consul

Commit Graph

Author	SHA1	Message	Date
Mark Anderson	aaefe15613	Bulk acl message fixup oss (#12470 ) * First pass for helper for bulk changes Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Convert ACLRead and ACLWrite to new form Signed-off-by: Mark Anderson <manderson@hashicorp.com> * AgentRead and AgentWRite Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Fix EventWrite Signed-off-by: Mark Anderson <manderson@hashicorp.com> * KeyRead, KeyWrite, KeyList Signed-off-by: Mark Anderson <manderson@hashicorp.com> * KeyRing Signed-off-by: Mark Anderson <manderson@hashicorp.com> * NodeRead NodeWrite Signed-off-by: Mark Anderson <manderson@hashicorp.com> * OperatorRead and OperatorWrite Signed-off-by: Mark Anderson <manderson@hashicorp.com> * PreparedQuery Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Intention partial Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Fix ServiceRead, Write ,etc Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Error check ServiceRead? Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Fix Sessionread/Write Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Fixup snapshot ACL Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Error fixups for txn Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Add changelog Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Fixup review comments Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Eric	f5c9fa6fa6	Make an xdscommon package that will be shared between Consul and Envoy plugins	3 years ago
R.B. Boyer	2a56e0055b	proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531 ) Prior to this PR for the envoy xDS golden tests in the agent/xds package we were hand-creating a proxycfg.ConfigSnapshot structure in the proper format for input to the xDS generator. Over time this intermediate structure has gotten trickier to build correctly for the various tests. This PR proposes to switch to using the existing mechanism for turning a structs.NodeService and a sequence of cache.UpdateEvent copies into a proxycfg.ConfigSnapshot, as that is less error prone to construct and aligns more with how the data arrives. NOTE: almost all of this is in test-related code. I tried super hard to craft correct event inputs to get the golden files to be the same, or similar enough after construction to feel ok that i recreated the spirit of the original test cases.	3 years ago
Evan Culver	522676ed8d	connect: Update supported Envoy versions to include 1.19.3 and 1.18.6	3 years ago
Evan Culver	b95f010ac0	connect: Upgrade Envoy 1.20 to 1.20.2 (#12443 )	3 years ago
Kyle Havlovitz	3fe358b831	xds: respect chain protocol on default discovery chain	3 years ago
Freddy	9580f79f86	Merge pull request #12223 from hashicorp/proxycfg/passthrough-cleanup	3 years ago
freddygv	cbea3d203c	Fix race of upstreams with same passthrough ip Due to timing, a transparent proxy could have two upstreams to dial directly with the same address. For example: - The orders service can dial upstreams shipping and payment directly. - An instance of shipping at address 10.0.0.1 is deregistered. - Payments is scaled up and scheduled to have address 10.0.0.1. - The orders service receives the event for the new payments instance before seeing the deregistration for the shipping instance. At this point two upstreams have the same passthrough address and Envoy will reject the listener configuration. To disambiguate this commit considers the Raft index when storing passthrough addresses. In the example above, 10.0.0.1 would only be associated with the newer payments service instance.	3 years ago
freddygv	659ebc05a9	Ensure passthrough addresses get cleaned up Transparent proxies can set up filter chains that allow direct connections to upstream service instances. Services that can be dialed directly are stored in the PassthroughUpstreams map of the proxycfg snapshot. Previously these addresses were not being cleaned up based on new service health data. The list of addresses associated with an upstream service would only ever grow. As services scale up and down, eventually they will have instances assigned to an IP that was previously assigned to a different service. When IP addresses are duplicated across filter chain match rules the listener config will be rejected by Envoy. This commit updates the proxycfg snapshot management so that passthrough addresses can get cleaned up when no longer associated with a given upstream. There is still the possibility of a race condition here where due to timing an address is shared between multiple passthrough upstreams. That concern is mitigated by #12195, but will be further addressed in a follow-up.	3 years ago
Freddy	378a7258e3	Prevent xDS tight loop on cfg errors (#12195 )	3 years ago
R.B. Boyer	89bd1f57b5	xds: allow only one outstanding delta request at a time (#12236 ) Fixes #11876 This enforces that multiple xDS mutations are not issued on the same ADS connection at once, so that we can 100% control the order that they are applied. The original code made assumptions about the way multiple in-flight mutations were applied on the Envoy side that was incorrect.	3 years ago
R.B. Boyer	d2c0945f52	xds: fix for delta xDS reconnect bug in LDS/CDS (#12174 ) When a wildcard xDS type (LDS/CDS/SRDS) reconnects from a delta xDS stream, prior to envoy `1.19.0` it would populate the `ResourceNamesSubscribe` field with the full list of currently subscribed items, instead of simply omitting it to infer that it wanted everything (which is what wildcard mode means). This upstream issue was filed in envoyproxy/envoy#16063 and fixed in envoyproxy/envoy#16153 which went out in Envoy `1.19.0` and is fixed in later versions (later refactored in envoyproxy/envoy#16855). This PR conditionally forces LDS/CDS to be wildcard-only even when the connected Envoy requests a non-wildcard subscription, but only does so on versions prior to `1.19.0`, as we should not need to do this on later versions. This fixes the failure case as described here: #11833 (comment) Co-authored-by: Huan Wang <fredwanghuan@gmail.com>	3 years ago
R.B. Boyer	424f3cdd2c	proxycfg: introduce explicit UpstreamID in lieu of bare string (#12125 ) The gist here is that now we use a value-type struct proxycfg.UpstreamID as the map key in ConfigSnapshot maps where we used to use "upstream id-ish" strings. These are internal only and used just for bidirectional trips through the agent cache keyspace (like the discovery chain target struct). For the few places where the upstream id needs to be projected into xDS, that's what (proxycfg.UpstreamID).EnvoyID() is for. This lets us ALWAYS inject the partition and namespace into these things without making stuff like the golden testdata diverge.	3 years ago
Evan Culver	e35dd08a63	connect: Upgrade Envoy 1.20 to 1.20.1 (#11895 )	3 years ago
Kyle Havlovitz	0db874c38b	Add virtual IP generation for term gateway backed services	3 years ago
Mike Morris	1b1a97e8f9	ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576 ) * xds: refactor ingress listener SDS configuration * xds: update resolveListenerSDS call args in listeners_test * ingress: add TLS min, max and cipher suites to GatewayTLSConfig * xds: implement envoyTLSVersions and envoyTLSCipherSuites * xds: merge TLS config * xds: configure TLS parameters with ingress TLS context from leaf * xds: nil check in resolveListenerTLSConfig validation * xds: nil check in makeTLSParameters* functions * changelog: add entry for TLS params on ingress config entries * xds: remove indirection for TLS params in TLSConfig structs * xds: return tlsContext, nil instead of ambiguous err Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * xds: switch zero checks to types.TLSVersionUnspecified * ingress: add validation for ingress config entry TLS params * ingress: validate listener TLS config * xds: add basic ingress with TLS params tests * xds: add ingress listeners mixed TLS min version defaults precedence test * xds: add more explicit tests for ingress listeners inheriting gateway defaults * xds: add test for single TLS listener on gateway without TLS defaults * xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test * types/tls: change TLSVersion to string * types/tls: update TLSCipherSuite to string type * types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private * api: add TLS params to GatewayTLSConfig, add tests * api: add TLSMinVersion to ingress gateway config entry test JSON * xds: switch to Envoy TLS cipher suite encoding from types package * xds: fixup validation for TLSv1_3 min version with cipher suites * add some kitchen sink tests and add a missing struct tag * xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites * xds: update connectTLSEnabled comment * xds: remove unsued resolveGatewayServiceTLSConfig function * xds: add makeCommonTLSContextFromLeafWithoutParams * types/tls: add LessThan comparator function for concrete values * types/tls: change tlsVersions validation map from string to TLSVersion keys * types/tls: remove unused envoyTLSCipherSuites * types/tls: enable chacha20 cipher suites for Consul agent * types/tls: remove insecure cipher suites from allowed config TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source. Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330 * types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private * types/tls: return all unmatched cipher suites in validation errors * xds: check that Envoy API value matching TLS version is found when building TlsParameters * types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings * types/tls: cast to string rather than fmt.Printf in TLSCihperSuite.String() * xds: add TLSVersionUnspecified to list of configurable cipher suites * structs: update note about config entry warning * xds: remove TLS min version cipher suite unconfigurable test placeholder * types/tls: update tests to remove assumption about private map values Co-authored-by: R.B. Boyer <rb@hashicorp.com>	3 years ago
freddygv	fe85138453	additional test fixes	3 years ago
freddygv	d26b4860fd	Account for new upstreams constraint in tests	3 years ago
freddygv	c5c290c503	Validate chains are associated with upstreams Previously we could get into a state where discovery chain entries were not cleaned up after the associated watch was cancelled. These changes add handling for that case where stray chain references are encountered.	3 years ago
Daniel Nephin	dccd3f5806	Merge remote-tracking branch 'origin/main' into serve-panic-recovery	3 years ago
freddygv	e7a7042c69	Update listener generation to account for consul VIP	3 years ago
R.B. Boyer	1e02460bd1	re-run gofmt on 1.17 (#11579 ) This should let freshly recompiled golangci-lint binaries using Go 1.17 pass 'make lint'	3 years ago
Freddy	00b5b0a0a2	Update filter chain creation for sidecar/ingress listeners (#11245 ) The duo of `makeUpstreamFilterChainForDiscoveryChain` and `makeListenerForDiscoveryChain` were really hard to reason about, and led to concealing a bug in their branching logic. There were several issues here: - They tried to accomplish too much: determining filter name, cluster name, and whether RDS should be used. - They embedded logic to handle significantly different kinds of upstream listeners (passthrough, prepared query, typical services, and catch-all) - They needed to coalesce different data sources (Upstream and CompiledDiscoveryChain) Rather than handling all of those tasks inside of these functions, this PR pulls out the RDS/clusterName/filterName logic. This refactor also fixed a bug with the handling of [UpstreamDefaults](https://www.consul.io/docs/connect/config-entries/service-defaults#defaults). These defaults get stored as UpstreamConfig in the proxy snapshot with a DestinationName of "", since they apply to all upstreams. However, this wildcard destination name must not be used when creating the name of the associated upstream cluster. The coalescing logic in the original functions here was in some situations creating clusters with a `.` prefix, which is not a valid destination.	3 years ago
Daniel Upton	50a1f20ff9	xds: prefer fed state gateway definitions if they're fresher (#11522 ) Fixes an issue described in #10132, where if two DCs are WAN federated over mesh gateways, and the gateway in the non-primary DC is terminated and receives a new IP address (as is commonly the case when running them on ephemeral compute instances) the primary DC is unable to re-establish its connection until the agent running on its own gateway is restarted. This was happening because we always preferred gateways discovered by the `Internal.ServiceDump` RPC (which would fail because there's no way to dial the remote DC) over those discovered in the federation state, which is replicated as long as the primary DC's gateway is reachable.	3 years ago
Giulio Micheloni	af7b7b5693	Merge branch 'main' into serve-panic-recovery	3 years ago
Daniel Nephin	8ba760a2fc	acl: remove id and revision from Policy constructors The fields were removed in a previous commit. Also remove an unused constructor for PolicyMerger	3 years ago
freddygv	90ce897456	Store GatewayKey in proxycfg snapshot for re-use	3 years ago
freddygv	bbe46e9522	Update locality check in xds	3 years ago
Evan Culver	61be9371f5	connect: Remove support for Envoy 1.16 (#11354 )	3 years ago
Evan Culver	bec08f4ec3	connect: Add support for Envoy 1.20 (#11277 )	3 years ago
freddygv	e93c144d2f	Update comments	3 years ago
freddygv	9480670b72	Fixup imports	3 years ago
freddygv	c72bbb6e8d	Split up locality check from hostname check	3 years ago
freddygv	448701dbd8	Replace default partition check	3 years ago
freddygv	12923f5ebc	PR comments	3 years ago
freddygv	a33b6923e0	Account for partitions in xds gen for mesh gw This commit avoids skipping gateways in remote partitions of the local DC when generating listeners/clusters/endpoints.	3 years ago
freddygv	935112a47a	Account for partition in SNI for gateways	3 years ago
freddygv	110fae820a	Update xds pkg to account for GatewayKey	3 years ago
freddygv	8006c6df73	Swap in structs.EqualPartitions for cmp	3 years ago
freddygv	b9b6447977	Finish removing useInDatacenter	3 years ago
freddygv	e1691d1627	Update XDS for sidecars dialing through gateways	3 years ago
Paul Banks	c891f30c24	Rebase and rebuild golden files for Envoy version bump	3 years ago
Paul Banks	6faf85bccd	Refactor `resolveListenerSDSConfig` to pass in whole config	3 years ago
Paul Banks	78a00f2e1c	Add support for enabling connect-based ingress TLS per listener.	3 years ago
Giulio Micheloni	fecce25658	Separete test file and no stack trace in ret error	3 years ago
Giulio Micheloni	0c78ddacde	Merge branch 'main' of https://github.com/hashicorp/consul into hashicorp-main	3 years ago
Evan Culver	e808620463	Merge pull request #11118 from hashicorp/eculver/remove-envoy-1.15 Remove support for Envoy 1.15	3 years ago
Evan Culver	c7747212c3	Merge pull request #11115 from hashicorp/eculver/envoy-1.19.1 Add support for Envoy 1.19.1	3 years ago
Evan Culver	db397d62c5	Add 1.15 versions to too old list	3 years ago
Evan Culver	e41830af8a	Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15	3 years ago
Evan Culver	fdbb742ffd	regenerate more envoy golden files	3 years ago
Daniel Nephin	cc310224aa	command/envoy: stop using the DebugConfig from Self endpoint The DebugConfig in the self endpoint can change at any time. It's not a stable API. This commit adds the XDSPort to a stable part of the XDS api, and changes the envoy command to read this new field. It includes support for the old API as well, in case a newer CLI is used with an older API, and adds a test for both cases.	3 years ago
Daniel Nephin	1502547e38	Revert "Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc" This reverts commit `74fb650b6b`, reversing changes made to `58bd817336`.	3 years ago
Evan Culver	60170dfbe7	Merge remote-tracking branch 'origin/eculver/remove-envoy-1.15' into eculver/remove-envoy-1.15	3 years ago
Evan Culver	4f1a8d4ea6	Fix typo Co-authored-by: Freddy <freddygv@users.noreply.github.com>	3 years ago
Evan Culver	03e44da9f7	Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15	3 years ago
Evan Culver	585d9363ed	Merge branch 'main' into eculver/envoy-1.19.1	3 years ago
Paul Banks	7b4cbe3143	Final readability tweaks from review	3 years ago
Paul Banks	70bc89b7f4	Fix subtle loop bug and add test	3 years ago
Paul Banks	5cfd030d03	Refactor Ingress-specific lister code to separate file	3 years ago
Paul Banks	136928a90f	Minor PR typo and cleanup fixes	3 years ago
Paul Banks	a9119e36a5	Fix merge conflict in xds tests	3 years ago
Paul Banks	9fa60c7472	Remove unused argument to fix lint error	3 years ago
Paul Banks	659321d008	Handle namespaces in route names correctly; add tests for enterprise	3 years ago
Paul Banks	2a3d3d3c23	Update xDS routes to support ingress services with different TLS config	3 years ago
Paul Banks	16b3b1c737	Update xDS Listeners with SDS support	3 years ago
Chris S. Kim	f972048ebc	connect: Allow upstream listener escape hatch for prepared queries (#11109 )	3 years ago
Evan Culver	7e20a5e4f9	connect: remove support for Envoy 1.15	3 years ago
Evan Culver	2d23f92b35	add 1.19.x versions to test config	3 years ago
Evan Culver	2798383dbc	regenerate envoy golden files	3 years ago
Evan Culver	7605dff46e	add envoy 1.19.1	3 years ago
R.B. Boyer	b2d17ac448	xds: fix representation of incremental xDS subscriptions (#10987 ) Fixes #10563 The `resourceVersion` map was doing two jobs prior to this PR. The first job was to track what version of every resource we know envoy currently has. The second was to track subscriptions to those resources (by way of the empty string for a version). This mostly works out fine, but occasionally leads to consul removing a resource and accidentally (effectively) unsubscribing at the same time. The fix separates these two jobs. When all of the resources for a subscription are removed we continue to track the subscription until envoy explicitly unsubscribes	3 years ago
R.B. Boyer	5fe613dd05	xds: ensure the active streams counters are 64 bit aligned on 32 bit systems (#11085 )	3 years ago
freddygv	9cd30e8650	Ensure partition is used for SAN validation	3 years ago
freddygv	d90e30f009	Update spiffe ID patterns used for RBAC	3 years ago
freddygv	5e54f253d7	Expand testing of simplifyNotSourceSlice for partitions	3 years ago
freddygv	19da23be28	Expand testing of removeSameSourceIntentions for partitions	3 years ago
freddygv	beab0cd962	Account for partition when matching src intentions	3 years ago
Paul Banks	e22cc9c53a	Header manip for split legs plumbing	3 years ago
Paul Banks	83fc8723a3	Header manip for service-router plumbed through	3 years ago
Paul Banks	f439dfc04f	Ingress gateway header manip plumbing	3 years ago
Dhia Ayachi	bc0e4f2f46	partition dicovery chains (#10983 ) * partition dicovery chains * fix default partition for OSS	3 years ago
Dhia Ayachi	09197c989c	add partition to SNI when partition is non default (#10917 )	3 years ago
Freddy	8d83d27674	connect: update envoy supported versions to latest patch release (#10961) Relevant advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h	3 years ago
Giulio Micheloni	7fa01105cc	Fix merge conflicts	3 years ago
Giulio Micheloni	655da1fc42	Merge branch 'main' into serve-panic-recovery	3 years ago
Giulio Micheloni	4b0eaa4bff	grpc, xds: recovery middleware to return and log error in case of panic 1) xds and grpc servers: 1.1) to use recovery middleware with callback that prints stack trace to log 1.2) callback turn the panic into a core.Internal error 2) added unit test for grpc server	3 years ago
freddygv	01936ddb70	Avoid passing zero value into variadic	3 years ago
freddygv	af52d21884	Update prepared query cluster SAN validation Previously SAN validation for prepared queries was broken because we validated against the name, namespace, and datacenter for prepared queries. However, prepared queries can target: - Services with a name that isn't their own - Services in multiple datacenters This means that the SpiffeID to validate needs to be based on the prepared query endpoints, and not the prepared query's upstream definition. This commit updates prepared query clusters to account for that.	3 years ago
freddygv	85878685b7	Fixup proxy config test fixtures - The TestNodeService helper created services with the fixed name "web", and now that name is overridable. - The discovery chain snapshot didn't have prepared query endpoints so the endpoints tests were missing data for prepared queries	3 years ago
Dhia Ayachi	1950ebbe1f	oss portion of ent #1069 (#10883 )	3 years ago
Daniel Nephin	8252a2691c	xds: document how authorization works	3 years ago
Daniel Nephin	e637cd71f3	acl: use authz consistently as the variable name for an acl.Authorizer Follow up to https://github.com/hashicorp/consul/pull/10737#discussion_r682147950 Renames all variables for acl.Authorizer to use `authz`. Previously some places used `rule` which I believe was an old name carried over from the legacy ACL system. A couple places also used authorizer. This commit also removes another couple of authorizer nil checks that are no longer necessary.	3 years ago
Giulio Micheloni	2b14a9b59a	grpc Server: turn panic into error through middleware	3 years ago
Daniel Nephin	84fac3ce0e	acl: use acl.ManangeAll when ACLs are disabled Instead of returning nil and checking for nilness Removes a bunch of nil checks, and fixes one test failures.	3 years ago
R.B. Boyer	188e8dc51f	agent/structs: add a bunch more EnterpriseMeta helper functions to help with partitioning (#10669 )	3 years ago
Freddy	12b7e07d5c	Merge pull request #10621 from hashicorp/vuln/validate-sans	3 years ago
R.B. Boyer	20feb42d3a	xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619 )	3 years ago
freddygv	b4c5c58c9b	Add TODOs about partition handling	3 years ago
freddygv	5a82656510	Update golden files	3 years ago

1 2 3 4 5 ...

358 Commits (CSLC-91-egress-connect-proxy)