consul

Commit Graph

Author	SHA1	Message	Date
hc-github-team-consul-core	983582aa3b	Backport of NET-11737 - sec vulnerability - remediate ability to use bexpr to filter results without ACL read on endpoint into release/1.20.x (#21962 ) * backport of commit `07a618b1fc` * backport of commit `16e024100a` * backport of commit `a1d9d43849` --------- Co-authored-by: John Murret <john.murret@hashicorp.com>	3 days ago
hc-github-team-consul-core	39f4cb77c4	Backport of Fix PeerUpstreamEndpoints and UpstreamPeerTrustBundles to only Cancel watch when needed, otherwise keep the watch active into release/1.20.x (#21956 ) * backport of commit `e4068befa2` * backport of commit `6e3c944e0e` * backport of commit `48b1103c74` * backport of commit `ba9155b5ce` --------- Co-authored-by: Dhia Ayachi <dhia.ayachi@gmail.com> Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>	5 days ago
hc-github-team-consul-core	e7aac01f90	Backport of Allow multiple endpoints in Envoy clusters configured with hostnames into release/1.20.x (#21882 ) * backport of commit `a80ee727dd` * backport of commit `f270ab5946` --------- Co-authored-by: Tom Davies <tom@t-davies.com>	4 weeks ago
hc-github-team-consul-core	424f5a808a	Backport of [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass into release/1.20.x (#21839 ) backport of commit `9e7757da16` Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>	1 month ago
John Maguire	a3ac555a5e	[NET-10952] fix cluster dns lookup family to gracefully handle ipv6 (#21703 ) * update jwks cluster creation to gracefully handle ipv6 * update unit tests for dns lookup family * Add changelog	2 months ago
sarahalsmiller	07fae7bb0b	[Security] Fix XSS Vulnerability where content-type header wasn't explicitly set (#21704 ) * explicitly add content-type anywhere possible and add middleware to set and warn * added tests, fixed typo * clean up unused constants * changelog * fix call order in middleware	2 months ago
R.B. Boyer	3e6f1c1fe1	remove v2 tenancy, catalog, and mesh (#21592 ) * remove v2 tenancy, catalog, and mesh - Inline the v2tenancy experiment to false - Inline the resource-apis experiment to false - Inline the hcp-v2-resource-apis experiment to false - Remove ACL policy templates and rule language changes related to workload identities (a v2-only concept) (e.g. identity and identity_prefix) - Update the gRPC endpoint used by consul-dataplane to no longer respond specially for v2 - Remove stray v2 references scattered throughout the DNS v1.5 newer implementation. * changelog * go mod tidy on consul containers * lint fixes from ENT --------- Co-authored-by: John Murret <john.murret@hashicorp.com>	3 months ago
Jorge Marey	d12f9cf4d1	Set replication metric to 0 when losing leadership (#20665 ) * Set replication metric to 0 when losing leadership * Fix replication metrics on replication.go also --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>	3 months ago
Poonam Jadhav	cc2c8fb92b	NET-5912/service-defaults protocol validation (#21593 ) * fix: add validation for protocol field on service-defaults config entry * test: update test cases with correct protocol	3 months ago
Nitya Dhanushkodi	ed738a6f98	fix: use Envoy's default for validate_clusters to fix breaking routes when some backend clusters don't exist (#21587 )	3 months ago
John Murret	f76da16000	Fix TestDNS_ServiceLookup_ARecordLimits so that it only creates test agents the minimal amount of time (#21608 ) * get rid of unused column * get rid of duplicate section now that deletion of unused column makes the section duplicate.. * explicit set protocol rathern than infer it in checkDNSService * explicit have attribute for whether to set EDNS0 in the test cases rathern than infer it in checkDNSService * now modify so that test agents are only created for each unique configuration which is based on the a_record_limit. * Fix TestDNS_ServiceLookup_AnswerLimits so that it only creates test agents the minimal amount of time. (#21609) Fix TestDNS_ServiceLookup_AnswerLimits so that it only creates test agents the minimal amount of time	3 months ago
John Maguire	58fad92cd3	fix where jwt clusters are generated (#21606 )	3 months ago
John Maguire	1fa428552b	[NET-10719] Fix cluster generation for jwt clusters for external jwt providers (#21604 ) * Fix cluster generation for jwt clusters for external jwt providers * add changelog	3 months ago
John Maguire	8555404662	[NET-10733] fix generation of xds resources (#21603 ) fix generation of xds resources	3 months ago
John Murret	dcad90639f	NET-10685 - Remove dns v2 code (#21598 ) * NET-10685 - Remove dns v2 code * adding missing erro * add missing license info.	3 months ago
John Murret	c526659b7f	NET-10610 - stop logging no data as errors in DNS lookups (#21578 )	4 months ago
John Maguire	c0faddbe1f	[NET-10246] use correct enterprise meta for service name for LinkedService (#21382 ) * use correct enterprise meta for service name for LinkedService * add changelog	5 months ago
Dan Stough	a251f8ad80	fix(dns): spam ttl logs for prepared queries (#21381 )	5 months ago
Dan Stough	763cd0bffb	fix(txn): validate verbs (#21519 ) * fix(txn): validate verbs * changelog	5 months ago
Kiran Naidoo	88bade6cc0	security: fix AliasCheck panic (update) (#21510 ) Updated `checkServiceExistsOnRemoteServer` to ensure there are services returned from the specified node before proceeding with the service matcher.	5 months ago
Dan Stough	a4a3aec567	fix(dns): bug with standard lookup tags not working; SRV questions returning duplicate hostnames (#21361 )	5 months ago
sarahalsmiller	c18c911ac8	[Security] Close cross scripting vulnerability (#21342 ) * close vulnerability * add changelog	5 months ago
Deniz Onur Duzgun	7a19d2e7a4	security: fix AliasCheck panic (#21339 ) * security: fix AliasCheck panic * add changelog	5 months ago
Nathan Coleman	04d95d2eda	Use text/template instead of html/template for ACL template policy generation (#21303 )	6 months ago
Deniz Onur Duzgun	68a7648d14	security: resolve incorrect type conversions (#21251 ) * security: resolve incorrect type conversions * add changelog * fix more incorrect type conversions	6 months ago
John Murret	6450b6a3b4	update TestHTTPHandlers_AgentMetrics_LeaderShipMetrics to use 3 servers instead of 2 to allow quorum when leadership flails. (#21239 ) * update TestHTTPHandlers_AgentMetrics_LeaderShipMetrics to use 3 servers instead of 2 to allow quorom when leadership flails. * properly sequence defers	6 months ago
John Murret	11bcf521ae	dns v2 - both empty string and default should be allowed for namespace and partition in CE (#21230 ) * dns v2 - both empty string and default should be allowed for namespace and partition in Ce * add changelog * use default partition constant * use constants in validation. --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>	6 months ago
Dhia Ayachi	1f4caaedf2	upgrade deep-copy version, upgrade go to 1.22.3 (#21113 ) * upgrade deep-copy version, upgrade go to 1.22.3 * add changelog	6 months ago
John Murret	9b9c836915	latest ui files in main (#21119 )	6 months ago
John Murret	04940e2c78	additional changes to ensure sameness groups without DefaultForFailover can be used for DNS (#21107 )	6 months ago
John Murret	9b2c1be053	NET-5879 - expose sameness group param on service health endpoint and move sameness group health fallback logic into HealthService RPC layer (#21096 ) * NET-5879 - move the filter for non-passing to occur in the health RPC layer rather than the callers of the RPC * fix import of slices * NET-5879 - expose sameness group param on service health endpoint and move sameness group health fallback logic into HealthService RPC layer * fixing deepcopy * fix license headers	6 months ago
John Murret	a975b04302	NET-5879 - move the filter for non-passing to occur in the health RPC layer rather than the callers of the RPC (#21098 ) * NET-5879 - move the filter for non-passing to occur in the health RPC layer rather than the callers of the RPC * fix import of slices * fix test	6 months ago
John Murret	17df32e5cb	NET-9084 - add tests to peering endpoint and blockingquery package to assert blocking works properly. (#21078 )	7 months ago
R.B. Boyer	1535844c62	gossip: refactor some gossip related libraries into a central place (#21036 ) This refactors and relocates the following packages to live under internal/gossip instead of either in the toplevel lib or agent/consul: - librtt : related to serf coordinates - libserf : random serf stuff	7 months ago
Nathan Coleman	b5b3a63183	[NET-9098] Narrow scope of peering config on terminating gw filter chain to TCP services (#21054 )	7 months ago
Dan Stough	03ab7367a6	feat(dataplane): allow token and tenancy information for proxied DNS (#20899 ) * feat(dataplane): allow token and tenancy information for proxied DNS * changelog	7 months ago
sarahalsmiller	08761f16c8	Net 6820 customize mesh gateway limits (#20945 ) * add upstream limits to mesh gateway cluster generation * changelog * go mod tidy * readd changelog data * undo reversion from rebase * run codegen * Update .changelog/20945.txt Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * address notes * gofmt * clean up * gofmt * Update agent/proxycfg/mesh_gateway.go * gofmt * nil check --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>	7 months ago
Nathan Coleman	5e9f02d4be	[NET-8091] Add file-system-certificate config entry for API gateway (#20873 ) * Define file-system-certificate config entry * Collect file-system-certificate(s) referenced by api-gateway onto snapshot * Add file-system-certificate to config entry kind allow lists * Remove inapplicable validation This validation makes sense for inline certificates since Consul server is holding the certificate; however, for file system certificates, Consul server never actually sees the certificate. * Support file-system-certificate as source for listener TLS certificate * Add more required mappings for the new config entry type * Construct proper TLS context based on certificate kind * Add support or SDS in xdscommon * Remove unused param * Adds back verification of certs for inline-certificates * Undo tangential changes to TLS config consumption * Remove stray curly braces * Undo some more tangential changes * Improve function name for generating API gateway secrets * Add changelog entry * Update .changelog/20873.txt Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> * Add some nil-checking, remove outdated TODO * Update test assertions to include file-system-certificate * Add documentation for file-system-certificate config entry Add new doc to nav * Fix grammar mistake * Rename watchmaps, remove outdated TODO --------- Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com> Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>	7 months ago
Michael Zalimeni	a8d08e759f	fix: consume ignored entries in CE downgrade via Ent snapshot (#20977 ) This operation would previously fail due to unconsumed bytes in the decoder buffer when reading the Ent snapshot (the first byte of the record would be misinterpreted as a type indicator, and the remaining bytes would fail to be deserialized or read as invalid data). Ensure restore succeeds by decoding the ignored record as an interface{}, which will consume the record bytes without requiring a concrete target struct, then moving on to the next record.	8 months ago
Eric Haberkorn	e231f0ee9b	Add an agent config option to diable per tenancy usage metrics. (#20976 )	8 months ago
John Murret	d261a987f1	update go-control-plane envoy dependency to 0.12.0 (#20973 ) * update go-control-plane envoy dependency to 0.12.0 * add changelog * go mod tidy * fix linting issues * add agent/grpc-internal to the list of SA1019 ignores	8 months ago
Nathan Coleman	9af713ff17	[NET-5772] Make tcp external service registered on terminating gw reachable from peered cluster (#19881 ) * Include SNI + root PEMs from peered cluster on terminating gw filter chain This allows an external service registered on a terminating gateway to be exported to and reachable from a peered cluster * Abstract existing logic into re-usable function * Regenerate golden files w/ new listener logic * Add changelog entry * Use peering bundles that are stable across test runs	8 months ago
George Ma	44facc2ea3	chore: remove repetitive words (#20890 ) Signed-off-by: availhang <mayangang@outlook.com>	8 months ago
John Murret	39112c7a98	GH-20889 - put conditionals are hcp initialization for consul server (#20926 ) * put conditionals are hcp initialization for consul server * put more things behind configuration flags * add changelog * TestServer_hcpManager * fix TestAgent_scadaProvider	8 months ago
Dan Stough	6026ada0c9	[CE] feat(v2dns): enable v2 dns as default (#20715 ) * feat(v2dns): enable v2 dns as default * changelog	8 months ago
Iryna Shustava	d747b51dab	Handle ACL errors consistently when blocking query timeout is reached. (#20876 ) Currently, when a client starts a blocking query and an ACL token expires within that time, Consul will return ACL not found error with a 403 status code. However, sometimes if an ACL token is invalidated at the same time as the query's deadline is reached, Consul will instead return an empty response with a 200 status code. This is because of the events being executed. 1. Client issues a blocking query request with timeout `t`. 2. ACL is deleted. 3. Server detects a change in ACLs and force closes the gRPC stream. 4. Client resubscribes with the same token and resets its state (view). 5. Client sees "ACL not found" error. If ACL is deleted before step 4, the client is unaware that the stream was closed due to an ACL error and will return an empty view (from the reset state) with the 200 status code. To fix this problem, we introduce another state to the subsciption to indicate when a change to ACLs has occured. If the server sees that there was an error due to ACL change, it will re-authenticate the request and return an error if the token is no longer valid. Fixes #20790	8 months ago
Chris S. Kim	f3f2175edd	Update go-jose library (#20888 )	8 months ago
Derek Menteer	ac83ac1343	Fix streaming RPCs for agentless. (#20868 ) * Fix streaming RPCs for agentless. This PR fixes an issue where cross-dc RPCs were unable to utilize the streaming backend due to having the node name set. The result of this was the agent-cache being utilized, which would cause high cpu utilization and memory consumption due to the fact that it keeps queries alive for 72 hours before purging inactive entries. This resource consumption is compounded by the fact that each pod in consul-k8s gets a unique token. Since the agent-cache uses the token as a component of the key, the same query is duplicated for each pod that is deployed. * Add changelog.	8 months ago
Derek Menteer	0ac8ae6c3b	Fix xDS deadlock due to syncLoop termination. (#20867 ) * Fix xDS deadlock due to syncLoop termination. This fixes an issue where agentless xDS streams can deadlock permanently until a server is restarted. When this issue occurs, no new proxies are able to successfully connect to the server. Effectively, the trigger for this deadlock stems from the following return statement: https://github.com/hashicorp/consul/blob/v1.18.0/agent/proxycfg-sources/catalog/config_source.go#L199-L202 When this happens, the entire `syncLoop()` terminates and stops consuming from the following channel: https://github.com/hashicorp/consul/blob/v1.18.0/agent/proxycfg-sources/catalog/config_source.go#L182-L192 Which results in the `ConfigSource.cleanup()` function never receiving a response and holding a mutex indefinitely: https://github.com/hashicorp/consul/blob/v1.18.0/agent/proxycfg-sources/catalog/config_source.go#L241-L247 Because this mutex is shared, it effectively deadlocks the server's ability to process new xDS streams. ---- The fix to this issue involves removing the `chan chan struct{}` used like an RPC-over-channels pattern and replacing it with two distinct channels: + `stopSyncLoopCh` - indicates that the `syncLoop()` should terminate soon. + `syncLoopDoneCh` - indicates that the `syncLoop()` has terminated. Splitting these two concepts out and deferring a `close(syncLoopDoneCh)` in the `syncLoop()` function ensures that the deadlock above should no longer occur. We also now evict xDS connections of all proxies for the corresponding `syncLoop()` whenever it encounters an irrecoverable error. This is done by hoisting the new `syncLoopDoneCh` upwards so that it's visible to the xDS delta processing. Prior to this fix, the behavior was to simply orphan them so they would never receive catalog-registration or service-defaults updates. * Add changelog.	8 months ago
Derek Menteer	eabff257d7	Various bug-fixes and improvements (#20866 ) * Shuffle the list of servers returned by `pbserverdiscovery.WatchServers`. This randomizes the list of servers to help reduce the chance of clients all connecting to the same server simultaneously. Consul-dataplane is one such client that does not randomize its own list of servers. * Fix potential goroutine leak in xDS recv loop. This commit ensures that the goroutine which receives xDS messages from proxies will not block forever if the stream's context is cancelled but the `processDelta()` function never consumes the message (due to being terminated). * Add changelog.	8 months ago

1 2 3 4 5 ...

5526 Commits (backport/docs/change-backendRefs-api-group/largely-working-woodcock)