From 6699b173136276c3b9d6bc7ed126d8f5dbd7c0a1 Mon Sep 17 00:00:00 2001
From: Chris Thain
Date: Mon, 5 Jun 2023 12:08:54 -0700
Subject: [PATCH 1/4] checkpoint: working OPA ext-authz
---
 .../consul-container/libs/cluster/agent.go | 9 +-
 .../consul-container/libs/utils/utils.go | 13 ++
 .../test/envoy_extensions/ext_authz_test.go | 153 ++++++++++++++++++
 .../testdata/policies/bundle.tar.gz | Bin 0 -> 281 bytes
 .../testdata/policies/policy.rego | 12 ++
 5 files changed, 181 insertions(+), 6 deletions(-)
 create mode 100644 test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
 create mode 100644 test/integration/consul-container/test/envoy_extensions/testdata/policies/bundle.tar.gz
 create mode 100644 test/integration/consul-container/test/envoy_extensions/testdata/policies/policy.rego
diff --git a/test/integration/consul-container/libs/cluster/agent.go b/test/integration/consul-container/libs/cluster/agent.go
index c6e4a2a002ea..2de346406d9e 100644
--- a/test/integration/consul-container/libs/cluster/agent.go
+++ b/test/integration/consul-container/libs/cluster/agent.go
@@ -46,11 +46,11 @@ type Agent interface {
 type Config struct {
 // NodeName is set for the consul agent name and container name
 // Equivalent to the -node command-line flag.
- // If empty, a randam name will be generated
+ // If empty, a random name will be generated
 NodeName string
 // NodeID is used to configure node_id in agent config file
 // Equivalent to the -node-id command-line flag.
- // If empty, a randam name will be generated
+ // If empty, a random name will be generated
 NodeID string
 // ExternalDataDir is data directory to copy consul data from, if set.
@@ -83,10 +83,7 @@ func (c *Config) DockerImage() string {
 func (c Config) Clone() Config {
 c2 := c
 if c.Cmd != nil {
- c2.Cmd = make([]string, len(c.Cmd))
- for i, v := range c.Cmd {
- c2.Cmd[i] = v
- }
+ copy(c2.Cmd, c.Cmd)
 }
 return c2
 }
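Review bot: The rewrite of Config.Clone no longer clones Cmd: `c2 := c` copies the slice header, so `c2.Cmd` and `c.Cmd` share one backing array and `copy(c2.Cmd, c.Cmd)` copies the slice onto itself, leaving the "clone" aliased to the original (an element write through either Config is visible in the other). The deleted `make` is what provided the isolation; keep it and let `copy` replace only the element loop: `c2.Cmd = make([]string, len(c.Cmd))` followed by `copy(c2.Cmd, c.Cmd)`. The `if c.Cmd != nil` guard can stay so a nil Cmd remains nil after cloning.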
diff --git a/test/integration/consul-container/libs/utils/utils.go b/test/integration/consul-container/libs/utils/utils.go
index 7be336eb8d50..d91fc0f5bb84 100644
--- a/test/integration/consul-container/libs/utils/utils.go
+++ b/test/integration/consul-container/libs/utils/utils.go
@@ -6,7 +6,9 @@ package utils
 import (
 "encoding/json"
 "fmt"
+ "os"
 "strings"
+ "time"
 "github.com/itchyny/gojq"
 "github.com/teris-io/shortid"
@@ -66,3 +68,14 @@ func BoolToPointer(b bool) *bool {
 func StringToPointer(s string) *string {
 return &s
 }
+
+func Wait() {
+ for {
+ _, err := os.Stat("continue")
+ if err == nil {
+ _ = os.Remove("continue")
+ break
+ }
+ time.Sleep(time.Second)
+ }
+}
diff --git a/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go b/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
new file mode 100644
index 000000000000..b92518654af3
--- /dev/null
+++ b/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
@@ -0,0 +1,153 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package envoyextensions
+
+import (
+ "context"
+ "fmt"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ "github.com/testcontainers/testcontainers-go"
+
+ "github.com/hashicorp/consul/api"
+ libassert "github.com/hashicorp/consul/test/integration/consul-container/libs/assert"
+ libcluster "github.com/hashicorp/consul/test/integration/consul-container/libs/cluster"
+ libservice "github.com/hashicorp/consul/test/integration/consul-container/libs/service"
+ "github.com/hashicorp/consul/test/integration/consul-container/libs/topology"
+ "github.com/hashicorp/consul/test/integration/consul-container/libs/utils"
+)
+
+// TestExtAuthz Summary
+// This test makes sure two services in the same datacenter have connectivity.
+// A simulated client (a direct HTTP call) talks to it's upstream proxy through the
+//
+// Steps:
+// - Create a single agent cluster.
+// - Create the example static-server and sidecar containers, then register them both with Consul
+// - Create an example static-client sidecar, then register both the service and sidecar with Consul
+// - Make sure a call to the client sidecar local bind port returns a response from the upstream, static-server
+func TestExtAuthz(t *testing.T) {
+ t.Parallel()
+
+ cluster, _, _ := topology.NewCluster(t, &topology.ClusterConfig{
+ NumServers: 1,
+ NumClients: 1,
+ ApplyDefaultProxySettings: true,
+ BuildOpts: &libcluster.BuildOptions{
+ Datacenter: "dc1",
+ InjectAutoEncryption: true,
+ InjectGossipEncryption: true,
+ },
+ })
+
+ createLocalAuthzService(t, cluster)
+
+ clientService := createServices(t, cluster)
+ _, port := clientService.GetAddr()
+ _, adminPort := clientService.GetAdminAddr()
+
+ libassert.AssertUpstreamEndpointStatus(t, adminPort, "static-server.default", "HEALTHY", 1)
+ libassert.GetEnvoyListenerTCPFilters(t, adminPort)
+
+ libassert.AssertContainerState(t, clientService, "running")
+ libassert.HTTPServiceEchoes(t, "localhost", port, "")
+ libassert.AssertFortioName(t, fmt.Sprintf("http://localhost:%d", port), "static-server", "")
+
+ // wire up ext-authz envoy extension
+ consul := cluster.APIClient(0)
+ defaults := api.ServiceConfigEntry{
+ Kind: api.ServiceDefaults,
+ Name: "static-server",
+ Protocol: "http",
+ EnvoyExtensions: []api.EnvoyExtension{{
+ Name: "builtin/ext-authz",
+ Arguments: map[string]any{
+ "Config": map[string]any{
+ "GrpcService": map[string]any{
+ "Target": map[string]any{"URI": "127.0.0.1:9191"},
+ },
+ },
+ },
+ }},
+ }
+
+ consul.ConfigEntries().Set(&defaults, nil)
+
+ utils.Wait()
+}
+
+func createServices(t *testing.T, cluster *libcluster.Cluster) libservice.Service {
+ node := cluster.Agents[0]
+ client := node.GetClient()
+ // Create a service and proxy instance
+ serviceOpts := &libservice.ServiceOpts{
+ Name: libservice.StaticServerServiceName,
+ ID: "static-server",
+ HTTPPort: 8080,
+ GRPCPort: 8079,
+ }
+
+ // Create a service and proxy instance
+ _, _, err := libservice.CreateAndRegisterStaticServerAndSidecar(node, serviceOpts)
+ require.NoError(t, err)
+
+ libassert.CatalogServiceExists(t, client, "static-server-sidecar-proxy", nil)
+ libassert.CatalogServiceExists(t, client, libservice.StaticServerServiceName, nil)
+
+ // Create a client proxy instance with the server as an upstream
+ clientConnectProxy, err := libservice.CreateAndRegisterStaticClientSidecar(node, "", false, false)
+ require.NoError(t, err)
+
+ libassert.CatalogServiceExists(t, client, "static-client-sidecar-proxy", nil)
+
+ return clientConnectProxy
+}
+
+func createLocalAuthzService(t *testing.T, cluster *libcluster.Cluster) {
+ node := cluster.Agents[0]
+ //client := node.GetClient()
+
+ cwd, err := os.Getwd()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ req := testcontainers.ContainerRequest{
+ Image: "openpolicyagent/opa:0.53.0-envoy-3",
+ AutoRemove: true,
+ Name: "ext-authz",
+ Env: make(map[string]string),
+ Cmd: []string{
+ "run",
+ "--server",
+ "--addr=localhost:8181",
+ "--diagnostic-addr=0.0.0.0:8282",
+ "--set=plugins.envoy_ext_authz_grpc.addr=:9191",
+ "--set=plugins.envoy_ext_authz_grpc.path=envoy/authz/allow",
+ "--set=decision_logs.console=true",
+ "--set=status.console=true",
+ "--ignore=.*",
+ "/testdata/policies/bundle.tar.gz",
+ },
+ Mounts: []testcontainers.ContainerMount{{
+ Source: testcontainers.DockerBindMountSource{
+ HostPath: fmt.Sprintf("%s/testdata", cwd),
+ },
+ Target: "/testdata",
+ ReadOnly: true,
+ }},
+ }
+
+ ctx := context.Background()
+
+ exposedPorts := []string{}
+ info, err := libcluster.LaunchContainerOnNode(ctx, node, req, exposedPorts)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ fmt.Printf("\n!!! ext-authz info = %#v\n\n", *info)
+}
diff --git a/test/integration/consul-container/test/envoy_extensions/testdata/policies/bundle.tar.gz b/test/integration/consul-container/test/envoy_extensions/testdata/policies/bundle.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..a689dc734fd0e2d5f751d6f1a1e4fe81e0af143d
GIT binary patch literal 281 zcmV+!0p|W6iwFP!00000|LoMyN;5GK0PwvwPch{5eNeK~R(lY76koubh)lcLKQ_CG z$;7f2-(9StwH|tqwFvoLCK(uJa+u@=F{%4tyKFFsh;zhU#P1OiXM1PNa5BO3Nd`FF zNS|V0@)`cP*Wu&-i0!jD^$5uc<<6RB)hn+nJ5-Nj`#+n`5BL9UHck8g8yv0HRB6!N zqwN(%uAhWxT4y~&8992b*1F$VUxbf*)49lsn0>R1tb_9UA?m=YW_CaUUgO<+QiwvA z6b%CzV>fWIfRaqmLcHCZ61HNrU!hvfwJl(=0C{zJEybuZcBxw8RsB!qyD~Y38=1@7 f@t0o85!e4k`qGjlNsfC700960fVRhk01N;Cy6B6| literal 0 HcmV?d00001
diff --git a/test/integration/consul-container/test/envoy_extensions/testdata/policies/policy.rego b/test/integration/consul-container/test/envoy_extensions/testdata/policies/policy.rego
new file mode 100644
index 000000000000..2e5ead6cd29a
--- /dev/null
+++ b/test/integration/consul-container/test/envoy_extensions/testdata/policies/policy.rego
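Review bot: `consul.ConfigEntries().Set(&defaults, nil)` discards both the `ok` result and the error, so if writing the service-defaults entry fails (ACL denial, validation of the ext-authz Arguments, agent not ready) the test carries on with no ext-authz filter configured and the failure surfaces later, if at all, as a confusing status mismatch; the same unchecked call is still context in the final state of this series (patch 4, hunk `@@ -84,6 +84,8`). Check it where the entry is written: `ok, _, err := consul.ConfigEntries().Set(&defaults, nil)`, `require.NoError(t, err)`, `require.True(t, ok)`. In createLocalAuthzService, `HostPath: fmt.Sprintf("%s/testdata", cwd)` is better written `filepath.Join(cwd, "testdata")`. The OPA container is also started with a fixed `Name: "ext-authz"` from a `t.Parallel()` test; if another test in this package ever launches a container with the same name on the same host the two would collide, so either derive the name from the test name or leave a comment saying the name is intentionally fixed.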
@@ -0,0 +1,12 @@
+package envoy.authz
+
+import future.keywords
+
+import input.attributes.request.http as http_request
+
+default allow := false
+
+allow if {
+ http_request.method == "GET"
+ glob.match("/allow", ["/"], http_request.path)
+}
From c094df601ed67dc9f9ec88f568d7b79579dfa8bd Mon Sep 17 00:00:00 2001
From: Chris Thain
Date: Wed, 7 Jun 2023 11:13:31 -0700
Subject: [PATCH 2/4] debug test failure
---
 .../consul-container/libs/utils/utils.go | 13 ----
 .../test/envoy_extensions/ext_authz_test.go | 70 ++++++++++++++++---
 2 files changed, 59 insertions(+), 24 deletions(-)
diff --git a/test/integration/consul-container/libs/utils/utils.go b/test/integration/consul-container/libs/utils/utils.go
index d91fc0f5bb84..7be336eb8d50 100644
--- a/test/integration/consul-container/libs/utils/utils.go
+++ b/test/integration/consul-container/libs/utils/utils.go
@@ -6,9 +6,7 @@ package utils
 import (
 "encoding/json"
 "fmt"
- "os"
 "strings"
- "time"
 "github.com/itchyny/gojq"
 "github.com/teris-io/shortid"
@@ -68,14 +66,3 @@ func BoolToPointer(b bool) *bool {
 func StringToPointer(s string) *string {
 return &s
 }
-
-func Wait() {
- for {
- _, err := os.Stat("continue")
- if err == nil {
- _ = os.Remove("continue")
- break
- }
- time.Sleep(time.Second)
- }
-}
diff --git a/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go b/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
index b92518654af3..66b636448e18 100644
--- a/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
+++ b/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
@@ -6,8 +6,11 @@ package envoyextensions
 import (
 "context"
 "fmt"
+ "net/http"
 "os"
+ "strings"
 "testing"
+ "time"
 "github.com/stretchr/testify/require"
 "github.com/testcontainers/testcontainers-go"
@@ -17,18 +20,23 @@ import (
 libcluster "github.com/hashicorp/consul/test/integration/consul-container/libs/cluster"
 libservice "github.com/hashicorp/consul/test/integration/consul-container/libs/service"
 "github.com/hashicorp/consul/test/integration/consul-container/libs/topology"
- "github.com/hashicorp/consul/test/integration/consul-container/libs/utils"
 )
 // TestExtAuthz Summary
 // This test makes sure two services in the same datacenter have connectivity.
-// A simulated client (a direct HTTP call) talks to it's upstream proxy through the
+// A simulated client (a direct HTTP call) talks to it's upstream proxy through the mesh.
+// The upstream (static-server) is configured with a `builtin/ext-authz` extension that
+// calls an OPA external authorization service to authorize incoming HTTP requests.
 //
 // Steps:
 // - Create a single agent cluster.
 // - Create the example static-server and sidecar containers, then register them both with Consul
 // - Create an example static-client sidecar, then register both the service and sidecar with Consul
-// - Make sure a call to the client sidecar local bind port returns a response from the upstream, static-server
+// - Create an OPA external authorization container on the local network, this doesn't need to be registered with Consul.
+// - Configure the static-server service with a `builtin/ext-authz` EnvoyExtension.
+// - Make sure a call to the client sidecar local bind port returns the expected response from the upstream, static-server:
+// - A call to `/allow` returns 200 OK.
+// - A call to any other endpoint returns 403 Forbidden.
 func TestExtAuthz(t *testing.T) {
 t.Parallel()
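Review bot: The rewritten summary line still says `it's upstream proxy`; the possessive is `its`, so the added line should read `// A simulated client (a direct HTTP call) talks to its upstream proxy through the mesh.`. That line is carried as unchanged context through the later rewording of this comment in patch 3, so fixing it here avoids touching the same comment a third time. The enclosing TestExtAuthz body continues past the end of this hunk.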
@@ -53,10 +61,9 @@ func TestExtAuthz(t *testing.T) {
 libassert.GetEnvoyListenerTCPFilters(t, adminPort)
 libassert.AssertContainerState(t, clientService, "running")
- libassert.HTTPServiceEchoes(t, "localhost", port, "")
 libassert.AssertFortioName(t, fmt.Sprintf("http://localhost:%d", port), "static-server", "")
- // wire up ext-authz envoy extension
+ // wire up ext-authz envoy extension for the static-server
 consul := cluster.APIClient(0)
 defaults := api.ServiceConfigEntry{
 Kind: api.ServiceDefaults,
@@ -73,10 +80,13 @@ func TestExtAuthz(t *testing.T) {
 },
 }},
 }
- consul.ConfigEntries().Set(&defaults, nil)
-
- utils.Wait()
+ entry, _, _ := consul.ConfigEntries().Get("service-defaults", "static-server", nil)
+ fmt.Printf("\n\n!!! entry = %#v\n\n", entry)
+ baseURL := fmt.Sprintf("http://localhost:%d/", port)
+ doRequest(t, baseURL, http.StatusForbidden)
+ doRequest(t, baseURL+"/allow", http.StatusOK)
+ wait()
 }
 func createServices(t *testing.T, cluster *libcluster.Cluster) libservice.Service {
@@ -108,7 +118,6 @@ func createServices(t *testing.T, cluster *libcluster.Cluster) libservice.Servic
 func createLocalAuthzService(t *testing.T, cluster *libcluster.Cluster) {
 node := cluster.Agents[0]
- //client := node.GetClient()
 cwd, err := os.Getwd()
 if err != nil {
@@ -144,10 +153,49 @@ func createLocalAuthzService(t *testing.T, cluster *libcluster.Cluster) {
 ctx := context.Background()
 exposedPorts := []string{}
- info, err := libcluster.LaunchContainerOnNode(ctx, node, req, exposedPorts)
+ _, err = libcluster.LaunchContainerOnNode(ctx, node, req, exposedPorts)
 if err != nil {
 t.Fatal(err)
 }
+}
- fmt.Printf("\n!!! ext-authz info = %#v\n\n", *info)
+func doRequest(t *testing.T, url string, expStatus int) {
+ var errs []string
+ for i := 0; i < 5; i++ {
+ req, err := http.NewRequest(http.MethodGet, url, nil)
+ if err != nil {
+ t.Log(err)
+ t.FailNow()
+ }
+ req.Header.Set("user-agent", "foo")
+ client := &http.Client{}
+ res, err := client.Do(req)
+ if err == nil {
+ if res.StatusCode == expStatus {
+ return
+ } else {
+ fmt.Printf("\n\n!!! response from %s: %#v\n\nrequest = %#v\n\n", url, *res, res.Request)
+ errs = append(errs, fmt.Sprintf("%s unexpected status code: want: %d, have: %d", time.Now().Format(time.RFC3339), expStatus, res.StatusCode))
+ }
+ } else {
+ errs = append(errs, fmt.Sprintf("unexpected error: %s", err.Error()))
+ }
+ if res != nil {
+ res.Body.Close()
+ }
+ time.Sleep(time.Duration(i+1) * time.Second)
+ }
+ t.Logf("request failed: \n%s", strings.Join(errs, " \n"))
+ t.Fail()
+}
+
+func wait() {
+ for {
+ _, err := os.Stat("continue")
+ if err == nil {
+ _ = os.Remove("continue")
+ break
+ }
+ time.Sleep(time.Second)
+ }
 }
From d2203de5462fcf0b6ffa3e0e69129482f99604bf Mon Sep 17 00:00:00 2001
From: Chris Thain
Date: Mon, 12 Jun 2023 07:47:24 -0700
Subject: [PATCH 3/4] use cleanhttp for requests
---
 .../test/envoy_extensions/ext_authz_test.go | 60 ++++++++++---------
 1 file changed, 31 insertions(+), 29 deletions(-)
diff --git a/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go b/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
index 66b636448e18..30775d8af0f7 100644
--- a/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
+++ b/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
@@ -8,7 +8,6 @@ import (
 "fmt"
 "net/http"
 "os"
- "strings"
 "testing"
 "time"
@@ -20,24 +19,27 @@ import (
 libcluster "github.com/hashicorp/consul/test/integration/consul-container/libs/cluster"
 libservice "github.com/hashicorp/consul/test/integration/consul-container/libs/service"
 "github.com/hashicorp/consul/test/integration/consul-container/libs/topology"
+ "github.com/hashicorp/go-cleanhttp"
+ "github.com/hashicorp/go-multierror"
 )
-// TestExtAuthz Summary
+// TestExtAuthzLocal Summary
 // This test makes sure two services in the same datacenter have connectivity.
 // A simulated client (a direct HTTP call) talks to it's upstream proxy through the mesh.
 // The upstream (static-server) is configured with a `builtin/ext-authz` extension that
 // calls an OPA external authorization service to authorize incoming HTTP requests.
+// The external authorization service is deployed as a container on the local network.
 //
 // Steps:
-// - Create a single agent cluster.
-// - Create the example static-server and sidecar containers, then register them both with Consul
-// - Create an example static-client sidecar, then register both the service and sidecar with Consul
-// - Create an OPA external authorization container on the local network, this doesn't need to be registered with Consul.
-// - Configure the static-server service with a `builtin/ext-authz` EnvoyExtension.
-// - Make sure a call to the client sidecar local bind port returns the expected response from the upstream, static-server:
+// - Create a single agent cluster.
+// - Create the example static-server and sidecar containers, then register them both with Consul
+// - Create an example static-client sidecar, then register both the service and sidecar with Consul
+// - Create an OPA external authorization container on the local network, this doesn't need to be registered with Consul.
+// - Configure the static-server service with a `builtin/ext-authz` EnvoyExtension targeting the OPA ext-authz service.
+// - Make sure a call to the client sidecar local bind port returns the expected response from the upstream static-server:
 // - A call to `/allow` returns 200 OK.
 // - A call to any other endpoint returns 403 Forbidden.
-func TestExtAuthz(t *testing.T) {
+func TestExtAuthzLocal(t *testing.T) {
 t.Parallel()
 cluster, _, _ := topology.NewCluster(t, &topology.ClusterConfig{
@@ -63,7 +65,7 @@ func TestExtAuthz(t *testing.T) {
 libassert.AssertContainerState(t, clientService, "running")
 libassert.AssertFortioName(t, fmt.Sprintf("http://localhost:%d", port), "static-server", "")
- // wire up ext-authz envoy extension for the static-server
+ // wire up the ext-authz envoy extension for the static-server
 consul := cluster.APIClient(0)
 defaults := api.ServiceConfigEntry{
 Kind: api.ServiceDefaults,
@@ -81,12 +83,10 @@ func TestExtAuthz(t *testing.T) {
 }},
 }
 consul.ConfigEntries().Set(&defaults, nil)
- entry, _, _ := consul.ConfigEntries().Get("service-defaults", "static-server", nil)
- fmt.Printf("\n\n!!! entry = %#v\n\n", entry)
- baseURL := fmt.Sprintf("http://localhost:%d/", port)
+
+ baseURL := fmt.Sprintf("http://localhost:%d", port)
 doRequest(t, baseURL, http.StatusForbidden)
 doRequest(t, baseURL+"/allow", http.StatusOK)
- wait()
 }
 func createServices(t *testing.T, cluster *libcluster.Cluster) libservice.Service {
@@ -160,36 +160,38 @@ func createLocalAuthzService(t *testing.T, cluster *libcluster.Cluster) {
 }
 func doRequest(t *testing.T, url string, expStatus int) {
- var errs []string
+ var errs error
 for i := 0; i < 5; i++ {
 req, err := http.NewRequest(http.MethodGet, url, nil)
 if err != nil {
- t.Log(err)
- t.FailNow()
+ errs = multierror.Append(errs, fmt.Errorf("failed to create HTTP request: %w", err))
 }
- req.Header.Set("user-agent", "foo")
- client := &http.Client{}
- res, err := client.Do(req)
+ res, err := cleanhttp.DefaultClient().Do(req)
 if err == nil {
+ res.Body.Close()
+ fmt.Printf("\n\n!!! GET %s: exp %d, obs %d\n\n", url, expStatus, res.StatusCode)
 if res.StatusCode == expStatus {
 return
 } else {
- fmt.Printf("\n\n!!! response from %s: %#v\n\nrequest = %#v\n\n", url, *res, res.Request)
- errs = append(errs, fmt.Sprintf("%s unexpected status code: want: %d, have: %d", time.Now().Format(time.RFC3339), expStatus, res.StatusCode))
+ errs = multierror.Append(errs, fmt.Errorf("unexpected status code: want: %d, have: %d", expStatus, res.StatusCode))
 }
 } else {
- errs = append(errs, fmt.Sprintf("unexpected error: %s", err.Error()))
- }
- if res != nil {
- res.Body.Close()
+ errs = multierror.Append(errs, fmt.Errorf("unexpected error: %w", err))
 }
 time.Sleep(time.Duration(i+1) * time.Second)
 }
- t.Logf("request failed: \n%s", strings.Join(errs, " \n"))
- t.Fail()
+ t.Fatalf("request failed:\n%s", errs.Error())
+}
+
+type MeshServiceRequest struct {
+ Agent libcluster.Agent
+ ServiceOpts *libservice.ServiceOpts
+ ContainerRequest testcontainers.ContainerRequest
+ MapPorts []string
+ DisableTestdataMount bool
 }
-func wait() {
+func Wait() {
 for {
 _, err := os.Stat("continue")
 if err == nil {
From f0bbbbb6fd1e3a445a9c4273f335f71f1fc95d73 Mon Sep 17 00:00:00 2001
From: Chris Thain
Date: Fri, 30 Jun 2023 09:35:47 -0700
Subject: [PATCH 4/4] Cleanup test code
---
 .../test/envoy_extensions/ext_authz_test.go | 53 ++++--------------
 .../testdata/policies/bundle.tar.gz | Bin 281 -> 0 bytes
 2 files changed, 10 insertions(+), 43 deletions(-)
 delete mode 100644 test/integration/consul-container/test/envoy_extensions/testdata/policies/bundle.tar.gz
diff --git a/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go b/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
index 30775d8af0f7..938981c60f51 100644
--- a/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
+++ b/test/integration/consul-container/test/envoy_extensions/ext_authz_test.go
@@ -15,12 +15,12 @@ import (
 "github.com/testcontainers/testcontainers-go"
 "github.com/hashicorp/consul/api"
+ "github.com/hashicorp/consul/sdk/testutil/retry"
 libassert "github.com/hashicorp/consul/test/integration/consul-container/libs/assert"
 libcluster "github.com/hashicorp/consul/test/integration/consul-container/libs/cluster"
 libservice "github.com/hashicorp/consul/test/integration/consul-container/libs/service"
 "github.com/hashicorp/consul/test/integration/consul-container/libs/topology"
 "github.com/hashicorp/go-cleanhttp"
- "github.com/hashicorp/go-multierror"
 )
 // TestExtAuthzLocal Summary
@@ -65,7 +65,7 @@ func TestExtAuthzLocal(t *testing.T) {
 libassert.AssertContainerState(t, clientService, "running")
 libassert.AssertFortioName(t, fmt.Sprintf("http://localhost:%d", port), "static-server", "")
- // wire up the ext-authz envoy extension for the static-server
+ // Wire up the ext-authz envoy extension for the static-server
 consul := cluster.APIClient(0)
 defaults := api.ServiceConfigEntry{
 Kind: api.ServiceDefaults,
@@ -84,6 +84,8 @@ func TestExtAuthzLocal(t *testing.T) {
 }
 consul.ConfigEntries().Set(&defaults, nil)
+ // Make requests to the static-server. We expect that all requests are rejected with 403 Forbidden
+ // unless they are to the /allow path.
 baseURL := fmt.Sprintf("http://localhost:%d", port)
 doRequest(t, baseURL, http.StatusForbidden)
 doRequest(t, baseURL+"/allow", http.StatusOK)
@@ -139,7 +141,7 @@ func createLocalAuthzService(t *testing.T, cluster *libcluster.Cluster) {
 "--set=decision_logs.console=true",
 "--set=status.console=true",
 "--ignore=.*",
- "/testdata/policies/bundle.tar.gz",
+ "/testdata/policies/policy.rego",
 },
 Mounts: []testcontainers.ContainerMount{{
 Source: testcontainers.DockerBindMountSource{
@@ -160,44 +162,9 @@ func createLocalAuthzService(t *testing.T, cluster *libcluster.Cluster) {
 }
 func doRequest(t *testing.T, url string, expStatus int) {
- var errs error
- for i := 0; i < 5; i++ {
- req, err := http.NewRequest(http.MethodGet, url, nil)
- if err != nil {
- errs = multierror.Append(errs, fmt.Errorf("failed to create HTTP request: %w", err))
- }
- res, err := cleanhttp.DefaultClient().Do(req)
- if err == nil {
- res.Body.Close()
- fmt.Printf("\n\n!!! GET %s: exp %d, obs %d\n\n", url, expStatus, res.StatusCode)
- if res.StatusCode == expStatus {
- return
- } else {
- errs = multierror.Append(errs, fmt.Errorf("unexpected status code: want: %d, have: %d", expStatus, res.StatusCode))
- }
- } else {
- errs = multierror.Append(errs, fmt.Errorf("unexpected error: %w", err))
- }
- time.Sleep(time.Duration(i+1) * time.Second)
- }
- t.Fatalf("request failed:\n%s", errs.Error())
-}
-
-type MeshServiceRequest struct {
- Agent libcluster.Agent
- ServiceOpts *libservice.ServiceOpts
- ContainerRequest testcontainers.ContainerRequest
- MapPorts []string
- DisableTestdataMount bool
-}
-
-func Wait() {
- for {
- _, err := os.Stat("continue")
- if err == nil {
- _ = os.Remove("continue")
- break
- }
- time.Sleep(time.Second)
- }
+ retry.RunWith(&retry.Timer{Timeout: 5 * time.Second, Wait: time.Second}, t, func(r *retry.R) {
+ resp, err := cleanhttp.DefaultClient().Get(url)
+ require.NoError(r, err)
+ require.Equal(r, expStatus, resp.StatusCode)
+ })
 }
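Review bot: The new retry closure never closes `resp.Body`, which the replaced loop did; every attempt that gets a response (including the 200s received before the 403 expectation is met) leaves a body and its connection open until garbage collection, and since cleanhttp.DefaultClient() disables keep-alives that is a file descriptor per attempt rather than a pooled connection. Add `defer resp.Body.Close()` immediately after `require.NoError(r, err)`, inside the closure so it runs per attempt. doRequest also has no doc comment; something like `// doRequest GETs url through the client sidecar and retries for up to 5s until the response status equals expStatus, failing the test otherwise.` would also record what the retry window is for (presumably giving the service-defaults entry time to reach the sidecar's Envoy). Note the 5s Timeout is noticeably shorter than the roughly 15s of growing backoff the old loop allowed, so if propagation is slow in CI this is the knob to revisit.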
diff --git a/test/integration/consul-container/test/envoy_extensions/testdata/policies/bundle.tar.gz b/test/integration/consul-container/test/envoy_extensions/testdata/policies/bundle.tar.gz deleted file mode 100644 index a689dc734fd0e2d5f751d6f1a1e4fe81e0af143d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 281 zcmV+!0p|W6iwFP!00000|LoMyN;5GK0PwvwPch{5eNeK~R(lY76koubh)lcLKQ_CG z$;7f2-(9StwH|tqwFvoLCK(uJa+u@=F{%4tyKFFsh;zhU#P1OiXM1PNa5BO3Nd`FF zNS|V0@)`cP*Wu&-i0!jD^$5uc<<6RB)hn+nJ5-Nj`#+n`5BL9UHck8g8yv0HRB6!N zqwN(%uAhWxT4y~&8992b*1F$VUxbf*)49lsn0>R1tb_9UA?m=YW_CaUUgO<+QiwvA z6b%CzV>fWIfRaqmLcHCZ61HNrU!hvfwJl(=0C{zJEybuZcBxw8RsB!qyD~Y38=1@7 f@t0o85!e4k`qGjlNsfC700960fVRhk01N;Cy6B6|