Commit Graph

19040 Commits (0d4b11c01be208d360ad46296c4df8a7602cac62)

Author SHA1 Message Date
freddygv 0d4b11c01b Update upgrade docs for 1.13.2.
In 1.13.2 we added a new flag called use_auto_cert to address issues
previously documented in the upgrade guide. Originally there was no way
to disable TLS for gRPC when auto-encrypt was in use, because TLS was
enabled for gRPC due to the presence of auto-encrypt certs.

As of 1.13.2, using auto-encrypt certs as the signal to enable TLS for
gRPC is opt-in only. Meaning that if anyone who had upgraded to 1.13
relied on that side-effect, they now need to explicitly configure it.
2022-10-18 09:43:32 -06:00
Dhia Ayachi 5eb2bad8fd
bump relevant modules versions (#14972) 2022-10-18 11:24:26 -04:00
Iryna Shustava 5cd0ccfc75
Support auth method with snapshot agent [ENT] (#15020)
Port of hashicorp/consul-enterprise#3303
2022-10-17 15:57:48 -06:00
R.B. Boyer fe2d41ddad
cache: prevent goroutine leak in agent cache (#14908)
There is a bug in the error handling code for the Agent cache subsystem discovered:

1. NotifyCallback calls notifyBlockingQuery which calls getWithIndex in
   a loop (which backs off on-error up to 1 minute)

2. getWithIndex calls fetch if there’s no valid entry in the cache

3. fetch starts a goroutine which calls Fetch on the cache-type, waits
   for a while (again with backoff up to 1 minute for errors) and then
   calls fetch to trigger a refresh

The end result being that every 1 minute notifyBlockingQuery spawns an
ancestry of goroutines that essentially lives forever.

This PR ensures that the goroutine started by `fetch` cancels any prior
goroutine spawned by the same line for the same key.

In isolated testing where a cache type was tweaked to indefinitely
error, this patch prevented goroutine counts from skyrocketing.
2022-10-17 14:38:10 -05:00
R.B. Boyer 02a858efa0
ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one (#15005)
In practice this was masked by #14956 and was only uncovered fixing the
other bug.

  go test ./agent -run TestAgentConnectCALeafCert_goodNotLocal

would fail when only #14956 was fixed.
2022-10-17 13:24:27 -05:00
David Yu efe25cfe46
docs: formatting on backend application and delete peering CRDs (#15007)
* docs: formatting on backend application and delete peering CRDs

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-10-17 10:34:05 -07:00
Dan Upton 641347fe14
proto: deep-copy PeeringTrustBundle using proto.Clone (#15004)
Fixes a `go vet` warning caused by the pragma.DoNotCopy on the protobuf
message type.

Originally I'd hoped we wouldn't need any reflection in the proxycfg hot
path, but it seems proto.Clone is the only supported way to copy a message.
2022-10-17 16:30:35 +01:00
Chris S. Kim 3d2dffff16
Merge pull request #13388 from deblasis/feature/health-checks_windows_service
Feature: Health checks windows service
2022-10-17 09:26:19 -04:00
Dan Upton f8b4b41205
proxycfg: fix goroutine leak when service is re-registered (#14988)
Fixes a bug where we'd leak a goroutine in state.run when the given
context was canceled while there was a pending update.
2022-10-17 11:31:10 +01:00
Kyle Havlovitz 3a60885259
Merge pull request #14800 from hashicorp/mgw-tcp-keepalives
Add TCP keepalive settings to proxy config for mesh gateways
2022-10-14 19:01:02 -07:00
Kyle Havlovitz aaf892a383 Extend tcp keepalive settings to work for terminating gateways as well 2022-10-14 17:05:46 -07:00
Kyle Havlovitz 2c569f6b9c Update docs and add tcp_keepalive_probes setting 2022-10-14 17:05:46 -07:00
Kyle Havlovitz 2242d1ec4a Add TCP keepalive settings to proxy config for mesh gateways 2022-10-14 17:05:46 -07:00
David Yu 1a883891a7
docs: improvements on language from cluster peering steps (#14993)
* docs: improvements on language from cluster peering steps

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-10-14 14:29:11 -07:00
Derek Menteer 2a33d0ff96 Fix issue with incorrect method signature on test. 2022-10-14 11:04:57 -05:00
Freddy 24d0c8801a
Merge pull request #14981 from hashicorp/peering/dial-through-gateways 2022-10-14 09:44:56 -06:00
Tyler Wendlandt 0c8563f060
Merge pull request #14986 from hashicorp/ui/feature/filter-node-healthchecks-agentless
UI: filter node healthchecks on agentless service instances
2022-10-14 09:33:45 -06:00
Dan Upton 328e3ff563
proxycfg: rate-limit delivery of config snapshots (#14960)
Adds a user-configurable rate limiter to proxycfg snapshot delivery,
with a default limit of 250 updates per second.

This addresses a problem observed in our load testing of Consul
Dataplane where updating a "global" resource such as a wildcard
intention or the proxy-defaults config entry could starve the Raft or
Memberlist goroutines of CPU time, causing general cluster instability.
2022-10-14 15:52:00 +01:00
Derek Menteer 29ebcf5ff0 Add tests for peering state snapshots / restores. 2022-10-14 09:48:04 -05:00
Derek Menteer e3ff9912d0 Add test for ExportedServicesForAllPeersByName 2022-10-14 09:48:04 -05:00
Alessandro De Blasis 5f99f578a9
Update website/content/api-docs/agent/check.mdx 2022-10-14 12:32:55 +01:00
Dan Upton e6b55d1d81
perf: remove expensive reflection from xDS hot path (#14934)
Replaces the reflection-based implementation of proxycfg's
ConfigSnapshot.Clone with code generated by deep-copy.

While load testing server-based xDS (for consul-dataplane) we discovered
this method is extremely expensive. The ConfigSnapshot struct, directly
or indirectly, contains a copy of many of the structs in the agent/structs
package, which creates a large graph for copystructure.Copy to traverse
at runtime, on every proxy reconfiguration.
2022-10-14 10:26:42 +01:00
Michael Klein 03734a1bac
Merge pull request #14977 from hashicorp/ui/fix/scrollbar-bento-box
ui: Bento-Box show scrollbars only when necessary
2022-10-14 09:07:57 +02:00
wenincode c85d70e80d Address linting errors 2022-10-13 19:05:19 -06:00
wenincode 363db8c849 Add changelog entry 2022-10-13 18:54:39 -06:00
wenincode 9355d0d4f6 Add tests for filtering node health checks 2022-10-13 18:45:15 -06:00
freddygv c77123a2aa Use split var in tests 2022-10-13 17:12:47 -06:00
freddygv bf51021c07 Use split wildcard partition name
This way OSS avoids passing a non-empty label, which will be rejected in
OSS consul.
2022-10-13 16:55:28 -06:00
Freddy ee4cdc4985
Merge pull request #14935 from hashicorp/fix/alias-leak 2022-10-13 16:31:15 -06:00
freddygv da68ed70c1 Add changelog entry 2022-10-13 16:09:32 -06:00
freddygv f48d7fbe04 Add changelog entry 2022-10-13 16:03:15 -06:00
freddygv 573aa408a1 Lint 2022-10-13 15:55:55 -06:00
wenincode 4530e2e547 Format healthchecks template 2022-10-13 15:48:18 -06:00
wenincode 0eb250d3a0 Filter healthchecks for synthetic-nodes 2022-10-13 15:47:47 -06:00
David Yu 2c5f6a4678
1.14 dataplane docs beta: Bump to beta3 (#14979)
Bump to beta
2022-10-13 14:40:40 -07:00
Derek Menteer 0f424e3cdf Reset wait on ensureServerAddrSubscription 2022-10-13 15:58:26 -05:00
freddygv 96fdd3728a Fix CA init error code 2022-10-13 14:58:11 -06:00
freddygv 472a8e82dc Add integ test for peering through gateways 2022-10-13 14:58:05 -06:00
freddygv 2c99a21596 Update leader routine to maybe use gateways 2022-10-13 14:58:00 -06:00
freddygv e69bc727ec Update peering establishment to maybe use gateways
When peering through mesh gateways we expect outbound dials to peer
servers to flow through the local mesh gateway addresses.

Now when establishing a peering we get a list of dial addresses as a
ring buffer that includes local mesh gateway addresses if the local DC
is configured to peer through mesh gateways. The ring buffer includes
the mesh gateway addresses first, but also includes the remote server
addresses as a fallback.

This fallback is present because it's possible that direct egress from
the servers may be allowed. If not allowed then the leader will cycle
back to a mesh gateway address through the ring.

When attempting to dial the remote servers we retry up to a fixed
timeout. If using mesh gateways we also have an initial wait in
order to allow for the mesh gateways to configure themselves.

Note that if we encounter a permission denied error we do not retry
since that error indicates that the secret in the peering token is
invalid.
2022-10-13 14:57:55 -06:00
malizz b0b0cbb8ee
increase protobuf size limit for cluster peering (#14976) 2022-10-13 13:46:51 -07:00
Jasmine W e04c56a3a1
Merge pull request #14975 from hashicorp/ui/bugfix/peering-misspelling
UI: Copy changes for peering detail page
2022-10-13 15:28:21 -04:00
Derek Menteer 4e140c98bc Address PR comments. 2022-10-13 14:11:02 -05:00
Derek Menteer 1e394da400 Disallow peering to the same cluster. 2022-10-13 14:11:02 -05:00
wenincode 12a24a6d8c Update peers show tests to look for serverAddresses tab 2022-10-13 13:06:11 -06:00
Jasmine W 09513e7ef2 Update index.js 2022-10-13 14:42:13 -04:00
Michael Klein 8a1609f6da Bento-Box show scrollbars only when necessary 2022-10-13 20:27:19 +02:00
Derek Menteer 8742fbe14f Prevent consul peer-exports by discovery chain. 2022-10-13 12:45:09 -05:00
Derek Menteer f366edcb8d Prevent the "consul" service from being exported. 2022-10-13 12:45:09 -05:00
Jasmine W 56e3c0884e UI: Copy changes for peering detail page 2022-10-13 13:45:03 -04:00