From 518e8be445ea171806d4ef670d16a8f23f3567bd Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Tue, 29 Aug 2023 11:24:34 -0400 Subject: [PATCH 01/11] Only setcap envoy so consul-dataplane can still access the TMPDIR envar --- Dockerfile | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index c82e439c..57fcf673 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,11 +21,9 @@ ARG TARGETARCH ARG TARGETOS COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/ -COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ RUN apk add libcap RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy -RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME # go-discover builds the discover binary (which we don't currently publish # either). @@ -62,7 +60,7 @@ LABEL name=${BIN_NAME}\ COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY --from=go-discover /go/bin/discover /usr/local/bin/ COPY --from=setcap /usr/local/bin/envoy /usr/local/bin/ -COPY --from=setcap /usr/local/bin/$BIN_NAME /usr/local/bin/ +COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ USER 100 @@ -131,7 +129,7 @@ RUN groupadd --gid 1000 $PRODUCT_NAME && \ COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY --from=go-discover /go/bin/discover /usr/local/bin/ COPY --from=setcap /usr/local/bin/envoy /usr/local/bin/ -COPY --from=setcap /usr/local/bin/$BIN_NAME /usr/local/bin/ +COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ COPY LICENSE /licenses/copyright.txt USER 100 From 1de6153702f0f89d3b0dab0dd2cd76254658b352 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 30 Aug 2023 14:14:47 -0400 Subject: [PATCH 02/11] Use consistent stage naming, always use setcap'ed envoy binary --- Dockerfile | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 57fcf673..8da79efc 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -14,7 +14,7 @@ FROM envoyproxy/envoy-distroless:v1.26.4 as envoy-binary FROM hashicorp/envoy-fips:v1.26.4 as envoy-fips-binary # Modify the envoy binary to be able to bind to privileged ports (< 1024) -FROM alpine:latest AS setcap +FROM debian:bullseye-slim AS setcap-envoy-binary ARG BIN_NAME=consul-dataplane ARG TARGETARCH @@ -22,7 +22,19 @@ ARG TARGETOS COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/ -RUN apk add libcap +RUN apt-get update && apt install -y libcap2-bin +RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy + +# Modify the envoy-fips binary to be able to bind to privileged ports (< 1024) +FROM debian:bullseye-slim AS setcap-envoy-fips-binary + +ARG BIN_NAME=consul-dataplane +ARG TARGETARCH +ARG TARGETOS + +COPY --from=envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/ + +RUN apt-get update && apt install -y libcap2-bin RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy # go-discover builds the discover binary (which we don't currently publish @@ -59,7 +71,7 @@ LABEL name=${BIN_NAME}\ COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY --from=go-discover /go/bin/discover /usr/local/bin/ -COPY --from=setcap /usr/local/bin/envoy /usr/local/bin/ +COPY --from=setcap-envoy-binary /usr/local/bin/envoy /usr/local/bin/ COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ USER 100 @@ -88,7 +100,7 @@ LABEL name=${BIN_NAME}\ description="Consul dataplane manages the proxy that runs within the data plane layer of Consul Service Mesh." COPY --from=go-discover /go/bin/discover /usr/local/bin/ -COPY --from=envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/ +COPY --from=setcap-envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/ COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ 
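Review bot: The package step in both new setcap stages, `RUN apt-get update && apt install -y libcap2-bin`, mixes `apt-get` with `apt`; apt's command line is meant for interactive use and warns about an unstable interface when scripted, so `RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin` is the form to use (list cleanup doesn't matter here since only `/usr/local/bin/envoy` leaves the stage). `debian:bullseye-slim` is pinned by tag only while the two Envoy bases are pinned to `v1.26.4`; a digest pin on the stage that performs the privileged modification would make the resulting capability bits reproducible. The two stages are identical apart from the source image, so a single stage fed by `ARG ENVOY_IMAGE` and `COPY --from=${ENVOY_IMAGE}`, or at least a trailing `RUN getcap -v /usr/local/bin/envoy` in each, would keep them from drifting apart silently.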
@@ -128,7 +140,7 @@ RUN groupadd --gid 1000 $PRODUCT_NAME && \ COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY --from=go-discover /go/bin/discover /usr/local/bin/ -COPY --from=setcap /usr/local/bin/envoy /usr/local/bin/ +COPY --from=setcap-envoy-binary /usr/local/bin/envoy /usr/local/bin/ COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ COPY LICENSE /licenses/copyright.txt @@ -165,10 +177,10 @@ RUN groupadd --gid 1000 $PRODUCT_NAME && \ adduser --uid 100 --system -g $PRODUCT_NAME $PRODUCT_NAME && \ usermod -a -G root $PRODUCT_NAME -COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ -COPY --from=go-discover /go/bin/discover /usr/local/bin/ -COPY --from=envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/envoy COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ +COPY --from=go-discover /go/bin/discover /usr/local/bin/ +COPY --from=setcap-envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/envoy +COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ COPY LICENSE /licenses/copyright.txt USER 100 From fdf19892dbc7b2b1c5c99db6ecf592fdacdfd05f Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 30 Aug 2023 14:16:59 -0400 Subject: [PATCH 03/11] Group related build stages together --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8da79efc..c032b3c3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,8 +11,6 @@ # prebuilt binaries in any other form. FROM envoyproxy/envoy-distroless:v1.26.4 as envoy-binary -FROM hashicorp/envoy-fips:v1.26.4 as envoy-fips-binary - # Modify the envoy binary to be able to bind to privileged ports (< 1024) FROM debian:bullseye-slim AS setcap-envoy-binary 
@@ -25,6 +23,8 @@ COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/ RUN apt-get update && apt install -y libcap2-bin RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy +FROM hashicorp/envoy-fips:v1.26.4 as envoy-fips-binary + # Modify the envoy-fips binary to be able to bind to privileged ports (< 1024) FROM debian:bullseye-slim AS setcap-envoy-fips-binary From 039196332a7ad8745315c95c0ca17968f715cd15 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 30 Aug 2023 14:39:47 -0400 Subject: [PATCH 04/11] Copy LICENSE into all build images --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index c032b3c3..0dcaee61 100644 --- a/Dockerfile +++ b/Dockerfile @@ -73,6 +73,7 @@ COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY --from=go-discover /go/bin/discover /usr/local/bin/ COPY --from=setcap-envoy-binary /usr/local/bin/envoy /usr/local/bin/ COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ +COPY LICENSE /licenses/copyright.txt USER 100 @@ -103,6 +104,7 @@ COPY --from=go-discover /go/bin/discover /usr/local/bin/ COPY --from=setcap-envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/ COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ +COPY LICENSE /licenses/copyright.txt USER 100 From 268a2bc464b8abc2bc545e85c56fc1b313e44ea8 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 30 Aug 2023 15:05:16 -0400 Subject: [PATCH 05/11] Add docstring warning against running setcap on consul-dataplane --- Dockerfile | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0dcaee61..cc53d5b4 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -11,7 +11,10 @@ # prebuilt binaries in any other form. FROM envoyproxy/envoy-distroless:v1.26.4 as envoy-binary -# Modify the envoy binary to be able to bind to privileged ports (< 1024) +# Modify the envoy binary to be able to bind to privileged ports (< 1024). +# NOTE: We should not/cannot run setcap on consul-dataplane as it removes +# the TMPDIR envar that consul-dataplane depends on for bootstrapping envoy. +# See the Environment docs at https://man7.org/linux/man-pages/man8/ld.so.8.html FROM debian:bullseye-slim AS setcap-envoy-binary ARG BIN_NAME=consul-dataplane @@ -25,7 +28,10 @@ RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy FROM hashicorp/envoy-fips:v1.26.4 as envoy-fips-binary -# Modify the envoy-fips binary to be able to bind to privileged ports (< 1024) +# Modify the envoy-fips binary to be able to bind to privileged ports (< 1024). +# NOTE: We should not/cannot run setcap on consul-dataplane as it removes +# the TMPDIR envar that consul-dataplane depends on for bootstrapping envoy. +# See the Environment docs at https://man7.org/linux/man-pages/man8/ld.so.8.html FROM debian:bullseye-slim AS setcap-envoy-fips-binary ARG BIN_NAME=consul-dataplane From 0e00abedfc0e5ec0a9b82af7b8a9abb2767009ae Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 30 Aug 2023 16:46:16 -0400 Subject: [PATCH 06/11] Restore setcap of consul-dataplane The net_bind_service capability is lost when running the envoy process from a consul-dataplane process that does not have the capability --- Dockerfile | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index cc53d5b4..70b2129e 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -22,9 +22,11 @@ ARG TARGETARCH ARG TARGETOS COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/ +COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ RUN apt-get update && apt install -y libcap2-bin RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy +RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME FROM hashicorp/envoy-fips:v1.26.4 as envoy-fips-binary @@ -39,9 +41,11 @@ ARG TARGETARCH ARG TARGETOS COPY --from=envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/ +COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ RUN apt-get update && apt install -y libcap2-bin RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy +RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME # go-discover builds the discover binary (which we don't currently publish # either). @@ -78,7 +82,7 @@ LABEL name=${BIN_NAME}\ COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY --from=go-discover /go/bin/discover /usr/local/bin/ COPY --from=setcap-envoy-binary /usr/local/bin/envoy /usr/local/bin/ -COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ +COPY --from=setcap-envoy-binary /usr/local/bin/$BIN_NAME /usr/local/bin/ COPY LICENSE /licenses/copyright.txt USER 100 @@ -106,10 +110,10 @@ LABEL name=${BIN_NAME}\ summary="Consul dataplane manages the proxy that runs within the data plane layer of Consul Service Mesh." \ description="Consul dataplane manages the proxy that runs within the data plane layer of Consul Service Mesh." +COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY --from=go-discover /go/bin/discover /usr/local/bin/ COPY --from=setcap-envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/ -COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ -COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ +COPY --from=setcap-envoy-fips-binary /usr/local/bin/$BIN_NAME /usr/local/bin/ COPY LICENSE /licenses/copyright.txt USER 100 
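Review bot: Restoring `RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME` puts the capability into consul-dataplane's own effective set for its whole lifetime, and a file capability is what made the loader scrub TMPDIR in the first place (the ld.so(8) secure-execution behaviour the series worked around); patch 07 removes the TMPDIR dependency, but any other environment the binary reads can be dropped the same way, so a comment on that line is worth keeping: `# NOTE: a file capability runs the binary in secure-execution mode (ld.so(8) "Environment"); do not rely on TMPDIR or LD_* here.`. Per capabilities(7) a `+ep` file capability on envoy should give the child the capability from its own file bits regardless of the parent's sets as long as it is in the bounding set, so the loss described in the commit message may instead point at the `security.capability` xattr not surviving into the final image (BuildKit preserves it on `COPY --from`; the legacy builder historically did not) or at a runtime that ignores file caps under no_new_privs — I can't tell from here. A CI smoke test that runs `getcap` on both binaries inside the published image would settle which, and would also guard the final-stage copies that lie outside this hunk.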
@@ -149,7 +153,7 @@ RUN groupadd --gid 1000 $PRODUCT_NAME && \ COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY --from=go-discover /go/bin/discover /usr/local/bin/ COPY --from=setcap-envoy-binary /usr/local/bin/envoy /usr/local/bin/ -COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ +COPY --from=setcap-envoy-binary /usr/local/bin/$BIN_NAME /usr/local/bin/ COPY LICENSE /licenses/copyright.txt USER 100 @@ -187,8 +191,8 @@ RUN groupadd --gid 1000 $PRODUCT_NAME && \ COPY --from=dumb-init /usr/bin/dumb-init /usr/local/bin/ COPY --from=go-discover /go/bin/discover /usr/local/bin/ -COPY --from=setcap-envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/envoy -COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ +COPY --from=setcap-envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/ +COPY --from=setcap-envoy-fips-binary /usr/local/bin/$BIN_NAME /usr/local/bin/ COPY LICENSE /licenses/copyright.txt USER 100 From 45453c1a545fa6c14ea1a133d2d11e39935ae52f Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 30 Aug 2023 16:49:09 -0400 Subject: [PATCH 07/11] Provide JSON config directly to envoy process instead of writing to os.TempDir This amounts to using `envoy --config-yaml` -- which also accepts JSON -- instead of `envoy --config-path` --- pkg/envoy/proxy.go | 45 +++------------------------------------------ 1 file changed, 3 insertions(+), 42 deletions(-) diff --git a/pkg/envoy/proxy.go b/pkg/envoy/proxy.go index a81e268c..8b780077 100644 --- a/pkg/envoy/proxy.go +++ b/pkg/envoy/proxy.go @@ -8,11 +8,9 @@ import ( "errors" "fmt" "io" - "log" "net/http" "os" "os/exec" - "path/filepath" "strings" "sync/atomic" "time" 
@@ -147,14 +145,8 @@ func (p *Proxy) Run(ctx context.Context) error { return errors.New("proxy may only be run once") } - // Write the bootstrap config to a pipe. - configPath, cleanup, err := writeBootstrapConfig(p.cfg.BootstrapConfig) - if err != nil { - return err - } - // Run the Envoy process. - p.cmd = p.buildCommand(ctx, configPath) + p.cmd = p.buildCommand(ctx, string(p.cfg.BootstrapConfig)) // Start Envoy in its own process group to avoid directly receiving // SIGTERM intended for consul-dataplane, let proxy manager handle @@ -163,10 +155,6 @@ func (p *Proxy) Run(ctx context.Context) error { p.cfg.Logger.Debug("running envoy proxy", "command", strings.Join(p.cmd.Args, " ")) if err := p.cmd.Start(); err != nil { - // Clean up the pipe if we weren't able to run Envoy. - if err := cleanup(); err != nil { - p.cfg.Logger.Error("failed to cleanup boostrap config", "error", err) - } return err } @@ -177,9 +165,6 @@ func (p *Proxy) Run(ctx context.Context) error { err := p.cmd.Wait() p.cfg.Logger.Info("envoy process exited", "error", err) p.transitionState(stateRunning, stateExited) - if err := cleanup(); err != nil { - p.cfg.Logger.Error("failed to cleanup boostrap config", "error", err) - } p.exitedCh <- err close(p.exitedCh) }() 
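Review bot: Passing the bootstrap as `string(p.cfg.BootstrapConfig)` in argv exposes it through `/proc/<pid>/cmdline` to every process in the container's PID namespace (and to `ps` on the node), and the retained `p.cfg.Logger.Debug("running envoy proxy", "command", strings.Join(p.cmd.Args, " "))` in the following hunk now writes the entire bootstrap to the log at debug level; the removed code's stated rationale was to keep whatever credentials the bootstrap carries off disk, so if it can contain tokens or key material (not visible from here) argv is a step backwards. Linux also limits a single argv string to MAX_ARG_STRLEN (128 KiB), so a large bootstrap would fail at `p.cmd.Start()` with E2BIG. At minimum redact the value when logging, e.g. copy `p.cmd.Args`, replace the element following `"--config-yaml"` with `"<redacted>"`, and log that copy; a stronger fix keeps `--config-path` and hands Envoy the bytes through a pipe via `cmd.ExtraFiles` and `--config-path /dev/fd/3`, which needs neither TMPDIR nor argv (worth confirming Envoy accepts a pipe there). Run's body starts and ends outside the hunk.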
@@ -328,33 +313,9 @@ func (p *Proxy) transitionState(before, after state) bool { return atomic.CompareAndSwapUint32((*uint32)(&p.state), uint32(before), uint32(after)) } -// writeBootstrapConfig writes the given Envoy bootstrap config to a named pipe -// and returns the path. It also returns a cleanup function that must be called -// when Envoy is done with it. -// -// We use a named pipe rather than a tempfile because it prevents writing any -// secrets to disk. See: https://github.com/hashicorp/consul/pull/5964 -func writeBootstrapConfig(cfg []byte) (string, func() error, error) { - path := filepath.Join( - os.TempDir(), - fmt.Sprintf("envoy-%x-bootstrap.json", time.Now().UnixNano()+int64(os.Getpid())), - ) - - log.Printf("bootstrap config path: %s", path) - err := os.WriteFile(path, cfg, 0600) - - return path, func() error { - err := os.Remove(path) - if err == nil || errors.Is(err, os.ErrNotExist) { - return nil - } - return err - }, err -} - // buildCommand builds the exec.Cmd to run Envoy with the relevant arguments // (e.g. config path) and its logs redirected to the logger. -func (p *Proxy) buildCommand(ctx context.Context, cfgPath string) *exec.Cmd { +func (p *Proxy) buildCommand(ctx context.Context, cfgYaml string) *exec.Cmd { var logFormat string if p.cfg.LogJSON { logFormat = logFormatJSON @@ -392,7 +353,7 @@ func (p *Proxy) buildCommand(ctx context.Context, cfgPath string) *exec.Cmd { args := append( []string{ - "--config-path", cfgPath, + "--config-yaml", cfgYaml, "--log-format", logFormat, "--log-level", logLevel, From 54b21a4669c3a30c81e4d4ae33828e5f80e79cab Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Thu, 31 Aug 2023 11:46:42 -0400 Subject: [PATCH 08/11] Update unit tests --- pkg/envoy/proxy_test.go | 32 +++++++++++++++++++++++--------- pkg/envoy/testdata/fake-envoy | 17 +++++++++-------- 2 files changed, 32 insertions(+), 17 deletions(-) diff --git a/pkg/envoy/proxy_test.go b/pkg/envoy/proxy_test.go index 7806442f..6dbe9063 100644 
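Review bot: The doc comment kept above `buildCommand` still reads `// (e.g. config path) and its logs redirected to the logger.` although the parameter is now `cfgYaml` and the flag is `--config-yaml`; update it to `// (e.g. the inline bootstrap config passed via --config-yaml) and its logs redirected to the logger.`. The parameter name suggests YAML while the commit message says consul-dataplane passes JSON, so either rename it to `cfgInline` or add `// cfgYaml holds the bootstrap as JSON, which --config-yaml accepts as a YAML subset` so a later reader does not convert formats needlessly. buildCommand's body continues past the hunk.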
--- a/pkg/envoy/proxy_test.go +++ b/pkg/envoy/proxy_test.go @@ -4,8 +4,10 @@ package envoy import ( + "bytes" "context" "encoding/json" + "errors" "fmt" "io" "os" @@ -15,6 +17,7 @@ import ( "time" "github.com/hashicorp/go-hclog" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -28,10 +31,14 @@ func TestProxy(t *testing.T) { outputPath := testOutputPath() t.Cleanup(func() { _ = os.Remove(outputPath) }) + // Capture fake-envoy output so we know if we encounter an error case below + envoyOut := bytes.NewBuffer([]byte{}) + envoyErr := bytes.NewBuffer([]byte{}) + p, err := NewProxy(ProxyConfig{ Logger: hclog.New(&hclog.LoggerOptions{Level: hclog.Warn, Output: io.Discard}), - EnvoyErrorStream: io.Discard, - EnvoyOutputStream: io.Discard, + EnvoyErrorStream: envoyErr, + EnvoyOutputStream: envoyOut, ExecutablePath: "testdata/fake-envoy", ExtraArgs: []string{"--test-output", outputPath}, BootstrapConfig: bootstrapConfig, @@ -46,7 +53,10 @@ func TestProxy(t *testing.T) { Args []byte ConfigData []byte } - require.Eventually(t, func() bool { + + // Wait for output file to be generated by fake-envoy. + // Use assert so that we can check for error output below. + assert.Eventually(t, func() bool { outputBytes, err := os.ReadFile(outputPath) if err != nil { t.Logf("failed to read output file: %v", err) 
@@ -59,23 +69,27 @@ func TestProxy(t *testing.T) { return true }, 2*time.Second, 50*time.Millisecond) + // Check the output from fake-envoy to make sure we didn't hit an error case + require.Empty(t, envoyOut.String()) + require.Empty(t, envoyErr.String()) + // Check that fake-envoy was able to read the config from the pipe. - require.Equal(t, bootstrapConfig, output.ConfigData) + assert.Equal(t, string(bootstrapConfig), string(output.ConfigData)) // Check that we're correctly configuring the log level. - require.Contains(t, string(output.Args), "--log-level warn") + assert.Contains(t, string(output.Args), "--log-level warn") // Check that we're disabling hot restarts. - require.Contains(t, string(output.Args), "--disable-hot-restart") + assert.Contains(t, string(output.Args), "--disable-hot-restart") // Check the process is still running. - require.NoError(t, p.cmd.Process.Signal(syscall.Signal(0))) + assert.NoError(t, p.cmd.Process.Signal(syscall.Signal(0))) // Ensure Kill kills and reaps the process. require.NoError(t, p.Kill()) - require.Eventually(t, func() bool { - return p.cmd.Process.Signal(syscall.Signal(0)) == os.ErrProcessDone + err := p.cmd.Process.Signal(syscall.Signal(0)) + return errors.Is(err, os.ErrProcessDone) }, 2*time.Second, 50*time.Millisecond) } diff --git a/pkg/envoy/testdata/fake-envoy b/pkg/envoy/testdata/fake-envoy index f927ee24..e9c68bd3 100755 --- a/pkg/envoy/testdata/fake-envoy +++ b/pkg/envoy/testdata/fake-envoy 
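Review bot: `require.Empty(t, envoyOut.String())` and `require.Empty(t, envoyErr.String())` read the two `bytes.Buffer`s while fake-envoy is still running (the `Signal(0)` check just below confirms it); if the proxy wires these streams to `cmd.Stdout`/`cmd.Stderr` (set up outside this hunk), `exec.Cmd` copies into them from its own goroutine and `bytes.Buffer` is not safe for concurrent use, so this is a latent race that `-race` only misses because fake-envoy writes nothing on the success path. Move the two checks after `p.Kill()`, or wrap the buffers in a mutex-guarded writer. The retained comment `// Check that fake-envoy was able to read the config from the pipe.` is stale now that the config travels in argv; `// Check that fake-envoy received the config passed via --config-yaml.` matches the new flow. When `assert.Eventually` times out, `output` stays zero-valued and the comparisons that follow fail with less useful messages, so a `require.NotEmpty(t, output.Args)` after the stream checks would point at the actual cause.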
@@ -1,20 +1,20 @@ #!/bin/bash # This script pretends to be Envoy in unit tests. It captures the flags and the -# bootstrap config from the named pipe specified via `--config-path`, and writes -# them to the file at `--test-output` (which is read and checked in the test). +# bootstrap config specified via `--config-yaml`, and writes them to the file at +# `--test-output` (which is read and checked in the test). # It then sleeps for 10 minutes to check we're correctly killing the process. set -e -config_path="" +config_yaml="" test_output="" prev_arg="" for arg in "$@"; do case "$prev_arg" in - --config-path) - config_path="$arg" + --config-yaml) + config_yaml="$arg" ;; --test-output) test_output="$arg" @@ -23,8 +23,9 @@ for arg in "$@"; do prev_arg="$arg" done -if [ -z "$config_path" ]; then - >&2 echo "--config-path is required" +if [ -z "$config_yaml" ]; then + >&2 echo "--config-yaml is required" + echo "--config-yaml is required" exit 1 fi @@ -35,7 +36,7 @@ fi # Base64 encode the data to avoid having to escape it in the JSON output. args=$(echo "$@" | base64 | tr -d \\n) -config_data=$(base64 -i $config_path | tr -d \\n) +config_data=$(echo -n "$config_yaml" | base64 | tr -d \\n) cat < "$test_output" { From 8a56a78f00bcdeb687ee95c5e8044d228df12693 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Thu, 31 Aug 2023 11:57:56 -0400 Subject: [PATCH 09/11] Make bootstrap config for testing more robust, actual JSON --- pkg/envoy/proxy_test.go | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/pkg/envoy/proxy_test.go b/pkg/envoy/proxy_test.go index 6dbe9063..5db6d881 100644 --- a/pkg/envoy/proxy_test.go +++ b/pkg/envoy/proxy_test.go 
@@ -22,7 +22,21 @@ import ( ) func TestProxy(t *testing.T) { - bootstrapConfig := []byte(`hello world`) + bootstrapConfig := []byte(` + { + "dynamic_resources": { + "cds_config": { + "ads": {}, + "initial_fetch_timeout": "0s", + "resource_api_version": "V3" + }, + "lds_config": { + "ads": {}, + "initial_fetch_timeout": "0s", + "resource_api_version": "V3" + }, + } + }`) // This test checks that we're starting the Envoy process with the correct // arguments and that it is able to read the config we provide. It does so From e96130d92ba19468b60fef8f715aa1cf0c954d90 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Thu, 31 Aug 2023 13:41:03 -0400 Subject: [PATCH 10/11] Remove outdated comments in Dockerfile --- Dockerfile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 70b2129e..96f97dab 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,9 +12,6 @@ FROM envoyproxy/envoy-distroless:v1.26.4 as envoy-binary # Modify the envoy binary to be able to bind to privileged ports (< 1024). -# NOTE: We should not/cannot run setcap on consul-dataplane as it removes -# the TMPDIR envar that consul-dataplane depends on for bootstrapping envoy. -# See the Environment docs at https://man7.org/linux/man-pages/man8/ld.so.8.html FROM debian:bullseye-slim AS setcap-envoy-binary ARG BIN_NAME=consul-dataplane @@ -31,9 +28,6 @@ RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME FROM hashicorp/envoy-fips:v1.26.4 as envoy-fips-binary # Modify the envoy-fips binary to be able to bind to privileged ports (< 1024). -# NOTE: We should not/cannot run setcap on consul-dataplane as it removes -# the TMPDIR envar that consul-dataplane depends on for bootstrapping envoy. -# See the Environment docs at https://man7.org/linux/man-pages/man8/ld.so.8.html FROM debian:bullseye-slim AS setcap-envoy-fips-binary ARG BIN_NAME=consul-dataplane From 87a5291e340a97b4ea2f80c83c496d17aaf8f67b Mon Sep 17 00:00:00 2001 
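Review bot: The new fixture is not strict JSON: there is a trailing comma after the `lds_config` object (`}, }`) before `dynamic_resources` closes, so `json.Valid` rejects it and the commit's "actual JSON" goal is not met; fake-envoy only base64-encodes whatever it receives, so nothing in the test notices. Drop the comma and add `require.True(t, json.Valid(bootstrapConfig))` (the file already imports `encoding/json`) so the fixture stays parseable, which also turns the later `assert.Equal(t, string(bootstrapConfig), string(output.ConfigData))` into a round-trip of valid input. Whether Envoy's `--config-yaml` parser tolerates a trailing comma is a separate question this unit test cannot answer. TestProxy's body continues past the hunk.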
From: Nathan Coleman Date: Thu, 31 Aug 2023 14:18:11 -0400 Subject: [PATCH 11/11] Remove redundant echo added to fake-envoy while testing --- pkg/envoy/testdata/fake-envoy | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/envoy/testdata/fake-envoy b/pkg/envoy/testdata/fake-envoy index e9c68bd3..145d8822 100755 --- a/pkg/envoy/testdata/fake-envoy +++ b/pkg/envoy/testdata/fake-envoy @@ -25,7 +25,6 @@ done if [ -z "$config_yaml" ]; then >&2 echo "--config-yaml is required" - echo "--config-yaml is required" exit 1 fi