[CONSUL-246] Scenario case-badauthz (#23)

Dockerfile-windows

@@ -37,7 +37,7 @@ EXPOSE 8500 8600 8600/udp
 ENV CONSUL_URL=https://releases.hashicorp.com/consul/${VERSION}/consul_${VERSION}_windows_amd64.zip
 RUN curl %CONSUL_URL% -L -o consul.zip
 RUN tar -xf consul.zip -C consul
-ENV PATH C:\\Program Files\\Git\\bin;C:\\consul;%PATH%
+ENV PATH C:\\Program Files\\Git\\bin;C:\\consul;C:\\Windows\\System32;%PATH%
 
 COPY .release/docker/docker-entrypoint-windows.sh C:\\docker-entrypoint-windows.sh
 ENTRYPOINT ["bash.exe", "docker-entrypoint-windows.sh"]

build-support-windows/Dockerfile-fortio-windows

@@ -9,4 +9,10 @@ RUN tar -xf fortio.zip -C fortio
 
 ENV PATH C:\\fortio;%PATH%
 
-CMD [ "fortio.exe", "server" ]
+EXPOSE 8078/tcp
+EXPOSE 8079/tcp
+EXPOSE 8080/tcp
+EXPOSE 8081/tcp
+
+ENTRYPOINT ["fortio.exe"]
+CMD [ "fortio.exe", "server" ]

test/integration/connect/envoy/Dockerfile-consul-envoy-windows

@@ -5,3 +5,12 @@ FROM windows/consul-dev as consul
 
 FROM docker.mirror.hashicorp.services/windows/envoy-windows:v${ENVOY_VERSION}
 COPY --from=consul C:\\consul C:\\consul
+
+EXPOSE 8300
+EXPOSE 8301 8301/udp 8302 8302/udp
+EXPOSE 8500 8600 8600/udp
+EXPOSE 8502 
+EXPOSE 19000
+EXPOSE 21000
+
+ENV PATH C:\\consul;C:\\Program Files\\envoy;C:\\Windows\\System32;%PATH%;

test/integration/connect/envoy/consul-windows-base-cfg/base.hcl

@@ -0,0 +1,2 @@
+primary_datacenter = "primary"
+log_level          = "trace"

test/integration/connect/envoy/consul-windows-base-cfg/service_s1.hcl

@@ -0,0 +1,17 @@
+services {
+  name = "s1"
+  port = 8080
+  connect {
+    sidecar_service {
+      proxy {
+        upstreams = [
+          {
+            destination_name = "s2"
+            local_bind_port = 5000
+          }
+        ]
+        local_service_address = "envoy_s1-sidecar-proxy_1"
+      }
+    }
+  }
+}

test/integration/connect/envoy/consul-windows-base-cfg/service_s2.hcl

@@ -0,0 +1,9 @@
+services {
+  name = "s2"
+  port = 8181
+  connect { sidecar_service {
+    proxy {
+        local_service_address = "envoy_s2-sidecar-proxy_1"
+      }
+  } }
+}

test/integration/connect/envoy/helpers.windows.bash

@@ -568,7 +568,6 @@ function docker_consul {
 function docker_consul_for_proxy_bootstrap {
   local DC=$1
   shift 1
-
   docker.exe run -i --rm --network envoy-tests windows/consul-dev "$@"
 }
 
@@ -581,7 +580,7 @@ function docker_wget {
 function docker_curl {
   local DC=$1
   shift 1
-  docker.exe run --rm --network envoy-tests --entrypoint curl windows/consul-dev "$@"
+  docker.exe run --rm --network envoy-tests --entrypoint curl.exe windows/consul-dev "$@"
 }
 
 function docker_exec {
@@ -649,7 +648,10 @@ function must_match_in_stats_proxy_response {
 # Envoy rather than a connection-level error.
 function must_fail_tcp_connection {
   # Attempt to curl through upstream
-  run curl --no-keepalive -s -v -f -d hello $1
+  SERVER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' envoy_consul-primary_1)
+
+  # run curl --no-keepalive -s -v -f -d hello $1
+  run curl --no-keepalive -s -v -f -d hello $SERVER_IP:5000
 
   echo "OUTPUT $output"
 
@@ -658,6 +660,8 @@ function must_fail_tcp_connection {
 
   # Verbose output should enclude empty reply
   echo "$output" | grep 'Empty reply from server'
+
+
 }
 
 function must_pass_tcp_connection {
@@ -757,6 +761,8 @@ function gen_envoy_bootstrap {
   DC=${3:-primary}
   IS_GW=${4:-0}
   EXTRA_ENVOY_BS_ARGS="${5-}"
+
+  SERVER_IP=$(getIP)
 
   PROXY_ID="$SERVICE"
   if ! is_set "$IS_GW"
@@ -767,8 +773,11 @@ function gen_envoy_bootstrap {
   if output=$(docker_consul_for_proxy_bootstrap "$DC" connect envoy -bootstrap \
     -proxy-id $PROXY_ID \
     -envoy-version "$ENVOY_VERSION" \
-    -admin-bind 0.0.0.0:$ADMIN_PORT ${EXTRA_ENVOY_BS_ARGS} 2>&1); then
-
+    -http-addr $SERVER_IP:8500 \
+    -grpc-addr $SERVER_IP:8502 \
+    -admin-access-log-path C:/envoy \
+    -admin-bind 0.0.0.0:$ADMIN_PORT ${EXTRA_ENVOY_BS_ARGS}); then
+
     # All OK, write config to file
     echo "$output" > workdir/${DC}/envoy/$SERVICE-bootstrap.json
   else
@@ -785,7 +794,7 @@ function read_config_entry {
   local NAME=$2
   local DC=${3:-primary}
 
-  docker_consul "$DC" config read -kind $KIND -name $NAME
+  docker_consul "$DC" config read -kind $KIND -name $NAME -http-addr="consul-$DC:8500"
 }
 
 function wait_for_namespace {
@@ -806,16 +815,25 @@ function delete_config_entry {
 
 function register_services {
   local DC=${1:-primary}
-  docker_consul_exec ${DC} sh -c "consul services register /workdir/${DC}/register/service_*.hcl"
+  docker_consul_exec ${DC} bash -c "consul services register workdir/${DC}/register/service_*.hcl"
+}
+
+function getIP {
+    docker.exe inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' envoy_consul-primary_1
+}
+
+function getIP_container {
+    docker.exe inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $1
 }
 
 function setup_upsert_l4_intention {
   local SOURCE=$1
   local DESTINATION=$2
   local ACTION=$3
 
-  retry_default docker_curl primary -sL -XPUT "http://127.0.0.1:8500/v1/connect/intentions/exact?source=${SOURCE}&destination=${DESTINATION}" \
-      -d"{\"Action\": \"${ACTION}\"}" >/dev/null
+  SERVER_IP=$(getIP)
+
+  retry_default docker_curl primary -sL -X PUT -d"{\"Action\": \"${ACTION}\"}" "http://${SERVER_IP}:8500/v1/connect/intentions/exact?source=${SOURCE}&destination=${DESTINATION}"
 }
 
 function upsert_l4_intention {

test/integration/connect/envoy/run-tests.windows.sh

@@ -61,7 +61,7 @@ function init_workdir {
   mkdir -p workdir/${CLUSTER}/{consul,consul-server,register,envoy,bats,statsd,data}
 
   # Reload consul config from defaults
-  cp consul-base-cfg/*.hcl workdir/${CLUSTER}/consul/
+  cp consul-windows-base-cfg/*.hcl workdir/${CLUSTER}/consul/
 
   # Add any overrides if there are any (no op if not)
   find ${CASE_DIR} -maxdepth 1 -name '*.hcl' -type f -exec cp -f {} workdir/${CLUSTER}/consul \;
@@ -213,12 +213,12 @@ function start_consul {
       -e "CONSUL_LICENSE=$license" \
       windows/consul-dev \
       agent -dev -datacenter "${DC}" \
-      -config-dir "/workdir/${DC}/consul" \
-      -config-dir "/workdir/${DC}/consul-server" \
-      -grpc-port $server_grpc_port \
+      -config-dir "C:\\workdir\\${DC}\\consul" \
+      -config-dir "C:\\workdir\\${DC}\\consul-server" \
+      -grpc-port -1 \
       -client "0.0.0.0" \
       -bind "0.0.0.0" >/dev/null
-
+    
     docker.exe run -d --name envoy_consul-${DC}_1 \
       --net=envoy-tests \
       $WORKDIR_SNIPPET \
@@ -228,7 +228,7 @@ function start_consul {
       ${ports[@]} \
       windows/consul-dev \
       agent -datacenter "${DC}" \
-      -config-dir "/workdir/${DC}/consul" \
+      -config-dir "C:\\workdir\\${DC}\\consul" \
       -data-dir "/tmp/consul" \
       -client "0.0.0.0" \
       -grpc-port 8502 \
@@ -247,8 +247,8 @@ function start_consul {
       ${ports[@]} \
       windows/consul-dev \
       agent -dev -datacenter "${DC}" \
-      -config-dir "/workdir/${DC}/consul" \
-      -config-dir "/workdir/${DC}/consul-server" \
+      -config-dir "C:\\workdir\\${DC}\\consul" \
+      -config-dir "C:\\workdir\\${DC}\\consul-server" \
       -client "0.0.0.0" >/dev/null
   fi
 }
@@ -284,13 +284,12 @@ function start_partitioned_client {
     -retry-join "consul-primary-server" \
     -grpc-port 8502 \
     -data-dir "/tmp/consul" \
-    -config-dir "/workdir/${PARTITION}/consul" \
+    -config-dir "C:\\workdir\\${PARTITION}/consul" \
     -client "0.0.0.0" >/dev/null
 }
 
 function pre_service_setup {
   local CLUSTER=${1:-primary}
-
   # Run test case setup (e.g. generating Envoy bootstrap, starting containers)
   if [ -f "${CASE_DIR}/${CLUSTER}/setup.sh" ]
   then
@@ -301,10 +300,11 @@ function pre_service_setup {
 }
 
 function start_services {
-  # Push the state to the shared docker volume (note this is because CircleCI
+  # Push the state to the shared docker.exe volume (note this is because CircleCI
   # can't use shared volumes)
   # docker.exe cp workdir/. envoy_workdir_1:/workdir
 
+
   # Start containers required
   if [ ! -z "$REQUIRED_SERVICES" ] ; then
     docker_kill_rm $REQUIRED_SERVICES
@@ -337,7 +337,7 @@ function verify {
     --pid=host \
     $(network_snippet $CLUSTER) \
     bats-verify \
-    --pretty /workdir/${CLUSTER}/bats ; then
+    --pretty ${CLUSTER}/bats ; then
     echogreen "✓ PASS"
   else
     echored "⨯ FAIL"
@@ -430,7 +430,7 @@ function wipe_volumes {
 # Windows containers does not allow cp command while running.
 function stop_and_copy_files {
     # Create CMD file to execute within the container
-    echo "XCOPY C:\workdir_bak C:\workdir /E /H /C /I" > copy.cmd
+    echo "XCOPY C:\workdir_bak C:\workdir /e /h /c /i /y" > copy.cmd
     # Stop dummy container to copy local workdir to container's workdir_bak    
     docker.exe stop envoy_workdir_1
     docker.exe cp workdir/. envoy_workdir_1:/workdir_bak
@@ -510,6 +510,8 @@ function run_tests {
     pre_service_setup alpha
   fi
 
+  stop_and_copy_files
+
   echo "Starting services"
   start_services
 
@@ -541,8 +543,7 @@ function workdir_cleanup {
 
 function suite_setup {
     # Cleanup from any previous unclean runs.
-    suite_teardown 
-
+    suite_teardown
     docker.exe network create -d "nat" --subnet "10.244.0.0/24" envoy-tests &>/dev/null
 
     # Start the volume container
@@ -558,7 +559,8 @@ function suite_setup {
 
     # pre-build the verify container
     echo "Rebuilding 'bats-verify' image..."
-    docker build -t bats-verify -f Dockerfile-bats-windows .
+
+    docker.exe build -t bats-verify -f Dockerfile-bats-windows .
 
     # if this fails on CircleCI your first thing to try would be to upgrade
     # the machine image to the latest version using this listing:
@@ -568,10 +570,10 @@ function suite_setup {
     docker.exe run --rm -t bats-verify -v
 
     # pre-build the consul+envoy container
-    echo "Rebuilding 'consul-dev-envoy:${ENVOY_VERSION}' image..."
-    docker build -t consul-dev-envoy:${ENVOY_VERSION} \
-        --build-arg ENVOY_VERSION=${ENVOY_VERSION} \
-        -f Dockerfile-consul-envoy-windows .
+    echo "Rebuilding 'consul-dev-envoy:v${ENVOY_VERSION}' image..."
+    docker.exe build -t consul-dev-envoy:v${ENVOY_VERSION} \
+         --build-arg ENVOY_VERSION=${ENVOY_VERSION} \
+         -f Dockerfile-consul-envoy-windows .
 
     # pre-build the test-sds-server container
     echo "Rebuilding 'test-sds-server' image..."
@@ -690,6 +692,7 @@ function common_run_container_sidecar_proxy {
   local service="$1"
   local CLUSTER="$2"
 
+
   # Hot restart breaks since both envoys seem to interact with each other
   # despite separate containers that don't share IPC namespace. Not quite
   # sure how this happens but may be due to unix socket being in some shared
@@ -699,7 +702,7 @@ function common_run_container_sidecar_proxy {
     $(network_snippet $CLUSTER) \
     "${HASHICORP_DOCKER_PROXY}/windows/envoy-windows:v${ENVOY_VERSION}" \
     envoy \
-    -c /workdir/${CLUSTER}/envoy/${service}-bootstrap.json \
+    -c C:\\workdir\\${CLUSTER}\\envoy\\${service}-bootstrap.json \
     -l trace \
     --disable-hot-restart \
     --drain-time-s 1 >/dev/null
@@ -857,7 +860,7 @@ function debug_dump_volumes {
     -v ./:/cwd \
     --net=none \
     "${HASHICORP_DOCKER_PROXY}/windows/nanoserver" \
-    xcopy "\workdir" "\cwd\workdir" /E /H /C /I
+    xcopy "\workdir" "\cwd\workdir" /E /H /C /I /Y
 }
 
 function run_container_tcpdump-primary {