test: Disable tap::rejects_incorrect_identity_when_identity_is_expected (#2231)

The `tap::rejects_incorrect_identity_when_identity_is_expected` test
passes incorrectly. This change updates the test to assert the expected
condition; and then the test is skipped (like the other tap integration
tests). These tests all need discovery configuration to operate as
intended.

This change also updates the devcontainer.json spec with an increased
memory limit. This is necessary to run tests.

.devcontainer/devcontainer.json

@@ -1,23 +1,27 @@
 {
 	"name": "linkerd2-proxy",
 	"image": "ghcr.io/linkerd/dev:v38",
-	"extensions": [
+	"customizations": {
-		"DavidAnson.vscode-markdownlint",
+		"vscode": {
-		"kokakiwi.vscode-just",
+			"extensions": [
-		"NathanRidley.autotrim",
+				"DavidAnson.vscode-markdownlint",
-		"rust-lang.rust-analyzer",
+				"kokakiwi.vscode-just",
-		"samverschueren.final-newline",
+				"NathanRidley.autotrim",
-		"tamasfe.even-better-toml",
+				"rust-lang.rust-analyzer",
-		"zxh404.vscode-proto3"
+				"samverschueren.final-newline",
-	],
+				"tamasfe.even-better-toml",
-	"settings": {},
+				"zxh404.vscode-proto3"
+			],
+			"settings": {}
+		}
+	},
 	"onCreateCommand": ".devcontainer/on-create.sh",
 	// Support docker + debugger
 	"runArgs": [
 		"--init",
 		// Limit container memory usage.
-		"--memory=12g",
+		"--memory=24g",
-		"--memory-swap=12g",
+		"--memory-swap=24g",
 		// Use the host network so we can access k3d, etc.
 		"--net=host",
 		// For lldb

linkerd/app/integration/src/tests/tap.rs

@@ -1,6 +1,7 @@
 use crate::tap::TapEventExt;
 use crate::*;
 use std::time::SystemTime;
+use tracing::debug;
 
 #[tokio::test]
 async fn tap_enabled_when_tap_svc_name_set() {
@@ -40,6 +41,8 @@ async fn tap_disabled_when_tap_svc_name_not_set() {
     assert!(proxy.tap.is_none())
 }
 
+// FIXME(ver) this test requires discovery configuration.
+#[ignore]
 #[tokio::test]
 async fn rejects_incorrect_identity_when_identity_is_expected() {
     let _trace = trace_init();
@@ -51,27 +54,37 @@ async fn rejects_incorrect_identity_when_identity_is_expected() {
     let mut expected_identity_env = identity_env.env.clone();
     expected_identity_env.put(app::env::ENV_TAP_SVC_NAME, expected_identity.to_owned());
 
+    debug!("Starting server");
     let srv = server::http1().route("/", "hello").run().await;
 
+    debug!("Starting inbound proxy");
     let in_proxy = proxy::new()
         .inbound(srv)
         .identity(identity_env.service().run().await)
         .run_with_test_env(expected_identity_env)
         .await;
 
+    debug!("Starting outbound tap proxy");
     let tap_proxy = proxy::new()
         .outbound_ip(in_proxy.tap.unwrap())
         .identity(identity_env.service().run().await)
         .run_with_test_env(identity_env.env.clone())
         .await;
 
+    debug!("Observing tap events");
     let mut tap = tap::client(tap_proxy.outbound);
     let mut events = tap.observe(tap::observe_request()).await.take(1);
 
+    debug!("Sending inbound request");
     let client = client::http1(in_proxy.inbound, "localhost");
     assert_eq!(client.get("/").await, "hello");
 
-    assert!(events.next().await.expect("next1").is_err());
+    debug!("Waiting for tap event");
+    let event = events.next().await.expect("next1");
+    assert_eq!(
+        event.expect_err("tap observation must fail").code(),
+        tonic::Code::PermissionDenied
+    );
 }
 
 // FIXME(ver) this test was marked flakey, but now it consistently fails.