xds: remove deprecated usages of xDS

Note that this does NOT upgrade to xDS v3. That will come in a future PR.

Additionally:

- Ignored staticcheck warnings about how github.com/golang/protobuf is deprecated.
- Shuffled some agent/xds imports in advance of a later xDS v3 upgrade.
- Remove support for envoy 1.13.x but don't add in 1.17.x yet. We have to wait until the xDS v3 support is added in a follow-up PR.

Fixes #8425

.circleci/config.yml

@@ -779,14 +779,14 @@ jobs:
           command: bash <(curl -s https://codecov.io/bash) -v -c -C $CIRCLE_SHA1 -F ui
       - run: *notify-slack-failure
 
-  envoy-integration-test-1_13_7: &ENVOY_TESTS
+  envoy-integration-test-1_14_6: &ENVOY_TESTS
     docker:
       # We only really need bash and docker-compose which is installed on all
       # Circle images but pick Go since we have to pick one of them.
       - image: *GOLANG_IMAGE
     parallelism: 2
     environment:
-      ENVOY_VERSION: "1.13.7"
+      ENVOY_VERSION: "1.14.6"
     steps: &ENVOY_INTEGRATION_TEST_STEPS
       - checkout
       # Get go binary from workspace
@@ -819,11 +819,6 @@ jobs:
           path: *TEST_RESULTS_DIR
       - run: *notify-slack-failure
 
-  envoy-integration-test-1_14_6:
-    <<: *ENVOY_TESTS
-    environment:
-      ENVOY_VERSION: "1.14.6"
-
   envoy-integration-test-1_15_3:
     <<: *ENVOY_TESTS
     environment:
@@ -834,6 +829,8 @@ jobs:
     environment:
       ENVOY_VERSION: "1.16.2"
 
+  # TODO(rb): add in 1.17.0 support when v3 is ready
+
   # run integration tests for the connect ca providers
   test-connect-ca-providers:
     docker:
@@ -1042,9 +1039,6 @@ workflows:
       - nomad-integration-0_8:
           requires:
             - dev-build
-      - envoy-integration-test-1_13_7:
-          requires:
-            - dev-build
       - envoy-integration-test-1_14_6:
           requires:
             - dev-build
@@ -1054,6 +1048,8 @@ workflows:
       - envoy-integration-test-1_16_2:
           requires:
             - dev-build
+  # TODO(rb): add in 1.17.0 support when v3 is ready
+
   website:
     unless: << pipeline.parameters.trigger-load-test >>
     jobs:

.golangci.yml

@@ -19,6 +19,12 @@ issues:
     - linters: [staticcheck]
       text: 'SA9004:'
 
+    - linters: [staticcheck]
+      text: 'SA1019: Package github.com/golang/protobuf/jsonpb is deprecated'
+
+    - linters: [staticcheck]
+      text: 'SA1019: Package github.com/golang/protobuf/proto is deprecated'
+
     # An argument that always receives the same value is often not a problem.
     - linters: [unparam]
       text: 'always receives'

agent/xds/clusters.go

@@ -12,11 +12,13 @@ import (
 	envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
 	envoyendpoint "github.com/envoyproxy/go-control-plane/envoy/api/v2/endpoint"
 	envoytype "github.com/envoyproxy/go-control-plane/envoy/type"
+
 	"github.com/golang/protobuf/jsonpb"
 	"github.com/golang/protobuf/proto"
 	"github.com/golang/protobuf/ptypes"
 	"github.com/golang/protobuf/ptypes/any"
 	"github.com/golang/protobuf/ptypes/wrappers"
+
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/proxycfg"
 	"github.com/hashicorp/consul/agent/structs"
@@ -270,13 +272,18 @@ func (s *Server) injectGatewayServiceAddons(cfgSnap *proxycfg.ConfigSnapshot, c
 	case structs.ServiceKindTerminatingGateway:
 		// Context used for TLS origination to the cluster
 		if mapping, ok := cfgSnap.TerminatingGateway.GatewayServices[svc]; ok && mapping.CAFile != "" {
-			context := envoyauth.UpstreamTlsContext{
+			tlsContext := &envoyauth.UpstreamTlsContext{
 				CommonTlsContext: makeCommonTLSContextFromFiles(mapping.CAFile, mapping.CertFile, mapping.KeyFile),
 			}
 			if mapping.SNI != "" {
-				context.Sni = mapping.SNI
+				tlsContext.Sni = mapping.SNI
+			}
+
+			transportSocket, err := makeUpstreamTLSTransportSocket(tlsContext)
+			if err != nil {
+				return err
 			}
-			c.TlsContext = &context
+			c.TransportSocket = transportSocket
 		}
 		if err := injectLBToCluster(lb, c); err != nil {
 			return fmt.Errorf("failed to apply load balancer configuration to cluster %q: %v", c.Name, err)
@@ -418,11 +425,17 @@ func (s *Server) makeUpstreamClusterForPreparedQuery(upstream structs.Upstream,
 	}
 
 	// Enable TLS upstream with the configured client certificate.
-	c.TlsContext = &envoyauth.UpstreamTlsContext{
+	tlsContext := &envoyauth.UpstreamTlsContext{
 		CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf()),
 		Sni:              sni,
 	}
 
+	transportSocket, err := makeUpstreamTLSTransportSocket(tlsContext)
+	if err != nil {
+		return nil, err
+	}
+	c.TransportSocket = transportSocket
+
 	return c, nil
 }
 
@@ -536,11 +549,17 @@ func (s *Server) makeUpstreamClustersForDiscoveryChain(
 		}
 
 		// Enable TLS upstream with the configured client certificate.
-		c.TlsContext = &envoyauth.UpstreamTlsContext{
+		tlsContext := &envoyauth.UpstreamTlsContext{
 			CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf()),
 			Sni:              sni,
 		}
 
+		transportSocket, err := makeUpstreamTLSTransportSocket(tlsContext)
+		if err != nil {
+			return nil, err
+		}
+		c.TransportSocket = transportSocket
+
 		out = append(out, c)
 	}
 
@@ -551,7 +570,7 @@ func (s *Server) makeUpstreamClustersForDiscoveryChain(
 		defaultCluster := out[0]
 
 		// Overlay what the user provided.
-		escapeHatchCluster.TlsContext = defaultCluster.TlsContext
+		escapeHatchCluster.TransportSocket = defaultCluster.TransportSocket
 
 		out = []*envoy.Cluster{escapeHatchCluster}
 	}
@@ -726,18 +745,6 @@ func (s *Server) makeGatewayCluster(snap *proxycfg.ConfigSnapshot, opts gatewayC
 	return cluster
 }
 
-// injectTerminatingGatewayTLSContext adds an UpstreamTlsContext to a cluster for TLS origination
-func injectTerminatingGatewayTLSContext(cfgSnap *proxycfg.ConfigSnapshot, cluster *envoy.Cluster, service structs.ServiceName) {
-	if mapping, ok := cfgSnap.TerminatingGateway.GatewayServices[service]; ok && mapping.CAFile != "" {
-		cluster.TlsContext = &envoyauth.UpstreamTlsContext{
-			CommonTlsContext: makeCommonTLSContextFromFiles(mapping.CAFile, mapping.CertFile, mapping.KeyFile),
-
-			// TODO (gateways) (freddy) If mapping.SNI is empty, does Envoy behave any differently if TlsContext.Sni is excluded?
-			Sni: mapping.SNI,
-		}
-	}
-}
-
 func makeThresholdsIfNeeded(limits UpstreamLimits) []*envoycluster.CircuitBreakers_Thresholds {
 	var empty UpstreamLimits
 	// Make sure to not create any thresholds when passed the zero-value in order

agent/xds/clusters_test.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
+
 	"github.com/golang/protobuf/ptypes/wrappers"
 	testinf "github.com/mitchellh/go-testing-interface"
 	"github.com/stretchr/testify/require"
@@ -44,20 +45,7 @@ func TestClustersFromSnapshot(t *testing.T) {
 			setup: func(snap *proxycfg.ConfigSnapshot) {
 				snap.Proxy.Config["envoy_local_cluster_json"] =
 					customAppClusterJSON(t, customClusterJSONOptions{
-						Name:        "mylocal",
-						IncludeType: false,
-					})
-			},
-		},
-		{
-			name:               "custom-local-app-typed",
-			create:             proxycfg.TestConfigSnapshot,
-			overrideGoldenName: "custom-local-app",
-			setup: func(snap *proxycfg.ConfigSnapshot) {
-				snap.Proxy.Config["envoy_local_cluster_json"] =
-					customAppClusterJSON(t, customClusterJSONOptions{
-						Name:        "mylocal",
-						IncludeType: true,
+						Name: "mylocal",
 					})
 			},
 		},
@@ -67,8 +55,7 @@ func TestClustersFromSnapshot(t *testing.T) {
 			setup: func(snap *proxycfg.ConfigSnapshot) {
 				snap.Proxy.Upstreams[0].Config["envoy_cluster_json"] =
 					customAppClusterJSON(t, customClusterJSONOptions{
-						Name:        "myservice",
-						IncludeType: false,
+						Name: "myservice",
 					})
 			},
 		},
@@ -78,20 +65,7 @@ func TestClustersFromSnapshot(t *testing.T) {
 			setup: func(snap *proxycfg.ConfigSnapshot) {
 				snap.Proxy.Upstreams[0].Config["envoy_cluster_json"] =
 					customAppClusterJSON(t, customClusterJSONOptions{
-						Name:        "myservice",
-						IncludeType: false,
-					})
-			},
-		},
-		{
-			name:               "custom-upstream-typed",
-			create:             proxycfg.TestConfigSnapshot,
-			overrideGoldenName: "custom-upstream",
-			setup: func(snap *proxycfg.ConfigSnapshot) {
-				snap.Proxy.Upstreams[0].Config["envoy_cluster_json"] =
-					customAppClusterJSON(t, customClusterJSONOptions{
-						Name:        "myservice",
-						IncludeType: true,
+						Name: "myservice",
 					})
 			},
 		},
@@ -102,10 +76,9 @@ func TestClustersFromSnapshot(t *testing.T) {
 			setup: func(snap *proxycfg.ConfigSnapshot) {
 				snap.Proxy.Upstreams[0].Config["envoy_cluster_json"] =
 					customAppClusterJSON(t, customClusterJSONOptions{
-						Name:        "myservice",
-						IncludeType: true,
+						Name: "myservice",
 						// Attempt to override the TLS context should be ignored
-						TLSContext: `{"commonTlsContext": {}}`,
+						TLSContext: `"allowRenegotiation": false`,
 					})
 			},
 		},
@@ -745,7 +718,7 @@ func expectClustersJSONResources(snap *proxycfg.ConfigSnapshot) map[string]strin
 					"healthyPanicThreshold": {}
 				},
 				"connectTimeout": "5s",
-				"tlsContext": ` + expectedUpstreamTLSContextJSON(snap, "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul") + `
+				"transportSocket": ` + expectedUpstreamTransportSocketJSON(snap, "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul") + `
 			}`,
 		"prepared_query:geo-cache": `
 			{
@@ -766,7 +739,7 @@ func expectClustersJSONResources(snap *proxycfg.ConfigSnapshot) map[string]strin
 
 				},
 				"connectTimeout": "5s",
-				"tlsContext": ` + expectedUpstreamTLSContextJSON(snap, "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul") + `
+				"transportSocket": ` + expectedUpstreamTransportSocketJSON(snap, "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul") + `
 			}`,
 	}
 }
@@ -804,17 +777,20 @@ func expectClustersJSON(snap *proxycfg.ConfigSnapshot, v, n uint64) string {
 }
 
 type customClusterJSONOptions struct {
-	Name        string
-	IncludeType bool
-	TLSContext  string
+	Name       string
+	TLSContext string
 }
 
 var customAppClusterJSONTpl = `{
-	{{ if .IncludeType -}}
 	"@type": "type.googleapis.com/envoy.api.v2.Cluster",
-	{{- end }}
 	{{ if .TLSContext -}}
-	"tlsContext": {{ .TLSContext }},
+	"transport_socket": {
+		"name": "tls",
+		"typed_config": {
+			"@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext",
+			{{ .TLSContext }}
+		}
+	},
 	{{- end }}
 	"name": "{{ .Name }}",
 	"connectTimeout": "15s",
@@ -858,35 +834,35 @@ func TestEnvoyLBConfig_InjectToCluster(t *testing.T) {
 	var tests = []struct {
 		name     string
 		lb       *structs.LoadBalancer
-		expected envoy.Cluster
+		expected *envoy.Cluster
 	}{
 		{
 			name: "skip empty",
 			lb: &structs.LoadBalancer{
 				Policy: "",
 			},
-			expected: envoy.Cluster{},
+			expected: &envoy.Cluster{},
 		},
 		{
 			name: "round robin",
 			lb: &structs.LoadBalancer{
 				Policy: structs.LBPolicyRoundRobin,
 			},
-			expected: envoy.Cluster{LbPolicy: envoy.Cluster_ROUND_ROBIN},
+			expected: &envoy.Cluster{LbPolicy: envoy.Cluster_ROUND_ROBIN},
 		},
 		{
 			name: "random",
 			lb: &structs.LoadBalancer{
 				Policy: structs.LBPolicyRandom,
 			},
-			expected: envoy.Cluster{LbPolicy: envoy.Cluster_RANDOM},
+			expected: &envoy.Cluster{LbPolicy: envoy.Cluster_RANDOM},
 		},
 		{
 			name: "maglev",
 			lb: &structs.LoadBalancer{
 				Policy: structs.LBPolicyMaglev,
 			},
-			expected: envoy.Cluster{LbPolicy: envoy.Cluster_MAGLEV},
+			expected: &envoy.Cluster{LbPolicy: envoy.Cluster_MAGLEV},
 		},
 		{
 			name: "ring_hash",
@@ -897,7 +873,7 @@ func TestEnvoyLBConfig_InjectToCluster(t *testing.T) {
 					MaximumRingSize: 7,
 				},
 			},
-			expected: envoy.Cluster{
+			expected: &envoy.Cluster{
 				LbPolicy: envoy.Cluster_RING_HASH,
 				LbConfig: &envoy.Cluster_RingHashLbConfig_{
 					RingHashLbConfig: &envoy.Cluster_RingHashLbConfig{
@@ -915,7 +891,7 @@ func TestEnvoyLBConfig_InjectToCluster(t *testing.T) {
 					ChoiceCount: 3,
 				},
 			},
-			expected: envoy.Cluster{
+			expected: &envoy.Cluster{
 				LbPolicy: envoy.Cluster_LEAST_REQUEST,
 				LbConfig: &envoy.Cluster_LeastRequestLbConfig_{
 					LeastRequestLbConfig: &envoy.Cluster_LeastRequestLbConfig{
@@ -932,7 +908,7 @@ func TestEnvoyLBConfig_InjectToCluster(t *testing.T) {
 			err := injectLBToCluster(tc.lb, &c)
 			require.NoError(t, err)
 
-			require.Equal(t, tc.expected, c)
+			require.Equal(t, tc.expected, &c)
 		})
 	}
 }

agent/xds/config.go

@@ -5,11 +5,13 @@ import (
 	"time"
 
 	envoycluster "github.com/envoyproxy/go-control-plane/envoy/api/v2/cluster"
+
 	"github.com/golang/protobuf/ptypes"
 	"github.com/golang/protobuf/ptypes/wrappers"
+	"github.com/mitchellh/mapstructure"
+
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/lib/decode"
-	"github.com/mitchellh/mapstructure"
 )
 
 // ProxyConfig describes the keys we understand from Connect.Proxy.Config. Note

agent/xds/config_test.go

@@ -4,8 +4,9 @@ import (
 	"testing"
 	"time"
 
-	"github.com/hashicorp/consul/agent/structs"
 	"github.com/stretchr/testify/require"
+
+	"github.com/hashicorp/consul/agent/structs"
 )
 
 func TestParseProxyConfig(t *testing.T) {