From b5b93ec387736ce46495f7b5cae7c7547c507bbd Mon Sep 17 00:00:00 2001 From: Ivan K Berlot Date: Fri, 29 Jul 2022 13:55:03 -0300 Subject: [PATCH] [CONSUL-246] Scenario case-badauthz (#23) --- Dockerfile-windows | 2 +- .../Dockerfile-fortio-windows | 8 +++- .../envoy/Dockerfile-consul-envoy-windows | 9 ++++ .../envoy/consul-windows-base-cfg/base.hcl | 2 + .../consul-windows-base-cfg/service_s1.hcl | 17 +++++++ .../consul-windows-base-cfg/service_s2.hcl | 9 ++++ .../connect/envoy/helpers.windows.bash | 36 ++++++++++---- .../connect/envoy/run-tests.windows.sh | 47 ++++++++++--------- 8 files changed, 97 insertions(+), 33 deletions(-) create mode 100644 test/integration/connect/envoy/consul-windows-base-cfg/base.hcl create mode 100644 test/integration/connect/envoy/consul-windows-base-cfg/service_s1.hcl create mode 100644 test/integration/connect/envoy/consul-windows-base-cfg/service_s2.hcl diff --git a/Dockerfile-windows b/Dockerfile-windows index c6025612cba3..c1987ce9850c 100644 --- a/Dockerfile-windows +++ b/Dockerfile-windows @@ -37,7 +37,7 @@ EXPOSE 8500 8600 8600/udp ENV CONSUL_URL=https://releases.hashicorp.com/consul/${VERSION}/consul_${VERSION}_windows_amd64.zip RUN curl %CONSUL_URL% -L -o consul.zip RUN tar -xf consul.zip -C consul -ENV PATH C:\\Program Files\\Git\\bin;C:\\consul;%PATH% +ENV PATH C:\\Program Files\\Git\\bin;C:\\consul;C:\\Windows\\System32;%PATH% COPY .release/docker/docker-entrypoint-windows.sh C:\\docker-entrypoint-windows.sh ENTRYPOINT ["bash.exe", "docker-entrypoint-windows.sh"] diff --git a/build-support-windows/Dockerfile-fortio-windows b/build-support-windows/Dockerfile-fortio-windows index b5739e77de9d..8ddc82552874 100644 --- a/build-support-windows/Dockerfile-fortio-windows +++ b/build-support-windows/Dockerfile-fortio-windows 
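Review bot: The new `ENV PATH` line in Dockerfile-windows still ends in `%PATH%`, and as far as I know the `ENV` instruction only substitutes `$VAR`/`${VAR}`, so the base image's search path is probably replaced by a literal `%PATH%` entry rather than extended. That would explain why `C:\\Windows\\System32` now has to be listed by hand. The same pattern, with a stray trailing `;`, is added in Dockerfile-consul-envoy-windows. The directories are searched in order, so `C:\\Program Files\\Git\\bin` and `C:\\consul` win over System32 for any tool name they share. Please confirm the effective PATH in the built image and record the intent above the line, e.g. `# Search order is deliberate: Git\bin, consul, then System32 (listed explicitly; %PATH% may not be expanded by ENV)`.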
@@ -9,4 +9,10 @@ RUN tar -xf fortio.zip -C fortio ENV PATH C:\\fortio;%PATH% -CMD [ "fortio.exe", "server" ] +EXPOSE 8078/tcp +EXPOSE 8079/tcp +EXPOSE 8080/tcp +EXPOSE 8081/tcp + +ENTRYPOINT ["fortio.exe"] +CMD [ "fortio.exe", "server" ] \ No newline at end of file diff --git a/test/integration/connect/envoy/Dockerfile-consul-envoy-windows b/test/integration/connect/envoy/Dockerfile-consul-envoy-windows index 936bb972cd81..b3f8d113f868 100644 --- a/test/integration/connect/envoy/Dockerfile-consul-envoy-windows +++ b/test/integration/connect/envoy/Dockerfile-consul-envoy-windows @@ -5,3 +5,12 @@ FROM windows/consul-dev as consul FROM docker.mirror.hashicorp.services/windows/envoy-windows:v${ENVOY_VERSION} COPY --from=consul C:\\consul C:\\consul + +EXPOSE 8300 +EXPOSE 8301 8301/udp 8302 8302/udp +EXPOSE 8500 8600 8600/udp +EXPOSE 8502 +EXPOSE 19000 +EXPOSE 21000 + +ENV PATH C:\\consul;C:\\Program Files\\envoy;C:\\Windows\\System32;%PATH%; \ No newline at end of file diff --git a/test/integration/connect/envoy/consul-windows-base-cfg/base.hcl b/test/integration/connect/envoy/consul-windows-base-cfg/base.hcl new file mode 100644 index 000000000000..241261c1f8a6 --- /dev/null +++ b/test/integration/connect/envoy/consul-windows-base-cfg/base.hcl @@ -0,0 +1,2 @@ +primary_datacenter = "primary" +log_level = "trace" diff --git a/test/integration/connect/envoy/consul-windows-base-cfg/service_s1.hcl b/test/integration/connect/envoy/consul-windows-base-cfg/service_s1.hcl new file mode 100644 index 000000000000..074ca828c677 --- /dev/null +++ b/test/integration/connect/envoy/consul-windows-base-cfg/service_s1.hcl @@ -0,0 +1,17 @@ +services { + name = "s1" + port = 8080 + connect { + sidecar_service { + proxy { + upstreams = [ + { + destination_name = "s2" + local_bind_port = 5000 + } + ] + local_service_address = "envoy_s1-sidecar-proxy_1" + } + } + } +} \ No newline at end of file 
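Review bot: In Dockerfile-fortio-windows the re-added `CMD [ "fortio.exe", "server" ]` now follows an exec-form `ENTRYPOINT ["fortio.exe"]`, so it is appended as arguments and a container started without an explicit command runs `fortio.exe fortio.exe server`. The default should carry only the arguments: `CMD ["server"]`. Callers that pass their own command to `docker run` are unaffected, which may be why the scenario still passes.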
diff --git a/test/integration/connect/envoy/consul-windows-base-cfg/service_s2.hcl b/test/integration/connect/envoy/consul-windows-base-cfg/service_s2.hcl new file mode 100644 index 000000000000..a27fe9fedeb6 --- /dev/null +++ b/test/integration/connect/envoy/consul-windows-base-cfg/service_s2.hcl @@ -0,0 +1,9 @@ +services { + name = "s2" + port = 8181 + connect { sidecar_service { + proxy { + local_service_address = "envoy_s2-sidecar-proxy_1" + } + } } +} \ No newline at end of file diff --git a/test/integration/connect/envoy/helpers.windows.bash b/test/integration/connect/envoy/helpers.windows.bash index b2e654ad265b..a85261dce321 100644 --- a/test/integration/connect/envoy/helpers.windows.bash +++ b/test/integration/connect/envoy/helpers.windows.bash @@ -568,7 +568,6 @@ function docker_consul { function docker_consul_for_proxy_bootstrap { local DC=$1 shift 1 - docker.exe run -i --rm --network envoy-tests windows/consul-dev "$@" } @@ -581,7 +580,7 @@ function docker_wget { function docker_curl { local DC=$1 shift 1 - docker.exe run --rm --network envoy-tests --entrypoint curl windows/consul-dev "$@" + docker.exe run --rm --network envoy-tests --entrypoint curl.exe windows/consul-dev "$@" } function docker_exec { @@ -649,7 +648,10 @@ function must_match_in_stats_proxy_response { # Envoy rather than a connection-level error. function must_fail_tcp_connection { # Attempt to curl through upstream - run curl --no-keepalive -s -v -f -d hello $1 + SERVER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' envoy_consul-primary_1) + + # run curl --no-keepalive -s -v -f -d hello $1 + run curl --no-keepalive -s -v -f -d hello $SERVER_IP:5000 echo "OUTPUT $output" @@ -658,6 +660,8 @@ function must_fail_tcp_connection { # Verbose output should enclude empty reply echo "$output" | grep 'Empty reply from server' + + } function must_pass_tcp_connection { 
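Review bot: `must_fail_tcp_connection` now ignores its `$1` argument and always probes port 5000 on `envoy_consul-primary_1`, so a caller asking about a different upstream is still checked against this one endpoint. For a negative test such as badauthz that weakens the assertion, because the denial being verified is whatever sits behind the fixed address. `SERVER_IP` is also assigned without `local`, expanded unquoted, and obtained with `docker inspect` rather than the `getIP` helper this commit adds, and the old command is left behind as a comment. Assuming callers pass `host:port`, I would write `local server_ip; server_ip=$(getIP)` and `run curl --no-keepalive -s -v -f -d hello "${server_ip}:${1##*:}"`. The function body starts before this hunk and continues into the next one.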
@@ -757,6 +761,8 @@ function gen_envoy_bootstrap { DC=${3:-primary} IS_GW=${4:-0} EXTRA_ENVOY_BS_ARGS="${5-}" + + SERVER_IP=$(getIP) PROXY_ID="$SERVICE" if ! is_set "$IS_GW" @@ -767,8 +773,11 @@ function gen_envoy_bootstrap { if output=$(docker_consul_for_proxy_bootstrap "$DC" connect envoy -bootstrap \ -proxy-id $PROXY_ID \ -envoy-version "$ENVOY_VERSION" \ - -admin-bind 0.0.0.0:$ADMIN_PORT ${EXTRA_ENVOY_BS_ARGS} 2>&1); then - + -http-addr $SERVER_IP:8500 \ + -grpc-addr $SERVER_IP:8502 \ + -admin-access-log-path C:/envoy \ + -admin-bind 0.0.0.0:$ADMIN_PORT ${EXTRA_ENVOY_BS_ARGS}); then + # All OK, write config to file echo "$output" > workdir/${DC}/envoy/$SERVICE-bootstrap.json else @@ -785,7 +794,7 @@ function read_config_entry { local NAME=$2 local DC=${3:-primary} - docker_consul "$DC" config read -kind $KIND -name $NAME + docker_consul "$DC" config read -kind $KIND -name $NAME -http-addr="consul-$DC:8500" } function wait_for_namespace { @@ -806,7 +815,15 @@ function delete_config_entry { function register_services { local DC=${1:-primary} - docker_consul_exec ${DC} sh -c "consul services register /workdir/${DC}/register/service_*.hcl" + docker_consul_exec ${DC} bash -c "consul services register workdir/${DC}/register/service_*.hcl" +} + +function getIP { + docker.exe inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' envoy_consul-primary_1 +} + +function getIP_container { + docker.exe inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $1 } function setup_upsert_l4_intention { 
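Review bot: In `gen_envoy_bootstrap`, `SERVER_IP=$(getIP)` always resolves `envoy_consul-primary_1` (see `getIP` in the last hunk on this line) even though the function accepts `DC=${3:-primary}`, so a bootstrap generated for another datacenter would point `-http-addr`/`-grpc-addr` at the primary server. The value is also global, expanded unquoted, and never checked for being empty, in which case the flags become `:8500` and `:8502`. I would use the parameterised helper and fail early: `local SERVER_IP; SERVER_IP=$(getIP_container "envoy_consul-${DC}_1")` followed by `[ -n "$SERVER_IP" ] || return 1`, and quote `"$1"` inside `getIP_container`. The function starts before and ends after these hunks.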
@@ -814,8 +831,9 @@ function setup_upsert_l4_intention { local DESTINATION=$2 local ACTION=$3 - retry_default docker_curl primary -sL -XPUT "http://127.0.0.1:8500/v1/connect/intentions/exact?source=${SOURCE}&destination=${DESTINATION}" \ - -d"{\"Action\": \"${ACTION}\"}" >/dev/null + SERVER_IP=$(getIP) + + retry_default docker_curl primary -sL -X PUT -d"{\"Action\": \"${ACTION}\"}" "http://${SERVER_IP}:8500/v1/connect/intentions/exact?source=${SOURCE}&destination=${DESTINATION}" } function upsert_l4_intention { diff --git a/test/integration/connect/envoy/run-tests.windows.sh b/test/integration/connect/envoy/run-tests.windows.sh index d4752a355a5a..50047aa02619 100644 --- a/test/integration/connect/envoy/run-tests.windows.sh +++ b/test/integration/connect/envoy/run-tests.windows.sh @@ -61,7 +61,7 @@ function init_workdir { mkdir -p workdir/${CLUSTER}/{consul,consul-server,register,envoy,bats,statsd,data} # Reload consul config from defaults - cp consul-base-cfg/*.hcl workdir/${CLUSTER}/consul/ + cp consul-windows-base-cfg/*.hcl workdir/${CLUSTER}/consul/ # Add any overrides if there are any (no op if not) find ${CASE_DIR} -maxdepth 1 -name '*.hcl' -type f -exec cp -f {} workdir/${CLUSTER}/consul \; @@ -213,12 +213,12 @@ function start_consul { -e "CONSUL_LICENSE=$license" \ windows/consul-dev \ agent -dev -datacenter "${DC}" \ - -config-dir "/workdir/${DC}/consul" \ - -config-dir "/workdir/${DC}/consul-server" \ - -grpc-port $server_grpc_port \ + -config-dir "C:\\workdir\\${DC}\\consul" \ + -config-dir "C:\\workdir\\${DC}\\consul-server" \ + -grpc-port -1 \ -client "0.0.0.0" \ -bind "0.0.0.0" >/dev/null - + docker.exe run -d --name envoy_consul-${DC}_1 \ --net=envoy-tests \ $WORKDIR_SNIPPET \ @@ -228,7 +228,7 @@ function start_consul { ${ports[@]} \ windows/consul-dev \ agent -datacenter "${DC}" \ - -config-dir "/workdir/${DC}/consul" \ + -config-dir "C:\\workdir\\${DC}\\consul" \ -data-dir "/tmp/consul" \ -client "0.0.0.0" \ -grpc-port 8502 \ 
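Review bot: The rewritten `docker_curl` call in `setup_upsert_l4_intention` has no `-f`, so curl exits 0 on an HTTP 4xx/5xx reply and `retry_default` presumably treats a rejected intention write as success. Since the scenario depends on this intention actually being stored, I would make the failure visible by using `-sfL` in place of `-sL`. Dropping `>/dev/null` also sends the response body into the test output, and `SERVER_IP` should be declared `local` and checked for being empty before it is placed in the URL.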
@@ -247,8 +247,8 @@ function start_consul { ${ports[@]} \ windows/consul-dev \ agent -dev -datacenter "${DC}" \ - -config-dir "/workdir/${DC}/consul" \ - -config-dir "/workdir/${DC}/consul-server" \ + -config-dir "C:\\workdir\\${DC}\\consul" \ + -config-dir "C:\\workdir\\${DC}\\consul-server" \ -client "0.0.0.0" >/dev/null fi } @@ -284,13 +284,12 @@ function start_partitioned_client { -retry-join "consul-primary-server" \ -grpc-port 8502 \ -data-dir "/tmp/consul" \ - -config-dir "/workdir/${PARTITION}/consul" \ + -config-dir "C:\\workdir\\${PARTITION}/consul" \ -client "0.0.0.0" >/dev/null } function pre_service_setup { local CLUSTER=${1:-primary} - # Run test case setup (e.g. generating Envoy bootstrap, starting containers) if [ -f "${CASE_DIR}/${CLUSTER}/setup.sh" ] then @@ -301,10 +300,11 @@ function pre_service_setup { } function start_services { - # Push the state to the shared docker volume (note this is because CircleCI + # Push the state to the shared docker.exe volume (note this is because CircleCI # can't use shared volumes) # docker.exe cp workdir/. envoy_workdir_1:/workdir + # Start containers required if [ ! -z "$REQUIRED_SERVICES" ] ; then docker_kill_rm $REQUIRED_SERVICES @@ -337,7 +337,7 @@ function verify { --pid=host \ $(network_snippet $CLUSTER) \ bats-verify \ - --pretty /workdir/${CLUSTER}/bats ; then + --pretty ${CLUSTER}/bats ; then echogreen "✓ PASS" else echored "⨯ FAIL" @@ -430,7 +430,7 @@ function wipe_volumes { # Windows containers does not allow cp command while running. function stop_and_copy_files { # Create CMD file to execute within the container - echo "XCOPY C:\workdir_bak C:\workdir /E /H /C /I" > copy.cmd + echo "XCOPY C:\workdir_bak C:\workdir /e /h /c /i /y" > copy.cmd # Stop dummy container to copy local workdir to container's workdir_bak docker.exe stop envoy_workdir_1 docker.exe cp workdir/. envoy_workdir_1:/workdir_bak 
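Review bot: `start_partitioned_client` ends up with mixed separators, `-config-dir "C:\\workdir\\${PARTITION}/consul"`, while every other `-config-dir` changed in this file uses backslashes throughout. Windows usually accepts both, but for consistency I would write `-config-dir "C:\\workdir\\${PARTITION}\\consul"`. In the `verify` hunk, `--pretty ${CLUSTER}/bats` is now a relative, unquoted path, so it depends on the working directory of the bats-verify container. A one-line comment naming that directory would help the next reader.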
@@ -510,6 +510,8 @@ function run_tests { pre_service_setup alpha fi + stop_and_copy_files + echo "Starting services" start_services @@ -541,8 +543,7 @@ function workdir_cleanup { function suite_setup { # Cleanup from any previous unclean runs. - suite_teardown - + suite_teardown docker.exe network create -d "nat" --subnet "10.244.0.0/24" envoy-tests &>/dev/null # Start the volume container @@ -558,7 +559,8 @@ function suite_setup { # pre-build the verify container echo "Rebuilding 'bats-verify' image..." - docker build -t bats-verify -f Dockerfile-bats-windows . + + docker.exe build -t bats-verify -f Dockerfile-bats-windows . # if this fails on CircleCI your first thing to try would be to upgrade # the machine image to the latest version using this listing: @@ -568,10 +570,10 @@ function suite_setup { docker.exe run --rm -t bats-verify -v # pre-build the consul+envoy container - echo "Rebuilding 'consul-dev-envoy:${ENVOY_VERSION}' image..." - docker build -t consul-dev-envoy:${ENVOY_VERSION} \ - --build-arg ENVOY_VERSION=${ENVOY_VERSION} \ - -f Dockerfile-consul-envoy-windows . + echo "Rebuilding 'consul-dev-envoy:v${ENVOY_VERSION}' image..." + docker.exe build -t consul-dev-envoy:v${ENVOY_VERSION} \ + --build-arg ENVOY_VERSION=${ENVOY_VERSION} \ + -f Dockerfile-consul-envoy-windows . # pre-build the test-sds-server container echo "Rebuilding 'test-sds-server' image..." @@ -690,6 +692,7 @@ function common_run_container_sidecar_proxy { local service="$1" local CLUSTER="$2" + # Hot restart breaks since both envoys seem to interact with each other # despite separate containers that don't share IPC namespace. Not quite # sure how this happens but may be due to unix socket being in some shared 
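Review bot: The `stop_and_copy_files` call added to `run_tests` is not checked, and the command that function generates (`XCOPY ... /e /h /c /i /y`, changed earlier in this patch) uses `/c`, which continues past copy errors. If the copy is partial, services start against an incomplete workdir and the failure shows up later as an unrelated test error. Unless the script already runs with `set -e` (not visible here), I would write `stop_and_copy_files || return 1`. `run_tests` starts and ends outside this hunk.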
@@ -699,7 +702,7 @@ function common_run_container_sidecar_proxy { $(network_snippet $CLUSTER) \ "${HASHICORP_DOCKER_PROXY}/windows/envoy-windows:v${ENVOY_VERSION}" \ envoy \ - -c /workdir/${CLUSTER}/envoy/${service}-bootstrap.json \ + -c C:\\workdir\\${CLUSTER}\\envoy\\${service}-bootstrap.json \ -l trace \ --disable-hot-restart \ --drain-time-s 1 >/dev/null @@ -857,7 +860,7 @@ function debug_dump_volumes { -v ./:/cwd \ --net=none \ "${HASHICORP_DOCKER_PROXY}/windows/nanoserver" \ - xcopy "\workdir" "\cwd\workdir" /E /H /C /I + xcopy "\workdir" "\cwd\workdir" /E /H /C /I /Y } function run_container_tcpdump-primary {