Error out consul connect envoy if agent explicitly disabled grpc
#15794
Conversation
kisunji
force-pushed
the
kisunji/NET-1767-envoy-grpc-disabled
branch
from
6765016 to
1a8accb
Compare
github-actions
bot
added
the
theme/cli
command/connect/envoy/envoy.go
Outdated
| c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err)) | ||
| return g, fmt.Errorf("Could not look up xDS port: %w", err) |
There was a problem hiding this comment.
I'm unsure if the return was missed here or we intentionally went on to default to 8502. It looks safe to error here since if the call to Agent.Self doesn't yield any port, we probably don't want the command to continue.
There was a problem hiding this comment.
It can't error out because typically agent:read is not granted to sidecars, which is required for /v1/agent/self. The existing code did the agent self lookup as an UX optimization.
Instead you could pick whichever port we already calculated and do a super simple net.Dial with a short timeout and see if the port is even open instead, which wouldn't even need ACL tokens.
There was a problem hiding this comment.
Yeah, I'm not sure why it never errored-out before. I assume it was to enable some backwards compatibility with old APIs that didn't include the port. I don't honestly know the history on this particular area of code, aside from the recent changes I made. I'll have to think about it quite a bit, because there might be some situation where the API is not available, but gRPC is.
There was a problem hiding this comment.
Nevermind. RB already answered the question.
There was a problem hiding this comment.
@rboyer I ended up logging and defaulting only if it's an ACL perm denied and otherwise erroring out.
kisunji
force-pushed
the
kisunji/NET-1767-envoy-grpc-disabled
branch
from
1a8accb to
1a5a2fb
Compare
kisunji
requested review from
hashi-derek,
a team,
pglass and
cthain
and removed request for
a team
kisunji
force-pushed
the
kisunji/NET-1767-envoy-grpc-disabled
branch
2 times, most recently
from
1bd5e3e to
fff2726
Compare
| WantArgs: BootstrapTplArgs{ | ||
| ProxyCluster: "test-proxy", | ||
| ProxyID: "test-proxy", | ||
| // We don't know this til after the lookup so it will be empty in the | ||
| // initial args call we are testing here. | ||
| ProxySourceService: "", | ||
| // Should resolve IP, note this might not resolve the same way | ||
| // everywhere which might make this test brittle but not sure what else | ||
| // to do. | ||
| GRPC: GRPC{ | ||
| AgentAddress: "127.0.0.1", | ||
| AgentPort: "8502", | ||
| }, | ||
| }, |
There was a problem hiding this comment.
WantArgs is never evaluated if WantErr exists so I removed it
kisunji
force-pushed
the
kisunji/NET-1767-envoy-grpc-disabled
branch
2 times, most recently
from
962dd94 to
7957ace
Compare
kisunji
force-pushed
the
kisunji/NET-1767-envoy-grpc-disabled
branch
from
7957ace to
59ea55b
Compare
kisunji
force-pushed
the
kisunji/NET-1767-envoy-grpc-disabled
branch
from
f77c705 to
6df7ad4
Compare
Co-authored-by: Paul Glass <pglass@hashicorp.com>
kisunji
force-pushed
the
kisunji/NET-1767-envoy-grpc-disabled
branch
from
6df7ad4 to
1788be7
Compare
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Description
Error out if no grpc ports are returned by
/v1/agent/selfinstead of defaulting to 8502.Update tests to reflect Consul's new default behavior to enable grpc TLS (#15302)
Testing & Reproduction steps
PR Checklist