From 09fbf23350f999eb685d6bea212902d4d835de76 Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Thu, 4 Apr 2024 11:33:30 -0400 Subject: [PATCH] tproxy: E2E tests Add the `consul-cni` plugin to the Linux AMI for E2E, and add a test case that covers the transparent proxy feature. Ref: https://github.com/hashicorp/nomad/pull/20175 --- e2e/connect/connect_test.go | 25 +++++ e2e/connect/input/tproxy.nomad.hcl | 99 +++++++++++++++++++ .../packer/ubuntu-jammy-amd64/setup.sh | 23 ++++- 3 files changed, 145 insertions(+), 2 deletions(-) create mode 100644 e2e/connect/input/tproxy.nomad.hcl diff --git a/e2e/connect/connect_test.go b/e2e/connect/connect_test.go index 95e14ff9a1e..e94b9e6f332 100644 --- a/e2e/connect/connect_test.go +++ b/e2e/connect/connect_test.go @@ -32,6 +32,7 @@ func TestConnect(t *testing.T) { t.Run("ConnectMultiIngress", testConnectMultiIngressGateway) t.Run("ConnectTerminatingGateway", testConnectTerminatingGateway) t.Run("ConnectMultiService", testConnectMultiService) + t.Run("ConnectTransparentProxy", testConnectTransparentProxy) } // testConnectDemo tests the demo job file used in Connect Integration examples. 
@@ -120,6 +121,30 @@ func testConnectMultiService(t *testing.T) { assertServiceOk(t, cc, "echo2-sidecar-proxy") } +// testConnectTransparentProxy tests the Connect Transparent Proxy integration +func testConnectTransparentProxy(t *testing.T) { + _, cleanup := jobs3.Submit(t, "./input/tproxy.nomad.hcl", jobs3.Timeout(time.Second*60)) + t.Cleanup(cleanup) + + cc := e2eutil.ConsulClient(t) + + ixn := &capi.Intention{ + SourceName: "count-dashboard", + DestinationName: "count-api", + Action: "allow", + } + _, err := cc.Connect().IntentionUpsert(ixn, nil) + must.NoError(t, err, must.Sprint("could not create intention")) + + t.Cleanup(func() { + _, err := cc.Connect().IntentionDeleteExact("count-dashboard", "count-api", nil) + test.NoError(t, err) + }) + + assertServiceOk(t, cc, "count-api-sidecar-proxy") + assertServiceOk(t, cc, "count-dashboard-sidecar-proxy") +} + // assertServiceOk is a test helper to assert a service is passing health checks, if any func assertServiceOk(t *testing.T, cc *capi.Client, name string) { t.Helper() diff --git a/e2e/connect/input/tproxy.nomad.hcl b/e2e/connect/input/tproxy.nomad.hcl new file mode 100644 index 00000000000..e5105a2fd75 --- /dev/null +++ b/e2e/connect/input/tproxy.nomad.hcl 
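Review bot: testConnectTransparentProxy asserts only that `count-api-sidecar-proxy` and `count-dashboard-sidecar-proxy` pass their Consul health checks, so unless the dashboard's `/health` depends on reaching count-api (not visible here) the test would still pass if no traffic were redirected through the proxy or if the intention were ignored. The `allow` intention is also upserted only after `jobs3.Submit` has returned, so its effect is never observed either way. I would add a request from the dashboard allocation to `http://count-api.virtual.consul` that is expected to succeed, or at minimum record the gap above the final asserts: `// NOTE: only sidecar health is checked; dashboard->api traffic through the transparent proxy and intention enforcement are not exercised.` assertServiceOk's body continues outside the hunk.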
@@ -0,0 +1,99 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +job "countdash" { + + constraint { + attribute = "${attr.kernel.name}" + value = "linux" + } + + group "api" { + network { + mode = "bridge" + } + + service { + name = "count-api" + port = "9001" + + check { + type = "http" + path = "/health" + expose = true + interval = "3s" + timeout = "1s" + + check_restart { + limit = 0 + } + } + + connect { + sidecar_service { + proxy { + transparent_proxy {} + } + } + } + } + + task "web" { + driver = "docker" + + config { + image = "hashicorpdev/counter-api:v3" + auth_soft_fail = true + } + } + } + + group "dashboard" { + network { + mode = "bridge" + + port "http" { + static = 9010 + to = 9002 + } + } + + service { + name = "count-dashboard" + port = "9002" + + check { + type = "http" + path = "/health" + expose = true + interval = "3s" + timeout = "1s" + + check_restart { + limit = 0 + } + } + + connect { + sidecar_service { + proxy { + transparent_proxy {} + } + } + } + } + + task "dashboard" { + driver = "docker" + + env { + COUNTING_SERVICE_URL = "http://count-api.virtual.consul" + } + + config { + image = "hashicorpdev/counter-dashboard:v3" + auth_soft_fail = true + } + } + } +} diff --git a/e2e/terraform/packer/ubuntu-jammy-amd64/setup.sh b/e2e/terraform/packer/ubuntu-jammy-amd64/setup.sh index 14f7f93510d..30366717fc2 100755 --- a/e2e/terraform/packer/ubuntu-jammy-amd64/setup.sh +++ b/e2e/terraform/packer/ubuntu-jammy-amd64/setup.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env bash + #!/usr/bin/env bash # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: BUSL-1.1 @@ -20,6 +20,7 @@ echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selecti mkdir_for_root /opt mkdir_for_root /srv/data # for host volumes +mkdir_for_root /opt/cni/bin # Dependencies sudo apt-get update 
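Review bot: The `port "http"` block in group "dashboard" (`static = 9010`, `to = 9002`) publishes the dashboard on a fixed host port, yet nothing visible uses the `http` label: the service sets `port = "9002"` literally and the test only queries Consul. A host-published port is likely a path to the dashboard that is not gated by the intention the test creates, and it also limits the group to one allocation per client and can collide with other E2E jobs. If the port is not needed I would drop the block, or else say why it exists with a comment such as `# host port kept for manual debugging; not part of the mesh path`.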
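Review bot: The first line of setup.sh appears to gain leading whitespace before `#!` in the `@@ -1,4 +1,4 @@` hunk: the removed line is `#!/usr/bin/env bash` and the added one shows a space after the `+` marker, although the exact whitespace cannot be recovered from this rendering. If that is what changed, the kernel no longer treats the line as an interpreter directive and the script runs under whatever shell the provisioner falls back to, which matters because this commit also adds `pushd`/`popd`, which are bash builtins. The line should stay exactly `#!/usr/bin/env bash` at column 0.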
@@ -63,6 +64,25 @@ sudo apt-get install -y \ consul-enterprise \ nomad +# TODO(tgross: replace with downloading the binary from releases.hashicorp.com +# once the official 1.4.2 release has shipped +echo "Installing consul-cni plugin" +sudo apt-get install -y build-essential git curl + +pushd /tmp +curl -LO https://go.dev/dl/go1.22.2.linux-amd64.tar.gz +sudo tar -C /usr/local -xzf go1.22.2.linux-amd64.tar.gz +git clone https://github.com/hashicorp/consul-k8s.git +pushd consul-k8s +export PATH="$PATH:/usr/local/go/bin" +make control-plane-dev + +sudo mv control-plane/cni/bin/consul-cni /opt/cni/bin +sudo chown root:root /opt/cni/bin/consul-cni +sudo chmod +x /opt/cni/bin/consul-cni +popd +popd + # Note: neither service will start on boot because we haven't enabled # the systemd unit file and we haven't uploaded any configuration # files for Consul and Nomad @@ -90,7 +110,6 @@ sudo apt-get install -y openjdk-17-jdk-headless # CNI echo "Installing CNI plugins" -sudo mkdir -p /opt/cni/bin wget -q -O - \ https://github.com/containernetworking/plugins/releases/download/v1.0.0/cni-plugins-linux-amd64-v1.0.0.tgz \ | sudo tar -C /opt/cni/bin -xz
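Review bot: The consul-cni build in the `@@ -63,6 +64,25 @@` hunk fetches the Go tarball with `curl -LO` and no checksum check, and clones consul-k8s at whatever its default branch points to at image-build time; the result is then installed root-owned into /opt/cni/bin, where CNI plugins run with host privileges. Nothing ties the binary baked into the AMI to a reviewed source revision, so two image builds can differ silently and an upstream or download-path compromise goes straight into the image. I would verify the tarball against the SHA-256 published on go.dev and check out a fixed consul-k8s commit, as sketched below with placeholders for the values the page does not give. Separately, the build toolchain and the /tmp/consul-k8s checkout stay in the image, and the `TODO(tgross:` comment is missing its closing parenthesis.

```shell
# … unchanged: apt-get install of build tools, pushd /tmp …
GO_TARBALL="go1.22.2.linux-amd64.tar.gz"
GO_SHA256="<PLACEHOLDER: sha256 published on go.dev/dl for this tarball>"
CONSUL_K8S_REF="<PLACEHOLDER: consul-k8s commit SHA to build>"

curl -fsSLO "https://go.dev/dl/${GO_TARBALL}"
# Abort the image build if the download does not match the pinned digest.
echo "${GO_SHA256}  ${GO_TARBALL}" | sha256sum --check --strict - || exit 1
sudo tar -C /usr/local -xzf "${GO_TARBALL}"
git clone https://github.com/hashicorp/consul-k8s.git
# Build a fixed revision rather than the moving default branch.
git -C consul-k8s checkout --detach "${CONSUL_K8S_REF}" || exit 1
# … unchanged: pushd consul-k8s, PATH export, make control-plane-dev, install into /opt/cni/bin …
```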