Commit Graph

20672 Commits (24f2d0b3ed9b9220ef3633bf6eec559fb4d4e727)

Author SHA1 Message Date
hc-github-team-consul-core 24f2d0b3ed
Backport of NET-6097 - sidecar proxy controller - give name to first failover policy target into release/1.17.x (#19243)
backport of commit 091d5ecead

Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-10-17 02:03:54 +00:00
hc-github-team-consul-core 2dcda57490
Backport of [NET-5944] security: Update Go version to 1.20.10 and `x/net` to 0.17.0 into release/1.17.x (#19235)
* backport of commit d7d9de9564

* backport of commit 0794b1ce74

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2023-10-16 22:09:58 +00:00
Jeff Boruszak e3088548da
docs: Multi-port corrections backport (#19229)
docs: Multi-port corrections (#19224)

* typo fixes and instruction corrections

* typo

* link path correction
2023-10-16 14:17:45 -07:00
hc-github-team-consul-core 168a640a90
Backport of catalog: add FailoverPolicy ACL hook tenancy test into release/1.17.x (#19223)
backport of commit b98d6458e3

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2023-10-16 19:47:39 +00:00
hc-github-team-consul-core 5f0b1f140b
Backport of mesh: add DestinationPolicy ACL hook tenancy tests into release/1.17.x (#19221)
mesh: add DestinationPolicy ACL hook tenancy tests (#19178)

Enhance the DestinationPolicy ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2023-10-16 19:27:29 +00:00
hc-github-team-consul-core 449f190e00
Backport of Relplat 897 copywrite bot workarounds into release/1.17.x (#19217)
* backport of commit 30051fc5fe

* backport of commit 5b71320100

* backport of commit 9603006e96

---------

Co-authored-by: Morgan Drake <12264057+modrake@users.noreply.github.com>
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
2023-10-16 18:58:51 +00:00
hc-github-team-consul-core 3764c96d7e
Backport of mesh: add xRoute ACL hook tenancy tests into release/1.17.x (#19219)
* backport of commit 584b6563d4

* backport of commit 761090d96d

---------

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2023-10-16 17:41:34 +00:00
hc-github-team-consul-core fd356d905d
Backport of NET-5073 - ProxyConfiguration: implement various connection options into release/1.17.x (#19213)
* server: run the api checks against the path without params (#19205)

* Clone proto into deepcopy correctly (#19204)

* chore: update version and nightly CI for 1.17 (#19208)

Update version file to 1.18-dev, and replace 1.13 nightly test with
1.17.

* mesh: add validation hook to proxy configuration (#19186)

* mesh: add more validations to Destinations resource (#19202)

* catalog, mesh: implement missing ACL hooks (#19143)

This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.

It refactors a lot of the common testing functions so that they can be re-used between resources.

There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.

* NET-5073 - ProxyConfiguration: implement various connection options

* PR feedback - LocalConnection and InboundConnection do not affect exposed routes. configure L7 route destinations. fix connection proto sequence numbers.

* backport of commit c9c1b86789

* backport of commit 44c6c8c896

---------

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-10-14 14:11:57 +00:00
hc-github-team-consul-core 689f32c59d
Backport of catalog, mesh: implement missing ACL hooks into release/1.17.x (#19212)
catalog, mesh: implement missing ACL hooks (#19143)

This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.

It refactors a lot of the common testing functions so that they can be re-used between resources.

There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
2023-10-14 01:50:22 +00:00
hc-github-team-consul-core 41a986c6e0
Backport of mesh: add more validations to Destinations resource into release/1.17.x (#19211)
backport of commit f6c7c4ddc1

Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
2023-10-13 23:08:06 +00:00
hc-github-team-consul-core 9ceec775dc
Backport of mesh: add validation hook to proxy configuration into release/1.17.x (#19209)
* server: run the api checks against the path without params (#19205)

* Clone proto into deepcopy correctly (#19204)

* mesh: add validation hook to proxy configuration

* backport of commit b08d9d4b47

* backport of commit 55b9363539

---------

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
2023-10-13 22:16:41 +00:00
hc-github-team-consul-core 73ab8c5c48
Backport of Clone proto into deepcopy correctly into release/1.17.x (#19207)
backport of commit eb08b9d684

Co-authored-by: Ashwin Venkatesh <ashwin.what@gmail.com>
2023-10-13 22:07:49 +00:00
hc-github-team-consul-core 813d666a6e
Backport of server: run the api checks against the path without params into release/1.17.x (#19206)
backport of commit 3894d93d61

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2023-10-13 20:47:51 +00:00
R.B. Boyer 99f7a1219e
catalog: add metadata filtering to refine workload selectors (#19198)
This implements the Filter field on pbcatalog.WorkloadSelector to be
a post-fetch in-memory filter using the https://github.com/hashicorp/go-bexpr
expression language to filter resources based on their envelope metadata fields.

All existing usages of WorkloadSelector should be able to make use of the filter.
2023-10-13 13:37:42 -05:00
R.B. Boyer f0e4897736
mesh: ensure that xRoutes have ParentRefs that have matching Tenancy to the enclosing resource (#19176)
We don't want an xRoute controlling traffic for a Service in another tenancy.
2023-10-13 11:31:56 -05:00
Dhia Ayachi 5fbf0c00d3
Add namespace read write tests (#19173) 2023-10-13 12:03:06 -04:00
Thomas Eckert 76c60fdfac
Golden File Tests for TermGW w/ Cluster Peering (#19096)
Add intention to create golden file for terminating gateway peered trust bundle
2023-10-13 11:56:58 -04:00
Ashwin Venkatesh c2a0d4f9ca
Create DeepCopy() and Json Marshal/Unmarshal for proto-public (#19015)
* Override Marshal/UnmarshalJSON for proto-public types
* Generate Deepcopy() for proto-public types for Kubernetes CRDs.
2023-10-13 14:55:58 +00:00
Poonam Jadhav a50a9e984a
Net-5771/apply command stdin input (#19084)
* feat: apply command now accepts input from stdin

* feat: accept first positional non-flag file path arg

* fix: detect hcl format
2023-10-13 09:24:16 -04:00
Nitya Dhanushkodi 95d9b2c7e4
[NET-4931] xdsv2, sidecarproxycontroller, l4 trafficpermissions: support L7 (#19185)
* xdsv2: support l7 by adding xfcc policy/headers, tweaking routes, and make a bunch of listeners l7 tests pass

* sidecarproxycontroller: add l7 local app support 

* trafficpermissions: make l4 traffic permissions work on l7 workloads

* rename route name field for consistency with l4 cluster name field

* resolve conflicts and rebase

* fix: ensure route name is used in l7 destination route name as well. previously it was only in the route names themselves, now the route name and l7 destination route name line up
2023-10-12 23:45:45 +00:00
Iryna Shustava e3cb4ec35e
mesh: properly handle missing workload protocols (#19172)
Sometimes workloads could come with unspecified protocols such as when running on Kubernetes. Currently, if this is the case, we will just default to tcp protocol.

However, to make sidecar-proxy controller work with l7 protocols we should instead inherit the protocol from service. This change adds tracking for services that a workload is part of and attempts to inherit the protocol whenever services a workload is part of doesn't have conflicting protocols.
2023-10-12 15:41:03 -06:00
Iryna Shustava a39eec0ef4
mesh: fix race in the sidecar-proxy controller test (#19183) 2023-10-12 15:40:33 -06:00
John Murret dbca544d25
NET-5951 - Unique route names for implicit routes (#19174)
* NET-5951 - Unique route names for implicit routes

* remove use of datacenter

* PR feedback
2023-10-12 14:46:31 -06:00
Derek Menteer 9500711881
Add 1.17 upgrade-specific note for upstream normalization. (#19181)
Add 1.17 upgrade-specific note for upstream normalization.

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-10-12 20:33:58 +00:00
trujillo-adam 67393b543b
Update metdata for locality-aware usage page (#19180) 2023-10-12 13:02:34 -07:00
Iryna Shustava 25283f0ec2
get-envoy-bootstrap-params: when v2 is enabled, use computed proxy configuration (#19175) 2023-10-12 14:01:36 -06:00
Iryna Shustava 54a12ab3c9
mesh: sidecar proxy controller improvements (#19083)
This change builds on #19043 and #19067 and updates the sidecar controller to use those computed resources. This achieves several benefits:

   * The cache is now simplified which helps us solve for previous bugs (such as multiple Upstreams/Destinations targeting the same service would overwrite each other)
   * We no longer need proxy config cache
   * We no longer need to do merging of proxy configs as part of the controller logic
   * Controller watches are simplified because we no longer need to have complex mapping using cache and can instead use the simple ReplaceType mapper.

It also makes several other improvements/refactors:

  * Unifies all caches into one. This is because originally the caches were more independent, however, now that they need to interact with each other it made sense to unify them where sidecar proxy controller uses one cache with 3 bimappers
   * Unifies cache and mappers. Mapper already needed all caches anyway and so it made sense to make the cache do the mapping also now that the cache is unified.
   * Gets rid of service endpoints watches. This was needed to get updates in a case when service's identities have changed and we need to update proxy state template's spiffe IDs for those destinations. This will however generate a lot of reconcile requests for this controller as service endpoints objects can change a lot because they contain workload's health status. This is solved by adding a status to the service object tracking "bound identities" and have service endpoints controller update it. Having service's status updated allows us to get updates in the sidecar proxy controller because it's already watching service objects
   * Add a watch for workloads. We need it so that we get updates if workload's ports change. This also ensures that we update cached identities in case workload's identity changes.
2023-10-12 13:20:13 -06:00
Iryna Shustava ad06c96456
mesh: add computed destinations with a controller that computes them (#19067)
This commit adds a new type ComputedDestinations that will contain all destinations from any Destinations resources and will be name-aligned with a workload. This also adds an explicit-destinations controller that computes these resources.

This is needed to simplify the tracking we need to do currently in the sidecar-proxy controller and makes it easier to query all explicit destinations that apply to a workload.
2023-10-12 12:04:12 -06:00
Chris S. Kim 197bcd4164
Refactor connect_auth.go into agent_endpoint.go (#19166) 2023-10-12 12:54:32 -04:00
R.B. Boyer 29ba5b5c79
catalog: block unsupported failover policy settings for now (#19168) 2023-10-12 11:13:56 -05:00
John Murret 6da4798e05
NET-5799 - ensure catalog controllers and dependency mappers function correctly for tenancy fields (#19142)
* use bimapper

* WIP

* clean up

* PR feedback
2023-10-12 02:07:50 +00:00
Iryna Shustava 60b75a55f7
mesh: implement exposed paths (#19044)
Implement exposed paths listeners in the sidecar proxy controller.
2023-10-11 19:23:16 -06:00
Semir Patel 4996eeed4b
Fix BUSL license checker to skip >= 1.17.x target branches (#19152) (#19154)
* Fix BUSL license checker to skip >= 1.17.x target branches

* Update .github/scripts/license_checker.sh



---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2023-10-11 17:15:13 -05:00
R.B. Boyer c26d5cf62c
test: fix container test enterprise drift (#19101) 2023-10-11 15:39:09 -05:00
R.B. Boyer eb06db0c69
sdk: update testutil.WaitForLeader to not use the v1 catalog api (#19146) 2023-10-11 15:28:25 -05:00
John Maguire 7a323c492b
[NET-5457] Golden Files for Multiple Virtual Hosts (#19131)
* Add new golden file tests

* Update with latest deterministic code
2023-10-11 18:11:29 +00:00
trujillo-adam ca1a755f0c
fix broken link (#19140) 2023-10-11 17:14:34 +00:00
R.B. Boyer 5146810acc
cli: do not hide the resource HCL parsing error and replace it with a JSON error (#19107)
We serially attempt to decode resources in the consul resource apply command
using HCL and then falling back on JSON. This causes the HCL errors to be 
dropped completely in the case where the HCL decode failed due to a typo 
instead of it actually being JSON instead.

This PR proposes sniffing to see if the first non-whitespace character in the 
input is { and if so treat it as JSON, otherwise as HCL and not 
double-decode on error.
2023-10-11 11:37:50 -05:00
John Murret 6cbd417f29
NET-5822 - Add default outbound router in TProxy (#19087)
* NET-5822 - Add default outbound router in TProxy

* fixing connection timeout to be 5 s instead of 10 seconds
2023-10-11 10:31:45 -06:00
R.B. Boyer b9ab63c55d
server: when the v2 catalog experiment is enabled reject api and rpc requests that are for the v1 catalog (#19129)
When the v2 catalog experiment is enabled the old v1 catalog apis will be
forcibly disabled at both the API (json) layer and the RPC (msgpack) layer.
This will also disable anti-entropy as it uses the v1 api.

This includes all of /v1/catalog/*, /v1/health/*, most of /v1/agent/*,
/v1/config/*, and most of /v1/internal/*.
2023-10-11 10:44:03 -05:00
Dhia Ayachi ab1e08f1a4
fix flaking container tests (#19134) 2023-10-11 11:26:07 -04:00
Tu Nguyen 1b35c81834
Add 1.17 release notes (#19135)
add 1.17 release notes
2023-10-11 15:11:41 +00:00
Jeff Boruszak d6b61da988
docs: Multi-port and catalog changes (#19050)
* Page creation + nav listing

* Overview page

* Updated end-to-end configuration

* Nav error fix

* Edits

* Fixes

* Background/catalog explanation updates

* updates

* Updates

* Typo fix

* Additional method

* additional fixes

* Apply suggestions from code review

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Code review and other fixes

* "similar to" fix

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
2023-10-10 16:44:36 -07:00
Iryna Shustava c35df12c95
mesh: Add ComputedProxyConfiguration and a controller that computes it. (#19043)
* Introduce a new type `ComputedProxyConfiguration` and add a controller for it. This is needed for two reasons. The first one is that external integrations like kubernetes may need to read the fully computed and sorted proxy configuration per workload. The second reasons is that it makes sidecar-proxy controller logic quite a bit simpler as it no longer needs to do this.
* Generalize workload selection mapper and fix a bug where it would delete IDs from the tree if only one is left after a removal is done.
2023-10-10 17:34:53 -06:00
Jeff Boruszak 679b0f650f
docs: Sameness groups GA (#19103)
* New page creation

* Initial DNS edits

* IncludeLocal added

* Beta callout removal

* Create group page updates

* K8s page edits

* Failover usage intro

* sameness grop failover task

* Upstreams and DNS for VMs and K8s

* Additional failover and links

* <Tab> corrections

* HCP Consul Central edit

* Update website/content/docs/connect/cluster-peering/usage/create-sameness-groups.mdx

* Suggestions from review

* path update in links

* conflict fix

* nav fix

* Apply suggestions from code review

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-10-10 16:20:36 -07:00
trujillo-adam 78938c163a
Docs/api-gw-jwts-openshift-1-17-x (#19035)
* update main apigw overview

* moved the tech specs to main gw folder

* merged tech specs into single topic

* restructure nav part 1

* fix typo in nav json file

* moved k8s install up one level

* restructure nav part 2

* moved and created all listeners and routes content

* moved errors ref and upgrades

* fix error in upgrade-k8s link

* moved conf refs to appropriate spots

* updated conf overview

* fixed some links and bad formatting

* fixed link

* added JWT on VMs usage page

* added JWT conf to APIGW conf entry

* added JWTs to HTTP route conf entry

* added new gatwaypolicy k8s conf reference

* added metadesc for gatewaypolicy conf ref

* added http route auth filter k8s conf ref

* added http route auth filter k8s conf ref to nav

* updates to k8s route conf ref to include extensionRef

* added JWTs usage page for k8s

* fixed link in gwpolicy conf ref

* added openshift installation info to installation pages

* fixed bad link on tech specs

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* fixed VerityClaims param

* best guess at verifyclaims params

* tweaks to gateway policy dconf ref

* Docs/ce 475 retries timeouts for apigw (#19086)

* added timeout and retry conf ref for k8s

* added retry and TO filters to HTTP routes conf ref for VMs

* Apply suggestions from code review

Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* fix copy/paste error in http route conf entry

---------

Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* update links across site and add redirects

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Applied feedback from review

* Apply suggestions from code review

* Apply suggestions from code review

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* Update CRD configuration for responseHeaderModifiers

* Update Config Entry for http-route

* Add ResponseFilter example to service

* Update website/redirects.js

errant curly brace breaking the preview

* fix links and bad MD

* fixed md formatting issues

* fix formatting errors

* fix formatting errors

* Update website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx

* Apply suggestions from code review

* fixed typo

* Fix headers in http-route

* Apply suggestions from code review

Co-authored-by: John Maguire <john.maguire@hashicorp.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: John Maguire <john.maguire@hashicorp.com>
2023-10-10 13:29:55 -07:00
John Maguire 8bebfc147d
[NET-5457] Fix CE code for jwt multiple virtual hosts bug (#19123)
* Fix CE code for jwt multiple virtual hosts bug

* Fix struct definition

* fix bug with always appending route to jwt config

* Update comment to be correct

* Update comment
2023-10-10 16:25:36 -04:00
Semir Patel 830c4ea81c
v2tenancy: cluster scoped reads (#19082) 2023-10-10 13:30:23 -05:00
Dhia Ayachi 226590541c
Activate verifier when running WAL with experimental features (#19102)
* activate verifier when running WAL with experimental features

* only change verifier parameters if it's disabled (default value)
2023-10-10 14:14:20 -04:00
Chris S. Kim 92ce814693
Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00