Some test fixes after various updates.

- Fix `dns_lookup_family` Envoy setting for upgraded config location.

- Fix/restore Envoy negative DNS TTL handling for NXDOMAIN responses
  (and not just the DNS server being down).

- Fix the new Caddy test server binding to all addresses and port 80 by
  default.

- Generate new test SSL certificate, since the previous dummy one
  expired this month after 10 years. The new one is also good for 10
  years.

Author: GUI

src/api-umbrella/utils/active_config_store/set_envoy_config.lua

@@ -91,10 +91,10 @@ local function build_cluster_resource(cluster_name, options)
         ["@type"] = "type.googleapis.com/envoy.extensions.clusters.dns.v3.DnsCluster",
         typed_dns_resolver_config = dns_resolver_config,
         respect_dns_ttl = true,
+        dns_lookup_family = dns_lookup_family,
       },
     },
     wait_for_warm_on_init = false,
-    dns_lookup_family = dns_lookup_family,
     ignore_health_on_host_removal = true,
     load_assignment = {
       cluster_name = cluster_name,
@@ -136,12 +136,16 @@ local function build_cluster_resource(cluster_name, options)
     },
   }
 
-  -- Use the "negative_ttl" time as Envoy's DNS refresh rate when failures
-  -- occur. Since we have "respect_dns_ttl" enabled, successful DNS requests
-  -- will use that refresh rate instead of this one. Since this is only used in
-  -- failure situations we can use this to provide a TTL for negative
-  -- responses.
+  -- Use the `negative_ttl` time as Envoy's DNS refresh rate.
+  --
+  -- Since we have `respect_dns_ttl` enabled, successful DNS requests will use
+  -- that refresh rate instead of this one. That means this setting is really
+  -- only used in failure situations. We configure `dns_refresh_rate` to
+  -- provide the TTL for successful, but negative responses (like NXDOMAIN
+  -- responses), while `dns_failure_refresh_rate` is used if the DNS servers
+  -- themselves are down/unresponsive.
   if file_config["dns_resolver"]["negative_ttl"] then
+    resource["cluster_type"]["typed_config"]["dns_refresh_rate"] = file_config["dns_resolver"]["negative_ttl"] .. "s"
     resource["cluster_type"]["typed_config"]["dns_failure_refresh_rate"] = {
       base_interval = file_config["dns_resolver"]["negative_ttl"] .. "s",
       max_interval = file_config["dns_resolver"]["negative_ttl"] .. "s",

templates/etc/envoy/envoy.yaml.etlua

@@ -18,7 +18,7 @@ static_resources:
         typed_config:
           "@type": type.googleapis.com/envoy.extensions.clusters.dns.v3.DnsCluster
           respect_dns_ttl: true
-      dns_lookup_family: V4_PREFERRED
+          dns_lookup_family: V4_PREFERRED
       ignore_health_on_host_removal: true
       load_assignment:
         cluster_name: api-umbrella-cluster

templates/etc/test-env/Caddyfile.etlua

@@ -1,3 +1,8 @@
+{
+  auto_https disable_redirects
+  default_bind 127.0.0.1
+}
+
 http://localhost:<%- config["caddy"]["http_port"] %> {
   tls internal
   log

test/config/ssl_test.crt

@@ -1,20 +1,31 @@
 -----BEGIN CERTIFICATE-----
-MIIDPTCCAiWgAwIBAgIJAKcCZCYljmEkMA0GCSqGSIb3DQEBBQUAMDUxFTATBgNV
-BAoMDEFQSSBVbWJyZWxsYTEcMBoGA1UEAwwTc3NsdGVzdC5leGFtcGxlLmNvbTAe
-Fw0xNTExMjcxNjM1NDlaFw0yNTExMjQxNjM1NDlaMDUxFTATBgNVBAoMDEFQSSBV
-bWJyZWxsYTEcMBoGA1UEAwwTc3NsdGVzdC5leGFtcGxlLmNvbTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBANLdPBuVSwtQIFfT2MOCfBBGb1SfNQrL4mrF
-vPDesbiwiHOPxYwS7mbsXbzvjoKBmP4S8cgMXsZF84eMc0u+7hsZOBHnh8rzaWj4
-8VFRtITc9uyo1aLGZVx3+Wrmwlz/4Surq7cMRJaflnppuyc+2++ZPdBE9Mp4NwsE
-qahyKpRQA/nhoMNxRF0g5qus4E4xBeoYoBQZYLmheoo/ja2OwmPAm3NYbN9xZGwa
-84Z1DBu2QEnkn+5XfCVqQL0KXYp1RdgpfI1rhYkz1HAswhj/wYwfx1rWIS91Xsi9
-37OYk5tbctEqqj1EypIr0ejjREtHQXqjo9f2GFDMnQsLahK8uMkCAwEAAaNQME4w
-HQYDVR0OBBYEFPXFKiuwDSZSERD6q9KRyCUdwzxrMB8GA1UdIwQYMBaAFPXFKiuw
-DSZSERD6q9KRyCUdwzxrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
-ALYNLUBrSHUATfoYjyqTB+JfXgfQfWmLXSrv7DVrBdSx1+2/3varbrq+C/MXBLju
-TI5ivTnR4+5HSFYfpAo3KWgOh8n0t+h4wKOOngJ+n3q5ERRmlm9SoY1Fw83p6I3I
-AL+sF2C2TmZFyZxACa3MctDTh5HLXoy1xVF7Fs2wvGHedg8vANdxbOTPxwT4Qs1n
-piA03rD7uWvJxHebObYqy5DJN4nZGgH558N7WtbwHKKcF97jNHfqGGaj61krL8G5
-/Vch7kLiPgsUjmdMIeBHOVlAsZhmzkHaS5ZPPeJHF2P0kRnTHclxasko4xDhJMo6
-SpEaZvlBrzOVKJ4ePiE2S2Y=
+MIIFSzCCAzOgAwIBAgIUbzUQEFYGJM3zddsXmHLBByXUItkwDQYJKoZIhvcNAQEL
+BQAwNTEVMBMGA1UECgwMQVBJIFVtYnJlbGxhMRwwGgYDVQQDDBNzc2x0ZXN0LmV4
+YW1wbGUuY29tMB4XDTI1MTIzMTEzMTA0MFoXDTM1MTIyOTEzMTA0MFowNTEVMBMG
+A1UECgwMQVBJIFVtYnJlbGxhMRwwGgYDVQQDDBNzc2x0ZXN0LmV4YW1wbGUuY29t
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx+xgliSS45tU5Sc8Mns0
+c6n8ytRT6qc61nNjRri+jFrCZFj7K2+jW/MiWb7DrG//4NNVJEgB27makuSAWD+h
+7op+L4/DJCxsKO9eO8J9KtHiOR4WxMmdlglgZQmbMXJEm3INP3dQlhsRDK940mHW
+psnmAwZFzMCYFu+KmPcSJvreMwMeFQGtQDWkkyVrbnffwT+nWOwjJmuCODgTcKRz
+jv/vg7PBlUvhxAVDsxGuTKDjaoQ4DveJ3P3NqrUy17V53jY9NH2iy2gSIo/3tmde
+tSbwX36xTQY2UbR1NFHLYiPlQsX+tTqFT271Ncdu49MzbWz+SPCsb7sBjSoThDit
+LMApL1uk5PorM7AFBhjTband22Dv+ez5E6NstoZj4vAA9lYEYtPeM/s+pFqNQbFu
+K3El0u7oKTdt6Lg+klwTtmaKN2/zWbEhYQ2USH8Gk3dPsdY6WXrQrH79BRmTgVH5
+UcsqisN38+jWs6hNHjZ/mPLEhDBZ0N2h/WRlUsiC8cAo47x1wEAS77KLgoaNp24l
+pfVTVRpJdfM5FEsonjwjPyZz1hE5p4d23wjhkYMGpypIomVaLJH7MtHE6CDf20M8
+kfqMiBd8UDpmqT5vfu8pSHhqZI61z6gMwCNPTOH25b8eAlzjuQUR2Xv6fxz4Yz5c
+dy/EbSRPHc5MlUyVm4MI1LMCAwEAAaNTMFEwHQYDVR0OBBYEFAVXII6MtD1Pz/nB
+4CWxmTu8IaI5MB8GA1UdIwQYMBaAFAVXII6MtD1Pz/nB4CWxmTu8IaI5MA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAHFJ7pa2PrY5cr8Ds7Gwoo88
+A2l1YPURHaYhCivK3AyQmOrBHSmYD+cLERnHtu7CwHLfqUBYz2f/GpPe15FleKNt
+2CfP2RS7N+slWAEuzq2zdDbpiSdDlXQzAOJPAp1epWAF4zTXJ/R4SAKrqXyuUycX
+zhU8NzzMV5B9hQ2rTbpjyXAzr2JxS3pBixUBlGV7gNagF+JF0F86/NNQ1lGMI67I
+zQFHLqyLJi0V6fMChCwcCpbW6XvMrugOKePuZwtHnZJK5nxJdUjoHzhgOZtFEIru
+LX6Sb0PL14GwjohAsIohwZ/hjbMpLrNMFo7kNiTvlsLYFIM7aJ2M3sjgz0Q8xA2L
+4tY/VRds5zkeCf5mqnVzcIYJqMksurkjseuBiKAPxSkX7+PLAxHJG+HhhejxSje1
+Sh3eyuST6wKgFgE7/A+GWpIp4ZG/Mu9nzArEGiZG0FDyVgD/y040hRZsgwF11b97
+q3rJe7fVF9ywKI9EuSOVU6Y7aXSBNwzj+rHIneF9GCvw2oZGiVSJZGwnH57O0uFM
+uELKb9YItjZqF1+9b2qEC9V1oX9pOc0zVZofg0cIg0xMtlp/hyBP7Nle6i7ve8Of
++5EHkAl8+efYtH0eQS7j7dpb902WEJTOCmM5fugx+wcrkWlhYaQ96+jO+xs8JmMK
+1laLtNjpBIGnJsW+LvNJ
 -----END CERTIFICATE-----

test/config/ssl_test.key

@@ -1,28 +1,52 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDS3TwblUsLUCBX
-09jDgnwQRm9UnzUKy+Jqxbzw3rG4sIhzj8WMEu5m7F28746CgZj+EvHIDF7GRfOH
-jHNLvu4bGTgR54fK82lo+PFRUbSE3PbsqNWixmVcd/lq5sJc/+Erq6u3DESWn5Z6
-absnPtvvmT3QRPTKeDcLBKmociqUUAP54aDDcURdIOarrOBOMQXqGKAUGWC5oXqK
-P42tjsJjwJtzWGzfcWRsGvOGdQwbtkBJ5J/uV3wlakC9Cl2KdUXYKXyNa4WJM9Rw
-LMIY/8GMH8da1iEvdV7Ivd+zmJObW3LRKqo9RMqSK9Ho40RLR0F6o6PX9hhQzJ0L
-C2oSvLjJAgMBAAECggEAHXCh+b/oUFYJjfmX5AQNyj/rP0dTIoTAweOFs6OD8KNF
-Cc1i6WGjQ19w3vYbUYFCmQaQFzwS51/Q1nX3ivXHTKVCvM00mlNNvkgzeQUNTReE
-qhoQab+FW1msyw4YyN840t4PBWmDEfyKB+FHLf2Ku3MLvE5EVxhdpv4pqcj2xOn+
-IqN7uNaYjcROkh60jLrObFaks62vspi3mXrWGHy7S74iMz3V4D3+owhh11R/vhq1
-HLW9rMy3Yp1RFrzi8MFuC5EkXdadoyWmlIgQBU3MP98mhp/y4FtDRb4+Yt2Fqssd
-Xxg3iajWn73HHXZBzdtuC2wYJn930lwlaOHOozp7+QKBgQDqxdSA1mZ4eAmvcx58
-AGCbGBnj5lxAhu7LkP7s4K3OWqUrGX62klv35tyaeIVOlly5+RlMAHVb9b110MIA
-gqvN6XK6RBBKUCTWlSCEVzzZCQm8PkXrVRqbY34SyysA6zVIKr8sGBZcC8vd/pof
-IkVNQziLr5KGetUEQqTMzJQL0wKBgQDl7gEyKKBwybQ4N1huZFOaPTvBGARR0sb9
-eYxK+3eX+WZBB4mp0hhrw6mJIQIQYBH6f0UiR+fwpGFQ4XvaKJ96lypBKwAmMKEL
-j1Ir0AkIsjfUctWqg2UDfkZ0okLrXrX4OkSV38j5nbKFMu8+cwDWbIRXtSEyUsAm
-jBoUYEJTcwKBgFKA+T/ZmKMnVAgDRahAHbMDUj3ju3G1uX9yUhP+lTXaZwbxa7VP
-U+CXkdj7F6XZc3arkndCBfwuLMmVdkflo+i17GqG9s6WwYtjVs0LN0fyRCiSHdIo
-0zPeT/Tczx0Ai3X0B8DAKkNopdk62wCr83zGbb2xEqYNzoQzw2RxVGmfAoGAO1SZ
-7GZ9V/1ESslFQV8UD5XDaIUZAEAiZt/JasPOzWFmmFsok7CJ6qzXf3IMBUu09+2F
-Wl4xpG/WSLeWbOnUlR6SobRF2pTryX7XFkUdP6g1LdXf+prjIu6foZMJL5EF5aKr
-df0D8B1YJnTJNVUZnzrrP3KWuVSPDqNSS3W3R68CgYEAsp3Km/wV/2Joec5B1bRI
-T86t1uNNlMl1z8iWahTC4hl8YO3aLtcLpiMc77vk52Y+L4C5TLadTx9yC4cCS+lx
-8lT6pv+3KdcnBmJ7sIjNI+ml2pimM62tiNCUdsxQaJv8g6TpsI41jECSi7PsBTVE
-7vnmnCmVYGREFOTU69T4D0g=
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDH7GCWJJLjm1Tl
+JzwyezRzqfzK1FPqpzrWc2NGuL6MWsJkWPsrb6Nb8yJZvsOsb//g01UkSAHbuZqS
+5IBYP6Huin4vj8MkLGwo7147wn0q0eI5HhbEyZ2WCWBlCZsxckSbcg0/d1CWGxEM
+r3jSYdamyeYDBkXMwJgW74qY9xIm+t4zAx4VAa1ANaSTJWtud9/BP6dY7CMma4I4
+OBNwpHOO/++Ds8GVS+HEBUOzEa5MoONqhDgO94nc/c2qtTLXtXneNj00faLLaBIi
+j/e2Z161JvBffrFNBjZRtHU0UctiI+VCxf61OoVPbvU1x27j0zNtbP5I8KxvuwGN
+KhOEOK0swCkvW6Tk+iszsAUGGNNtqd3bYO/57PkTo2y2hmPi8AD2VgRi094z+z6k
+Wo1BsW4rcSXS7ugpN23ouD6SXBO2Zoo3b/NZsSFhDZRIfwaTd0+x1jpZetCsfv0F
+GZOBUflRyyqKw3fz6NazqE0eNn+Y8sSEMFnQ3aH9ZGVSyILxwCjjvHXAQBLvsouC
+ho2nbiWl9VNVGkl18zkUSyiePCM/JnPWETmnh3bfCOGRgwanKkiiZVoskfsy0cTo
+IN/bQzyR+oyIF3xQOmapPm9+7ylIeGpkjrXPqAzAI09M4fblvx4CXOO5BRHZe/p/
+HPhjPlx3L8RtJE8dzkyVTJWbgwjUswIDAQABAoICAEMvyJvcqbKtCoBCScQrTIrM
+Z0Sgy5zR23+jYosrXfocLDT+BFbqGyu1D2e6qNbEAumDDBt3yYwWmYBhI1LE+74H
+M/X26d03wpeVLgWGTHs98rlAR+WVXgzElO0Pp+SborvcveAE0IPJj9bEB6YoNDN0
+KYT9sCpp1RLsKJdUfPi1mUPqecsUd61a+bZrvmlvBrbSlgJXxU5NlgMfsUTLN3yo
+vUz09YsfZ71xCXnd6MYe0Z6D1bUN8npenyYN5ArDFbQcZUBFMpcKIAIWgOh/X8Ag
+WGq3UI1yl4Go1DSjgma2an8gvAMaqh9yShzrK3SMDz3ogaJwo3qfDZvrtohaZbPK
+x3Bu+hbuzr8SKautFaRa1S8psGyRzeED79TN6havP6Ii7OZXlAU1HTEkNnvdgFFN
+2Wf/SBOlEPKjFH+7hQQD/KursbkIKi8FdV5+Twuw217NN7wqxpTbxyhqgDyGtsLu
+ZxmhZUpAJMHjXUp/Y2tI+luKf1U6CUvpumd20D+vPCYRMX6UoqLtY8OYP11syndc
+958BOgIR5QVMXW6JcEYfNq7tsszpi25DIms3BTGUc8olysjq0wI9XzImURBzQhoJ
+Lz6p9GOcwJE499bkKAu9GZIAto1rF+RMOzZtaWmnL48KGuuyGEfGS6s+AQOJhIJb
+5oa+CBHi0QqGuOnc1XshAoIBAQDjEFtESzu8nzM/dIU26P9AHuEE00+TShQguBS2
+DZWVh1t1zzaZ26Z+Vl3/77b9ItFTc48+WQjSaY5N69ioYftbaDQGy/dR32Tf8xlF
+9XZdbDVxuGWap1AJ/hXcLnOvUEczBwlwD5JebdCeX9BgLsEndTZN2pJLqrOYggmm
+UXsCZnAoeH/pIq0PqRJSYEcxTTICUuwI8Arrty6jtI+pnKxpiTW0qCuZm47F/JlG
+3CgL8LPolAtco4umuMGhxzIjFMTNLfs75CxCrj7DLGjAyl7MWfNvosoroMuvRkPU
+usgZheM44aP4PljSHHCSovt87+NtMIQhmEo9dDakZgqkjx5TAoIBAQDhZpkq0bby
+FGpjYvKEEIcbeTPfvAxukM7wPZx8yI2saps2U0BFfVzHRm7kSZuyqLyg276PBNN+
+DYKUaPOZFF3XUEFZBBZNzvmYn92i1W1ritx+d9X2b1ma58pAk+mq1Adm2WZRn90c
+KVddUqrtU0gnNWyqThqS765rix6rsh+cvsTnNlSsW0PH5yPg5VrvgqciO8n61Cnr
+/+GO5W1Vc97TM2wXqvYazOuPoU++Hey2zDqCaX6T+a7G7g0g0nU5KaPvGvBFRJun
+AVjuAfrNXkTWtng4Udms+BgK8Si05hEfGOCgxMDp7tYqHvGwZDsBSdkMXtGNymJA
+Gp0K6PbZnOQhAoIBAQC59mlo81zHTHNCYwG/SO/T6fZMZ2viq2b0rQ55U4LQ5fyn
+7b9AHz6qdb2ioQbzJpLdj+UfIPgyq7SaaLAWp7ie0ibZ8i5p5VXOfGCUhUYdmUPk
+EStVj/XjWS86Fuk0CcFmLzsxhe9QWwviyYH1ZBVZZYvGE16BjhpsqwOQLWdbPd5Z
+pubLX1TxYHza7nMgE6MDeDpLz5yCFJKkDHskZGZoQLG1dY3PzjEOQaSe/ivmK4qM
+zsLHakIzl1kuT9/mD1pm2GPMV0FQkzhfzH02eAdPwdO3+FEvjg+DSz6+eQLstFS1
+/0a1RwqjehtQXR8u4aEXigaNJRaYYhdmaRQKVhR1AoIBAQDRaxu/9tz9Cg7WjGY6
+YYjF89RIeVUrnQtHllbAcS2AFgRjcvHyHkmHNF9vZxxr3+5xnfjstFUzdqXt8Zzy
+i0Os+vncFLoMTNMGBPJNifKByqCWOAzpTAd6rwTw/vxJJXpDCpXQHLG4qohrQpVg
+rtII69AsYyi5gEsTzEwQxgws++nB0G7XPGw7XPuuxim5AjD604YTr+/LPxB4TZ1J
+mcBbhhlV3BeQSvhJmFyYjQETzahG5nEeVwsV9LLp3d/f3lpbmzHFibr8bXoMmHZH
+PODEhQApg5K07ESaVfm2KVObCugZNvTt5GPC+sEfW+Cej9hDcA1OqcyjNpbWPiCr
+iuNBAoIBAQCMuDW0qz7P2QC9hZdqkPDg1duFVD159TknlFuddLTvt673JmCi0feO
+FOZAQzmqfnu+Y72oXsRRjp+exABUJN63j4sHMlEc9Tw/x7Kl0DfwoAxS6FymJnKM
+rifX8z2a7j6UqxjbwHcReRcB7aP2wXkWTUAc56AwzkJ6rc/ac4557JWMFe+lDotN
+B1S3efqp2gdk3G2S8Gf+M0DOd+8xtP6kpEqtbOwOz1TWsYk8qls6NA1lNdv0Gptc
+Z5fZ10U4SmVfm12+5BKSEG3BSCweb1ZG8h5xRaihpOfhUkDBnQVi+ojpLzYziQ7H
+tGVHzPQOqmo+ZYolAJNiRD68cNGtMSiB
 -----END PRIVATE KEY-----

test/proxy/dns/test_negative_caching.rb

@@ -64,7 +64,7 @@ def assert_negative_ttl(negative_ttl)
         :body => /no healthy upstream/,
       })
 
-      # The negative TTL caching begins after TrafficServer sees the first
+      # The negative TTL caching begins after Envoy sees the first
       # request and tries to resolve it. So start our timer after the first
       # request.
       start_time = Time.now.utc