diff --git a/acceptance/framework/helpers/helpers.go b/acceptance/framework/helpers/helpers.go
index 0871532426..e1e81dc364 100644
--- a/acceptance/framework/helpers/helpers.go
+++ b/acceptance/framework/helpers/helpers.go
@@ -209,6 +209,12 @@ func RunCommand(t testutil.TestingTB, options *k8s.KubectlOptions, command Comma
 go func() {
 output, err := exec.Command(command.Command, command.Args...).CombinedOutput()
+ for _, v := range command.Args {
+ if strings.Contains(v, "-vvvsSf") {
+ fmt.Printf("%s%s\n", command.Command, command.Args)
+ fmt.Println(string(output))
+ }
+ }
 resultCh <- &cmdResult{output: string(output), err: err}
 }()
diff --git a/acceptance/framework/k8s/deploy.go b/acceptance/framework/k8s/deploy.go
index e1d9f01a80..6ac20ca9af 100644
--- a/acceptance/framework/k8s/deploy.go
+++ b/acceptance/framework/k8s/deploy.go
@@ -180,6 +180,7 @@ func CheckStaticServerConnectionFailing(t *testing.T, options *k8s.KubectlOption
 "curl: (52) Empty reply from server",
 "curl: (7) Failed to connect",
 "curl: (56) Recv failure: Connection reset by peer",
+ "curl: (35) OpenSSL SSL_connect: Connection reset by peer",
 }, "", curlArgs...)
 }
diff --git a/acceptance/tests/fixtures/bases/static-server-test-tcp/configmap.yaml b/acceptance/tests/fixtures/bases/static-server-test-tcp/configmap.yaml
new file mode 100644
index 0000000000..c2b200a1e4
--- /dev/null
+++ b/acceptance/tests/fixtures/bases/static-server-test-tcp/configmap.yaml
@@ -0,0 +1,22 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: static-server-config
+data:
+ config: |
+ {
+ local_certs
+ skip_install_trust
+ auto_https disable_redirects
+ }
+ static-server-hostname.virtual.server.consul {
+ log
+ respond "hello world"
+ }
+ :80 {
+ log
+ respond "hello world"
+ }
\ No newline at end of file
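Review bot: The loop added to RunCommand in helpers.go writes the full argument list and the combined output of any command carrying `-vvvsSf` straight to stdout with `fmt.Printf`/`fmt.Println`, which bypasses the test logger and puts whatever those arguments or the response contain (possibly tokens or auth headers) into CI logs. It reads like a debugging aid; if it is meant to stay, log once where the result is read from `resultCh` rather than inside the goroutine, e.g. `t.Logf("%s %s\n%s", command.Command, strings.Join(command.Args, " "), res.output)`, and `break` after the first match so a command with two matching arguments is not dumped twice. As written, `%s%s` also glues the command name to the bracketed slice with no separator. RunCommand starts and ends outside the hunk, so whether `fmt` and `strings` are already imported cannot be confirmed from here.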
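Review bot: The new accepted failure `"curl: (35) OpenSSL SSL_connect: Connection reset by peer"` in CheckStaticServerConnectionFailing (deploy.go) is tied to the wording of one TLS backend, so a client image whose curl is built against a different library would report exit code 35 with different text and the check would not recognise it. A comment above the entry would record the intent, for example `// curl exit 35: TLS handshake reset by peer (text as emitted by OpenSSL builds of curl)`. Because a handshake reset can also come from an unrelated TLS fault, it is worth confirming that callers expecting a denied connection cannot pass on this message for the wrong reason. The function body starts outside the hunk, so how the list is matched against the output is not visible here.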
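Review bot: The Caddyfile in configmap.yaml hard-codes the site address `static-server-hostname.virtual.server.consul`, which has to equal the URL the peering test builds from `externalServerHostnameID` and `staticServerPeer`; if either value changes, the HTTPS request would presumably stop matching this site block instead of failing in an obvious way. A comment tying the two together would help, e.g. `# must match https://<externalServerHostnameID>.virtual.<peer>.consul built in peering_connect_test.go`. One more line should say that `local_certs` makes Caddy serve a certificate from its own internal CA, which is why the client side has to skip verification. The file also ends without a trailing newline.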
diff --git a/acceptance/tests/fixtures/bases/static-server-test-tcp/deployment.yaml b/acceptance/tests/fixtures/bases/static-server-test-tcp/deployment.yaml
new file mode 100644
index 0000000000..ccf48a873b
--- /dev/null
+++ b/acceptance/tests/fixtures/bases/static-server-test-tcp/deployment.yaml
@@ -0,0 +1,41 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: static-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: static-server
+ template:
+ metadata:
+ labels:
+ app: static-server
+ spec:
+ containers:
+ - name: caddy
+ image: caddy:latest
+ ports:
+ - name: https-port
+ containerPort: 443
+ - name: http-port
+ containerPort: 80
+ volumeMounts:
+ - name: data
+ mountPath: "/data"
+ - name: config
+ mountPath: /etc/caddy/
+ readOnly: true
+ serviceAccountName: static-server
+ volumes:
+ - name: data
+ emptyDir: {}
+ - name: config
+ configMap:
+ name: static-server-config
+ items:
+ - key: "config"
+ path: "Caddyfile"
\ No newline at end of file
diff --git a/acceptance/tests/fixtures/bases/static-server-test-tcp/kustomization.yaml b/acceptance/tests/fixtures/bases/static-server-test-tcp/kustomization.yaml
new file mode 100644
index 0000000000..6d7daa8f88
--- /dev/null
+++ b/acceptance/tests/fixtures/bases/static-server-test-tcp/kustomization.yaml
@@ -0,0 +1,10 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+resources:
+ - deployment.yaml
+ - configmap.yaml
+ - service.yaml
+ - serviceaccount.yaml
+ - psp-rolebinding.yaml
+ - privileged-scc-rolebinding.yaml
diff --git a/acceptance/tests/fixtures/bases/static-server-test-tcp/privileged-scc-rolebinding.yaml b/acceptance/tests/fixtures/bases/static-server-test-tcp/privileged-scc-rolebinding.yaml
new file mode 100644
index 0000000000..bed477ed26
--- /dev/null
+++ b/acceptance/tests/fixtures/bases/static-server-test-tcp/privileged-scc-rolebinding.yaml
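Review bot: `image: caddy:latest` in deployment.yaml is a mutable tag, so each acceptance run pulls whatever the registry serves that day; a new Caddy release can change TLS behaviour underneath the test, and the image content is not fixed to anything a reviewer can inspect. Pin it to a release tag and ideally a digest, e.g. `image: caddy:<VERSION>@sha256:<DIGEST>` (placeholders; use the version the test was written against). The container also declares no `securityContext`, which matters more here because the same service account is bound to the privileged SCC elsewhere in this fixture; restricting it to what serving on 80 and 443 needs would keep the fixture closer to least privilege. The file ends without a trailing newline.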
@@ -0,0 +1,14 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: static-server-openshift-privileged
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+ - kind: ServiceAccount
+ name: static-server
\ No newline at end of file
diff --git a/acceptance/tests/fixtures/bases/static-server-test-tcp/psp-rolebinding.yaml b/acceptance/tests/fixtures/bases/static-server-test-tcp/psp-rolebinding.yaml
new file mode 100644
index 0000000000..3c6cfad8f1
--- /dev/null
+++ b/acceptance/tests/fixtures/bases/static-server-test-tcp/psp-rolebinding.yaml
@@ -0,0 +1,14 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: static-server
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: test-psp
+subjects:
+ - kind: ServiceAccount
+ name: static-server
\ No newline at end of file
diff --git a/acceptance/tests/fixtures/bases/static-server-test-tcp/service.yaml b/acceptance/tests/fixtures/bases/static-server-test-tcp/service.yaml
new file mode 100644
index 0000000000..7f4f930c0a
--- /dev/null
+++ b/acceptance/tests/fixtures/bases/static-server-test-tcp/service.yaml
@@ -0,0 +1,21 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: static-server
+ labels:
+ app: static-server
+spec:
+ ports:
+ - name: https-port
+ port: 443
+ targetPort: https-port
+ protocol: TCP
+ - name: http-port
+ port: 80
+ targetPort: http-port
+ protocol: TCP
+ selector:
+ app: static-server
diff --git a/acceptance/tests/fixtures/bases/static-server-test-tcp/serviceaccount.yaml b/acceptance/tests/fixtures/bases/static-server-test-tcp/serviceaccount.yaml
new file mode 100644
index 0000000000..ced9002d6b
--- /dev/null
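Review bot: The RoleBinding in privileged-scc-rolebinding.yaml grants the `static-server` service account the `system:openshift:scc:privileged` SCC, which is far more than a container answering "hello world" on ports 80 and 443 needs. If the only requirement is running as the image's default user, a narrower SCC such as `anyuid` may be enough; otherwise the manifest should say why privileged is required, e.g. `# privileged SCC needed because <REASON>`. The binding presumably mirrors the existing static-server fixture, but fixtures tend to be copied into real manifests, so the justification belongs in the file. The file has no trailing newline.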
+++ b/acceptance/tests/fixtures/bases/static-server-test-tcp/serviceaccount.yaml
@@ -0,0 +1,7 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: static-server
diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go
index 6bab0aa909..8a46d8ffd1 100644
--- a/acceptance/tests/peering/peering_connect_test.go
+++ b/acceptance/tests/peering/peering_connect_test.go
@@ -40,17 +40,19 @@ func TestPeering_Connect(t *testing.T) {
 t.Skipf("skipping this test because peering is not supported in version %v", cfg.ConsulVersion.String())
 }
- const staticServerPeer = "server"
- const staticClientPeer = "client"
+ const (
+ staticServerPeer = "server"
+ staticClientPeer = "client"
+ )
 cases := []struct {
 name string
 ACLsEnabled bool
 }{
- {
- "default installation",
- false,
- },
+ // {
+ // "default installation",
+ // false,
+ // },
 {
 "secure installation",
 true,
@@ -337,7 +339,7 @@ func TestPeering_Connect(t *testing.T) {
 // Create the external server in the server Kubernetes cluster, outside the mesh in the "external" namespace
 logger.Log(t, "creating static-server deployment in server peer outside of mesh")
- k8s.DeployKustomize(t, externalServerOpts, cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, "../fixtures/bases/static-server")
+ k8s.DeployKustomize(t, externalServerOpts, cfg.NoCleanupOnFailure, cfg.NoCleanup, cfg.DebugDirectory, "../fixtures/bases/static-server-test-tcp")
 // Prevent dialing the server directly through the sidecar.
 terminatinggateway.CreateMeshConfigEntry(t, staticServerPeerClient, "")
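Review bot: The `default installation` case in TestPeering_Connect is disabled by commenting it out, so after this commit the peering flow runs only with ACLs enabled and the non-ACL path loses coverage with no record of why. This looks like a leftover from iterating on the new scenario; restore the entry, or if it has to stay disabled, say so in the table, e.g. `// TODO(<ISSUE>): default installation disabled because <REASON>`. The later hunk at -337 also switches the shared external server to the `static-server-test-tcp` fixture, so the existing HTTP check now runs against Caddy as well, which is another reason to keep both cases running. The test function continues outside the hunk.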
@@ -377,6 +379,16 @@ func TestPeering_Connect(t *testing.T) {
 // Test that we can make a call to the terminating gateway.
 logger.Log(t, "trying calls to terminating gateway")
 k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, externalServerHostnameURL)
+
+ // Update the service default declaring the external service (aka Destination)
+ logger.Log(t, "updating service defaults to try tcp scenario")
+ // Register the external service.
+ externalServerHostnameURL = fmt.Sprintf("https://%s.virtual.%s.consul", externalServerHostnameID, staticServerPeer)
+
+ terminatinggateway.CreateServiceDefaultDestination(t, staticServerPeerClient, "", externalServerHostnameID, "", 443, fmt.Sprintf("%s.%s", externalServerServiceName, externalServerK8sNamespace))
+
+ logger.Log(t, "trying calls to terminating gateway")
+ k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, "-k", externalServerHostnameURL)
 }
 })
 }
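Review bot: The new TCP check passes `"-k"` to curl, so the request succeeds whatever certificate is presented along the terminating-gateway path; the assertion shows that port 443 is reachable but not that the client reached the intended server. That is probably acceptable with a self-issued test certificate, but it should be stated next to the call, e.g. `// -k: static-server presents a cert from Caddy's local CA, which the client does not trust`. The comment `// Register the external service.` now sits above the URL assignment instead of the `CreateServiceDefaultDestination` call it describes, and the empty protocol argument `""` deserves a word on what it selects. The enclosing subtest starts outside the hunk.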