Commit Graph

17267 Commits (28b4b3a85d9de2c9d6aff223738012634a3b3c54)

Author SHA1 Message Date
Mark Anderson 28b4b3a85d Add x-forwarded-client-cert headers
Description
Add x-forwarded-client-cert information on trusted incoming connections.

Envoy provides support for forwarding and annotating the
x-forwarded-client-cert header via the forward_client_cert_details and
set_current_client_cert_details filter fields. It would be helpful for
consul to support this directly in its config. The escape hatches are
a bit cumbersome for this purpose.

This has been implemented on incoming connections to envoy. Outgoing
(from the local service through the sidecar) will not have a
certificate, and so are left alone.

A service on an incoming connection will now get headers something like this:

```
X-Forwarded-Client-Cert:[By=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting;Hash=61ad5cbdfcb50f5a3ec0ca60923d61613c149a9d4495010a64175c05a0268ab2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard]
```

Closes #12852
2022-05-04 08:50:58 -07:00
claire labry 8ebb515bfc
Merge pull request #12917 from hashicorp/add-release-config-key
Add config key to the promote-staging event
2022-05-03 17:26:46 -04:00
Amier Chery 03ac931b52
Merge pull request #12631 from driesgroblerw/patch-1
Updated the link to acl-policies
2022-05-03 14:59:05 -04:00
DanStough 8d655ded4c chore(ci): fix backport-assistant for stable website 2022-05-03 14:36:46 -04:00
Kyle Havlovitz 0696ed24c8
Merge pull request #12885 from hashicorp/acl-err-cache
Store and return RPC error in ACL cache entries
2022-05-03 10:44:22 -07:00
Kyle Havlovitz 76d62a14f5 Return ACLRemoteError from cache and test it correctly 2022-05-03 10:05:26 -07:00
DanStough e899e06c29 chore(ci): fix backport assistant 2022-05-03 12:41:12 -04:00
R.B. Boyer bd87505bf2
ci: upgrade bats and the circle machine executors to get integration tests to function again (#12918)
Bonus change: send less context when building the test-sds-server to
speed up the setup.
2022-05-03 11:21:32 -05:00
Claire Labry 561221a343
Add config key to the promote-staging event 2022-05-03 11:58:14 -04:00
FFMMM 3b3f001580
[sync oss] api: add peering api module (#12911) 2022-05-02 11:49:05 -07:00
Blake Covarrubias 54119f3225
docs: Add example Envoy escape hatch configs (#12764)
Add example escape hatch configurations for all supported override
types.
2022-05-02 11:25:59 -07:00
DanStough b2a005342b chore(ci): add initial support for backport assistant 2022-05-02 11:14:32 -04:00
Jared Kirschner cf12f8af20
Merge pull request #12762 from hashicorp/jkirschner-hashicorp-patch-1
docs: use correct previous name of recovery token
2022-04-29 18:35:56 -04:00
Chris S. Kim 9791bad136
peering: Make Upstream peer-aware (#12900)
Adds DestinationPeer field to Upstream.
Adds Peer field to UpstreamID and its string conversion functions.
2022-04-29 18:12:51 -04:00
Jared Kirschner 5be6f3402d
Merge pull request #12902 from hashicorp/jkirschner-hashicorp-patch-2
docs: fix typo
2022-04-29 17:59:26 -04:00
Jared Kirschner c1aacc2728
docs: fix typo 2022-04-29 17:57:21 -04:00
Jared Kirschner 0028d927e3
Merge pull request #12893 from hashicorp/docs/improve-consul-server-resilience
docs: add guidance on improving Consul resilience
2022-04-29 15:42:09 -04:00
Chris S. Kim 0d66301ea7
Cleanup peering files that used error types that were removed (#12892) 2022-04-29 14:02:26 -04:00
Jared Kirschner de51780eb8 docs: add guidance on improving Consul resilience
Discuss available strategies for improving server-level and infrastructure-level
fault tolerance in Consul.
2022-04-29 10:58:03 -07:00
Jeff Apple e286dc2a50
Merge pull request #12891 from hashicorp/docs-api-gateway-0.2.1
Docs: update for API Gateway v0.2.1
2022-04-29 10:50:04 -07:00
Mathew Estafanous 474385d153
Unify various status errors into one HTTP error type. (#12594)
Replaces specific error types for HTTP Status codes with 
a generic HTTPError type.

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
2022-04-29 13:42:49 -04:00
Jeff-Apple e8a1a1eb68 Docs: update for API Gateway v0.2.1 2022-04-29 09:52:00 -07:00
Jared Kirschner d04fe6ca2c
Merge pull request #11810 from hashicorp/update-enterprise-packaging-in-feature-docs
Update enterprise packaging in feature docs
2022-04-28 19:38:59 -04:00
Jared Kirschner 964afedd13 docs: improve ent overview headings 2022-04-28 16:27:34 -07:00
Jared Kirschner 1ca903d28d docs: explicitly fill all ent feature matrix cells 2022-04-28 12:41:37 -07:00
Chris S. Kim 2626963db9
Add a Github action to remind people about backport automation (#12884) 2022-04-28 14:52:41 -04:00
Kyle Havlovitz 0d8b187ea1 Store and return rpc error in acl cache entries 2022-04-28 09:08:55 -07:00
Jeff Apple 62311368c6
Merge pull request #12874 from hashicorp/japple-api-gw-fix-install-doc
Docs: updated versions on install page and other minor fixes.
2022-04-27 17:24:51 -07:00
Jeff-Apple 144a27da3d Docs: updated versions on install page and other minor fixes. 2022-04-27 16:52:52 -07:00
Mike Morris 80417f02dc
website(consul-api-gateway): fixup stray div tag and step 8 link rendering (#12873) 2022-04-27 19:36:01 -04:00
Karl Cardenas 3bf17020d9
Merge pull request #12872 from hashicorp/markdown-fix
docs: fixes markdown leakage
2022-04-27 14:20:19 -07:00
Karl Cardenas dbaed47da2
docs: fixes markdown leakage 2022-04-27 14:15:39 -07:00
Jared Kirschner 33ccefcc4e docs: update HCP Consul feature matrix 2022-04-27 12:44:00 -07:00
Nathan Coleman 6a4ca9c5a7
Merge pull request #12871 from hashicorp/apigw-crd-version
Update version pin for consul-api-gateway install docs
2022-04-27 14:23:05 -05:00
Nathan Coleman 8208c2daf9 Update version pin for consul-api-gateway CRD install 2022-04-27 15:07:02 -04:00
Jeff Apple 359d62a49d
Merge pull request #12863 from hashicorp/api-gateway-v0.2-docs
Update product docs for release of Consul API Gateway v0.2
2022-04-27 12:01:23 -07:00
Nathan Coleman 1e84407681 Update minimum Consul version in Tech Specs 2022-04-27 14:55:55 -04:00
Jeff-Apple 24682ccc8a correction to the API Gateway 0.2 release notes. 2022-04-27 11:53:27 -07:00
Nathan Coleman 0104383203 Instruct user to update apiGateway.image in values.yaml 2022-04-27 14:47:15 -04:00
Jeff-Apple fb1dcc6eb1 Adding release notes for API Gateway v0.2 2022-04-27 11:44:39 -07:00
Nathan Coleman d039e0088f Hide clipboard for codeblocks that shouldn't be copied 2022-04-27 14:37:51 -04:00
trujillo-adam ac04a1251f hid copy fn for codeblocks that don't need it 2022-04-27 11:34:44 -07:00
Mike Morris 195ec096bb
website(consul-api-gateway): add ReferencePolicy to overview docs (#12861)
* website(consul-api-gateway): add ReferencePolicy to overview docs

* website(consul-api-gateway): bump required Consul Helm chart version

For allowing Consul API Gateway controller to read ReferencePolicy
resources and UX improvement re-using connectInject.consulNamespaces
config for Consul API Gateway config.

* added referencepolicy documentation to route section

* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

* Update consul-api-gateway-install.mdx

* Update consul-api-gateway-install.mdx

* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx

Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>

* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx

* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx

* Update website/content/docs/api-gateway/index.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Update website/content/docs/api-gateway/index.mdx

* Update website/content/docs/api-gateway/index.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-04-27 14:25:42 -04:00
Nathan Coleman 0474b35c62
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
Co-authored-by: Karl Cardenas <kcardenas@hashicorp.com>
2022-04-27 14:24:28 -04:00
Nathan Coleman ba0080a80e
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
Co-authored-by: Karl Cardenas <kcardenas@hashicorp.com>
2022-04-27 14:23:57 -04:00
Nathan Coleman 21b7b18197
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
Co-authored-by: Karl Cardenas <kcardenas@hashicorp.com>
2022-04-27 14:23:48 -04:00
Nathan Coleman d2234fc6f7
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
Co-authored-by: Karl Cardenas <kcardenas@hashicorp.com>
2022-04-27 14:14:36 -04:00
Nathan Coleman 45be1d370f
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
Co-authored-by: Karl Cardenas <kcardenas@hashicorp.com>
2022-04-27 14:14:27 -04:00
Nathan Coleman 1c17b2c9c3 Update consul-api-gateway pin in installation instructions 2022-04-27 14:12:19 -04:00
Nathan Coleman d3a23229bb Remove Consul pin from installation instructions
The consul-k8s chart has the correct version defaulted, and having it pinned here is another thing we have to include in all upgrade instructions
2022-04-27 14:11:51 -04:00