Commit Graph

20691 Commits (13adff9d617ae496ccf516fdb967e59c7e8c7f40)

Author SHA1 Message Date
hc-github-team-consul-core 13adff9d61
Backport of mesh: ensure route configs are named uniquely per port into release/1.17.x (#19324)
backport of commit 21e659d6b3

Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
2023-10-20 23:18:53 +00:00
hc-github-team-consul-core 4d7c295e93
Backport of skip envoy version check in ci into release/1.17.x (#19318)
no-op commit due to failed cherry-picking

Co-authored-by: temp <temp@hashicorp.com>
2023-10-20 11:54:05 -07:00
hc-github-team-consul-core c613594416
Backport of Vault CA bugfixes into release/1.17.x (#19309)
* backport of commit 8a6a858584

* backport of commit 1922b5f539

* backport of commit a4dff42744

* backport of commit cb7e5ded36

* backport of commit fcc9ee6542

* backport of commit 61d1c264d8

---------

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
2023-10-20 17:05:05 +00:00
hc-github-team-consul-core ac676df491
Backport of mesh: provide missing domain to route configurations in ProxyStateTemplate into release/1.17.x (#19302)
* backport of commit 21c8b5e028

* backport of commit 925d695863

---------

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
2023-10-20 02:48:07 +00:00
hc-github-team-consul-core 748e705255
Backport of enable verify envoy script into release/1.17.x (#19304)
no-op commit due to failed cherry-picking

Co-authored-by: temp <temp@hashicorp.com>
2023-10-20 00:47:36 +00:00
Chris Thain 35b6fbf5ee
release/1.17.x - Update supported Envoy versions (#19274) 2023-10-19 14:46:03 -07:00
hc-github-team-consul-core 321ccbcea3
Backport of NET-6239: Temporarily disable verify envoy check into release/1.17.x (#19300)
backport of commit 3ddc538d8a

Co-authored-by: NiniOak <anita.akaeze@hashicorp.com>
2023-10-19 20:42:15 +00:00
hc-github-team-consul-core 8a3a15eb8f
Backport of acls,catalog,mesh: properly authorize workload selectors on writes into release/1.17.x (#19296)
backport of commit 6350a814db

Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
2023-10-19 17:28:03 +00:00
hc-github-team-consul-core d191257f57
Backport of reformatted the JSON schema server conf ref into release/1.17.x (#19294)
backport of commit 8d16fc3252

Co-authored-by: trujillo-adam <ajosetru@gmail.com>
2023-10-19 15:33:28 +00:00
hc-github-team-consul-core dff37763c0
Backport of fix: allow snake case keys for ip based rate limit config entry into release/1.17.x (#19293)
* backport of commit 5c2deeb4c6

* backport of commit e91fd9c7d7

---------

Co-authored-by: Poonam Jadhav <poonam.jadhav@hashicorp.com>
2023-10-19 15:10:21 +00:00
hc-github-team-consul-core fa564e95fe
Backport of [NET-6221] Ensure LB policy set for locality-aware routing (CE) into release/1.17.x (#19289)
backport of commit a2de5916df

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2023-10-19 14:31:20 +00:00
Jeff Boruszak e089b8fae5
backport: docs: Multiport HCP constraint update (#19261) (#19287)
docs: Multiport HCP constraint update (#19261)

* Add sentence

* link text adjustment
2023-10-18 15:59:33 -07:00
hc-github-team-consul-core 5567003dbb
Backport of build(docker): always publish full and minor version tags for dev images into release/1.17.x (#19282)
backport of commit c6bb4a5341

Co-authored-by: DanStough <dan.stough@hashicorp.com>
2023-10-18 19:58:06 +00:00
David Yu 76b4295d7c
backport: docs: Fix multi-port install (#19262) (#19265)
docs: Fix multi-port install (#19262)

* Update configure.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-10-18 08:18:20 -07:00
hc-github-team-consul-core 057f39e834
Backport of fix expose paths into release/1.17.x (#19259)
* backport of commit f5491d7707

* backport of commit 2d4958c309

---------

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
2023-10-17 22:04:36 +00:00
hc-github-team-consul-core a0e0f50cdf
Backport of docs: Fix example control-plane-request-limit HCL and JSON into release/1.17.x (#19255)
backport of commit e5b6120abb

Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2023-10-17 19:58:30 +00:00
hc-github-team-consul-core aa942066f7
Backport of Net 4893- Ensure we're testing all the latest versions of Vault/Nomad into release/1.17.x (#19251)
* backport of commit 828c6c8c75

* backport of commit 92d31cd996

---------

Co-authored-by: sophie-gairo <sophie.gairo@hashicorp.com>
2023-10-17 18:24:10 +00:00
hc-github-team-consul-core 1c91abd23d
Backport of [NET-5810] CE changes for multiple virtual hosts into release/1.17.x (#19247)
backport of commit c5018c1da7

Co-authored-by: jm96441n <john.maguire@hashicorp.com>
2023-10-17 15:33:12 +00:00
hc-github-team-consul-core bf42dd6c4c
Backport of Cc 5545: Upgrade HDS packages and modifiers into release/1.17.x (#19245)
* server: run the api checks against the path without params (#19205)

* Clone proto into deepcopy correctly (#19204)

* chore: update version and nightly CI for 1.17 (#19208)

Update version file to 1.18-dev, and replace 1.13 nightly test with
1.17.

* mesh: add validation hook to proxy configuration (#19186)

* mesh: add more validations to Destinations resource (#19202)

* catalog, mesh: implement missing ACL hooks (#19143)

This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.

It refactors a lot of the common testing functions so that they can be re-used between resources.

There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.

* NET-5073 - ProxyConfiguration: implement various connection options (#19187)

* NET-5073 - ProxyConfiguration: implement various connection options

* PR feedback - LocalConnection and InboundConnection do not affect exposed routes. configure L7 route destinations. fix connection proto sequence numbers.

* add timeout to L7 Route Destinations

* Relplat 897 copywrite bot workarounds (#19200)

Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>

* mesh: add xRoute ACL hook tenancy tests (#19177)

Enhance the xRoute ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.

* resource: enforce lowercase v2 resource names (#19218)

* mesh: add DestinationPolicy ACL hook tenancy tests (#19178)

Enhance the DestinationPolicy ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.

* catalog: add FailoverPolicy ACL hook tenancy test (#19179)

* Upgrade @hashicorp/design-system-tokens to 1.9.0

* Upgrade @hashicorp/design-system-components to 1.8.1

* Upgrade @hashicorp/design-system-components and ember-in-viewport

* Explicitly install ember-modifier@4.1.0

* rename copy-button

* backport of commit 1a1b95127d

* backport of commit b7295ee1a7

* backport of commit 73089ed9ea

* backport of commit cea2ab90e6

* backport of commit 964ef50df3

* backport of commit 0fd98e7e05

* backport of commit 0519b9bd73

* backport of commit 50cbd00683

* backport of commit 838a8a9745

* backport of commit 4882490c6f

* backport of commit 42a9f03a2b

* backport of commit bbedb3fff0

* backport of commit 4576fbee1e

* backport of commit 07584faa58

* backport of commit ef39122bad

* backport of commit c77d8a06f3

* backport of commit 13e3d1cdb5

---------

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
Co-authored-by: modrake <12264057+modrake@users.noreply.github.com>
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
Co-authored-by: wenincode <tyler.wendlandt@hashicorp.com>
Co-authored-by: Chris Hut <tophernuts@gmail.com>
2023-10-17 14:16:57 +00:00
hc-github-team-consul-core 24f2d0b3ed
Backport of NET-6097 - sidecar proxy controller - give name to first failover policy target into release/1.17.x (#19243)
backport of commit 091d5ecead

Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-10-17 02:03:54 +00:00
hc-github-team-consul-core 2dcda57490
Backport of [NET-5944] security: Update Go version to 1.20.10 and `x/net` to 0.17.0 into release/1.17.x (#19235)
* backport of commit d7d9de9564

* backport of commit 0794b1ce74

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2023-10-16 22:09:58 +00:00
Jeff Boruszak e3088548da
docs: Multi-port corrections backport (#19229)
docs: Multi-port corrections (#19224)

* typo fixes and instruction corrections

* typo

* link path correction
2023-10-16 14:17:45 -07:00
hc-github-team-consul-core 168a640a90
Backport of catalog: add FailoverPolicy ACL hook tenancy test into release/1.17.x (#19223)
backport of commit b98d6458e3

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2023-10-16 19:47:39 +00:00
hc-github-team-consul-core 5f0b1f140b
Backport of mesh: add DestinationPolicy ACL hook tenancy tests into release/1.17.x (#19221)
mesh: add DestinationPolicy ACL hook tenancy tests (#19178)

Enhance the DestinationPolicy ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2023-10-16 19:27:29 +00:00
hc-github-team-consul-core 449f190e00
Backport of Relplat 897 copywrite bot workarounds into release/1.17.x (#19217)
* backport of commit 30051fc5fe

* backport of commit 5b71320100

* backport of commit 9603006e96

---------

Co-authored-by: Morgan Drake <12264057+modrake@users.noreply.github.com>
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
2023-10-16 18:58:51 +00:00
hc-github-team-consul-core 3764c96d7e
Backport of mesh: add xRoute ACL hook tenancy tests into release/1.17.x (#19219)
* backport of commit 584b6563d4

* backport of commit 761090d96d

---------

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2023-10-16 17:41:34 +00:00
hc-github-team-consul-core fd356d905d
Backport of NET-5073 - ProxyConfiguration: implement various connection options into release/1.17.x (#19213)
* server: run the api checks against the path without params (#19205)

* Clone proto into deepcopy correctly (#19204)

* chore: update version and nightly CI for 1.17 (#19208)

Update version file to 1.18-dev, and replace 1.13 nightly test with
1.17.

* mesh: add validation hook to proxy configuration (#19186)

* mesh: add more validations to Destinations resource (#19202)

* catalog, mesh: implement missing ACL hooks (#19143)

This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.

It refactors a lot of the common testing functions so that they can be re-used between resources.

There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.

* NET-5073 - ProxyConfiguration: implement various connection options

* PR feedback - LocalConnection and InboundConnection do not affect exposed routes. configure L7 route destinations. fix connection proto sequence numbers.

* backport of commit c9c1b86789

* backport of commit 44c6c8c896

---------

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-10-14 14:11:57 +00:00
hc-github-team-consul-core 689f32c59d
Backport of catalog, mesh: implement missing ACL hooks into release/1.17.x (#19212)
catalog, mesh: implement missing ACL hooks (#19143)

This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.

It refactors a lot of the common testing functions so that they can be re-used between resources.

There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
2023-10-14 01:50:22 +00:00
hc-github-team-consul-core 41a986c6e0
Backport of mesh: add more validations to Destinations resource into release/1.17.x (#19211)
backport of commit f6c7c4ddc1

Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
2023-10-13 23:08:06 +00:00
hc-github-team-consul-core 9ceec775dc
Backport of mesh: add validation hook to proxy configuration into release/1.17.x (#19209)
* server: run the api checks against the path without params (#19205)

* Clone proto into deepcopy correctly (#19204)

* mesh: add validation hook to proxy configuration

* backport of commit b08d9d4b47

* backport of commit 55b9363539

---------

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
2023-10-13 22:16:41 +00:00
hc-github-team-consul-core 73ab8c5c48
Backport of Clone proto into deepcopy correctly into release/1.17.x (#19207)
backport of commit eb08b9d684

Co-authored-by: Ashwin Venkatesh <ashwin.what@gmail.com>
2023-10-13 22:07:49 +00:00
hc-github-team-consul-core 813d666a6e
Backport of server: run the api checks against the path without params into release/1.17.x (#19206)
backport of commit 3894d93d61

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2023-10-13 20:47:51 +00:00
R.B. Boyer 99f7a1219e
catalog: add metadata filtering to refine workload selectors (#19198)
This implements the Filter field on pbcatalog.WorkloadSelector to be
a post-fetch in-memory filter using the https://github.com/hashicorp/go-bexpr
expression language to filter resources based on their envelope metadata fields.

All existing usages of WorkloadSelector should be able to make use of the filter.
2023-10-13 13:37:42 -05:00
R.B. Boyer f0e4897736
mesh: ensure that xRoutes have ParentRefs that have matching Tenancy to the enclosing resource (#19176)
We don't want an xRoute controlling traffic for a Service in another tenancy.
2023-10-13 11:31:56 -05:00
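The tenancy rule described in that commit, as an added illustration that is not code from the Consul repository: an xRoute may only attach to parent Services in its own partition and namespace, otherwise a route written in one namespace could steer traffic for a Service in another. The `Tenancy`, `Reference` and `XRoute` types, the `normalize` defaulting to "default", and `ValidateParentRefTenancy` are simplified stand-ins assumed for this example, not Consul's generated resource types or its validation hook.

```go
package main

import (
	"errors"
	"fmt"
)

// Tenancy is the partition/namespace pair a resource lives in. These types are
// simplified stand-ins for this example, not Consul's generated pbresource or
// pbmesh types.
type Tenancy struct {
	Partition string
	Namespace string
}

// normalize fills in "default" for unset partition/namespace so that an
// omitted tenancy compares equal to an explicit default one (assumption made
// for this example, modelled on Consul's default-tenancy convention).
func (t Tenancy) normalize() Tenancy {
	if t.Partition == "" {
		t.Partition = "default"
	}
	if t.Namespace == "" {
		t.Namespace = "default"
	}
	return t
}

// Reference points at a parent resource (a Service for an xRoute).
type Reference struct {
	Type    string
	Name    string
	Tenancy Tenancy
}

// XRoute is a minimal HTTPRoute/GRPCRoute/TCPRoute stand-in.
type XRoute struct {
	Name       string
	Tenancy    Tenancy
	ParentRefs []Reference
}

var ErrCrossTenantParentRef = errors.New("parent ref tenancy does not match the route's tenancy")

// ValidateParentRefTenancy rejects an xRoute whose ParentRefs point at a
// Service in a different partition or namespace than the route itself.
// Every offending ref is reported, not just the first one.
func ValidateParentRefTenancy(route *XRoute) error {
	want := route.Tenancy.normalize()
	var errs []error
	for i, ref := range route.ParentRefs {
		got := ref.Tenancy.normalize()
		if got != want {
			errs = append(errs, fmt.Errorf(
				"parent_refs[%d] %s %q in %s/%s: %w (%s/%s)",
				i, ref.Type, ref.Name, got.Partition, got.Namespace,
				ErrCrossTenantParentRef, want.Partition, want.Namespace))
		}
	}
	return errors.Join(errs...) // nil when no ref was rejected
}

func main() {
	// Constructed sample: one in-tenancy parent and one cross-namespace parent.
	route := &XRoute{
		Name:    "api-route",
		Tenancy: Tenancy{Namespace: "team-a"},
		ParentRefs: []Reference{
			{Type: "Service", Name: "api", Tenancy: Tenancy{Partition: "default", Namespace: "team-a"}},
			{Type: "Service", Name: "billing", Tenancy: Tenancy{Namespace: "team-b"}},
		},
	}
	if err := ValidateParentRefTenancy(route); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Running the check on write (as a validation hook) rather than at reconcile time means a cross-tenant route never lands in the store, so no other controller has to reason about it.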
Dhia Ayachi 5fbf0c00d3
Add namespace read write tests (#19173) 2023-10-13 12:03:06 -04:00
Thomas Eckert 76c60fdfac
Golden File Tests for TermGW w/ Cluster Peering (#19096)
Add intention to create golden file for terminating gateway peered trust bundle
2023-10-13 11:56:58 -04:00
Ashwin Venkatesh c2a0d4f9ca
Create DeepCopy() and JSON Marshal/Unmarshal for proto-public (#19015)
* Override Marshal/UnmarshalJSON for proto-public types
* Generate Deepcopy() for proto-public types for Kubernetes CRDs.
2023-10-13 14:55:58 +00:00
Poonam Jadhav a50a9e984a
Net-5771/apply command stdin input (#19084)
* feat: apply command now accepts input from stdin

* feat: accept first positional non-flag file path arg

* fix: detect hcl format
2023-10-13 09:24:16 -04:00
Nitya Dhanushkodi 95d9b2c7e4
[NET-4931] xdsv2, sidecarproxycontroller, l4 trafficpermissions: support L7 (#19185)
* xdsv2: support l7 by adding xfcc policy/headers, tweaking routes, and make a bunch of listeners l7 tests pass

* sidecarproxycontroller: add l7 local app support 

* trafficpermissions: make l4 traffic permissions work on l7 workloads

* rename route name field for consistency with l4 cluster name field

* resolve conflicts and rebase

* fix: ensure route name is used in l7 destination route name as well. previously it was only in the route names themselves, now the route name and l7 destination route name line up
2023-10-12 23:45:45 +00:00
Iryna Shustava e3cb4ec35e
mesh: properly handle missing workload protocols (#19172)
Sometimes workloads can come with unspecified protocols, such as when running on Kubernetes. Currently, if this is the case, we will just default to the tcp protocol.

However, to make the sidecar-proxy controller work with L7 protocols, we should instead inherit the protocol from the service. This change adds tracking for the services that a workload is part of and attempts to inherit the protocol whenever the services a workload is part of don't have conflicting protocols.
2023-10-12 15:41:03 -06:00
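The inheritance rule from that commit message, as an added example that is not Consul's own controller code: an explicit protocol on the workload port wins; an unset one is inherited from the services that select the workload only when every service that sets a protocol for that target port agrees; on conflict, or when no service says anything, the port falls back to tcp. The `Protocol` constants, `WorkloadPort`, `ServicePort`, `Service` and `EffectiveProtocol` are assumed stand-ins for this example, and the tcp fallback on conflict is an assumption taken from the message's description of the previous default.

```go
package main

import "fmt"

// Protocol values as used on catalog ports. Stand-in constants for this
// example, not Consul's pbcatalog.Protocol enum.
type Protocol string

const (
	ProtocolUnspecified Protocol = ""
	ProtocolTCP         Protocol = "tcp"
	ProtocolHTTP        Protocol = "http"
	ProtocolGRPC        Protocol = "grpc"
)

// WorkloadPort is one named port on a workload; Protocol may be unset, as
// happens for workloads synced from Kubernetes.
type WorkloadPort struct {
	Name     string
	Protocol Protocol
}

// ServicePort maps a service port onto a workload target port and may carry
// its own protocol.
type ServicePort struct {
	TargetPort string
	Protocol   Protocol
}

// Service is a catalog service that selects the workload.
type Service struct {
	Name  string
	Ports []ServicePort
}

// EffectiveProtocol resolves the protocol the sidecar proxy should use for a
// workload port. A protocol set on the workload wins. Otherwise the port
// inherits from the selecting services, but only when every service that sets
// a protocol for this target port agrees; on conflict, or when none sets one,
// it falls back to tcp (assumed fallback). The returned slice names the
// services that disagreed with the first protocol seen, for a log line or a
// status condition on the workload.
func EffectiveProtocol(port WorkloadPort, services []Service) (Protocol, []string) {
	if port.Protocol != ProtocolUnspecified {
		return port.Protocol, nil
	}
	inherited := ProtocolUnspecified
	var conflicting []string
	for _, svc := range services {
		for _, sp := range svc.Ports {
			if sp.TargetPort != port.Name || sp.Protocol == ProtocolUnspecified {
				continue
			}
			switch {
			case inherited == ProtocolUnspecified:
				inherited = sp.Protocol
			case inherited != sp.Protocol:
				conflicting = append(conflicting, svc.Name)
			}
		}
	}
	if inherited == ProtocolUnspecified || len(conflicting) > 0 {
		return ProtocolTCP, conflicting
	}
	return inherited, nil
}

func main() {
	// Constructed sample: a Kubernetes-synced workload with no protocol on "http".
	port := WorkloadPort{Name: "http"}
	services := []Service{
		{Name: "web", Ports: []ServicePort{{TargetPort: "http", Protocol: ProtocolHTTP}}},
		{Name: "web-canary", Ports: []ServicePort{{TargetPort: "http", Protocol: ProtocolHTTP}}},
	}
	proto, conflicts := EffectiveProtocol(port, services)
	fmt.Println(proto, conflicts)

	services = append(services, Service{Name: "web-grpc",
		Ports: []ServicePort{{TargetPort: "http", Protocol: ProtocolGRPC}}})
	proto, conflicts = EffectiveProtocol(port, services)
	fmt.Println(proto, conflicts)
}
```

The conflict case matters for policy, not just routing: whether L7 traffic permissions and HTTP routes apply to a port depends on the resolved protocol, so silently picking one of two disagreeing services would change which rules are enforced. Reporting the disagreeing services makes that fallback visible.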
Iryna Shustava a39eec0ef4
mesh: fix race in the sidecar-proxy controller test (#19183) 2023-10-12 15:40:33 -06:00
John Murret dbca544d25
NET-5951 - Unique route names for implicit routes (#19174)
* NET-5951 - Unique route names for implicit routes

* remove use of datacenter

* PR feedback
2023-10-12 14:46:31 -06:00
Derek Menteer 9500711881
Add 1.17 upgrade-specific note for upstream normalization. (#19181)
Add 1.17 upgrade-specific note for upstream normalization.

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-10-12 20:33:58 +00:00
trujillo-adam 67393b543b
Update metadata for locality-aware usage page (#19180) 2023-10-12 13:02:34 -07:00
Iryna Shustava 25283f0ec2
get-envoy-bootstrap-params: when v2 is enabled, use computed proxy configuration (#19175) 2023-10-12 14:01:36 -06:00
Iryna Shustava 54a12ab3c9
mesh: sidecar proxy controller improvements (#19083)
This change builds on #19043 and #19067 and updates the sidecar controller to use those computed resources. This achieves several benefits:

   * The cache is now simplified, which helps us solve previous bugs (such as multiple Upstreams/Destinations targeting the same service overwriting each other)
   * We no longer need proxy config cache
   * We no longer need to do merging of proxy configs as part of the controller logic
   * Controller watches are simplified because we no longer need to have complex mapping using cache and can instead use the simple ReplaceType mapper.

It also makes several other improvements/refactors:

  * Unifies all caches into one. Originally the caches were more independent; however, now that they need to interact with each other it made sense to unify them, so the sidecar proxy controller uses one cache with 3 bimappers
   * Unifies cache and mappers. The mapper already needed all the caches anyway, so it made sense to make the cache do the mapping as well now that the cache is unified.
   * Gets rid of service endpoints watches. This was needed to get updates in the case where a service's identities have changed and we need to update the proxy state template's SPIFFE IDs for those destinations. This would, however, generate a lot of reconcile requests for this controller, as service endpoints objects can change a lot because they contain the workload's health status. This is solved by adding a status to the service object tracking "bound identities" and having the service endpoints controller update it. Having the service's status updated allows us to get updates in the sidecar proxy controller because it's already watching service objects
   * Adds a watch for workloads. We need it so that we get updates if a workload's ports change. This also ensures that we update cached identities in case a workload's identity changes.
2023-10-12 13:20:13 -06:00
Iryna Shustava ad06c96456
mesh: add computed destinations with a controller that computes them (#19067)
This commit adds a new type ComputedDestinations that will contain all destinations from any Destinations resources and will be name-aligned with a workload. This also adds an explicit-destinations controller that computes these resources.

This is needed to simplify the tracking we need to do currently in the sidecar-proxy controller and makes it easier to query all explicit destinations that apply to a workload.
2023-10-12 12:04:12 -06:00
Chris S. Kim 197bcd4164
Refactor connect_auth.go into agent_endpoint.go (#19166) 2023-10-12 12:54:32 -04:00
R.B. Boyer 29ba5b5c79
catalog: block unsupported failover policy settings for now (#19168) 2023-10-12 11:13:56 -05:00
John Murret 6da4798e05
NET-5799 - ensure catalog controllers and dependency mappers function correctly for tenancy fields (#19142)
* use bimapper

* WIP

* clean up

* PR feedback
2023-10-12 02:07:50 +00:00