Commit Graph

21182 Commits (0c2c7ca9c77ea57d0aeeb9f5888bb6333e709804)

Author SHA1 Message Date
Nitya Dhanushkodi 51b58cd910
fix expose paths (#19257)
When testing adding http probes to apps, I ran into some issues which I fixed here:
- The listener should be listening on the exposed listener port, updated that.
- The listener and route names were pointing to the path of the exposed path. In my test, the path was "/" resulting in an empty string path. Also, the path may not be unique across exposed path listeners, so I decided to use the path+exposed port as the unique identifier.
2023-10-17 14:47:21 -07:00
Dan Stough 9b719e6dec
test: add 1.17 nightly integrations test (#19253) 2023-10-17 16:45:40 -04:00
Blake Covarrubias 9976e08505
docs: Fix example control-plane-request-limit HCL and JSON (#19105)
The control-plane-request-limit config entry does not support
specifying parameter names in snake case format.

This commit updates the HCL and JSON examples to use the supported
camel case key format.
2023-10-17 19:50:12 +00:00
Sophie Gairo 61bd08c8b9
Net 4893- Ensure we're testing all the latest versions of Vault/Nomad (#19119)
* NET-5592 - update Nomad integration testing

* NET-4893: Ensure we're testing all the latest versions of Vault/Nomad
2023-10-17 12:55:16 -05:00
John Maguire b78465b491
[NET-5810] CE changes for multiple virtual hosts (#19246)
CE changes for multiple virtual hosts
2023-10-17 15:08:04 +00:00
Chris Hut a6c990c6fe
Cc 5545: Upgrade HDS packages and modifiers (#19226)
* Upgrade @hashicorp/design-system-tokens to 1.9.0

* Upgrade @hashicorp/design-system-components to 1.8.1

* Upgrade @hashicorp/design-system-components and ember-in-viewport

* Explicitly install ember-modifier@4.1.0

* rename copy-button

* Fix how cleanup is done in with-copyable

* Update aria-menu modifier for new structure

* Update css-prop modifier to new structure

* Convert did-upsert to regular class modifier

* Update notification modifier for new structure

* Update on-oustside modifier for new structure

* Move destroy handler registration in with-copyable

* Update style modifier for new structure

* Update validate modifier for new structure

* Guard against setting on destroyed object

* Upgrade @hashicorp/design-system-components to 2.14.1

* Remove debugger

* Guard against null in aria-menu

* Fix undefined hash in validate addon

* Upgrade ember-on-resize-modifier

* Fix copy button import, missing import and array destructuring

---------

Co-authored-by: wenincode <tyler.wendlandt@hashicorp.com>
2023-10-17 07:27:42 -06:00
John Murret 9f4f99c626
NET-6097 - sidecar proxy controller - give name to first failover policy target (#19239) 2023-10-17 01:45:54 +00:00
Michael Zalimeni 8eb074e7c1
[NET-5944] security: Update Go version to 1.20.10 and `x/net` to 0.17.0 (#19225)
* Bump golang.org/x/net to 0.17.0

This resolves [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).

* Update Go version to 1.20.10

This resolves [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
(`net/http`).
2023-10-16 17:49:04 -04:00
Semir Patel 4c5a46e5e1
v2tenancy: rename v1alpha1 -> v2beta1 (#19227) 2023-10-16 21:43:47 +00:00
David Yu b81c8627db
Add reason why port 53 is not used by default (#19222)
* Update dns-configuration.mdx

* Update website/content/docs/services/discovery/dns-configuration.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2023-10-16 14:21:58 -07:00
Jeff Boruszak dcd593004e
docs: Multi-port corrections (#19224)
* typo fixes and instruction corrections

* typo

* link path correction
2023-10-16 13:52:30 -07:00
R.B. Boyer 6741392a4f
catalog: add FailoverPolicy ACL hook tenancy test (#19179) 2023-10-16 14:05:39 -05:00
R.B. Boyer df8ea430c6
mesh: add DestinationPolicy ACL hook tenancy tests (#19178)
Enhance the DestinationPolicy ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.
2023-10-16 13:44:24 -05:00
Semir Patel ad177698f7
resource: enforce lowercase v2 resource names (#19218) 2023-10-16 12:55:30 -05:00
R.B. Boyer 6c7d0759e4
mesh: add xRoute ACL hook tenancy tests (#19177)
Enhance the xRoute ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.
2023-10-16 12:18:56 -05:00
modrake 3716b69792
Relplat 897 copywrite bot workarounds (#19200)
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
2023-10-16 08:53:31 -07:00
John Murret a7fbd00865
NET-5073 - ProxyConfiguration: implement various connection options (#19187)
* NET-5073 - ProxyConfiguration: implement various connection options

* PR feedback - LocalConnection and InboundConnection do not affect exposed routes. configure L7 route destinations. fix connection proto sequence numbers.

* add timeout to L7 Route Destinations
2023-10-14 13:54:08 +00:00
Iryna Shustava 105ebfdd00
catalog, mesh: implement missing ACL hooks (#19143)
This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.

It refactors a lot of the common testing functions so that they can be re-used between resources.

There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.
2023-10-13 23:16:26 +00:00
Iryna Shustava 2ea33e9b86
mesh: add more validations to Destinations resource (#19202) 2023-10-13 16:52:20 -06:00
Iryna Shustava e94d6ceca6
mesh: add validation hook to proxy configuration (#19186) 2023-10-13 15:21:39 -06:00
Michael Zalimeni 9b0f4b7fc5
chore: update version and nightly CI for 1.17 (#19208)
Update version file to 1.18-dev, and replace 1.13 nightly test with
1.17.
2023-10-13 21:12:36 +00:00
Ashwin Venkatesh 3d1a606c3b
Clone proto into deepcopy correctly (#19204) 2023-10-13 16:41:22 -04:00
R.B. Boyer 20d1fb8c78
server: run the api checks against the path without params (#19205) 2023-10-13 15:32:06 -05:00
R.B. Boyer 99f7a1219e
catalog: add metadata filtering to refine workload selectors (#19198)
This implements the Filter field on pbcatalog.WorkloadSelector to be
a post-fetch in-memory filter using the https://github.com/hashicorp/go-bexpr
expression language to filter resources based on their envelope metadata fields.

All existing usages of WorkloadSelector should be able to make use of the filter.
2023-10-13 13:37:42 -05:00
R.B. Boyer f0e4897736
mesh: ensure that xRoutes have ParentRefs that have matching Tenancy to the enclosing resource (#19176)
We don't want an xRoute controlling traffic for a Service in another tenancy.
2023-10-13 11:31:56 -05:00
Dhia Ayachi 5fbf0c00d3
Add namespace read write tests (#19173) 2023-10-13 12:03:06 -04:00
Thomas Eckert 76c60fdfac
Golden File Tests for TermGW w/ Cluster Peering (#19096)
Add intention to create golden file for terminating gateway peered trust bundle
2023-10-13 11:56:58 -04:00
Ashwin Venkatesh c2a0d4f9ca
Create DeepCopy() and Json Marshal/Unmarshal for proto-public (#19015)
* Override Marshal/UnmarshalJSON for proto-public types
* Generate Deepcopy() for proto-public types for Kubernetes CRDs.
2023-10-13 14:55:58 +00:00
Poonam Jadhav a50a9e984a
Net-5771/apply command stdin input (#19084)
* feat: apply command now accepts input from stdin

* feat: accept first positional non-flag file path arg

* fix: detect hcl format
2023-10-13 09:24:16 -04:00
Nitya Dhanushkodi 95d9b2c7e4
[NET-4931] xdsv2, sidecarproxycontroller, l4 trafficpermissions: support L7 (#19185)
* xdsv2: support l7 by adding xfcc policy/headers, tweaking routes, and make a bunch of listeners l7 tests pass

* sidecarproxycontroller: add l7 local app support 

* trafficpermissions: make l4 traffic permissions work on l7 workloads

* rename route name field for consistency with l4 cluster name field

* resolve conflicts and rebase

* fix: ensure route name is used in l7 destination route name as well. previously it was only in the route names themselves, now the route name and l7 destination route name line up
2023-10-12 23:45:45 +00:00
Iryna Shustava e3cb4ec35e
mesh: properly handle missing workload protocols (#19172)
Sometimes workloads could come with unspecified protocols such as when running on Kubernetes. Currently, if this is the case, we will just default to tcp protocol.

However, to make sidecar-proxy controller work with l7 protocols we should instead inherit the protocol from service. This change adds tracking for services that a workload is part of and attempts to inherit the protocol whenever services a workload is part of doesn't have conflicting protocols.
2023-10-12 15:41:03 -06:00
Iryna Shustava a39eec0ef4
mesh: fix race in the sidecar-proxy controller test (#19183) 2023-10-12 15:40:33 -06:00
John Murret dbca544d25
NET-5951 - Unique route names for implicit routes (#19174)
* NET-5951 - Unique route names for implicit routes

* remove use of datacenter

* PR feedback
2023-10-12 14:46:31 -06:00
Derek Menteer 9500711881
Add 1.17 upgrade-specific note for upstream normalization. (#19181)
Add 1.17 upgrade-specific note for upstream normalization.

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-10-12 20:33:58 +00:00
trujillo-adam 67393b543b
Update metdata for locality-aware usage page (#19180) 2023-10-12 13:02:34 -07:00
Iryna Shustava 25283f0ec2
get-envoy-bootstrap-params: when v2 is enabled, use computed proxy configuration (#19175) 2023-10-12 14:01:36 -06:00
Iryna Shustava 54a12ab3c9
mesh: sidecar proxy controller improvements (#19083)
This change builds on #19043 and #19067 and updates the sidecar controller to use those computed resources. This achieves several benefits:

   * The cache is now simplified which helps us solve for previous bugs (such as multiple Upstreams/Destinations targeting the same service would overwrite each other)
   * We no longer need proxy config cache
   * We no longer need to do merging of proxy configs as part of the controller logic
   * Controller watches are simplified because we no longer need to have complex mapping using cache and can instead use the simple ReplaceType mapper.

It also makes several other improvements/refactors:

  * Unifies all caches into one. This is because originally the caches were more independent, however, now that they need to interact with each other it made sense to unify them where sidecar proxy controller uses one cache with 3 bimappers
   * Unifies cache and mappers. Mapper already needed all caches anyway and so it made sense to make the cache do the mapping also now that the cache is unified.
   * Gets rid of service endpoints watches. This was needed to get updates in a case when service's identities have changed and we need to update proxy state template's spiffe IDs for those destinations. This will however generate a lot of reconcile requests for this controller as service endpoints objects can change a lot because they contain workload's health status. This is solved by adding a status to the service object tracking "bound identities" and have service endpoints controller update it. Having service's status updated allows us to get updates in the sidecar proxy controller because it's already watching service objects
   * Add a watch for workloads. We need it so that we get updates if workload's ports change. This also ensures that we update cached identities in case workload's identity changes.
2023-10-12 13:20:13 -06:00
Iryna Shustava ad06c96456
mesh: add computed destinations with a controller that computes them (#19067)
This commit adds a new type ComputedDestinations that will contain all destinations from any Destinations resources and will be name-aligned with a workload. This also adds an explicit-destinations controller that computes these resources.

This is needed to simplify the tracking we need to do currently in the sidecar-proxy controller and makes it easier to query all explicit destinations that apply to a workload.
2023-10-12 12:04:12 -06:00
Chris S. Kim 197bcd4164
Refactor connect_auth.go into agent_endpoint.go (#19166) 2023-10-12 12:54:32 -04:00
R.B. Boyer 29ba5b5c79
catalog: block unsupported failover policy settings for now (#19168) 2023-10-12 11:13:56 -05:00
John Murret 6da4798e05
NET-5799 - ensure catalog controllers and dependency mappers function correctly for tenancy fields (#19142)
* use bimapper

* WIP

* clean up

* PR feedback
2023-10-12 02:07:50 +00:00
Iryna Shustava 60b75a55f7
mesh: implement exposed paths (#19044)
Implement exposed paths listeners in the sidecar proxy controller.
2023-10-11 19:23:16 -06:00
Semir Patel 4996eeed4b
Fix BUSL license checker to skip >= 1.17.x target branches (#19152) (#19154)
* Fix BUSL license checker to skip >= 1.17.x target branches

* Update .github/scripts/license_checker.sh



---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2023-10-11 17:15:13 -05:00
R.B. Boyer c26d5cf62c
test: fix container test enterprise drift (#19101) 2023-10-11 15:39:09 -05:00
R.B. Boyer eb06db0c69
sdk: update testutil.WaitForLeader to not use the v1 catalog api (#19146) 2023-10-11 15:28:25 -05:00
John Maguire 7a323c492b
[NET-5457] Golden Files for Multiple Virtual Hosts (#19131)
* Add new golden file tests

* Update with latest deterministic code
2023-10-11 18:11:29 +00:00
trujillo-adam ca1a755f0c
fix broken link (#19140) 2023-10-11 17:14:34 +00:00
R.B. Boyer 5146810acc
cli: do not hide the resource HCL parsing error and replace it with a JSON error (#19107)
We serially attempt to decode resources in the consul resource apply command
using HCL and then falling back on JSON. This causes the HCL errors to be 
dropped completely in the case where the HCL decode failed due to a typo 
instead of it actually being JSON instead.

This PR proposes sniffing to see if the first non-whitespace character in the 
input is { and if so treat it as JSON, otherwise as HCL and not 
double-decode on error.
2023-10-11 11:37:50 -05:00
John Murret 6cbd417f29
NET-5822 - Add default outbound router in TProxy (#19087)
* NET-5822 - Add default outbound router in TProxy

* fixing connection timeout to be 5 s instead of 10 seconds
2023-10-11 10:31:45 -06:00
R.B. Boyer b9ab63c55d
server: when the v2 catalog experiment is enabled reject api and rpc requests that are for the v1 catalog (#19129)
When the v2 catalog experiment is enabled the old v1 catalog apis will be
forcibly disabled at both the API (json) layer and the RPC (msgpack) layer.
This will also disable anti-entropy as it uses the v1 api.

This includes all of /v1/catalog/*, /v1/health/*, most of /v1/agent/*,
/v1/config/*, and most of /v1/internal/*.
2023-10-11 10:44:03 -05:00