diff --git a/acceptance/tests/peering/peering_connect_namespaces_test.go b/acceptance/tests/peering/peering_connect_namespaces_test.go
index 7e80415f41..fa1ca1a6f8 100644
--- a/acceptance/tests/peering/peering_connect_namespaces_test.go
+++ b/acceptance/tests/peering/peering_connect_namespaces_test.go
@@ -32,10 +32,6 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 t.Skipf("skipping this test because -enable-enterprise is not set")
 }
- if cfg.EnableTransparentProxy {
- t.Skipf("skipping this test because Transparent Proxy is enabled")
- }
-
 ver, err := version.NewVersion("1.13.0")
 require.NoError(t, err)
 if cfg.ConsulVersion != nil && cfg.ConsulVersion.LessThan(ver) {
@@ -80,7 +76,9 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 "global.peering.enabled": "true",
 "global.enableConsulNamespaces": "true",
- "global.image": "hashicorp/consul-enterprise:1.13.0-alpha2-ent",
+ // "global.image": "hashicorp/consul-enterprise:1.13.0-alpha2-ent",
+ "global.image": "thisisnotashwin/consul@sha256:3836ee1543ae3d20ab207b66d62c9bc3f593c1560446888a7c00a45fd23287bb",
+ "global.imageK8S": "thisisnotashwin/consul-k8s@sha256:6fe1ec532876073813c824f27b2c972c03a41376e0729a502f6f3302dc352379",
 "global.tls.enabled": "false",
 "global.tls.httpsOnly": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
@@ -98,6 +96,9 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 "meshGateway.replicas": "1",
 "controller.enabled": "true",
+
+ "dns.enabled": "true",
+ "dns.enableRedirection": strconv.FormatBool(cfg.EnableTransparentProxy),
 }
 staticServerPeerHelmValues := map[string]string{
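Review bot: The `global.image` and `global.imageK8S` values added in `@@ -80,7 +76,9 @@` pull from a personal Docker Hub namespace (`thisisnotashwin/...`) instead of the `hashicorp/` repositories, and the same two lines are added to `commonHelmValues` in peering_connect_test.go (`@@ -53,7 +49,9 @@`). Pinning by digest fixes the content, but it records nothing about what source the images were built from, and the account owner can delete them and break the suite. If a dev build is needed until a release exists, replace the commented-out line with a marker that blocks a silent merge, e.g. `// TODO(<owner>): temporary dev build; restore the hashicorp/ release image before merging`. This test is skipped unless `-enable-enterprise` is set, yet the replacement repository is not named `consul-enterprise` like the one it replaces, so confirm the build actually has namespace support. The map literal starts and ends outside the hunk.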
@@ -261,7 +262,7 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 logger.Log(t, "checking that connection is successful")
 if cfg.EnableTransparentProxy {
- k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, fmt.Sprintf("http://static-server.virtual.%s.%s.consul", staticServerNamespace, staticServerPeer))
+ k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer))
 } else {
 k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, "http://localhost:1234")
 }
@@ -284,7 +285,7 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 logger.Log(t, "checking that the connection is not successful because there's no allow intention")
 if cfg.EnableTransparentProxy {
- k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, staticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.%s.consul", staticServerNamespace, staticServerPeer))
+ k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, staticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer))
 } else {
 k8s.CheckStaticServerConnectionFailing(t, staticClientOpts, staticClientName, "http://localhost:1234")
 }
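Review bot: In `@@ -284,7 +285,7 @@` the expected-failure list still carries `curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused`, which names a host this call never curls, because the URL is `static-server.virtual.<namespace>.<peer>.consul`. That alternative presumably cannot match in the transparent-proxy branch, so build it from the host actually requested or drop it. The same `fmt.Sprintf` is repeated in `@@ -261,7 +262,7 @@` and `@@ -316,7 +317,7 @@`; hoisting it once, `virtualURL := fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer)`, keeps the three checks on the same address. `c.destinationNamespace` is defined outside these hunks, so a one-line comment saying why it replaces `staticServerNamespace` would help the next reader.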
@@ -316,7 +317,7 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 logger.Log(t, "checking that connection is successful")
 if cfg.EnableTransparentProxy {
- k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, fmt.Sprintf("http://static-server.virtual.%s.%s.consul", staticServerNamespace, staticServerPeer))
+ k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer))
 } else {
 k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, "http://localhost:1234")
 }
diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go
index 5762f51bff..d1a07d4fe6 100644
--- a/acceptance/tests/peering/peering_connect_test.go
+++ b/acceptance/tests/peering/peering_connect_test.go
@@ -23,10 +23,6 @@ func TestPeering_Connect(t *testing.T) {
 env := suite.Environment()
 cfg := suite.Config()
- if cfg.EnableTransparentProxy {
- t.Skipf("skipping this test because Transparent Proxy is enabled")
- }
-
 ver, err := version.NewVersion("1.13.0")
 require.NoError(t, err)
 if cfg.ConsulVersion != nil && cfg.ConsulVersion.LessThan(ver) {
@@ -53,7 +49,9 @@ func TestPeering_Connect(t *testing.T) {
 commonHelmValues := map[string]string{
 "global.peering.enabled": "true",
- "global.image": "hashicorp/consul:1.13.0-alpha2",
+ // "global.image": "hashicorp/consul:1.13.0-alpha2",
+ "global.image": "thisisnotashwin/consul@sha256:3836ee1543ae3d20ab207b66d62c9bc3f593c1560446888a7c00a45fd23287bb",
+ "global.imageK8S": "thisisnotashwin/consul-k8s@sha256:6fe1ec532876073813c824f27b2c972c03a41376e0729a502f6f3302dc352379",
 "global.tls.enabled": "false",
 "global.tls.httpsOnly": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
@@ -67,6 +65,9 @@ func TestPeering_Connect(t *testing.T) {
 "meshGateway.replicas": "1",
 "controller.enabled": "true",
+
+ "dns.enabled": "true",
+ "dns.enableRedirection": strconv.FormatBool(cfg.EnableTransparentProxy),
 }
 staticServerPeerHelmValues := map[string]string{
diff --git a/charts/consul/templates/server-podsecuritypolicy.yaml b/charts/consul/templates/server-podsecuritypolicy.yaml
index c037ee9b8e..507a07179f 100644
--- a/charts/consul/templates/server-podsecuritypolicy.yaml
+++ b/charts/consul/templates/server-podsecuritypolicy.yaml
@@ -35,6 +35,8 @@ spec:
 max: {{ .Values.server.ports.serflan.port }}
 - min: 8302
 max: 8302
+ - min: 8503
+ max: 8503
 {{- end }}
 hostIPC: false
 hostPID: false
diff --git a/charts/consul/templates/server-service.yaml b/charts/consul/templates/server-service.yaml
index a6003f9ec3..4b1c714c1b 100644
--- a/charts/consul/templates/server-service.yaml
+++ b/charts/consul/templates/server-service.yaml
@@ -39,6 +39,9 @@ spec:
 port: 8501
 targetPort: 8501
 {{- end }}
+ - name: grpc
+ port: 8503
+ targetPort: 8503
 - name: serflan-tcp
 protocol: "TCP"
 port: 8301
diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml
index 7caec15b21..486b4a5ba5 100644
--- a/charts/consul/templates/server-statefulset.yaml
+++ b/charts/consul/templates/server-statefulset.yaml
@@ -296,6 +296,7 @@ spec:
 -config-dir=/consul/userconfig/{{ .name }} \
 {{- end }}
 {{- end }}
+ -hcl='ports { grpc = 8503 }' \
 -config-file=/consul/extra-config/extra-from-values.json
 volumeMounts:
 - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }}
@@ -334,6 +335,11 @@ spec:
 - name: https
 containerPort: 8501
 {{- end }}
+ - containerPort: 8503
+ {{- if .Values.server.exposeGossipAndRPCPorts }}
+ hostPort: 8503
+ {{- end }}
+ name: grpc
 - name: serflan-tcp
 containerPort: {{ .Values.server.ports.serflan.port }}
 {{- if .Values.server.exposeGossipAndRPCPorts }}
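Review bot: The `grpc` port in server-service.yaml (`@@ -39,6 +39,9 @@`) sits after the `{{- end }}` that closes the https block, so 8503 is published on the server Service for every install, not only when peering is enabled. If peering is the only consumer, gate the three lines, e.g. `{{- if .Values.global.peering.enabled }}` … `{{- end }}`; the matching containerPort in server-statefulset.yaml (`@@ -334,6 +335,11 @@`) is unconditional in the same way. Whether this listener is encrypted when `global.tls.enabled` is false is not visible here, so a template comment stating it would help whoever writes network policy for the servers. The neighbouring `serflan-tcp` entry sets `protocol: "TCP"` explicitly and this one relies on the default.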
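Review bot: Port 8503 is hard-coded in `-hcl='ports { grpc = 8503 }'` (`@@ -296,6 +296,7 @@`) and again as containerPort and hostPort (`@@ -334,6 +335,11 @@`), in the Service and in the PodSecurityPolicy range, whereas the serf LAN port next to it comes from `.Values.server.ports.serflan.port`. The flag sits next to `-config-file=/consul/extra-config/extra-from-values.json`, and the chart does not say which of the two wins for `ports.grpc`: either a user's setting is silently ignored, or the agent listens on a port the Service and containerPort no longer match. A template comment above the flag stating the precedence, or a single chart value used in all of these places, would remove the ambiguity. The hostPort is correctly gated on `server.exposeGossipAndRPCPorts`, but that flag now also opens the gRPC listener on the node address, which deserves a mention in its values documentation. Both hunks start and end inside a larger container spec.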
diff --git a/charts/consul/test/unit/server-podsecuritypolicy.bats b/charts/consul/test/unit/server-podsecuritypolicy.bats index a87980ee80..99902d1971 100644 --- a/charts/consul/test/unit/server-podsecuritypolicy.bats +++ b/charts/consul/test/unit/server-podsecuritypolicy.bats @@ -39,7 +39,7 @@ load _helpers --set 'server.exposeGossipAndRPCPorts=true' \ . | tee /dev/stderr | yq -c '.spec.hostPorts' | tee /dev/stderr) - [ "${actual}" = '[{"min":8300,"max":8300},{"min":8301,"max":8301},{"min":8302,"max":8302}]' ] + [ "${actual}" = '[{"min":8300,"max":8300},{"min":8301,"max":8301},{"min":8302,"max":8302},{"min":8503,"max":8503}]' ] } @test "server/PodSecurityPolicy: hostPort 8300, server.ports.serflan.port and 8302 allowed when exposeGossipAndRPCPorts=true" { @@ -51,5 +51,5 @@ load _helpers --set 'server.ports.serflan.port=8333' \ . | tee /dev/stderr | yq -c '.spec.hostPorts' | tee /dev/stderr) - [ "${actual}" = '[{"min":8300,"max":8300},{"min":8333,"max":8333},{"min":8302,"max":8302}]' ] + [ "${actual}" = '[{"min":8300,"max":8300},{"min":8333,"max":8333},{"min":8302,"max":8302},{"min":8503,"max":8503}]' ] }