Merge branch 'main' into HTTPRoutes

projectcontour · Feb 10, 2021 · ef62b34 · ef62b34
2 parents 60892ec + c8c8589
commit ef62b34
Show file tree

Hide file tree

Showing 27 changed files with 1,072 additions and 159 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -47,11 +47,6 @@ issues:
   - linters:
     - staticcheck
     text: "SA1019: package github.com/golang/protobuf"
-  # Disable deprecation warnings for Http2ProtocolOptions, which we're still using for compatibility
-  # with Envoy 1.16 to allow no-downtime upgrades, and which we can't nolint by line (see above).
-  - linters:
-    - staticcheck
-    text: "Http2ProtocolOptions is deprecated: Do not use."
   - linters:
     - golint
     text: "var `ingress_https` should be `ingressHTTPS`"

diff --git a/_integration/testsuite/httpproxy/018-external-name-service.yaml b/_integration/testsuite/httpproxy/018-external-name-service.yaml
@@ -12,49 +12,232 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-skip[msg] {
-  msg := "018-external-name-service is flaky, skipping until it's fixed"
-}
+---
+
+# This test covers proxying to both TLS and non-TLS
+# ExternalName services. The ExternalName services
+# point to DNS names of in-cluster services, to avoid
+# flaky dependencies on external domains.
+
+---
+
+# Test Case 1: the non-TLS echo server
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ingress-conformance-echo
+$apply:
+  fixture:
+    as: echo
 
 ---
 
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-conformance-echo
+$apply:
+  fixture:
+    as: echo
+
+---
+
+# Create an ExternalName service that uses the DNS
+# name of the service created above.
+
 apiVersion: v1
 kind: Service
 metadata:
   name: external-name-svc
 spec:
   type: ExternalName
-  externalName: projectcontour.io
+  externalName: echo.default
   ports:
-    - name: https
-      port: 443
+    - name: http
+      port: 80
       protocol: TCP
 
 ---
 
+# Proxy to the external name service.
+
 apiVersion: projectcontour.io/v1
 kind: HTTPProxy
 metadata:
   name: external-name-proxy
 spec:
   virtualhost:
-    fqdn: externalname.bar.com
+    fqdn: external.io
   routes:
   - services:
     - name: external-name-svc
+      port: 80
+    requestHeadersPolicy:
+      set:
+      - name: Host
+        value: echo.default
+
+---
+
+import data.contour.resources
+
+fatal_proxy_is_not_valid[msg] {
+  name := "external-name-proxy"
+  proxy := resources.get("httpproxies", name)
+  status := object.get(proxy, "status", {})
+
+  object.get(status, "currentStatus", "") != "valid"
+
+  msg := sprintf("HTTP proxy for '%s' is not valid\n%s", [
+    name, yaml.marshal(status)
+  ])
+}
+
+---
+
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
+
+Response := client.Get({
+  "url": url.http("/"),
+  "headers": {
+    "Host": "external.io",
+    "User-Agent": client.ua("external-name-test"),
+  },
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 200)
+}
+
+---
+
+# Test Case 2: the TLS echo server
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ca-projectcontour-io
+spec:
+  isCA: true
+  usages:
+  - signing
+  - cert sign
+  subject:
+    organizationalUnits:
+    - io
+    - projectcontour
+    - testsuite
+  commonName: issuer
+  secretName: ca-projectcontour-io
+  issuerRef:
+    name: selfsigned
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: ca-projectcontour-io
+spec:
+  ca:
+    secretName: ca-projectcontour-io
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: backend-server-cert
+spec:
+  commonName: echo
+  usages:
+  - server auth
+  dnsNames:
+  - echo
+  secretName: backend-server-cert
+  issuerRef:
+    name: ca-projectcontour-io
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ingress-conformance-echo-tls
+$apply:
+  fixture:
+    as: echo-tls
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-conformance-echo-tls
+$apply:
+  fixture:
+    as: echo-tls
+
+---
+
+# Create an ExternalName service that uses the DNS
+# name of the service created above.
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-name-svc-tls
+spec:
+  type: ExternalName
+  externalName: echo-tls.default
+  ports:
+    - name: https
+      port: 443
+      protocol: TCP
+
+---
+
+# Proxy to the external name service.
+
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: external-name-proxy-tls
+spec:
+  virtualhost:
+    fqdn: tls.externalname.io
+  routes:
+  - services:
+    - name: external-name-svc-tls
       port: 443
       protocol: tls
     requestHeadersPolicy:
       set:
       - name: Host
-        value: projectcontour.io
+        value: echo-tls.default
 
 ---
 
 import data.contour.resources
 
 fatal_proxy_is_not_valid[msg] {
-  name := "external-name-proxy"
+  name := "external-name-proxy-tls"
   proxy := resources.get("httpproxies", name)
   status := object.get(proxy, "status", {})
 
@@ -74,7 +257,7 @@ import data.contour.http.expect
 Response := client.Get({
   "url": url.http("/"),
   "headers": {
-    "Host": "externalname.bar.com",
+    "Host": "tls.externalname.io",
     "User-Agent": client.ua("external-name-test"),
   },
 })

diff --git a/_integration/testsuite/httpproxy/019-local-rate-limiting.yaml b/_integration/testsuite/httpproxy/019-local-rate-limiting.yaml
@@ -37,41 +37,68 @@ $apply:
 
 ---
 
-# This proxy has a local rate limit on the virtual host.
+# Create the HTTPProxy without rate limits first
+# and wait until we get a 200 from it before applying
+# rate limits and counting responses. This ensures
+# the pods are up and receiving traffic and prevents
+# the test from being flaky.
+
 apiVersion: projectcontour.io/v1
 kind: HTTPProxy
 metadata:
   name: vhostratelimit
 spec:
   virtualhost:
     fqdn: vhostratelimit.projectcontour.io
-    rateLimitPolicy:
-      local:
-        requests: 1
-        unit: hour
   routes:
   - services:
     - name: echo
       port: 80
 ---
 
-# Wait for the service to have endpoints before trying to make
-# a request.
+# Wait until we get a 200 from the proxy confirming
+# the pods are up and serving traffic.
 
-import data.contour.resources
+import data.contour.http.client
+import data.contour.http.client.url
+import data.contour.http.expect
 
-error_endpoints_not_ready[msg] {
-  ep := resources.get("endpoints", "echo")
-
-  not ep.subsets[0].addresses
-
-  msg := "endpoints for svc/ingress-conformance-echo are not ready"
+Response := client.Get({
+  "url": url.http("/"),
+  "headers": {
+    "Host": "vhostratelimit.projectcontour.io",
+    "User-Agent": client.ua("local-rate-limit"),
+  },
+})
+
+check_for_status_code [msg] {
+  msg := expect.response_status_is(Response, 200)
 }
 
 ---
 
+# Add a local rate limit policy on the virtual host.
+
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: vhostratelimit
+spec:
+  virtualhost:
+    fqdn: vhostratelimit.projectcontour.io
+    rateLimitPolicy:
+      local:
+        requests: 1
+        unit: hour
+  routes:
+  - services:
+    - name: echo
+      port: 80
+---
+
+
 # Make a request against the proxy, confirm a 200 response
-# is returned.
+# is returned since we're allowed one request per hour.
 
 import data.contour.http.client
 import data.contour.http.client.url
@@ -137,7 +164,7 @@ spec:
 ---
 
 # Make a request against the proxy, confirm a 200 response
-# is returned.
+# is returned since we're allowed one request per hour.
 
 import data.contour.http.client
 import data.contour.http.client.url

diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go
@@ -255,6 +255,10 @@ func doServe(log logrus.FieldLogger, ctx *serveContext) error {
 	if err != nil {
 		return fmt.Errorf("error parsing stream idle timeout: %w", err)
 	}
+	delayedCloseTimeout, err := timeout.Parse(ctx.Config.Timeouts.DelayedCloseTimeout)
+	if err != nil {
+		return fmt.Errorf("error parsing delayed close timeout: %w", err)
+	}
 	maxConnectionDuration, err := timeout.Parse(ctx.Config.Timeouts.MaxConnectionDuration)
 	if err != nil {
 		return fmt.Errorf("error parsing max connection duration: %w", err)
@@ -282,6 +286,7 @@ func doServe(log logrus.FieldLogger, ctx *serveContext) error {
 		RequestTimeout:                requestTimeout,
 		ConnectionIdleTimeout:         connectionIdleTimeout,
 		StreamIdleTimeout:             streamIdleTimeout,
+		DelayedCloseTimeout:           delayedCloseTimeout,
 		MaxConnectionDuration:         maxConnectionDuration,
 		ConnectionShutdownGracePeriod: connectionShutdownGracePeriod,
 		DefaultHTTPVersions:           parseDefaultHTTPVersions(ctx.Config.DefaultHTTPVersions),

diff --git a/examples/contour/01-contour-config.yaml b/examples/contour/01-contour-config.yaml
@@ -85,6 +85,7 @@ data:
     #   connection-idle-timeout: 60s
     #   stream-idle-timeout: 5m
     #   max-connection-duration: infinity
+    #   delayed-close-timeout: 1s
     #   connection-shutdown-grace-period: 5s
     #
     # Envoy cluster settings.

diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml
@@ -119,6 +119,7 @@ data:
     #   connection-idle-timeout: 60s
     #   stream-idle-timeout: 5m
     #   max-connection-duration: infinity
+    #   delayed-close-timeout: 1s
     #   connection-shutdown-grace-period: 5s
     #
     # Envoy cluster settings.