agentless: initial integration with consul-dataplane (#1470)

.circleci/config.yml

@@ -112,6 +112,7 @@ commands:
                           << parameters.additional-flags >> \
                           ${ENABLE_ENTERPRISE:+-enable-enterprise} \
                           -debug-directory="$TEST_RESULTS/debug" \
+                          -consul-image=hashicorppreview/consul-enterprise:1.14-dev \
                           -consul-k8s-image=<< parameters.consul-k8s-image >>
                     then
                       echo "Tests in ${pkg} failed, aborting early"

acceptance/tests/connect/connect_helper.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"strconv"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/consul-k8s/acceptance/framework/config"
 	"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
@@ -93,7 +94,8 @@ func (c *ConnectHelper) DeployClientAndServer(t *testing.T) {
 		// deployments because golang will execute them in reverse order
 		// (i.e. the last registered cleanup function will be executed first).
 		t.Cleanup(func() {
-			retry.Run(t, func(r *retry.R) {
+			retrier := &retry.Timer{Timeout: 30 * time.Second, Wait: 100 * time.Millisecond}
+			retry.RunWith(retrier, t, func(r *retry.R) {
 				tokens, _, err := c.consulClient.ACL().TokenList(nil)
 				require.NoError(r, err)
 				for _, token := range tokens {

acceptance/tests/connect/connect_inject_test.go

@@ -94,15 +94,14 @@ func TestConnectInject(t *testing.T) {
 					logger.Log(t, output)
 
 					// Both proxies must see their own local agent and app as clusters.
-					require.Regexp(r, "local_agent.*STATIC", output)
+					require.Regexp(r, "consul-dataplane.*STATIC", output)
 					require.Regexp(r, "local_app.*STATIC", output)
 
 					// Static Client must have Static Server as a cluster and endpoint.
 					if strings.Contains(podName, "static-client") {
 						require.Regexp(r, "static-server.*static-server\\.default\\.dc1\\.internal.*EDS", output)
 						require.Regexp(r, ipv4RegEx+".*static-server", output)
 					}
-
 				}
 			})
 
@@ -175,26 +174,16 @@ func TestConnectInjectOnUpgrade(t *testing.T) {
 
 // Test the endpoints controller cleans up force-killed pods.
 func TestConnectInject_CleanupKilledPods(t *testing.T) {
-	cases := []struct {
-		secure      bool
-		autoEncrypt bool
-	}{
-		{false, false},
-		{true, false},
-		{true, true},
-	}
-
-	for _, c := range cases {
-		name := fmt.Sprintf("secure: %t; auto-encrypt: %t", c.secure, c.autoEncrypt)
+	for _, secure := range []bool{false, true} {
+		name := fmt.Sprintf("secure: %t", secure)
 		t.Run(name, func(t *testing.T) {
 			cfg := suite.Config()
 			ctx := suite.Environment().DefaultContext(t)
 
 			helmValues := map[string]string{
 				"connectInject.enabled":        "true",
-				"global.tls.enabled":           strconv.FormatBool(c.secure),
-				"global.tls.enableAutoEncrypt": strconv.FormatBool(c.autoEncrypt),
-				"global.acls.manageSystemACLs": strconv.FormatBool(c.secure),
+				"global.tls.enabled":           strconv.FormatBool(secure),
+				"global.acls.manageSystemACLs": strconv.FormatBool(secure),
 			}
 
 			releaseName := helpers.RandomName()
@@ -206,7 +195,7 @@ func TestConnectInject_CleanupKilledPods(t *testing.T) {
 			k8s.DeployKustomize(t, ctx.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-client-inject")
 
 			logger.Log(t, "waiting for static-client to be registered with Consul")
-			consulClient, _ := consulCluster.SetupConsulClient(t, c.secure)
+			consulClient, _ := consulCluster.SetupConsulClient(t, secure)
 			retry.Run(t, func(r *retry.R) {
 				for _, name := range []string{"static-client", "static-client-sidecar-proxy"} {
 					instances, _, err := consulClient.Catalog().Service(name, "", nil)
@@ -253,17 +242,9 @@ const multiportAdmin = "multiport-admin"
 // two ports. This tests inbound connections to each port of the multiport app, and outbound connections from the
 // multiport app to static-server.
 func TestConnectInject_MultiportServices(t *testing.T) {
-	cases := []struct {
-		secure      bool
-		autoEncrypt bool
-	}{
-		{false, false},
-		{true, false},
-		{true, true},
-	}
-
-	for _, c := range cases {
-		name := fmt.Sprintf("secure: %t; auto-encrypt: %t", c.secure, c.autoEncrypt)
+	t.Skipf("skipping until multi-port workaround is supported")
+	for _, secure := range []bool{false, true} {
+		name := fmt.Sprintf("secure: %t", secure)
 		t.Run(name, func(t *testing.T) {
 			cfg := suite.Config()
 			ctx := suite.Environment().DefaultContext(t)
@@ -276,20 +257,19 @@ func TestConnectInject_MultiportServices(t *testing.T) {
 			helmValues := map[string]string{
 				"connectInject.enabled": "true",
 
-				"global.tls.enabled":           strconv.FormatBool(c.secure),
-				"global.tls.enableAutoEncrypt": strconv.FormatBool(c.autoEncrypt),
-				"global.acls.manageSystemACLs": strconv.FormatBool(c.secure),
+				"global.tls.enabled":           strconv.FormatBool(secure),
+				"global.acls.manageSystemACLs": strconv.FormatBool(secure),
 			}
 
 			releaseName := helpers.RandomName()
 			consulCluster := consul.NewHelmCluster(t, helmValues, ctx, cfg, releaseName)
 
 			consulCluster.Create(t)
 
-			consulClient, _ := consulCluster.SetupConsulClient(t, c.secure)
+			consulClient, _ := consulCluster.SetupConsulClient(t, secure)
 
 			// Check that the ACL token is deleted.
-			if c.secure {
+			if secure {
 				// We need to register the cleanup function before we create the deployments
 				// because golang will execute them in reverse order i.e. the last registered
 				// cleanup function will be executed first.
@@ -328,7 +308,7 @@ func TestConnectInject_MultiportServices(t *testing.T) {
 			require.Len(t, podList.Items, 1)
 			require.Len(t, podList.Items[0].Spec.Containers, 4)
 
-			if c.secure {
+			if secure {
 				logger.Log(t, "checking that the connection is not successful because there's no intention")
 				k8s.CheckStaticServerConnectionFailing(t, ctx.KubectlOptions(t), StaticClientName, "http://localhost:1234")
 				k8s.CheckStaticServerConnectionFailing(t, ctx.KubectlOptions(t), StaticClientName, "http://localhost:2234")
@@ -373,7 +353,7 @@ func TestConnectInject_MultiportServices(t *testing.T) {
 
 			// For outbound connections from the multi port pod, only intentions from the first service in the multiport
 			// pod need to be created, since all upstream connections are made through the first service's envoy proxy.
-			if c.secure {
+			if secure {
 				logger.Log(t, "checking that the connection is not successful because there's no intention")
 
 				k8s.CheckStaticServerConnectionFailing(t, ctx.KubectlOptions(t), multiport, "http://localhost:3234")

acceptance/tests/metrics/metrics_test.go

@@ -90,6 +90,7 @@ func TestComponentMetrics(t *testing.T) {
 // Test that merged service and envoy metrics are accessible from the
 // endpoints that have been exposed on the service.
 func TestAppMetrics(t *testing.T) {
+	t.Skipf("Skipping this test because it's not yet supported with agentless")
 	env := suite.Environment()
 	cfg := suite.Config()
 	ctx := env.DefaultContext(t)

charts/consul/templates/connect-inject-deployment.yaml

@@ -128,12 +128,13 @@ spec:
                 -log-json={{ .Values.global.logJSON }} \
                 -default-inject={{ .Values.connectInject.default }} \
                 -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \
-                -envoy-image="{{ .Values.global.imageEnvoy }}" \
+                -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \
                 -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \
                 -release-name="{{ .Release.Name }}" \
                 -release-namespace="{{ .Release.Namespace }}" \
                 -resource-prefix={{ template "consul.fullname" . }} \
                 -listen=:8080 \
+                -tls-server-name="server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \
                 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
                 {{- if .Values.externalServers.enabled }}
                 {{- if .Values.global.tls.enabled }}

charts/consul/test/unit/connect-inject-deployment.bats

@@ -317,14 +317,14 @@ EOF
   [ "${actual}" = "true" ]
 }
 
-@test "connectInject/Deployment: envoy-image can be set via global" {
+@test "connectInject/Deployment: consul-dataplane-image can be set via global" {
   cd `chart_dir`
   local actual=$(helm template \
       -s templates/connect-inject-deployment.yaml  \
       --set 'connectInject.enabled=true' \
-      --set 'global.imageEnvoy=foo' \
+      --set 'global.imageConsulDataplane=foo' \
       . | tee /dev/stderr |
-      yq '.spec.template.spec.containers[0].command | any(contains("-envoy-image=\"foo\""))' | tee /dev/stderr)
+      yq '.spec.template.spec.containers[0].command | any(contains("-consul-dataplane-image=\"foo\""))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
 

charts/consul/values.yaml

@@ -631,6 +631,11 @@ global:
   # @default: envoyproxy/envoy-alpine:<latest supported version>
   imageEnvoy: "envoyproxy/envoy:v1.23.1"
 
+  # The name (and tag) of the consul-dataplane Docker image used for the
+  # connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
+  # @default: hashicorp/consul-dataplane:<latest supported version>
+  imageConsulDataplane: "ishustava/consul-dataplane:latest@sha256:5ac25d6a159e360b9cbe9b12ea6be70cde8f4677cbf00ae4885e5f5fd9b1ad36"
+
   # Configuration for running this Helm chart on the Red Hat OpenShift platform.
   # This Helm chart currently supports OpenShift v4.x+.
   openshift:

control-plane/api/v1alpha1/servicedefaults_types.go

@@ -2,6 +2,9 @@ package v1alpha1
 
 import (
 	"fmt"
+	"net"
+	"strings"
+
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/hashicorp/consul-k8s/control-plane/api/common"
@@ -12,8 +15,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/validation/field"
-	"net"
-	"strings"
 )
 
 const (

control-plane/connect-inject/annotations.go

@@ -108,11 +108,14 @@ const (
 	annotationServiceMetricsPort   = "consul.hashicorp.com/service-metrics-port"
 	annotationServiceMetricsPath   = "consul.hashicorp.com/service-metrics-path"
 
-	// annotations for configuring TLS for Prometheus.
-	annotationPrometheusCAFile   = "consul.hashicorp.com/prometheus-ca-file"
-	annotationPrometheusCAPath   = "consul.hashicorp.com/prometheus-ca-path"
-	annotationPrometheusCertFile = "consul.hashicorp.com/prometheus-cert-file"
-	annotationPrometheusKeyFile  = "consul.hashicorp.com/prometheus-key-file"
+	// todo (agentless): uncomment once consul-dataplane supports metrics
+	/*
+		annotations for configuring TLS for Prometheus.
+		annotationPrometheusCAFile   = "consul.hashicorp.com/prometheus-ca-file"
+		annotationPrometheusCAPath   = "consul.hashicorp.com/prometheus-ca-path"
+		annotationPrometheusCertFile = "consul.hashicorp.com/prometheus-cert-file"
+		annotationPrometheusKeyFile  = "consul.hashicorp.com/prometheus-key-file"
+	*/
 
 	// annotationEnvoyExtraArgs is a space-separated list of arguments to be passed to the
 	// envoy binary. See list of args here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli