diff --git a/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-with-specific-ports.golden b/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-with-specific-ports.golden index 4c7119d63fa3..cb81777262f6 100644 --- a/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-with-specific-ports.golden +++ b/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-with-specific-ports.golden 
@@ -14,46 +14,73 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~tcp" + "consul~grpc" ] }, "filters": [ { - "name": "envoy.filters.network.rbac", + "name": "envoy.filters.network.http_connection_manager", "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", - "rules": { - "policies": { - "consul-intentions-layer4": { - "permissions": [ - { - "any": true - } + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "public_listener", + "routeConfig": { + "name": "public_listener:grpc", + "virtualHosts": [ + { + "name": "public_listener:grpc", + "domains": [ + "*" ], - "principals": [ + "routes": [ { - "authenticated": { - "principalName": { - "safeRegex": { - "googleRe2": {}, - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } + "match": { + "prefix": "/" + }, + "route": { + "cluster": "local_app:grpc" } } ] } + ] + }, + "httpFilters": [ + { + "name": "envoy.filters.http.grpc_stats", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig", + "statsForAllMethods": true + } + }, + { + "name": "envoy.filters.http.grpc_http1_bridge", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_http1_bridge.v3.Config" + } + }, + { + "name": "envoy.filters.http.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC", + "rules": {} + } + }, + { + "name": "envoy.filters.http.router", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } } + ], + "tracing": { + "randomSampling": {} }, - "statPrefix": "connect_authz" - } - }, - { - "name": "envoy.filters.network.tcp_proxy", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "statPrefix": "public_listener", - "cluster": "local_app:tcp" + 
"http2ProtocolOptions": {}, + "upgradeConfigs": [ + { + "upgradeType": "websocket" + } + ] } } ], @@ -77,7 +104,11 @@ "trustedCa": { "inlineString": "some-root\nsome-other-root\n" } - } + }, + "alpnProtocols": [ + "h2", + "http/1.1" + ] }, "requireClientCertificate": true } @@ -121,29 +152,7 @@ "name": "envoy.filters.http.rbac", "typedConfig": { "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC", - "rules": { - "policies": { - "consul-intentions-layer4": { - "permissions": [ - { - "any": true - } - ], - "principals": [ - { - "authenticated": { - "principalName": { - "safeRegex": { - "googleRe2": {}, - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - } - } - ] - } - } - } + "rules": {} } }, { @@ -231,29 +240,7 @@ "name": "envoy.filters.http.rbac", "typedConfig": { "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC", - "rules": { - "policies": { - "consul-intentions-layer4": { - "permissions": [ - { - "any": true - } - ], - "principals": [ - { - "authenticated": { - "principalName": { - "safeRegex": { - "googleRe2": {}, - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - } - } - ] - } - } - } + "rules": {} } }, { 
@@ -308,95 +295,24 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~grpc" + "consul~tcp" ] }, "filters": [ { - "name": "envoy.filters.network.http_connection_manager", + "name": "envoy.filters.network.rbac", "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": {}, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", "statPrefix": "public_listener", - "routeConfig": { - "name": "public_listener:grpc", - "virtualHosts": [ - { - "name": "public_listener:grpc", - "domains": [ - "*" - ], - "routes": [ - { - "match": { - "prefix": "/" - }, - "route": { - "cluster": "local_app:grpc" - } - } - ] - } - ] - }, - "httpFilters": [ - { - "name": "envoy.filters.http.grpc_stats", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig", - "statsForAllMethods": true - } - }, - { - "name": "envoy.filters.http.grpc_http1_bridge", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_http1_bridge.v3.Config" - } - }, - { - "name": "envoy.filters.http.rbac", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC", - "rules": { - "policies": { - "consul-intentions-layer4": { - "permissions": [ - { - "any": true - } - ], - "principals": [ - { - "authenticated": { - "principalName": { - "safeRegex": { - "googleRe2": {}, - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - } - } - ] - } - } - } - } - }, - { - "name": "envoy.filters.http.router", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" - } - } - ], - "tracing": { - "randomSampling": {} - }, - 
"http2ProtocolOptions": {}, - "upgradeConfigs": [ - { - "upgradeType": "websocket" - } - ] + "cluster": "local_app:tcp" } } ], @@ -420,11 +336,7 @@ "trustedCa": { "inlineString": "some-root\nsome-other-root\n" } - }, - "alpnProtocols": [ - "h2", - "http/1.1" - ] + } }, "requireClientCertificate": true } diff --git a/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-without-ports.golden b/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-without-ports.golden index fc42b2e7b3fb..81f3bcca70ff 100644 --- a/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-without-ports.golden +++ b/agent/xdsv2/testdata/listeners/source/multiple-workload-addresses-without-ports.golden 
@@ -14,57 +14,7 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~tcp" - ] - }, - "filters": [ - { - "name": "envoy.filters.network.rbac", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", - "rules": {}, - "statPrefix": "connect_authz" - } - }, - { - "name": "envoy.filters.network.tcp_proxy", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "statPrefix": "public_listener", - "cluster": "local_app:tcp" - } - } - ], - "transportSocket": { - "name": "tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", - "commonTlsContext": { - "tlsParams": {}, - "tlsCertificates": [ - { - "certificateChain": { - "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" - }, - "privateKey": { - "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" - } - } - ], - "validationContext": { - "trustedCa": { - "inlineString": "some-root\nsome-other-root\n" - } - } - }, - 
"requireClientCertificate": true - } - } - }, - { - "filterChainMatch": { - "applicationProtocols": [ - "consul~http" + "consul~grpc" ] }, "filters": [ @@ -74,10 +24,10 @@ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", "statPrefix": "public_listener", "routeConfig": { - "name": "public_listener:http", + "name": "public_listener:grpc", "virtualHosts": [ { - "name": "public_listener:http", + "name": "public_listener:grpc", "domains": [ "*" ], @@ -87,7 +37,7 @@ "prefix": "/" }, "route": { - "cluster": "local_app:http" + "cluster": "local_app:grpc" } } ] @@ -95,6 +45,19 @@ ] }, "httpFilters": [ + { + "name": "envoy.filters.http.grpc_stats", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig", + "statsForAllMethods": true + } + }, + { + "name": "envoy.filters.http.grpc_http1_bridge", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_http1_bridge.v3.Config" + } + }, { "name": "envoy.filters.http.rbac", "typedConfig": { @@ -112,6 +75,7 @@ "tracing": { "randomSampling": {} }, + "http2ProtocolOptions": {}, "upgradeConfigs": [ { "upgradeType": "websocket" @@ -142,6 +106,7 @@ } }, "alpnProtocols": [ + "h2", "http/1.1" ] }, @@ -152,7 +117,7 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~http2" + "consul~http" ] }, "filters": [ @@ -162,10 +127,10 @@ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", "statPrefix": "public_listener", "routeConfig": { - "name": "public_listener:http2", + "name": "public_listener:http", "virtualHosts": [ { - "name": "public_listener:http2", + "name": "public_listener:http", "domains": [ "*" ], @@ -175,7 +140,7 @@ "prefix": "/" }, "route": { - "cluster": "local_app:http2" + "cluster": "local_app:http" } } ] 
@@ -200,7 +165,6 @@ "tracing": { "randomSampling": {} }, - "http2ProtocolOptions": {}, "upgradeConfigs": [ { "upgradeType": "websocket" @@ -231,7 +195,6 @@ } }, "alpnProtocols": [ - "h2", "http/1.1" ] }, @@ -242,7 +205,7 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~grpc" + "consul~http2" ] }, "filters": [ @@ -252,10 +215,10 @@ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", "statPrefix": "public_listener", "routeConfig": { - "name": "public_listener:grpc", + "name": "public_listener:http2", "virtualHosts": [ { - "name": "public_listener:grpc", + "name": "public_listener:http2", "domains": [ "*" ], @@ -265,7 +228,7 @@ "prefix": "/" }, "route": { - "cluster": "local_app:grpc" + "cluster": "local_app:http2" } } ] @@ -273,19 +236,6 @@ ] }, "httpFilters": [ - { - "name": "envoy.filters.http.grpc_stats", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig", - "statsForAllMethods": true - } - }, - { - "name": "envoy.filters.http.grpc_http1_bridge", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_http1_bridge.v3.Config" - } - }, { "name": "envoy.filters.http.rbac", "typedConfig": { 
@@ -341,6 +291,56 @@ "requireClientCertificate": true } } + }, + { + "filterChainMatch": { + "applicationProtocols": [ + "consul~tcp" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": {}, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "public_listener", + "cluster": "local_app:tcp" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + } + } + }, + "requireClientCertificate": true + } + } } ], "listenerFilters": [ diff --git a/agent/xdsv2/testdata/listeners/source/single-workload-address-without-ports.golden b/agent/xdsv2/testdata/listeners/source/single-workload-address-without-ports.golden index fc42b2e7b3fb..81f3bcca70ff 100644 --- a/agent/xdsv2/testdata/listeners/source/single-workload-address-without-ports.golden +++ b/agent/xdsv2/testdata/listeners/source/single-workload-address-without-ports.golden 
@@ -14,57 +14,7 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~tcp" - ] - }, - "filters": [ - { - "name": "envoy.filters.network.rbac", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", - "rules": {}, - "statPrefix": "connect_authz" - } - }, - { - "name": "envoy.filters.network.tcp_proxy", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "statPrefix": "public_listener", - "cluster": "local_app:tcp" - } - } - ], - "transportSocket": { - "name": "tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", - "commonTlsContext": { - "tlsParams": {}, - "tlsCertificates": [ - { - "certificateChain": { - "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" - }, - "privateKey": { - "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" - } - } - ], - "validationContext": { - "trustedCa": { - "inlineString": "some-root\nsome-other-root\n" - } - } - }, - 
"requireClientCertificate": true - } - } - }, - { - "filterChainMatch": { - "applicationProtocols": [ - "consul~http" + "consul~grpc" ] }, "filters": [ @@ -74,10 +24,10 @@ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", "statPrefix": "public_listener", "routeConfig": { - "name": "public_listener:http", + "name": "public_listener:grpc", "virtualHosts": [ { - "name": "public_listener:http", + "name": "public_listener:grpc", "domains": [ "*" ], @@ -87,7 +37,7 @@ "prefix": "/" }, "route": { - "cluster": "local_app:http" + "cluster": "local_app:grpc" } } ] @@ -95,6 +45,19 @@ ] }, "httpFilters": [ + { + "name": "envoy.filters.http.grpc_stats", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig", + "statsForAllMethods": true + } + }, + { + "name": "envoy.filters.http.grpc_http1_bridge", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_http1_bridge.v3.Config" + } + }, { "name": "envoy.filters.http.rbac", "typedConfig": { @@ -112,6 +75,7 @@ "tracing": { "randomSampling": {} }, + "http2ProtocolOptions": {}, "upgradeConfigs": [ { "upgradeType": "websocket" @@ -142,6 +106,7 @@ } }, "alpnProtocols": [ + "h2", "http/1.1" ] }, @@ -152,7 +117,7 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~http2" + "consul~http" ] }, "filters": [ @@ -162,10 +127,10 @@ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", "statPrefix": "public_listener", "routeConfig": { - "name": "public_listener:http2", + "name": "public_listener:http", "virtualHosts": [ { - "name": "public_listener:http2", + "name": "public_listener:http", "domains": [ "*" ], @@ -175,7 +140,7 @@ "prefix": "/" }, "route": { - "cluster": "local_app:http2" + "cluster": "local_app:http" } } ] 
@@ -200,7 +165,6 @@ "tracing": { "randomSampling": {} }, - "http2ProtocolOptions": {}, "upgradeConfigs": [ { "upgradeType": "websocket" @@ -231,7 +195,6 @@ } }, "alpnProtocols": [ - "h2", "http/1.1" ] }, @@ -242,7 +205,7 @@ { "filterChainMatch": { "applicationProtocols": [ - "consul~grpc" + "consul~http2" ] }, "filters": [ @@ -252,10 +215,10 @@ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", "statPrefix": "public_listener", "routeConfig": { - "name": "public_listener:grpc", + "name": "public_listener:http2", "virtualHosts": [ { - "name": "public_listener:grpc", + "name": "public_listener:http2", "domains": [ "*" ], @@ -265,7 +228,7 @@ "prefix": "/" }, "route": { - "cluster": "local_app:grpc" + "cluster": "local_app:http2" } } ] @@ -273,19 +236,6 @@ ] }, "httpFilters": [ - { - "name": "envoy.filters.http.grpc_stats", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig", - "statsForAllMethods": true - } - }, - { - "name": "envoy.filters.http.grpc_http1_bridge", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_http1_bridge.v3.Config" - } - }, { "name": "envoy.filters.http.rbac", "typedConfig": { 
@@ -341,6 +291,56 @@ "requireClientCertificate": true } } + }, + { + "filterChainMatch": { + "applicationProtocols": [ + "consul~tcp" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": {}, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "public_listener", + "cluster": "local_app:tcp" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICDjCCAbWgAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDEwlUZXN0IENB\nIDEwHhcNMjMxMDE2MTYxMzI5WhcNMjMxMDE2MTYyMzI5WjAAMFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9\nta/bGT+5orZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJaOCAQowggEGMA4GA1UdDwEB\n/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/\nBAIwADApBgNVHQ4EIgQg3ogXVz9cqaK2B6xdiJYMa5NtT0KkYv7BA2dR7h9EcwUw\nKwYDVR0jBCQwIoAgq+C1mPlPoGa4lt7sSft1goN5qPGyBIB/3mUHJZKSFY8wbwYD\nVR0RAQH/BGUwY4Zhc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9hcC9kZWZhdWx0L25zL2RlZmF1bHQvaWRlbnRpdHkv\ndGVzdC1pZGVudGl0eTAKBggqhkjOPQQDAgNHADBEAiB6L+t5bzRrBPhiQYNeA7fF\nUCuLWrdjW4Xbv3SLg0IKMgIgfRC5hEx+DqzQxTCP4sexX3hVWMjKoWmHdwiUcg+K\n/IE=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFIFkTIL1iUV4O/RpveVHzHs7ZzhSkvYIzbdXDttz9EooAoGCCqGSM49\nAwEHoUQDQgAErErAIosDPheZQGbxFQ4hYC/e9Fi4MG9z/zjfCnCq/oK9ta/bGT+5\norZqTmdN/ICsKQDhykxZ2u/Xr6845zhcJQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": 
"some-root\nsome-other-root\n" + } + } + }, + "requireClientCertificate": true + } + } } ], "listenerFilters": [ diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go index cd9e5480486d..7c4ff8df04a3 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go @@ -102,13 +102,27 @@ func TestBuildLocalApp(t *testing.T) { for name, c := range cases { t.Run(name, func(t *testing.T) { - proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", c.defaultAllow, nil). - BuildLocalApp(c.workload, c.ctp). + proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", true, nil). + BuildLocalApp(c.workload, nil). Build() + + // sort routers because of test flakes where order was flip flopping. + actualRouters := proxyTmpl.ProxyState.Listeners[0].Routers + sort.Slice(actualRouters, func(i, j int) bool { + return actualRouters[i].String() < actualRouters[j].String() + }) + actual := protoToJSON(t, proxyTmpl) - expected := golden.Get(t, actual, name+".golden") + expected := JSONToProxyTemplate(t, golden.GetBytes(t, actual, name+".golden")) - require.JSONEq(t, expected, actual) + // sort routers on listener from golden file + expectedRouters := expected.ProxyState.Listeners[0].Routers + sort.Slice(expectedRouters, func(i, j int) bool { + return expectedRouters[i].String() < expectedRouters[j].String() + }) + + // convert back to json after sorting so that test output does not contain extraneous fields. + require.Equal(t, protoToJSON(t, expected), protoToJSON(t, proxyTmpl)) }) } } 
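Review bot: The rewritten call `New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", true, nil).BuildLocalApp(c.workload, nil)` hard-codes default-allow and a nil traffic-permissions argument where the removed lines passed `c.defaultAllow` and `c.ctp`, so no case in this table appears to exercise the traffic-permissions path any more. The regenerated goldens in this commit show the effect: every `allowPermissions` entry carrying the `^spiffe://foo.consul/ap/default/ns/default/identity/foo$` principal becomes `"trafficPermissions": {}` (and `"rules": {}` in the listener goldens), so the tests no longer pin which identity the public listener admits. If the goal was only to stop the router-order flake, keep the two `sort.Slice` calls and restore `c.defaultAllow` and `c.ctp` in the call. If those fields were removed from the case struct (not visible here, since the hunk starts inside `TestBuildLocalApp`), add a comment such as `// traffic-permission translation is asserted in <name of the test that covers it>` so the gap is deliberate and traceable. Separately, `Listeners[0]` is indexed on both the built and the golden template without a length check; a `require.NotEmpty(t, proxyTmpl.ProxyState.Listeners)` (and the same for `expected`) before sorting would turn a panic into a readable failure.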
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiple-workload-addresses-with-specific-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiple-workload-addresses-with-specific-ports.golden index bfdd334614c7..70d0232467f1 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiple-workload-addresses-with-specific-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiple-workload-addresses-with-specific-ports.golden @@ -108,28 +108,18 @@ } } }, - "l4": { - "cluster": { - "name": "local_app:tcp" + "l7": { + "protocol": "L7_PROTOCOL_GRPC", + "route": { + "name": "public_listener:grpc" }, "statPrefix": "public_listener", - "trafficPermissions": { - "allowPermissions": [ - { - "principals": [ - { - "spiffe": { - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - ] - } - ] - } + "staticRoute": true, + "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~tcp" + "consul~grpc" ] } }, @@ -150,19 +140,7 @@ }, "statPrefix": "public_listener", "staticRoute": true, - "trafficPermissions": { - "allowPermissions": [ - { - "principals": [ - { - "spiffe": { - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - ] - } - ] - } + "trafficPermissions": {} }, "match": { "alpnProtocols": [ @@ -188,19 +166,7 @@ }, "statPrefix": "public_listener", "staticRoute": true, - "trafficPermissions": { - "allowPermissions": [ - { - "principals": [ - { - "spiffe": { - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - ] - } - ] - } + "trafficPermissions": {} }, "match": { "alpnProtocols": [ 
@@ -219,30 +185,16 @@ } } }, - "l7": { - "protocol": "L7_PROTOCOL_GRPC", - "route": { - "name": "public_listener:grpc" + "l4": { + "cluster": { + "name": "local_app:tcp" }, "statPrefix": "public_listener", - "staticRoute": true, - "trafficPermissions": { - "allowPermissions": [ - { - "principals": [ - { - "spiffe": { - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - ] - } - ] - } + "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~grpc" + "consul~tcp" ] } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiple-workload-addresses-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiple-workload-addresses-without-ports.golden index 3316d7161ead..b86daa281714 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiple-workload-addresses-without-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiple-workload-addresses-without-ports.golden @@ -108,16 +108,18 @@ } } }, - "l4": { - "cluster": { - "name": "local_app:tcp" + "l7": { + "protocol": "L7_PROTOCOL_GRPC", + "route": { + "name": "public_listener:grpc" }, "statPrefix": "public_listener", + "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~tcp" + "consul~grpc" ] } }, @@ -183,18 +185,16 @@ } } }, - "l7": { - "protocol": "L7_PROTOCOL_GRPC", - "route": { - "name": "public_listener:grpc" + "l4": { + "cluster": { + "name": "local_app:tcp" }, "statPrefix": "public_listener", - "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~grpc" + "consul~tcp" ] } } diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/single-workload-address-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/single-workload-address-without-ports.golden index 3316d7161ead..b86daa281714 100644 
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/single-workload-address-without-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/single-workload-address-without-ports.golden @@ -108,16 +108,18 @@ } } }, - "l4": { - "cluster": { - "name": "local_app:tcp" + "l7": { + "protocol": "L7_PROTOCOL_GRPC", + "route": { + "name": "public_listener:grpc" }, "statPrefix": "public_listener", + "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~tcp" + "consul~grpc" ] } }, @@ -183,18 +185,16 @@ } } }, - "l7": { - "protocol": "L7_PROTOCOL_GRPC", - "route": { - "name": "public_listener:grpc" + "l4": { + "cluster": { + "name": "local_app:tcp" }, "statPrefix": "public_listener", - "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~grpc" + "consul~tcp" ] } } diff --git a/internal/mesh/internal/controllers/xds/testdata/source/multiple-workload-addresses-with-specific-ports.golden b/internal/mesh/internal/controllers/xds/testdata/source/multiple-workload-addresses-with-specific-ports.golden index 153c87306fd8..b67d034c7e34 100644 --- a/internal/mesh/internal/controllers/xds/testdata/source/multiple-workload-addresses-with-specific-ports.golden +++ b/internal/mesh/internal/controllers/xds/testdata/source/multiple-workload-addresses-with-specific-ports.golden @@ -113,28 +113,18 @@ } } }, - "l4": { - "cluster": { - "name": "local_app:tcp" + "l7": { + "protocol": "L7_PROTOCOL_GRPC", + "route": { + "name": "public_listener:grpc" }, "statPrefix": "public_listener", - "trafficPermissions": { - "allowPermissions": [ - { - "principals": [ - { - "spiffe": { - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - ] - } - ] - } + "staticRoute": true, + "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~tcp" + "consul~grpc" ] } }, 
@@ -155,19 +145,7 @@ }, "statPrefix": "public_listener", "staticRoute": true, - "trafficPermissions": { - "allowPermissions": [ - { - "principals": [ - { - "spiffe": { - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - ] - } - ] - } + "trafficPermissions": {} }, "match": { "alpnProtocols": [ @@ -193,19 +171,7 @@ }, "statPrefix": "public_listener", "staticRoute": true, - "trafficPermissions": { - "allowPermissions": [ - { - "principals": [ - { - "spiffe": { - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - ] - } - ] - } + "trafficPermissions": {} }, "match": { "alpnProtocols": [ @@ -224,30 +190,16 @@ } } }, - "l7": { - "protocol": "L7_PROTOCOL_GRPC", - "route": { - "name": "public_listener:grpc" + "l4": { + "cluster": { + "name": "local_app:tcp" }, "statPrefix": "public_listener", - "staticRoute": true, - "trafficPermissions": { - "allowPermissions": [ - { - "principals": [ - { - "spiffe": { - "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" - } - } - ] - } - ] - } + "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~grpc" + "consul~tcp" ] } } diff --git a/internal/mesh/internal/controllers/xds/testdata/source/multiple-workload-addresses-without-ports.golden b/internal/mesh/internal/controllers/xds/testdata/source/multiple-workload-addresses-without-ports.golden index b5d20a1a4c66..8b0491894865 100644 --- a/internal/mesh/internal/controllers/xds/testdata/source/multiple-workload-addresses-without-ports.golden +++ b/internal/mesh/internal/controllers/xds/testdata/source/multiple-workload-addresses-without-ports.golden @@ -113,16 +113,18 @@ } } }, - "l4": { - "cluster": { - "name": "local_app:tcp" + "l7": { + "protocol": "L7_PROTOCOL_GRPC", + "route": { + "name": "public_listener:grpc" }, "statPrefix": "public_listener", + "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~tcp" + "consul~grpc" ] } }, 
@@ -188,18 +190,16 @@ } } }, - "l7": { - "protocol": "L7_PROTOCOL_GRPC", - "route": { - "name": "public_listener:grpc" + "l4": { + "cluster": { + "name": "local_app:tcp" }, "statPrefix": "public_listener", - "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~grpc" + "consul~tcp" ] } } diff --git a/internal/mesh/internal/controllers/xds/testdata/source/single-workload-address-without-ports.golden b/internal/mesh/internal/controllers/xds/testdata/source/single-workload-address-without-ports.golden index b5d20a1a4c66..8b0491894865 100644 --- a/internal/mesh/internal/controllers/xds/testdata/source/single-workload-address-without-ports.golden +++ b/internal/mesh/internal/controllers/xds/testdata/source/single-workload-address-without-ports.golden @@ -113,16 +113,18 @@ } } }, - "l4": { - "cluster": { - "name": "local_app:tcp" + "l7": { + "protocol": "L7_PROTOCOL_GRPC", + "route": { + "name": "public_listener:grpc" }, "statPrefix": "public_listener", + "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~tcp" + "consul~grpc" ] } }, @@ -188,18 +190,16 @@ } } }, - "l7": { - "protocol": "L7_PROTOCOL_GRPC", - "route": { - "name": "public_listener:grpc" + "l4": { + "cluster": { + "name": "local_app:tcp" }, "statPrefix": "public_listener", - "staticRoute": true, "trafficPermissions": {} }, "match": { "alpnProtocols": [ - "consul~grpc" + "consul~tcp" ] } }