Error out consul connect envoy if agent explicitly disabled grpc

[kisunji]

Description

Error out if no grpc ports are returned by /v1/agent/self instead of defaulting to 8502.

Update tests to reflect Consul's new default behavior to enable grpc TLS (#15302)

Testing & Reproduction steps

• Added testcase for explicit disabling of both plaintext and TLS gRPC ports

PR Checklist

• updated test coverage
• external facing docs updated
• not a security concern

[kisunji]

I'm unsure if the return was missed here or we intentionally went on to default to 8502. It looks safe to error here since if the call to Agent.Self doesn't yield any port, we probably don't want the command to continue.

[rboyer]

It can't error out because typically agent:read is not granted to sidecars, which is required for /v1/agent/self. The existing code did the agent self lookup as an UX optimization.

Instead you could pick whichever port we already calculated and do a super simple net.Dial with a short timeout and see if the port is even open instead, which wouldn't even need ACL tokens.

[hashi-derek]

Yeah, I'm not sure why it never errored-out before. I assume it was to enable some backwards compatibility with old APIs that didn't include the port. I don't honestly know the history on this particular area of code, aside from the recent changes I made. I'll have to think about it quite a bit, because there might be some situation where the API is not available, but gRPC is.

[hashi-derek]

Nevermind. RB already answered the question.

[kisunji]

@rboyer I ended up logging and defaulting only if it's an ACL perm denied and otherwise erroring out.

[kisunji]

WantArgs is never evaluated if WantErr exists so I removed it

[pglass]

👍

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated
consul-ui-staging	🔄 Building (Inspect)		Dec 19, 2022 at 4:59PM (UTC)