Integrate consul-server-connection-manager library

[sarahalsmiller]

Changes proposed in this PR:

How I've tested this PR:

How I expect reviewers to test this PR:

Checklist:

• Tests added
• CHANGELOG entry added

  Run make changelog-entry for guidance in authoring a changelog entry, and
  commit the resulting file, which should have a name matching your PR number.
  Entries should use imperative present tense (e.g. Add support for...)

[andrewstucki]

making progress.

[andrewstucki]

More comments, maybe we can pair tomorrow on this.

[andrewstucki]

So I went ahead and validated this with the following agentless configurations that pretty much exercise the majority auth method + tls configuration for the discovery library:

internal server
TLS enabled + internal server
Managed ACLs + internal server
External server with static address
External server with connection string exec=echo 192.168.65.2

Despite the introduction of all the more flaky unit tests due to the upstream issues with the manager library use of the grpc balancer subpackage, I think we can merge with the inclusion of some changelog entries + a thorough review pass. We'll continue to vet this over the next few days with a variety of consul-k8s configurations. @sarahalsmiller since I'm out a good chunk of tomorrow morning, would you mind handling the changelog stuff?

[mikemorris]

Minor notes/questions but mostly LGTM!

[mikemorris]

This seems like a weird error, is it because we're expecting a file path for the bearer token or something? Should we add a test for if it's present but invalid, and/or is there an actual implementation issue here where setting the Token field in an AuthConfig isn't handled properly?

[mikemorris]

I'm assuming this was needed because of the un-threadsafe behavior of how consul-server-connection-manager is registering the gRPC load balancer? Refs hashicorp/consul-server-connection-manager#25

[andrewstucki]

👍

[mikemorris]

I was curious about the best way to check for whether TLS should be used for these gRPC connections - this approach seems reasonable, in
I took a different approach more similar to internal/commands/server/server.go and internal/commands/exec/exec.go though, checking

if consulAPITLSConfig.CAFile != "" || len(consulAPITLSConfig.CAPem) > 0

It looks like consul-dataplane is asking for an explicit -tls-disabled configuration https://github.com/hashicorp/consul-dataplane/#configuration-reference

[andrewstucki]

Yeah, so Consul Dataplane uses that to see whether or not it should set a TLS parameter in the underlying library that we share usage of. We're doing the same with a PlainText option to the struct. For our codebase we have knowledge of the scheme we're trying to use to connect, so I just used that -- if we're over http we use plain text, if https use TLS.

[mikemorris]

Could we add a ACL() method to the client wrapper since we plan to remove the Internal() catch-all soon?

[mikemorris]

Is this still needed at all now that we're using the consul-server-connection-manager integrated login flow?

[andrewstucki]

Yes, this is the client that gets passed around with the root auth token in our tests so that we can actually check what's in Consul.

[mikemorris]

Do we not actually need to mock the WatchServers method anywhere? Are we only exercising that in e2e tests?

[andrewstucki]

No, we don't -- this is just a gRPC server that stubs out the endpoints. So the library actually hits this and issues real API calls against this. It's almost like using httptest.

[andrewstucki]

LGTM -- We'll want to hammer this some more with the helm changes to make sure we have all of our myriad of configurations fully vetted and documented.