consul

Commit Graph

Author	SHA1	Message	Date
Paul Glass	619032cfcd	Deprecate -join and -join-wan (#15598 )	2 years ago
Semir Patel	bafa5c7156	Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700 )	2 years ago
James Oulman	7e78fb7818	Add support for configuring Envoys route idle_timeout (#14340 ) * Add idleTimeout Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>	2 years ago
Derek Menteer	6fa8fa4fca	Fix issue with connect Envoy choosing incorrect TLS settings. (#15466 ) This commit fixes a situation where the API TLS configuration incorrectly influences the GRPC port TLS configuration for XDS.	2 years ago
Dhia Ayachi	225ae55e83	Leadership transfer cmd (#14132 ) * add leadership transfer command * add RPC call test (flaky) * add missing import * add changelog * add command registration * Apply suggestions from code review Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> * add the possibility of providing an id to raft leadership transfer. Add few tests. * delete old file from cherry pick * rename changelog filename to PR # * rename changelog and fix import * fix failing test * check for OperatorWrite Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> * rename from leader-transfer to transfer-leader * remove version check and add test for operator read * move struct to operator.go * first pass * add code for leader transfer in the grpc backend and tests * wire the http endpoint to the new grpc endpoint * remove the RPC endpoint * remove non needed struct * fix naming * add mog glue to API * fix comment * remove dead code * fix linter error * change package name for proto file * remove error wrapping * fix failing test * add command registration * add grpc service mock tests * fix receiver to be pointer * use defined values Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> * reuse MockAclAuthorizer * add documentation * remove usage of external.TokenFromContext * fix failing tests * fix proto generation * Apply suggestions from code review Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> * Apply suggestions from code review * add more context in doc for the reason * Apply suggestions from docs code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * regenerate proto * fix linter errors Co-authored-by: github-team-consul-core <github-team-consul-core@hashicorp.com> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>	2 years ago
Kyle Schochenmaier	bf0f61a878	removes ioutil usage everywhere which was deprecated in go1.16 (#15297 ) * update go version to 1.18 for api and sdk, go mod tidy * removes ioutil usage everywhere which was deprecated in go1.16 in favour of io and os packages. Also introduces a lint rule which forbids use of ioutil going forward. Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	2 years ago
Derek Menteer	b64972d486	Bring back parameter ServerExternalAddresses in GenerateToken endpoint (#15267 ) Re-add ServerExternalAddresses parameter in GenerateToken endpoint This reverts commit `5e156772f6` and adds extra functionality to support newer peering behaviors.	2 years ago
Chris S. Kim	0e176dd6aa	Allow consul debug on non-ACL consul servers (#15155 )	2 years ago
Luke Kysow	fbd47e1161	config entry: hardcode proxy-defaults name as global (#14833 ) * config entry: hardcode proxy-defaults name as global proxy-defaults can only have the name global. Because of this, we support not even setting the name in the config file: ``` kind = "proxy-defaults" ``` Previously, writing this would result in the output: ``` Config entry written: proxy-defaults/ ``` Now it will output: ``` Config entry written: proxy-defaults/global ``` This change follows what was done for the new Mesh config entry.	2 years ago
R.B. Boyer	da70daba43	test: ensure that all dependencies in a test agent use the test logger (#14996 )	2 years ago
Chris S. Kim	bde57c0dd0	Regenerate files according to 1.19.2 formatter	2 years ago
Iryna Shustava	2a25669b13	cli/sdk: Allow redirection to a different consul dns port (#15050 )	2 years ago
Curt Bushko	161273a931	Update command/connect/envoy/bootstrap_tpl.go Co-authored-by: Paul Glass <pglass@hashicorp.com>	2 years ago
Curt Bushko	cd185c4c2c	update prometheus template args	2 years ago
Nitya Dhanushkodi	5e156772f6	Remove ability to specify external addresses in GenerateToken endpoint (#14930 ) * Reverts "update generate token endpoint to take external addresses (#13844)" This reverts commit `f47319b7c6`.	2 years ago
Iryna Shustava	5cd0ccfc75	Support auth method with snapshot agent [ENT] (#15020 ) Port of hashicorp/consul-enterprise#3303	2 years ago
Iryna Shustava	4bc4ef135c	cli: Add -node-name flag to redirect-traffic command (#14933 )	2 years ago
cskh	eb26a7dee9	fix(cli): missing error message (#14959 )	2 years ago
Chris S. Kim	b0a4c5c563	Include stream-related information in peering endpoints	2 years ago
freddygv	fac3ddc857	Use internal server certificate for peering TLS A previous commit introduced an internally-managed server certificate to use for peering-related purposes. Now the peering token has been updated to match that behavior: - The server name matches the structure of the server cert - The CA PEMs correspond to the Connect CA Note that if Conect is disabled, and by extension the Connect CA, we fall back to the previous behavior of returning the manually configured certs and local server SNI. Several tests were updated to use the gRPC TLS port since they enable Connect by default. This means that the peering token will embed the Connect CA, and the dialer will expect a TLS listener.	2 years ago
Eric Haberkorn	1b565444be	Rename `PeerName` to `Peer` on prepared queries and exported services (#14854 )	2 years ago
Eric Haberkorn	80e51ff907	Add exported services event to cluster peering replication. (#14797 )	2 years ago
Nick Ethier	1c1b0994b8	add HCP integration component (#14723 ) * add HCP integration * lint: use non-deprecated logging interface	2 years ago
DanStough	2a2debee64	feat(peering): validate server name conflicts on establish	2 years ago
Chris S. Kim	7370f0a953	Fix test ordering (#14543 )	2 years ago
Derek Menteer	bf769daae4	Merge branch 'main' of github.com:hashicorp/consul into derekm/split-grpc-ports	2 years ago
Derek Menteer	f64771c707	Address PR comments.	2 years ago
DanStough	e617e7df3e	feat(cli): add initial peering cli commands	2 years ago
Derek Menteer	1255a8a20d	Add separate grpc_tls port. To ease the transition for users, the original gRPC port can still operate in a deprecated mode as either plain-text or TLS mode. This behavior should be removed in a future release whenever we no longer support this. The resulting behavior from this commit is: `ports.grpc > 0 && ports.grpc_tls > 0` spawns both plain-text and tls ports. `ports.grpc > 0 && grpc.tls == undefined` spawns a single plain-text port. `ports.grpc > 0 && grpc.tls != undefined` spawns a single tls port (backwards compat mode).	2 years ago
Dao Thanh Tung	fead3c537b	Fix Consul KV CLI 'GET' flags 'keys' and 'recurse' to be set together (#13493 ) allow flags -recurse and -keys to be run at the same time in consul kv get CLI	2 years ago
Jared Kirschner	1200e83c3b	Merge pull request #14034 from hashicorp/make-proxy-sidecar-for-case-insensitive Allow uppercase in proxy launch -sidecar-for arg	2 years ago
Daniel Upton	6e0de48e60	cli: update agent log preamble to reflect per-listener TLS config	2 years ago
Jared Kirschner	22511ec491	Allow uppercase in proxy launch -sidecar-for arg Previously, when launching a sidecar proxy with one of the following commands: - consul connect envoy -sidecar-for=... - consul connect proxy -sidecar-for=... ... the -sidecar-for argument could only contain lowercase letters, even if the service was registered with some uppercase letters. Now, the -sidecar-for argument is treated as case-insensitive.	2 years ago
cskh	155c4bc2af	fix(cli): error message in service deregister subcommand (#14028 )	2 years ago
cskh	6640997fc1	fix (cli): import empty directory to kv (#13939 ) * fix (cli): import empty directory to kv - when import an empty directory like foo/, the import command will remove the trailing /, making it a non-directory key. - This change fixes the bug by adding back the / if the imported key is an directory	2 years ago
Chris S. Kim	8ed49ea4d0	Update envoy metrics label extraction for peered clusters and listeners (#13818 ) Now that peered upstreams can generate envoy resources (#13758), we need a way to disambiguate local from peered resources in our metrics. The key difference is that datacenter and partition will be replaced with peer, since in the context of peered resources partition is ambiguous (could refer to the partition in a remote cluster or one that exists locally). The partition and datacenter of the proxy will always be that of the source service. Regexes were updated to make emitting datacenter and partition labels mutually exclusive with peer labels. Listener filter names were updated to better match the existing regex. Cluster names assigned to peered upstreams were updated to be synthesized from local peer name (it previously used the externally provided primary SNI, which contained the peer name from the other side of the peering). Integration tests were updated to assert for the new peer labels.	2 years ago
DanStough	2da8949d78	feat: convert destination address to slice	2 years ago
Paul Glass	77afe0e76e	Extract AWS auth implementation out of Consul (#13760 )	2 years ago
Jared Kirschner	067272b53f	Merge pull request #13787 from hashicorp/fix-acl-read-token-self-expanded-panic Fix panic on acl token read with -self and -expanded	2 years ago
Jared Kirschner	927033e672	Fix panic on acl token read with -self and -expanded	2 years ago
cskh	cf6b6dddaf	feat(cli): enable to delete config entry from an input file (#13677 ) * feat(cli): enable to delete config entry from an input file - A new flag to config delete to delete a config entry in a valid config file, e.g., config delete -filename intention-allow.hcl - Updated flag validation; -filename and -kind can't be set at the same time - Move decode config entry method from config_write.go to helpers.go for reusing ParseConfigEntry() - add changelog Co-authored-by: Dan Upton <daniel@floppy.co>	2 years ago
Kyle Havlovitz	407e858389	Fix syntax for bootstrap sds secret config	2 years ago
R.B. Boyer	31b95c747b	xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629 ) When the protocol is http-like, and an intention has a peered source then the normal RBAC mTLS SAN field check is replaces with a joint combo of: mTLS SAN field must be the service's local mesh gateway leaf cert AND the first XFCC header (from the MGW) must have a URI field that matches the original intention source Also: - Update the regex program limit to be much higher than the teeny defaults, since the RBAC regex constructions are more complicated now. - Fix a few stray panics in xds generation.	2 years ago
Kyle Havlovitz	55109eb9f6	command: Add TLS support for envoy prometheus endpoint	2 years ago
Riddhi Shah	411edc876b	[OSS] Support merge-central-config option in node services list API (#13450 ) Adds the merge-central-config query param option to the /catalog/node-services/:node-name API, to get a service definition in the response that is merged with central defaults (proxy-defaults/service-defaults). Updated the consul connect envoy command to use this option when retrieving the proxy service details so as to render the bootstrap configuration correctly.	2 years ago
Mark Anderson	61a8995847	Fix issue with consul version tests Signed-off-by: Mark Anderson <manderson@hashicorp.com>	2 years ago
Mark Anderson	4cd42a2e1f	Fixup agent startup Signed-off-by: Mark Anderson <manderson@hashicorp.com>	2 years ago
Mark Anderson	8945b68a9d	Cleanup and extend basic build date Signed-off-by: Mark Anderson <manderson@hashicorp.com>	2 years ago
Mark Anderson	b35e749305	Add BuildDate to version structure Signed-off-by: Mark Anderson <manderson@hashicorp.com>	2 years ago
Riddhi Shah	7a039b46a2	[OSS] consul connect envoy command changes for agentless (#13361 ) Changes the sourcing of the envoy bootstrap configuration to not use agent APIs and instead use the catalog(server) API. This is done by passing a node-name flag to the command, (which can only be used with proxy-id). Also fixes a bug where the golden envoy bootstrap config files used for tests did not use the expected destination service name in certain places for connect proxy kind.	3 years ago
Dhia Ayachi	1b779240ae	update gateway-services table with endpoints (#13217 ) * update gateway-services table with endpoints * fix failing test * remove unneeded config in test * rename "endpoint" to "destination" * more endpoint renaming to destination in tests * update isDestination based on service-defaults config entry creation * use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist) * set unknown state to empty to avoid modifying alot of tests * fix logic to set the kind correctly on CRUD * fix failing tests * add missing tests and fix service delete * fix failing test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * fix a bug with kind and add relevant test * fix compile error * fix failing tests * add kind to clone * fix failing tests * fix failing tests in catalog endpoint * fix service dump test * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com> * remove duplicate tests * rename consts and fix kind when no destination is defined in the service-defaults. * rename Kind to ServiceKind and change switch to use .(type) Co-authored-by: Dan Stough <dan.stough@hashicorp.com>	3 years ago
Chris S. Kim	8e24a56134	Refactor some functions for better enterprise use (#13280 )	3 years ago
Chris S. Kim	b2c4e8b2fe	Add build tag for oss (#13279 )	3 years ago
Mathew Estafanous	428e32706e	Replace CLI command registry with a new pattern. (#12729 )	3 years ago
DanStough	817449041d	chore(test): Update bats version	3 years ago
Mark Anderson	2fcac5224e	Merge pull request #12878 from hashicorp/ma/x-forwarded-client-cert Support x-forwarded-client-cert	3 years ago
Dan Upton	a668c36930	acl: gRPC login and logout endpoints (#12935 ) Introduces two new public gRPC endpoints (`Login` and `Logout`) and includes refactoring of the equivalent net/rpc endpoints to enable the majority of logic to be reused (i.e. by extracting the `Binder` and `TokenWriter` types). This contains the OSS portions of the following enterprise commits: - 75fcdbfcfa6af21d7128cb2544829ead0b1df603 - bce14b714151af74a7f0110843d640204082630a - cc508b70fbf58eda144d9af3d71bd0f483985893	3 years ago
Mark Anderson	6430af1c0e	Update mesh config tests Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
R.B. Boyer	1a491886fa	structs: ensure exported-services PeerName field can be addressed as peer_name (#12862 )	3 years ago
Evan Culver	000d0621b4	connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805 ) Co-authored-by: R.B. Boyer <rb@hashicorp.com>	3 years ago
Kyle Havlovitz	3e88f579fc	Fix namespace default field names in expanded token output	3 years ago
Mark Anderson	98a2e282be	Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
R.B. Boyer	d06183ba7f	syncing changes back from enterprise (#12701 )	3 years ago
Kyle Havlovitz	059bd0a92e	Merge pull request #12670 from hashicorp/token-read-expanded oss: Add expanded token read flag and endpoint option	3 years ago
Dhia Ayachi	16b19dd82d	auto-reload configuration when config files change (#12329 ) * add config watcher to the config package * add logging to watcher * add test and refactor to add WatcherEvent. * add all API calls and fix a bug with recreated files * add tests for watcher * remove the unnecessary use of context * Add debug log and a test for file rename * use inode to detect if the file is recreated/replaced and only listen to create events. * tidy ups (#1535) * tidy ups * Add tests for inode reconcile * fix linux vs windows syscall * fix linux vs windows syscall * fix windows compile error * increase timeout * use ctime ID * remove remove/creation test as it's a use case that fail in linux * fix linux/windows to use Ino/CreationTime * fix the watcher to only overwrite current file id * fix linter error * fix remove/create test * set reconcile loop to 200 Milliseconds * fix watcher to not trigger event on remove, add more tests * on a remove event try to add the file back to the watcher and trigger the handler if success * fix race condition * fix flaky test * fix race conditions * set level to info * fix when file is removed and get an event for it after * fix to trigger handler when we get a remove but re-add fail * fix error message * add tests for directory watch and fixes * detect if a file is a symlink and return an error on Add * rename Watcher to FileWatcher and remove symlink deref * add fsnotify@v1.5.1 * fix go mod * do not reset timer on errors, rename OS specific files * rename New func * events trigger on write and rename * add missing test * fix flaking tests * fix flaky test * check reconcile when removed * delete invalid file * fix test to create files with different mod time. * back date file instead of sleeping * add watching file in agent command. * fix watcher call to use new API * add configuration and stop watcher when server stop * add certs as watched files * move FileWatcher to the agent start instead of the command code * stop watcher before replacing it * save watched files in agent * add add and remove interfaces to the file watcher * fix remove to not return an error * use `Add` and `Remove` to update certs files * fix tests * close events channel on the file watcher even when the context is done * extract `NotAutoReloadableRuntimeConfig` is a separate struct * fix linter errors * add Ca configs and outgoing verify to the not auto reloadable config * add some logs and fix to use background context * add tests to auto-config reload * remove stale test * add tests to changes to config files * add check to see if old cert files still trigger updates * rename `NotAutoReloadableRuntimeConfig` to `StaticRuntimeConfig` * fix to re add both key and cert file. Add test to cover this case. * review suggestion Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add check to static runtime config changes * fix test * add changelog file * fix review comments * Apply suggestions from code review Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * update flag description Co-authored-by: FFMMM <FFMMM@users.noreply.github.com> * fix compilation error * add static runtime config support * fix test * fix review comments * fix log test * Update .changelog/12329.txt Co-authored-by: Dan Upton <daniel@floppy.co> * transfer tests to runtime_test.go * fix filewatcher Replace to not deadlock. * avoid having lingering locks Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * split ReloadConfig func * fix warning message Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * convert `FileWatcher` into an interface * fix compilation errors * fix tests * extract func for adding and removing files Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: FFMMM <FFMMM@users.noreply.github.com> Co-authored-by: Daniel Upton <daniel@floppy.co>	3 years ago
Kyle Havlovitz	b21b4346b4	Add expanded token read flag and endpoint option	3 years ago
Paul Glass	706c844423	Add IAM Auth Method (#12583 ) This adds an aws-iam auth method type which supports authenticating to Consul using AWS IAM identities. Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
R.B. Boyer	e79ce8ab03	xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601 ) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966	3 years ago
Dan Upton	b36d4e16b6	Support per-listener TLS configuration ⚙️ (#12504 ) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.	3 years ago
R.B. Boyer	957146401e	catalog: compare node names case insensitively in more places (#12444 ) Many places in consul already treated node names case insensitively. The state store indexes already do it, but there are a few places that did a direct byte comparison which have now been corrected. One place of particular consideration is ensureCheckIfNodeMatches which is executed during snapshot restore (among other places). If a node check used a slightly different casing than the casing of the node during register then the snapshot restore here would deterministically fail. This has been fixed. Primary approach: git grep -i "node.[!=]=.node" -- ':!_test.go' ':!docs' git grep -i '\[[^]]member[^]]\] git grep -i '\[[^]]$member\\|name\\|node$[^]]\]' -- ':!_test.go' ':!website' ':!ui' ':!agent/proxycfg/testing.go:' ':!*.md'	3 years ago
Daniel Nephin	53ae4b3e2c	debug: update CLI docs To clarify how trace is captured. Also remove the minimum seconds check, because that is already done in prepare()	3 years ago
Daniel Nephin	cc2c005fad	debug: limit the size of the trace We've noticed that a trace that is captured over the full duration is too large to open on most machines. A trace.out captured over just the interval period (30s by default) should be a more than enough time to capture trace data.	3 years ago
FFMMM	78264a8030	Vendor in rpc mono repo for net/rpc fork, go-msgpack, msgpackrpc. (#12311 ) This commit syncs ENT changes to the OSS repo. Original commit details in ENT: ``` commit 569d25f7f4578981c3801e6e067295668210f748 Author: FFMMM <FFMMM@users.noreply.github.com> Date: Thu Feb 10 10:23:33 2022 -0800 Vendor fork net rpc (#1538) * replace net/rpc w consul-net-rpc/net/rpc Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * replace msgpackrpc and go-msgpack with fork from mono repo Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * gofmt all files touched Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> ``` Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>	3 years ago
R.B. Boyer	b60d89e7ef	bulk rewrite using this script set -euo pipefail unset CDPATH cd "$(dirname "$0")" for f in $(git grep '\brequire := require\.New(' \| cut -d':' -f1 \| sort -u); do echo "=== require: $f ===" sed -i '/require := require.New(t)/d' $f # require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah) sed -i 's/\brequire\.$[a-zA-Z0-9_]$($[^tr]$/require.\1(t,\2/g' $f # require.XXX(tblah) but not require.XXX(t, blah) sed -i 's/\brequire\.$[a-zA-Z0-9_]$($t[^,]$/require.\1(t,\2/g' $f # require.XXX(rblah) but not require.XXX(r, blah) sed -i 's/\brequire\.$[a-zA-Z0-9_]$($r[^,]$/require.\1(t,\2/g' $f gofmt -s -w $f done for f in $(git grep '\bassert := assert\.New(' \| cut -d':' -f1 \| sort -u); do echo "=== assert: $f ===" sed -i '/assert := assert.New(t)/d' $f # assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah) sed -i 's/\bassert\.$[a-zA-Z0-9_]$($[^tr]$/assert.\1(t,\2/g' $f # assert.XXX(tblah) but not assert.XXX(t, blah) sed -i 's/\bassert\.$[a-zA-Z0-9_]$($t[^,]$/assert.\1(t,\2/g' $f # assert.XXX(rblah) but not assert.XXX(r, blah) sed -i 's/\bassert\.$[a-zA-Z0-9_]$($r[^,]$/assert.\1(t,\2/g' $f gofmt -s -w $f done	3 years ago
R.B. Boyer	31f6f55bbe	test: normalize require.New and assert.New syntax	3 years ago
Mike Morris	1b1a97e8f9	ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576 ) * xds: refactor ingress listener SDS configuration * xds: update resolveListenerSDS call args in listeners_test * ingress: add TLS min, max and cipher suites to GatewayTLSConfig * xds: implement envoyTLSVersions and envoyTLSCipherSuites * xds: merge TLS config * xds: configure TLS parameters with ingress TLS context from leaf * xds: nil check in resolveListenerTLSConfig validation * xds: nil check in makeTLSParameters* functions * changelog: add entry for TLS params on ingress config entries * xds: remove indirection for TLS params in TLSConfig structs * xds: return tlsContext, nil instead of ambiguous err Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * xds: switch zero checks to types.TLSVersionUnspecified * ingress: add validation for ingress config entry TLS params * ingress: validate listener TLS config * xds: add basic ingress with TLS params tests * xds: add ingress listeners mixed TLS min version defaults precedence test * xds: add more explicit tests for ingress listeners inheriting gateway defaults * xds: add test for single TLS listener on gateway without TLS defaults * xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test * types/tls: change TLSVersion to string * types/tls: update TLSCipherSuite to string type * types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private * api: add TLS params to GatewayTLSConfig, add tests * api: add TLSMinVersion to ingress gateway config entry test JSON * xds: switch to Envoy TLS cipher suite encoding from types package * xds: fixup validation for TLSv1_3 min version with cipher suites * add some kitchen sink tests and add a missing struct tag * xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites * xds: update connectTLSEnabled comment * xds: remove unsued resolveGatewayServiceTLSConfig function * xds: add makeCommonTLSContextFromLeafWithoutParams * types/tls: add LessThan comparator function for concrete values * types/tls: change tlsVersions validation map from string to TLSVersion keys * types/tls: remove unused envoyTLSCipherSuites * types/tls: enable chacha20 cipher suites for Consul agent * types/tls: remove insecure cipher suites from allowed config TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source. Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330 * types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private * types/tls: return all unmatched cipher suites in validation errors * xds: check that Envoy API value matching TLS version is found when building TlsParameters * types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings * types/tls: cast to string rather than fmt.Printf in TLSCihperSuite.String() * xds: add TLSVersionUnspecified to list of configurable cipher suites * structs: update note about config entry warning * xds: remove TLS min version cipher suite unconfigurable test placeholder * types/tls: update tests to remove assumption about private map values Co-authored-by: R.B. Boyer <rb@hashicorp.com>	3 years ago
Daniel Nephin	ff7f3a9737	cli: use file mode 0600 when saving a snapshot So that other users on the machine can not access the snapshot data.	3 years ago
Blake Covarrubias	e898cf1d41	cli: Show node identities in acl token list output (#11926 ) Fix the pretty CLI output of `consul acl token list` so that it properly displays node identities that are associated with a token.	3 years ago
Daniel Nephin	da95a0e449	Merge pull request #11884 from assareh/patch-1 consul pls cert create usage example provided in CLI help shows outdated arguments	3 years ago
Daniel Nephin	1eb3178468	Merge pull request #11781 from marco-m/private-key-0600-permission cli: consul tls: create private keys with mode 0600	3 years ago
Andy Assareh	fab47eb70f	usage example given uses outdated arguments the usage example shows incorrect arguments for ca cert and key. the correct arguments are now -ca and -key	3 years ago
freddygv	6bbf109bdd	Update golden files	3 years ago
freddygv	68424b318a	Get partition label from upstream metrics	3 years ago
Evan Culver	a0c754d44f	connect: update SNI label extraction to support new taxonomy for partitions (#11786 )	3 years ago
Chris S. Kim	71bad67a4d	Add partitions to prettyformatters (#11789 )	3 years ago
Marco Molteni	8a4b92c176	cli: consul tls: create private keys with mode 0600 This applies to consul tls ca create consul tls cert create -client consul tls cert create -server Closes: #11741	3 years ago
Dan Upton	205ce9a69d	Remove references to "master" ACL tokens in tests (#11751 )	3 years ago
freddygv	9b44861ce4	Update api module and decoding tests	3 years ago
freddygv	ed6076db26	Rename partition-exports to exported-services Using a name less tied to partitions gives us more flexibility to use this config entry in OSS for exports between datacenters/meshes.	3 years ago
R.B. Boyer	c46f9f9f31	agent: add variation of force-leave that exclusively works on the WAN (#11722 ) Fixes #6548	3 years ago
Daniel Nephin	81afb208ac	Merge pull request #11677 from hashicorp/dnephin/freeport-interface sdk: use t.Cleanup in freeport and remove unnecessary calls	3 years ago
Dan Upton	bf56a2c495	Rename `agent_master` ACL token in the API and CLI (#11669 )	3 years ago
Daniel Nephin	e8312d6b5a	testing: remove unnecessary calls to freeport Previously we believe it was necessary for all code that required ports to use freeport to prevent conflicts. https://github.com/dnephin/freeport-test shows that it is actually save to use port 0 (`127.0.0.1:0`) as long as it is passed directly to `net.Listen`, and the listener holds the port for as long as it is needed. This works because freeport explicitly avoids the ephemeral port range, and port 0 always uses that range. As you can see from the test output of https://github.com/dnephin/freeport-test, the two systems never use overlapping ports. This commit converts all uses of freeport that were being passed directly to a net.Listen to use port 0 instead. This allows us to remove a bit of wrapping we had around httptest, in a couple places.	3 years ago
Daniel Nephin	5a61893642	testing: use httptest with freeport	3 years ago
Daniel Nephin	56f9238d15	go-sso: remove returnFunc now that freeport handles return	3 years ago
R.B. Boyer	1e02460bd1	re-run gofmt on 1.17 (#11579 ) This should let freshly recompiled golangci-lint binaries using Go 1.17 pass 'make lint'	3 years ago
R.B. Boyer	eb21649f82	partitions: various refactors to support partitioning the serf LAN pool (#11568 )	3 years ago
freddygv	5bc4aa49bd	Fix test	3 years ago
freddygv	4c9c1b52ce	Support partitions in connect expose cmd	3 years ago
freddygv	a6d985040f	Fixup shared oss/ent tests	3 years ago
Nitya Dhanushkodi	139c4eb844	command/redirect_traffic: Redirect DNS requests to Consul if -consul-dns-ip is passed in (#11480 ) * command/redirect_traffic: add rules to redirect DNS to Consul. Currently uses a hack to get the consul dns service ip, and this hack only works when the service is deployed in the same namespace as consul. * command/redirect_traffic: redirect DNS to Consul when -consul-dns-ip is passed in * Add unit tests to Consul DNS IP table redirect rules Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>	3 years ago
Dhia Ayachi	98735a6d12	KV refactoring, part 2 (#11512 ) * add partition to the kv get pretty print * fix failing test * add test for kvs RPC endpoint	3 years ago
Daniel Upton	d47b7311b8	Support Check-And-Set deletion of config entries (#11419 ) Implements #11372	3 years ago
R.B. Boyer	61361c2e5d	cli: update consul members output to display partitions and sort the results usefully (#11446 )	3 years ago
R.B. Boyer	c8cafb7654	agent: for various /v1/agent endpoints parse the partition parameter on the request (#11444 ) Also update the corresponding CLI commands to send the parameter appropriately. NOTE: Behavioral changes are not happening in this PR.	3 years ago
Freddy	b1b6f682e1	Merge pull request #11416 from hashicorp/ap/exports-update Rename service-exports to partition-exports	3 years ago
R.B. Boyer	ef559dfdd4	agent: refactor the agent delegate interface to be partition friendly (#11429 )	3 years ago
freddygv	5c24ed61a8	Rename service-exports to partition-exports Existing config entries prefixed by service- are specific to individual services. Since this config entry applies to partitions it is being renamed. Additionally, the Partition label was changed to Name because using Partition at the top-level and in the enterprise meta was leading to the enterprise meta partition being dropped by msgpack.	3 years ago
Kyle Havlovitz	04cd2c983e	Add new service-exports config entry	3 years ago
Oleg Butuzov	f9c290890f	refactor: replace (bytes.Buffer).WriteString with (bytes.Buffer).Write This PR change one method of bytes.Buffer struct package with a similar one, as result - code produce less allocations on heap.	3 years ago
Evan Culver	be667e280f	connect: Remove envoy_version from bootstrap template (#11215 )	3 years ago
Evan Culver	c7747212c3	Merge pull request #11115 from hashicorp/eculver/envoy-1.19.1 Add support for Envoy 1.19.1	3 years ago
Daniel Nephin	cc310224aa	command/envoy: stop using the DebugConfig from Self endpoint The DebugConfig in the self endpoint can change at any time. It's not a stable API. This commit adds the XDSPort to a stable part of the XDS api, and changes the envoy command to read this new field. It includes support for the old API as well, in case a newer CLI is used with an older API, and adds a test for both cases.	3 years ago
Daniel Nephin	1502547e38	Revert "Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc" This reverts commit `74fb650b6b`, reversing changes made to `58bd817336`.	3 years ago
Evan Culver	9b73e7319d	Merge branch 'main' into eculver/envoy-1.19.1	3 years ago
Bisakh	981ef464d6	acl: update GetPolicyByName method implementation (#11055 )	3 years ago
Evan Culver	1709309cc7	regenerate more envoy golden files	3 years ago
freddygv	e0a7900f52	Fixup api config and Envoy test	3 years ago
freddygv	cecf5b18f8	Bring back entmeta args defaulting	3 years ago
freddygv	7ecbac9228	Ensure Envoy can subscribe to non-default partition	3 years ago
Freddy	8d83d27674	connect: update envoy supported versions to latest patch release (#10961) Relevant advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h	3 years ago
Dhia Ayachi	fe8b3dfccf	add partition flag to catalog commands (#10949 ) * add partition flag to catalog commands * add missing files	3 years ago
R.B. Boyer	097e1645e3	agent: ensure that most agent behavior correctly respects partition configuration (#10880 )	3 years ago
Daniel Nephin	797ee061e4	debug: use human readable dates for filenames The unix timestamps that were used make the debug data a little bit more difficult to consume. By using human readable dates we can easily see when the profile data was collected. This commit also improves the test coverage. Two test cases are removed and the assertions from those cases are moved to TestDebugCommand. Now TestDebugCommand is able to validate the contents of all files. This change reduces the test runtime of the command/debug package by almost 50%. It also makes much more strict assertions about the contents by using gotest.tools/v3/fs.	3 years ago
Daniel Nephin	2f8d0e12cf	debug: small cleanup Use the new WriteJsonFile function to write index.json Remove .String() from time.local() since that is done by %s Remove an unused field.	3 years ago
Daniel Nephin	4359e38114	debug: restore cancel on SigInt Some previous changes broke interrupting the debug on SigInterupt. This change restores the original behaviour by passing a context to requests. Since a new API client function was required to pass the context, I had it also return an io.ReadCloser, so that output can be streamed to files instead of fully buffering in process memory.	3 years ago
Daniel Nephin	31bcd80528	debug: improve a couple of the test cases Use gotest.tools/v3/fs to make better assertions about the files Remove the TestAgent from TestDebugCommand_Prepare_ValidateTiming, since we can test that validation without making any API calls.	3 years ago
Daniel Nephin	bbf6a94c9a	debug: rename cluster target to members The API is called members. Using the same name as the API should help describe the contents of the file.	3 years ago
Daniel Nephin	251026e374	debug: remove unused	3 years ago
Daniel Nephin	70c2cdc8f1	cli: remove a test case for updating a legacy token Legacy tokens are no longer accepted, so we don't need to test their upgrade path.	3 years ago
Mark Anderson	d3cebbd32c	Fixup to support unix domain socket via command line (#10758 ) Missed the need to add support for unix domain socket config via api/command line. This is a variant of the problems described in it is easy to drop one. Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Blake Covarrubias	1ee8655bfc	cli: Fix broken KV import on Windows (#10820 ) Consul 1.10 (PR #9792) introduced the ability to specify a prefix when importing KV's. This however introduced a regression on Windows systems which breaks `kv import`. The key name is joined with specified`-prefix` using `filepath.Join()` which uses a forward slash (/) to delimit values on Unix-based systems, and a backslash (\) to delimit values on Windows – the latter of which is incompatible with Consul KV paths. This commit replaces filepath.Join() with path.Join() which uses a forward slash as the delimiter, providing consistent key join behavior across supported operating systems. Fixes #10583	3 years ago
Blake Covarrubias	e41d6ee60f	cli: Use admin bind address in self_admin cluster (#10757 ) Configure the self_admin cluster to use the admin bind address provided when starting Envoy. Fixes #10747	3 years ago
Blake Covarrubias	6a68bfc5e1	cli: Test API access using /status/leader in consul watch (#10795 ) Replace call to /agent/self with /status/leader to verify agent reachability before initializing a watch. This endpoint is not guarded by ACLs, and as such can be queried by any API client regardless of their permissions. Fixes #9353	3 years ago
Daniel Nephin	9dd6d26d05	acl: remove rule == nil checks	3 years ago
Evan Culver	24db06f503	Fix maint test	3 years ago
Daniel Nephin	beea1c2218	http: emit indented JSON in the metrics stream endpoint To remove the need to decode and re-encode in the CLI	3 years ago
Daniel Nephin	c3149ec0fd	debug: use the new metrics stream in debug command	3 years ago
Dhia Ayachi	de124d0aa1	add http flag for admin partition (#10683 )	3 years ago
R.B. Boyer	b0657973f2	add partition cli flag to all cli commands that have namespace flag (#10668 )	3 years ago
Blake Covarrubias	6c462d399b	cli: Document pass-through option for `consul connect envoy` (#10666 ) Update help text of `consul connect envoy` command to mention the ability to provide pass-through options.	3 years ago
Evan Culver	0527dcff57	acls: Show `AuthMethodNamespace` when reading/listing ACL token meta (#10598 )	3 years ago
Daniel Nephin	74fb650b6b	Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc config: rename `ports.grpc` to `ports.xds`	3 years ago
Daniel Nephin	233d03dbbd	Apply suggestions from code review Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Daniel Nephin	4ad80ccee3	command/envoy: stop using the DebugConfig from Self endpoint The DebugConfig in the self endpoint can change at any time. It's not a stable API. With the previous change to rename GRPCPort to XDSPort this command would have broken. This commit adds the XDSPort to a stable part of the XDS api, and changes the envoy command to read this new field. It includes support for the old API as well, in case a newer CLI is used with an older API, and adds a test for both cases.	3 years ago
Iryna Shustava	95305881ce	cli/sdk: Allow applying redirect-traffic rules in a provided Linux namespace (#10564 )	3 years ago
Daniel Nephin	895bf9adec	config: update GRPCPort and addr in runtime config	3 years ago
Evan Culver	13bd86527b	Add support for returning ACL secret IDs for accessors with acl:write (#10546 )	3 years ago
R.B. Boyer	c94b8c6a39	config: add agent config flag for enterprise clients to indicate they wish to join a particular partition (#10572 )	3 years ago
Daniel Nephin	2c4f22a9f0	Merge pull request #10552 from hashicorp/dnephin/ca-remove-rotation-period ca: remove unused RotationPeriod field	3 years ago
jkirschner-hashicorp	5f73de6fbc	Merge pull request #10560 from jkirschner-hashicorp/change-sane-to-reasonable Replace use of 'sane' where appropriate	3 years ago
Daniel Nephin	3a045cca8d	ca: remove unused RotationPeriod field This field was never used. Since it is persisted as part of a map[string]interface{} it is pretty easy to remove it.	3 years ago
Jared Kirschner	bd536151e1	Replace use of 'sane' where appropriate HashiCorp voice, style, and language guidelines recommend avoiding ableist language unless its reference to ability is accurate in a particular use.	3 years ago
Daniel Nephin	690dc41c55	Merge pull request #10515 from hashicorp/dnephin/fix-arm32-atomic-aligment Fix panic on 32-bit platforms	3 years ago
Daniel Nephin	4d741531b4	Update references to the main branch The main branch is being renamed from master->main. This commit should update all references to the main branch to the new name. Co-Authored-By: Mike Morris <mikemorris@users.noreply.github.com>	3 years ago
Daniel Nephin	f34d3543b1	testing: fix a test for 32-bit The hcl decoding apparently uses strconv.ParseInt, which fails to parse a 64bit int. Since hcl v1 is basically EOl, it seems unlikely we'll fix this in hcl. Since this test is only about loading values from config files, the extra large number doesn't seem important. Trim a few zeros from the numbers so that they parse properly on 32bit platforms. Also skip a slow test when -short is used.	3 years ago
Kyle Nusbaum	07cec75be2	command/agent: change io.Discard to ioutil.Discard	3 years ago
Freddy	ffb13f35f1	Rename CatalogDestinationsOnly (#10397 ) CatalogDestinationsOnly is a passthrough that would enable dialing addresses outside of Consul's catalog. However, when this flag is set to true only _connect_ endpoints for services can be dialed. This flag is being renamed to signal that non-Connect endpoints can't be dialed by transparent proxies when the value is set to true.	3 years ago
Freddy	429f9d8bb8	Add flag for transparent proxies to dial individual instances (#10329 )	4 years ago
Dhia Ayachi	005ad9e46d	generate a single debug file for a long duration capture (#10279 ) * debug: remove the CLI check for debug_enabled The API allows collecting profiles even debug_enabled=false as long as ACLs are enabled. Remove this check from the CLI so that users do not need to set debug_enabled=true for no reason. Also: - fix the API client to return errors on non-200 status codes for debug endpoints - improve the failure messages when pprof data can not be collected Co-Authored-By: Dhia Ayachi <dhia@hashicorp.com> * remove parallel test runs parallel runs create a race condition that fail the debug tests * snapshot the timestamp at the beginning of the capture - timestamp used to create the capture sub folder is snapshot only at the beginning of the capture and reused for subsequent captures - capture append to the file if it already exist * Revert "snapshot the timestamp at the beginning of the capture" This reverts commit `c2d03346` * Refactor captureDynamic to extract capture logic for each item in a different func * snapshot the timestamp at the beginning of the capture - timestamp used to create the capture sub folder is snapshot only at the beginning of the capture and reused for subsequent captures - capture append to the file if it already exist * Revert "snapshot the timestamp at the beginning of the capture" This reverts commit `c2d03346` * Refactor captureDynamic to extract capture logic for each item in a different func * extract wait group outside the go routine to avoid a race condition * capture pprof in a separate go routine * perform a single capture for pprof data for the whole duration * add missing vendor dependency * add a change log and fix documentation to reflect the change * create function for timestamp dir creation and simplify error handling * use error groups and ticker to simplify interval capture loop * Logs, profile and traces are captured for the full duration. Metrics, Heap and Go routines are captured every interval * refactor Logs capture routine and add log capture specific test * improve error reporting when log test fail * change test duration to 1s * make time parsing in log line more robust * refactor log time format in a const * test on log line empty the earliest possible and return Co-authored-by: Freddy <freddygv@users.noreply.github.com> * rename function to captureShortLived * more specific changelog Co-authored-by: Paul Banks <banks@banksco.de> * update documentation to reflect current implementation * add test for behavior when invalid param is passed to the command * fix argument line in test * a more detailed description of the new behaviour Co-authored-by: Paul Banks <banks@banksco.de> * print success right after the capture is done * remove an unnecessary error check Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * upgraded github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57 => v0.0.0-20210601050228-01bbb1931b22 Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>	4 years ago
Dhia Ayachi	dda3e68791	fix monitor to only start the monitor in json format when requested (#10358 ) * fix monitor to only start the monitor in json format when requested * add release notes * add test to validate json format when requested	4 years ago
Daniel Nephin	cec8bc88a9	cmd: remove unnecessary GatedUi The intent of this struct was to prevent non-json output to stdout. With the previous cleanup, this can now be done by simply changing the stdout stream to io.Discard. This is just one example of why passing around io.Writers for the streams is better than the UI interface.	4 years ago
Daniel Nephin	2261a469e3	cmd: move agent running message to logs Previously this line was mixed up with logging, which made the output quite ugly. Use the logger to output this message, instead of printing directly to stdout. This has the advantage that the message will be visible when json logs are enabled.	4 years ago
Daniel Nephin	b4b85bd83a	agent: fix agent logging Remove the leading whitespace on every log line. This was causing problems for a customer because their logging system was interpretting the logs as a single multi-line log.	4 years ago
Daniel Nephin	2fc988d51d	cmd: introduce a shim to expose Stdout/Stderr writers This will allow commands to do the right thing, and write to the proper output stream.	4 years ago
Daniel Nephin	e573641995	cmd: remove unnecessary args to agent.New The version args are static and passed in from the caller. Instead read the static values in New. The shutdownCh was never closed, so did nothing. Remove it as a field and an arg.	4 years ago
Daniel Nephin	eb4f8b17e9	Merge pull request #10324 from hashicorp/dnephin/fix-envoy-bootstrap-exec envoy: fix deadlock when input is larger than named pipe buffer size	4 years ago
Dhia Ayachi	15dddc9edb	make tests use a dummy node_name to avoid environment related failures (#10262 ) * fix tests to use a dummy nodeName and not fail when hostname is not a valid nodeName * remove conditional testing * add test when node name is invalid	4 years ago
Daniel Nephin	2054402a53	envoy: improve comments	4 years ago
Daniel Nephin	c9bc5f92b7	envoy: fix bootstrap deadlock caused by a full named pipe Normally the named pipe would buffer up to 64k, but in some cases when a soft limit is reached, they will start only buffering up to 4k. In either case, we should not deadlock. This commit changes the pipe-bootstrap command to first buffer all of stdin into the process, before trying to write it to the named pipe. This allows the process memory to act as the buffer, instead of the named pipe. Also changed the order of operations in `makeBootstrapPipe`. The new test added in this PR showed that simply buffering in the process memory was not enough to fix the issue. We also need to ensure that the `pipe-bootstrap` process is started before we try to write to its stdin. Otherwise the write will still block. Also set stdout/stderr on the subprocess, so that any errors are visible to the user.	4 years ago
Daniel Nephin	e1b1ab7ef6	envoy: start timeout func after validation This removes the need to check arg length in the timeout function.	4 years ago
Dhia Ayachi	4c7f5f31c7	debug: remove the CLI check for debug_enabled (#10273 ) * debug: remove the CLI check for debug_enabled The API allows collecting profiles even debug_enabled=false as long as ACLs are enabled. Remove this check from the CLI so that users do not need to set debug_enabled=true for no reason. Also: - fix the API client to return errors on non-200 status codes for debug endpoints - improve the failure messages when pprof data can not be collected Co-Authored-By: Dhia Ayachi <dhia@hashicorp.com> * remove parallel test runs parallel runs create a race condition that fail the debug tests * Add changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>	4 years ago
Daniel Nephin	5a7059f45c	redirecttraffic: fix a flaky test https://app.circleci.com/pipelines/github/hashicorp/consul-enterprise/6408/workflows/e90b1140-daa2-458f-8197-d1821e3693e3/jobs/94694/tests#failed-test-0 The ExcludeInboundPorts can be in a different order sometimes, although I'm not sure how. Also removes t.Parallel. We should only need to use t.Parallel in large packages with many slow tests. In this case there is only a single slow test so we don't get any benefit. Also add struct field names to the testcases list, so that it is easier to see what each value is doing, and to make it easier to add new fields in the future.	4 years ago
Iryna Shustava	d7d44f6ae7	Save exposed ports in agent's store and expose them via API (#10173 ) * Save exposed HTTP or GRPC ports to the agent's store * Add those the health checks API so we can retrieve them from the API * Change redirect-traffic command to also exclude those ports from inbound traffic redirection when expose.checks is set to true.	4 years ago
R.B. Boyer	3b50a55533	connect: update supported envoy versions to 1.18.3, 1.17.3, 1.16.4, and 1.15.5 (#10231 )	4 years ago
Daniel Nephin	347f3d2128	Merge pull request #10155 from hashicorp/dnephin/config-entry-remove-fields config-entry: remove Kind and Name field from Mesh config entry	4 years ago
Mark Anderson	06f0f79218	Continue working through proxy and agent Rework/listeners, rename makeListener Refactor, tests pass Signed-off-by: Mark Anderson <manderson@hashicorp.com>	4 years ago
Luke Kysow	8d6cbe7281	Give descriptive error if auth method not found (#10163 ) * Give descriptive error if auth method not found Previously during a `consul login -method=blah`, if the auth method was not found, the error returned would be "ACL not found". This is potentially confusing because there may be many different ACLs involved in a login: the ACL of the Consul client, perhaps the binding rule or the auth method. Now the error will be "auth method blah not found", which is much easier to debug.	4 years ago
Daniel Nephin	a07a58a873	config-entry: use custom MarshalJSON for mesh type So that the Kind field is added to the JSON object.	4 years ago
Daniel Nephin	62efaaab21	config-entry: remove Kind and Name field from Mesh config entry No config entry needs a Kind field. It is only used to determine the Go type to target. As we introduce new config entries (like this one) we can remove the kind field and have the GetKind method return the single supported value. In this case (similar to proxy-defaults) the Name field is also unnecessary. We always use the same value. So we can omit the name field entirely.	4 years ago
R.B. Boyer	abc1dc0fe9	connect: update supported envoy versions to 1.18.2, 1.17.2, 1.16.3, and 1.15.4 (#10101 ) The only thing that needed fixing up pertained to this section of the 1.18.x release notes: > grpc_stats: the default value for stats_for_all_methods is switched from true to false, in order to avoid possible memory exhaustion due to an untrusted downstream sending a large number of unique method names. The previous default value was deprecated in version 1.14.0. This only changes the behavior when the value is not set. The previous behavior can be used by setting the value to true. This behavior change by be overridden by setting runtime feature envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default. For now to maintain status-quo I'm explicitly setting `stats_for_all_methods=true` in all versions to avoid relying upon the default. Additionally the naming of the emitted metrics for these gRPC requests changed slightly so the integration test assertions for `case-grpc` needed adjusting.	4 years ago
R.B. Boyer	71d45a3460	Support Incremental xDS mode (#9855 ) This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged. Union of all commit messages follows to give an overarching summary: xds: exclusively support incremental xDS when using xDS v3 Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail. Work around a strange older envoy behavior involving empty CDS responses over incremental xDS. xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead. Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client. xds: pull out checkStreamACLs method in advance of a later commit xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty. This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10. xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time	4 years ago
Iryna Shustava	8dffb89131	Implement traffic redirection exclusion based on proxy config and user-provided values (#10134 ) * Use proxy outbound port from TransparentProxyConfig if provided * If -proxy-id is provided to the redirect-traffic command, exclude any listener ports from inbound traffic redirection. This includes envoy_prometheus_bind_addr, envoy_stats_bind_addr, and the ListenerPort from the Expose configuration. * Allow users to provide additional inbound and outbound ports, outbound CIDRs and additional user IDs to be excluded from traffic redirection. This affects both the traffic-redirect command and the iptables SDK package.	4 years ago
Freddy	078c40425f	Rename "cluster" config entry to "mesh" (#10127 ) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.	4 years ago
Paul Banks	c501468d78	Fix panic bug in snapshot inspect (#10091 ) * Fix panic bug in snapshot inspect * Add changelog entry * Update .changelog/10091.txt * Undo bad GitHub UI merge * Undo bad GitHub UI merge	4 years ago
Paul Banks	d717d2cdc4	CLI: Allow snapshot inspect to work on internal raft snapshots directly. (#10089 ) * CLI: Add support for reading internal raft snapshots to snapshot inspect * Add snapshot inspect test for raw state files * Add changelog entry * Update .changelog/10089.txt	4 years ago
R.B. Boyer	4db8b78854	connect: update centralized upstreams representation in service-defaults (#10015 )	4 years ago
freddygv	e1808af729	Fixup tests	4 years ago
freddygv	7cb3f32672	Convert new tproxy structs in api module into ptrs This way we avoid serializing these when empty. Otherwise users of the latest version of the api submodule cannot interact with older versions of Consul, because a new api client would send keys that the older Consul doesn't recognize yet.	4 years ago
freddygv	7bd51ff536	Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.	4 years ago
Iryna Shustava	5755c97bc7	cli: Add new `consul connect redirect-traffic` command for applying traffic redirection rules when Transparent Proxy is enabled. (#9910 ) * Add new consul connect redirect-traffic command for applying traffic redirection rules when Transparent Proxy is enabled. * Add new iptables package for applying traffic redirection rules with iptables.	4 years ago
Freddy	a02245b75a	Merge pull request #9976 from hashicorp/centralized-upstream-fixups	4 years ago
freddygv	ab752c1c86	Avoid sending zero-value upstream defaults from api	4 years ago
R.B. Boyer	5bcfe930c6	command: when generating envoy bootstrap configs to stdout do not mix informational logs into the json (#9980 ) Fixes #9921	4 years ago
R.B. Boyer	499fee73b3	connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973 ) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.	4 years ago
Hans Hasselberg	53e9c134af	introduce certopts (#9606 ) * introduce cert opts * it should be using the same signer * lint and omit serial	4 years ago
woz5999	39f448589d	support env var expansion in envoy statsd urls Fixes #8561	4 years ago
Freddy	8207b832df	Add TransparentProxy option to proxy definitions	4 years ago
Freddy	c664938bae	Add per-upstream configuration to service-defaults	4 years ago
freddygv	8b46d8dcbb	Restore old Envoy prefix on escape hatches This is done because after removing ID and NodeName from ServiceConfigRequest we will no longer know whether a request coming in is for a Consul client earlier than v1.10.	4 years ago

... 2 3 4 5 6 ...

2417 Commits (main)