Merge branch 'main' into NET-4135

.github/workflows/test-integrations.yml

@@ -384,6 +384,7 @@ jobs:
       contents: read
     env:
       ENVOY_VERSION: "1.25.4"
+      CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.3-dev"
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       # NOTE: This step is specifically needed for ENT. It allows us to access the required private HashiCorp repos.
@@ -415,6 +416,8 @@ jobs:
       - name: Retry Build consul-envoy:target-version image
         if: steps.buildConsulEnvoyImage.outcome == 'failure'
         run: docker build -t consul-envoy:target-version --build-arg CONSUL_IMAGE=${{ env.CONSUL_LATEST_IMAGE_NAME }}:local --build-arg ENVOY_VERSION=${{ env.ENVOY_VERSION }} -f ./test/integration/consul-container/assets/Dockerfile-consul-envoy ./test/integration/consul-container/assets
+      - name: Build consul-dataplane:local image
+        run: docker build -t consul-dataplane:local --build-arg CONSUL_DATAPLANE_IMAGE=${{ env.CONSUL_DATAPLANE_IMAGE }} -f ./test/integration/consul-container/assets/Dockerfile-consul-dataplane ./test/integration/consul-container/assets
       - name: Configure GH workaround for ipv6 loopback
         if: ${{ !endsWith(github.repository, '-enterprise') }}
         run: |

Makefile

@@ -66,6 +66,7 @@ UI_BUILD_TAG?=consul-build-ui
 BUILD_CONTAINER_NAME?=consul-builder
 CONSUL_IMAGE_VERSION?=latest
 ENVOY_VERSION?='1.25.4'
+CONSUL_DATAPLANE_IMAGE := $(or $(CONSUL_DATAPLANE_IMAGE),"docker.io/hashicorppreview/consul-dataplane:1.3-dev")
 
 CONSUL_VERSION?=$(shell cat version/VERSION)
 
@@ -263,7 +264,8 @@ lint-container-test-deps: ## Check that the test-container module only imports a
 	@cd test/integration/consul-container && \
 		$(CURDIR)/build-support/scripts/check-allowed-imports.sh \
 			github.com/hashicorp/consul \
-			internal/catalog/catalogtest
+			"internal/catalog/catalogtest" \
+			"internal/resource/resourcetest"
 
 ##@ Testing
 
@@ -347,6 +349,7 @@ test-compat-integ-setup: dev-docker
 	@docker run --rm -t $(CONSUL_COMPAT_TEST_IMAGE):local consul version
 	@#  'consul-envoy:target-version' is needed by compatibility integ test
 	@docker build -t consul-envoy:target-version --build-arg CONSUL_IMAGE=$(CONSUL_COMPAT_TEST_IMAGE):local --build-arg ENVOY_VERSION=${ENVOY_VERSION} -f ./test/integration/consul-container/assets/Dockerfile-consul-envoy ./test/integration/consul-container/assets
+	@docker build -t consul-dataplane:local --build-arg CONSUL_DATAPLANE_IMAGE=${CONSUL_DATAPLANE_IMAGE} -f ./test/integration/consul-container/assets/Dockerfile-consul-dataplane ./test/integration/consul-container/assets
 
 .PHONY: test-compat-integ
 test-compat-integ: test-compat-integ-setup ## Test compat integ

acl/resolver/danger.go

@@ -3,13 +3,17 @@
 
 package resolver
 
-import "github.com/hashicorp/consul/acl"
+import (
+	"github.com/hashicorp/consul/acl"
+	"github.com/hashicorp/consul/agent/structs"
+)
 
 // DANGER_NO_AUTH implements an ACL resolver short-circuit authorization in
 // cases where it is handled somewhere else or expressly not required.
 type DANGER_NO_AUTH struct{}
 
 // ResolveTokenAndDefaultMeta returns an authorizer with unfettered permissions.
-func (DANGER_NO_AUTH) ResolveTokenAndDefaultMeta(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) (Result, error) {
+func (DANGER_NO_AUTH) ResolveTokenAndDefaultMeta(_ string, entMeta *acl.EnterpriseMeta, _ *acl.AuthorizerContext) (Result, error) {
+	entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
 	return Result{Authorizer: acl.ManageAll()}, nil
 }

build-support/scripts/check-allowed-imports.sh

@@ -46,7 +46,7 @@ function main {
          then
             module_root="$1"
          else
-            allowed_packages+="$1"
+            allowed_packages+=("$1")
          fi
          shift     
       esac

test/integration/consul-container/assets/Dockerfile-consul-dataplane

@@ -0,0 +1,8 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+ARG CONSUL_DATAPLANE_IMAGE
+
+FROM ${CONSUL_DATAPLANE_IMAGE} as consuldataplane
+COPY --from=busybox:uclibc /bin/sh /bin/sh
+COPY --from=ghcr.io/tarampampam/curl:latest /bin/curl /bin/curl

test/integration/consul-container/libs/cluster/dataplane.go

@@ -0,0 +1,120 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package cluster
+
+import (
+	"context"
+	"fmt"
+	"github.com/hashicorp/consul/test/integration/consul-container/libs/utils"
+	"github.com/testcontainers/testcontainers-go"
+	"github.com/testcontainers/testcontainers-go/wait"
+	"strconv"
+	"time"
+)
+
+type ConsulDataplaneContainer struct {
+	ctx               context.Context
+	container         testcontainers.Container
+	ip                string
+	appPort           []int
+	serviceName       string
+	externalAdminPort int
+	internalAdminPort int
+}
+
+func (g ConsulDataplaneContainer) GetAddr() (string, int) {
+	return g.ip, g.appPort[0]
+}
+
+// GetAdminAddr returns the external admin port
+func (g ConsulDataplaneContainer) GetAdminAddr() (string, int) {
+	return "localhost", g.externalAdminPort
+}
+
+func (c ConsulDataplaneContainer) Terminate() error {
+	return TerminateContainer(c.ctx, c.container, true)
+}
+
+func (g ConsulDataplaneContainer) GetStatus() (string, error) {
+	state, err := g.container.State(g.ctx)
+	return state.Status, err
+}
+
+func NewConsulDataplane(ctx context.Context, proxyID string, serverAddresses string, grpcPort int, serviceBindPorts []int,
+	node Agent, containerArgs ...string) (*ConsulDataplaneContainer, error) {
+	namePrefix := fmt.Sprintf("%s-consul-dataplane-%s", node.GetDatacenter(), proxyID)
+	containerName := utils.RandName(namePrefix)
+
+	internalAdminPort, err := node.ClaimAdminPort()
+	if err != nil {
+		return nil, err
+	}
+
+	pod := node.GetPod()
+	if pod == nil {
+		return nil, fmt.Errorf("node Pod is required")
+	}
+
+	var (
+		appPortStrs  []string
+		adminPortStr = strconv.Itoa(internalAdminPort)
+	)
+
+	for _, port := range serviceBindPorts {
+		appPortStrs = append(appPortStrs, strconv.Itoa(port))
+	}
+
+	// expose the app ports and the envoy adminPortStr on the agent container
+	exposedPorts := make([]string, len(appPortStrs))
+	copy(exposedPorts, appPortStrs)
+	exposedPorts = append(exposedPorts, adminPortStr)
+
+	command := []string{
+		"-addresses", serverAddresses,
+		fmt.Sprintf("-grpc-port=%d", grpcPort),
+		fmt.Sprintf("-proxy-id=%s", proxyID),
+		"-proxy-namespace=default",
+		"-proxy-partition=default",
+		"-log-level=info",
+		"-log-json=false",
+		"-envoy-concurrency=2",
+		"-tls-disabled",
+		fmt.Sprintf("-envoy-admin-bind-port=%d", internalAdminPort),
+	}
+
+	command = append(command, containerArgs...)
+
+	req := testcontainers.ContainerRequest{
+		Image:      "consul-dataplane:local",
+		WaitingFor: wait.ForLog("").WithStartupTimeout(60 * time.Second),
+		AutoRemove: false,
+		Name:       containerName,
+		Cmd:        command,
+		Env:        map[string]string{},
+	}
+
+	info, err := LaunchContainerOnNode(ctx, node, req, exposedPorts)
+	if err != nil {
+		return nil, err
+	}
+	out := &ConsulDataplaneContainer{
+		ctx:               ctx,
+		container:         info.Container,
+		ip:                info.IP,
+		serviceName:       containerName,
+		externalAdminPort: info.MappedPorts[adminPortStr].Int(),
+		internalAdminPort: internalAdminPort,
+	}
+
+	for _, port := range appPortStrs {
+		out.appPort = append(out.appPort, info.MappedPorts[port].Int())
+	}
+
+	fmt.Printf("NewConsulDataplane: proxyID %s, mapped App Port %d, service bind port %v\n",
+		proxyID, out.appPort, serviceBindPorts)
+	fmt.Printf("NewConsulDataplane: proxyID %s, , mapped admin port %d, admin port %d\n",
+		proxyID, out.externalAdminPort, internalAdminPort)
+
+	return out, nil
+}