diff --git a/.circleci/config.yml b/.circleci/config.yml
index 4347e03b67..b1bcce48c7 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -651,7 +651,7 @@ jobs: - run: mkdir -p $TEST_RESULTS - run-acceptance-tests: - additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-pod-security-policies + additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-pod-security-policies -enable-transparent-proxy - store_test_results: path: /tmp/test-results
@@ -706,7 +706,7 @@ jobs: - run: mkdir -p $TEST_RESULTS - run-acceptance-tests: - additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -disable-peering + additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -disable-peering -enable-transparent-proxy - store_test_results: path: /tmp/test-results
@@ -767,7 +767,7 @@ jobs: - run: mkdir -p $TEST_RESULTS - run-acceptance-tests: - additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" + additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy - store_test_results: path: /tmp/test-results
@@ -862,7 +862,7 @@ jobs: - ~/.go_workspace/pkg/mod - run: mkdir -p $TEST_RESULTS - run-acceptance-tests: - additional-flags: -use-kind -kubecontext="kind-dc1" -secondary-kubecontext="kind-dc2" + additional-flags: -use-kind -kubecontext="kind-dc1" -secondary-kubecontext="kind-dc2" -enable-transparent-proxy - store_test_results: path: /tmp/test-results - store_artifacts:
diff --git a/acceptance/tests/peering/peering_connect_namespaces_test.go b/acceptance/tests/peering/peering_connect_namespaces_test.go
index 7e80415f41..57421a3f53 100644
--- a/acceptance/tests/peering/peering_connect_namespaces_test.go
+++ b/acceptance/tests/peering/peering_connect_namespaces_test.go
@@ -32,10 +32,6 @@ func TestPeering_ConnectNamespaces(t *testing.T) { t.Skipf("skipping this test because -enable-enterprise is not set") } - if cfg.EnableTransparentProxy { - t.Skipf("skipping this test because Transparent Proxy is enabled") - } - ver, err := version.NewVersion("1.13.0") require.NoError(t, err) if cfg.ConsulVersion != nil && cfg.ConsulVersion.LessThan(ver) {
@@ -80,7 +76,7 @@ func TestPeering_ConnectNamespaces(t *testing.T) { "global.peering.enabled": "true", "global.enableConsulNamespaces": "true", - "global.image": "hashicorp/consul-enterprise:1.13.0-alpha2-ent", + "global.image": "thisisnotashwin/consul@sha256:446aad6e02f66e3027756dfc0d34e8e6e2b11ac6ec5637b134b34644ca7cda64", "global.tls.enabled": "false", "global.tls.httpsOnly": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
@@ -98,6 +94,9 @@ func TestPeering_ConnectNamespaces(t *testing.T) { "meshGateway.replicas": "1", "controller.enabled": "true", + + "dns.enabled": "true", + "dns.enableRedirection": strconv.FormatBool(cfg.EnableTransparentProxy), } staticServerPeerHelmValues := map[string]string{
@@ -261,7 +260,7 @@ func TestPeering_ConnectNamespaces(t *testing.T) { logger.Log(t, "checking that connection is successful") if cfg.EnableTransparentProxy { - k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, fmt.Sprintf("http://static-server.virtual.%s.%s.consul", staticServerNamespace, staticServerPeer)) + k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer)) } else { k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, "http://localhost:1234") }
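Review bot: The acceptance run now depends on an image from a personal Docker Hub namespace, `thisisnotashwin/consul@sha256:446aad6e02f66e3027756dfc0d34e8e6e2b11ac6ec5637b134b34644ca7cda64`, which the `@@ -80,7` hunk substitutes for `hashicorp/consul-enterprise:1.13.0-alpha2-ent`; the digest pin makes the reference immutable, but CI for this repository now pulls an artifact whose build provenance is not recorded here and that only that account can replace or delete. If this is a stopgap until an official build ships the change under test, say so at the line, `// TODO: temporary dev build; revert to the published hashicorp/consul-enterprise image once released`, so it cannot quietly outlive the PR. The same digest replaces `hashicorp/consul:1.13.0-alpha2` in peering_connect_test.go (`@@ -53,7`), so one digest serves both the OSS and the enterprise run, while this test keeps `"global.enableConsulNamespaces": "true"` on the line above, which presumably requires an enterprise binary — confirm this build is one. TestPeering_ConnectNamespaces begins and ends outside the hunk.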
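Review bot: In the `@@ -261,7` hunk the virtual address `fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer)` is spelled out inline, and the `@@ -284,7` and `@@ -316,7` hunks repeat the identical expression, so the namespace fix had to be applied three times. If all three calls sit in the same case body, compute it once before the first check, `staticServerVirtualURL := fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer)`, and pass that variable to each `k8s.CheckStaticServerConnection*` call. The enclosing function starts and ends outside the hunk.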
@@ -284,7 +283,7 @@ func TestPeering_ConnectNamespaces(t *testing.T) { logger.Log(t, "checking that the connection is not successful because there's no allow intention") if cfg.EnableTransparentProxy { - k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, staticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.%s.consul", staticServerNamespace, staticServerPeer)) + k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, staticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer)) } else { k8s.CheckStaticServerConnectionFailing(t, staticClientOpts, staticClientName, "http://localhost:1234") }
@@ -316,7 +315,7 @@ func TestPeering_ConnectNamespaces(t *testing.T) { logger.Log(t, "checking that connection is successful") if cfg.EnableTransparentProxy { - k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, fmt.Sprintf("http://static-server.virtual.%s.%s.consul", staticServerNamespace, staticServerPeer)) + k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer)) } else { k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, "http://localhost:1234") }
diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go
index e52b70fe83..b1b246aac5 100644
--- a/acceptance/tests/peering/peering_connect_test.go
+++ b/acceptance/tests/peering/peering_connect_test.go
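Review bot: The third expected failure message on the new line of the `@@ -284,7` hunk, `"curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"`, hard-codes a host name that no longer matches the address the same call now requests, `static-server.virtual.<c.destinationNamespace>.<staticServerPeer>.consul`; curl reports the host it was given, so this entry can only match if the namespace is always `ns1` and the host is reported in that shorter form, which seems unlikely. If the connection-refused case is reachable in transparent-proxy mode, derive the message from the same values, `fmt.Sprintf("curl: (7) Failed to connect to static-server.virtual.%s.%s.consul port 80: Connection refused", c.destinationNamespace, staticServerPeer)`; if it is not reachable, a stale entry that can never match only hides which failure modes the test really accepts. The enclosing function starts and ends outside the hunk.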
@@ -23,10 +23,6 @@ func TestPeering_Connect(t *testing.T) { env := suite.Environment() cfg := suite.Config() - if cfg.EnableTransparentProxy { - t.Skipf("skipping this test because Transparent Proxy is enabled") - } - ver, err := version.NewVersion("1.13.0") require.NoError(t, err) if cfg.ConsulVersion != nil && cfg.ConsulVersion.LessThan(ver) {
@@ -53,7 +49,7 @@ func TestPeering_Connect(t *testing.T) { commonHelmValues := map[string]string{ "global.peering.enabled": "true", - "global.image": "hashicorp/consul:1.13.0-alpha2", + "global.image": "thisisnotashwin/consul@sha256:446aad6e02f66e3027756dfc0d34e8e6e2b11ac6ec5637b134b34644ca7cda64", "global.tls.enabled": "false", "global.tls.httpsOnly": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
@@ -67,6 +63,9 @@ func TestPeering_Connect(t *testing.T) { "meshGateway.replicas": "1", "controller.enabled": "true", + + "dns.enabled": "true", + "dns.enableRedirection": strconv.FormatBool(cfg.EnableTransparentProxy), } staticServerPeerHelmValues := map[string]string{
diff --git a/charts/consul/templates/server-podsecuritypolicy.yaml b/charts/consul/templates/server-podsecuritypolicy.yaml
index c037ee9b8e..507a07179f 100644
--- a/charts/consul/templates/server-podsecuritypolicy.yaml
+++ b/charts/consul/templates/server-podsecuritypolicy.yaml
@@ -35,6 +35,8 @@ spec: max: {{ .Values.server.ports.serflan.port }} - min: 8302 max: 8302 + - min: 8503 + max: 8503 {{- end }} hostIPC: false hostPID: false
diff --git a/charts/consul/templates/server-service.yaml b/charts/consul/templates/server-service.yaml
index a6003f9ec3..4b1c714c1b 100644
--- a/charts/consul/templates/server-service.yaml
+++ b/charts/consul/templates/server-service.yaml
@@ -39,6 +39,9 @@ spec: port: 8501 targetPort: 8501 {{- end }} + - name: grpc + port: 8503 + targetPort: 8503 - name: serflan-tcp protocol: "TCP" port: 8301
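Review bot: The new PodSecurityPolicy `hostPorts` entry in the `@@ -35,6` hunk allows 8503 as a bare literal, whereas the serflan entry just above derives its range from `.Values.server.ports.serflan.port`, and the same literal is repeated in the server Service (`@@ -39,6`), in the `-hcl='ports { grpc = 8503 }'` argument and in the `containerPort`/`hostPort` block of server-statefulset.yaml, leaving four places that must move together if the gRPC port ever changes. A single chart value in the style of `server.ports.serflan.port` feeding all four would remove the drift; failing that, a template comment at this entry, `# must match the grpc port set via -hcl in server-statefulset.yaml`, at least names the coupling. Because this entry sits inside the `exposeGossipAndRPCPorts` conditional (closed by the `{{- end }}` below it), enabling that option now also lets the server pod bind the gRPC listener on the node, which the values documentation for that option should state.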
diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml
index 7caec15b21..486b4a5ba5 100644
--- a/charts/consul/templates/server-statefulset.yaml
+++ b/charts/consul/templates/server-statefulset.yaml
@@ -296,6 +296,7 @@ spec: -config-dir=/consul/userconfig/{{ .name }} \ {{- end }} {{- end }} + -hcl='ports { grpc = 8503 }' \ -config-file=/consul/extra-config/extra-from-values.json volumeMounts: - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }}
@@ -334,6 +335,11 @@ spec: - name: https containerPort: 8501 {{- end }} + - containerPort: 8503 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8503 + {{- end }} + name: grpc - name: serflan-tcp containerPort: {{ .Values.server.ports.serflan.port }} {{- if .Values.server.exposeGossipAndRPCPorts }}
diff --git a/charts/consul/test/unit/server-podsecuritypolicy.bats b/charts/consul/test/unit/server-podsecuritypolicy.bats
index a87980ee80..99902d1971 100644
--- a/charts/consul/test/unit/server-podsecuritypolicy.bats
+++ b/charts/consul/test/unit/server-podsecuritypolicy.bats
@@ -39,7 +39,7 @@ load _helpers --set 'server.exposeGossipAndRPCPorts=true' \ . | tee /dev/stderr | yq -c '.spec.hostPorts' | tee /dev/stderr) - [ "${actual}" = '[{"min":8300,"max":8300},{"min":8301,"max":8301},{"min":8302,"max":8302}]' ] + [ "${actual}" = '[{"min":8300,"max":8300},{"min":8301,"max":8301},{"min":8302,"max":8302},{"min":8503,"max":8503}]' ] } @test "server/PodSecurityPolicy: hostPort 8300, server.ports.serflan.port and 8302 allowed when exposeGossipAndRPCPorts=true" {
@@ -51,5 +51,5 @@ load _helpers --set 'server.ports.serflan.port=8333' \ . | tee /dev/stderr | yq -c '.spec.hostPorts' | tee /dev/stderr) - [ "${actual}" = '[{"min":8300,"max":8300},{"min":8333,"max":8333},{"min":8302,"max":8302}]' ] + [ "${actual}" = '[{"min":8300,"max":8300},{"min":8333,"max":8333},{"min":8302,"max":8302},{"min":8503,"max":8503}]' ] }
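Review bot: `-hcl='ports { grpc = 8503 }'` in the `@@ -296,6` hunk sets Consul's `grpc` port, which in releases that also have a separate `grpc_tls` port is the plaintext gRPC listener, and the `@@ -334,6` hunk binds that listener to the node with `hostPort: 8503` whenever `server.exposeGossipAndRPCPorts` is true; unlike the `https`/8501 block directly above it, nothing here is gated on `global.tls.enabled`, so a TLS-enabled install with exposed ports still publishes an unencrypted gRPC endpoint on every server node. If that is deliberate for the peering and xDS traffic this change enables, a comment at the `-hcl` line naming the consumers and noting that the listener is plaintext would spare the next reader the same question; otherwise consider gating the `hostPort` on the TLS condition, or targeting `grpc_tls` where the Consul version in use supports it. The literal 8503 also appears in server-service.yaml and server-podsecuritypolicy.yaml, so a single chart value would keep the four sites in step. The container spec starts and ends outside both hunks.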
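Review bot: The test description visible at the end of the `@@ -39,7` hunk, `hostPort 8300, server.ports.serflan.port and 8302 allowed when exposeGossipAndRPCPorts=true`, no longer describes the assertion the `@@ -51,5` hunk updates, which now also requires `{"min":8503,"max":8503}`; the first test's description, outside the hunk, presumably has the same drift. Rename it to match, `@test "server/PodSecurityPolicy: hostPort 8300, server.ports.serflan.port, 8302 and 8503 allowed when exposeGossipAndRPCPorts=true" {`, so a failure points at the right expectation.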