" && !sliceContains(protocols, pathCfg.Protocol) {
-			errs = append(errs, field.Invalid(
-				indexPath.Child("protocol"),
-				pathCfg.Protocol,
-				notInSliceMessage(protocols)))
-		}
-	}
-	return errs
-}

api/v1alpha1/servicedefaults_types_test.go

@@ -26,6 +26,9 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 			&capi.ServiceConfigEntry{
 				Name: "foo",
 				Kind: capi.ServiceDefaults,
+				TransparentProxy: &capi.TransparentProxyConfig{
+					OutboundListenerPort: 0,
+				},
 				Meta: map[string]string{
 					common.SourceKey:     common.SourceValue,
 					common.DatacenterKey: "datacenter",
@@ -60,6 +63,9 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 						},
 					},
 					ExternalSNI: "external-sni",
+					TransparentProxy: &TransparentProxyConfig{
+						OutboundListenerPort: 1000,
+					},
 				},
 			},
 			&capi.ServiceConfigEntry{
@@ -87,6 +93,9 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 					},
 				},
 				ExternalSNI: "external-sni",
+				TransparentProxy: &capi.TransparentProxyConfig{
+					OutboundListenerPort: 1000,
+				},
 				Meta: map[string]string{
 					common.SourceKey:     common.SourceValue,
 					common.DatacenterKey: "datacenter",
@@ -117,9 +126,12 @@ func TestServiceDefaults_MatchesConsul(t *testing.T) {
 				Spec: ServiceDefaultsSpec{},
 			},
 			&capi.ServiceConfigEntry{
-				Kind:        capi.ServiceDefaults,
-				Name:        "my-test-service",
-				Namespace:   "namespace",
+				Kind:      capi.ServiceDefaults,
+				Name:      "my-test-service",
+				Namespace: "namespace",
+				TransparentProxy: &capi.TransparentProxyConfig{
+					OutboundListenerPort: 0,
+				},
 				CreateIndex: 1,
 				ModifyIndex: 2,
 				Meta: map[string]string{
@@ -156,6 +168,9 @@ func TestServiceDefaults_MatchesConsul(t *testing.T) {
 						},
 					},
 					ExternalSNI: "sni-value",
+					TransparentProxy: &TransparentProxyConfig{
+						OutboundListenerPort: 1000,
+					},
 				},
 			},
 			&capi.ServiceConfigEntry{
@@ -182,6 +197,9 @@ func TestServiceDefaults_MatchesConsul(t *testing.T) {
 					},
 				},
 				ExternalSNI: "sni-value",
+				TransparentProxy: &capi.TransparentProxyConfig{
+					OutboundListenerPort: 1000,
+				},
 			},
 			true,
 		},

api/v1alpha1/servicedefaults_webhook.go

@@ -48,7 +48,7 @@ type ServiceDefaultsWebhook struct {
 //
 // NOTE: The below line cannot be combined with any other comment. If it is it will break the code generation.
 //
-// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-servicedefaults,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=servicedefaults,versions=v1alpha1,name=mutate-servicedefaults.consul.hashicorp.com,webhookVersions=v1beta1,sideEffects=None
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-servicedefaults,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=servicedefaults,versions=v1alpha1,name=mutate-servicedefaults.consul.hashicorp.com,sideEffects=None,admissionReviewVersions=v1beta1;v1
 
 func (v *ServiceDefaultsWebhook) Handle(ctx context.Context, req admission.Request) admission.Response {
 	var svcDefaults ServiceDefaults

api/v1alpha1/serviceintentions_webhook.go

@@ -34,7 +34,7 @@ type ServiceIntentionsWebhook struct {
 // NOTE: The below line cannot be combined with any other comment. If it is
 // it will break the code generation.
 //
-// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-serviceintentions,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=serviceintentions,versions=v1alpha1,name=mutate-serviceintentions.consul.hashicorp.com,webhookVersions=v1beta1,sideEffects=None
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-serviceintentions,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=serviceintentions,versions=v1alpha1,name=mutate-serviceintentions.consul.hashicorp.com,sideEffects=None,admissionReviewVersions=v1beta1;v1
 
 func (v *ServiceIntentionsWebhook) Handle(ctx context.Context, req admission.Request) admission.Response {
 	var svcIntentions ServiceIntentions

api/v1alpha1/serviceresolver_webhook.go

@@ -48,7 +48,7 @@ type ServiceResolverWebhook struct {
 //
 // NOTE: The below line cannot be combined with any other comment. If it is it will break the code generation.
 //
-// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-serviceresolver,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=serviceresolvers,versions=v1alpha1,name=mutate-serviceresolver.consul.hashicorp.com,webhookVersions=v1beta1,sideEffects=None
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-serviceresolver,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=serviceresolvers,versions=v1alpha1,name=mutate-serviceresolver.consul.hashicorp.com,sideEffects=None,admissionReviewVersions=v1beta1;v1
 
 func (v *ServiceResolverWebhook) Handle(ctx context.Context, req admission.Request) admission.Response {
 	var svcResolver ServiceResolver

api/v1alpha1/servicerouter_webhook.go

@@ -48,7 +48,7 @@ type ServiceRouterWebhook struct {
 //
 // NOTE: The below line cannot be combined with any other comment. If it is it will break the code generation.
 //
-// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-servicerouter,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=servicerouters,versions=v1alpha1,name=mutate-servicerouter.consul.hashicorp.com,webhookVersions=v1beta1,sideEffects=None
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-servicerouter,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=servicerouters,versions=v1alpha1,name=mutate-servicerouter.consul.hashicorp.com,sideEffects=None,admissionReviewVersions=v1beta1;v1
 
 func (v *ServiceRouterWebhook) Handle(ctx context.Context, req admission.Request) admission.Response {
 	var svcRouter ServiceRouter

api/v1alpha1/servicesplitter_webhook.go

@@ -49,7 +49,7 @@ type ServiceSplitterWebhook struct {
 // NOTE: The below line cannot be combined with any other comment. If it is
 // it will break the code generation.
 //
-// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-servicesplitter,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=servicesplitters,versions=v1alpha1,name=mutate-servicesplitter.consul.hashicorp.com,webhookVersions=v1beta1,sideEffects=None
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-servicesplitter,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=servicesplitters,versions=v1alpha1,name=mutate-servicesplitter.consul.hashicorp.com,sideEffects=None,admissionReviewVersions=v1beta1;v1
 
 func (v *ServiceSplitterWebhook) Handle(ctx context.Context, req admission.Request) admission.Response {
 	var serviceSplitter ServiceSplitter

api/v1alpha1/terminatinggateway_webhook.go

@@ -48,7 +48,7 @@ type TerminatingGatewayWebhook struct {
 //
 // NOTE: The below line cannot be combined with any other comment. If it is it will break the code generation.
 //
-// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-terminatinggateway,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=terminatinggateways,versions=v1alpha1,name=mutate-terminatinggateway.consul.hashicorp.com,webhookVersions=v1beta1,sideEffects=None
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-v1alpha1-terminatinggateway,mutating=true,failurePolicy=fail,groups=consul.hashicorp.com,resources=terminatinggateways,versions=v1alpha1,name=mutate-terminatinggateway.consul.hashicorp.com,sideEffects=None,admissionReviewVersions=v1beta1;v1
 
 func (v *TerminatingGatewayWebhook) Handle(ctx context.Context, req admission.Request) admission.Response {
 	var resource TerminatingGateway