Commit Graph

20724 Commits (3b806d41c007226c9d8fab60f7e6b508150434cd)

Author SHA1 Message Date
Dhia Ayachi 226590541c
Activate verifier when running WAL with experimental features (#19102)
* activate verifier when running WAL with experimental features

* only change verifier parameters if it's disabled (default value)
2023-10-10 14:14:20 -04:00
Chris S. Kim 92ce814693
Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
Chris Thain dcdf2fc6ba
Update Vault CA provider namespace configuration (#19095) 2023-10-10 13:53:00 +00:00
Chris S. Kim d6200faefb
Minor update to ratelimit wording (#19106) 2023-10-10 09:24:14 -04:00
Ashesh Vidyut b9314de14f
Stop windows integration tests (#19118)
stop windows integration tests
2023-10-09 17:11:10 +05:30
Ashesh Vidyut a30ccdf5dc
NET-4135 - Fix NodeMeta filtering Catalog List Services API (#18322)
* logs for debugging

* Init

* white spaces fix

* added change log

* Fix tests

* fix typo

* using queryoptionfilter to populate args.filter

* tests

* fix test

* fix tests

* fix tests

* fix tests

* fix tests

* fix variable name

* fix tests

* fix tests

* fix tests

* Update .changelog/18322.txt

Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* fix change log

* address nits

* removed unused line

* doing join only when filter has nodemeta

* fix tests

* fix tests

* Update agent/consul/catalog_endpoint.go

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* fix tests

* removed unwanted code

---------

Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2023-10-08 12:48:31 +00:00
Matt Keeler 4713317457
protohcl: allow attribute syntax for all map fields (#19108) 2023-10-06 19:07:08 -04:00
trujillo-adam a9747dc38c
Docs/ce 470 locality aware (#19071)
* updated nav; renamed L7 traffic folder

* Added locality-aware routing to traffic mgmt overview

* Added route to local upstreams topic

* Updated agent configuration reference

* Added locality param to services conf ref

* Added locality param to conf entries

* mentioned traffic management in proxies overview

* added locality-aware to failover overview

* added docs for service rate limiting

* updated service defaults conf entry

* Apply suggestions from code review

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* updated links and added redirects

---------

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-10-06 12:48:05 -07:00
Derek Menteer af3439b53d
Ensure that upstream configuration is properly normalized. (#19076)
This PR fixes an issue where upstreams did not correctly inherit the proper
namespace / partition from the parent service when attempting to fetch the
upstream protocol due to inconsistent normalization.

Some of the merge-service-configuration logic would normalize to default, while
some of the proxycfg logic would normalize to match the parent service. Due to
this mismatch in logic, an incorrect service-defaults configuration entry would
be fetched and have its protocol applied to the upstream.
2023-10-06 13:59:47 -05:00
Eric Haberkorn ad3aab1ef7
Add traffic permissions integration tests. (#19008)
Add traffic permissions integration tests.
2023-10-06 12:06:12 -04:00
Dhia Ayachi ed882e2522
Make raft-wal default when `resource-apis` is active (#19090)
Make raft-wal default when v2 catalog experiment is on
2023-10-06 10:24:21 -04:00
David Yu 677e16a830
Replace `hub` with `gh` for member roles on JIRA sync checks (#19089)
Update jira-pr.yaml

Change from `hub` to `gh` for checking member roles
2023-10-05 15:56:20 -07:00
R.B. Boyer 754ab9abf2
mesh: ensure we add the virtual port number for L7 implicit upstreams (#19085) 2023-10-05 17:07:41 -05:00
Thomas Eckert 342306c312
Allow connections through Terminating Gateways from peered clusters NET-3463 (#18959)
* Add InboundPeerTrustBundle maps to Terminating Gateway

* Add notify and cancelation of watch for inbound peer trust bundles

* Pass peer trust bundles to the RBAC creation function

* Regenerate Golden Files

* add changelog, also adds another spot that needed peeredTrustBundles

* Add basic test for terminating gateway with peer trust bundle

* Add intention to cluster peered golden test

* rerun codegen

* update changelog

* really update the changelog

---------

Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>
2023-10-05 21:54:23 +00:00
Chris S. Kim aa526db225
Retry flaky tests (#19088) 2023-10-05 21:27:28 +00:00
Chris S. Kim ad26494016
[CE] Add workload bind type and templated policy (#19077) 2023-10-05 19:45:41 +00:00
Chris S. Kim ca4ff6ba1d
Bump up compatibility test runner (#19081) 2023-10-05 13:02:12 -04:00
cskh 079c9d6927
docs: clarify the requriment for cross-partition network (#19052) 2023-10-05 15:19:15 +00:00
trujillo-adam 788c58699e
Docs/ce 477 dataplanes on ecs (#19010)
* updated architecture topic

* fixed type in arch diagram filenames

* fixed path to img file

* updated index page - still need to add links

* moved arch and tech specs to reference folder

* moved other ref topics to ref folder

* set up the Deploy folder and TF install topics

* merged secure conf into TF deploy instructions

* moved bind addr and route conf to their own topics

* moved arch and tech specs back to main folder

* update migrate-existing-tasks content

* merged manual deploy content; added serv conf ref

* fixed links

* added procedure for upgrading to dataplanes

* fixed linked reported by checker

* added updates to dataplanes overview page

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* updated links and added redirects

* removed old architecture content

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
2023-10-05 07:33:44 -07:00
Ashesh Vidyut af9a486fdc
Fixes docs of Consul Debug - Adds info about Since Flag (#19056)
fix docs
2023-10-05 11:05:18 +05:30
Valeriia Ruban 344f4638bb
chor: update rule to run frontend github tasks when changes are made … (#19053) 2023-10-04 13:15:12 -07:00
Chris S. Kim cf9e1b6158
Add upgrade warnings (#19061) 2023-10-04 16:10:19 -04:00
Eric Haberkorn 9656fd157f
Fix Explicit Destination Integration Test (#19060)
fix explicit destination integration test
2023-10-04 12:52:12 -04:00
Chris S. Kim 1a9666c49d
Remove parallel flag (#19057) 2023-10-04 08:47:47 -07:00
Chris S. Kim b43cde5d19
Add workload identity hooks (#19045) 2023-10-04 14:24:32 +00:00
Eric Haberkorn f2b7b4591a
Fix Traffic Permissions Default Deny (#19028)
Whenver a traffic permission exists for a given workload identity, turn on default deny.

Previously, this was only working at the port level.
2023-10-04 09:58:28 -04:00
John Murret d67e5c6e35
NET-5590 - authorization: check for identity:write in CA certs, xds server, and getting envoy bootstrap params (#19049)
* NET-5590 - authorization: check for identity:write in CA certs, xds server, and getting envoy bootstrap params

* gofmt file
2023-10-03 22:02:23 +00:00
Chris S. Kim 41e6f6cd8b
Reduce number of ports that consul test agents take (#19047) 2023-10-03 18:57:53 +00:00
R.B. Boyer df930a59ac
chore: fix ce/ent drift in sdk and testing/deployer submodules (#19041) 2023-10-03 10:06:50 -05:00
Poonam Jadhav 6c92dd1359
NET-5600/container-test-acl-enabled (#18887)
* feat: add container tests for resource http api with acl enabled

* refactor: clean up
2023-10-03 10:55:31 -04:00
sarahalsmiller 9addd9ed7c
[NET-5788] Fix needed for JWTAuth in Consul Enterprise (#19038)
change needed for fix in consul-enterprise
2023-10-03 09:48:50 -05:00
Chris S. Kim 2467660ab2
Remove explicit -p from CI tests (#18999) 2023-10-03 10:11:47 -04:00
cskh a62cfd997b
docs: fix the description of meshgateway.mode=local in peering doc (#19042)
docs: fix the description of meshgateway=local in peering doc
2023-10-02 19:12:15 -04:00
skpratt 21ea527089
TrafficPermissions: add ACL hooks (#19023)
* add ACL hooks

* add hooks for CTPs
2023-10-02 15:24:19 -05:00
Nitya Dhanushkodi 9a48266712
remove log (#19029) 2023-09-29 16:11:50 -07:00
Chris Thain 5e45db18b7
Include RequestTimeout in marshal/unmarshal of ServiceResolverConfigE… (#19031) 2023-09-29 10:39:46 -07:00
Eric Haberkorn 7ce6ebaeb3
Handle Traffic Permissions With Empty Sources Properly (#19024)
Fix issues with empty sources

* Validate that each permission on traffic permissions resources has at least one source.
* Don't construct RBAC policies when there aren't any principals. This resulted in Envoy rejecting xDS updates with a validation error.

```
error=
  | rpc error: code = Internal desc = Error adding/updating listener(s) public_listener: Proto constraint validation failed (RBACValidationError.Rules: embedded message failed validation | caused by RBACValidationError.Policies[consul-intentions-layer4-1]: embedded message failed validation | caused by PolicyValidationError.Principals: value must contain at least 1 item(s)): rules {
```
2023-09-28 15:11:59 -04:00
David Yu e6a111af1a
Update release notes to indicate folks should upgrade to to 1.16.2 or later (#19002)
* Update v1_16_x.mdx

* Update upgrade-specific.mdx

* Update website/content/docs/upgrading/upgrade-specific.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-09-27 19:17:31 +00:00
Blake Covarrubias fbc2b93bc4
docs: Rename Consul OSS to Consul CE (#19009)
Rename references of Consul OSS to Consul Community Edition (CE).

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2023-09-27 09:31:28 -07:00
Ashesh Vidyut 23062489c2
Fix type of datacenter in Service Resolvers Config Entry (#19004) 2023-09-27 06:55:21 +05:30
Matt Keeler 2240e746dd
Skip the catalog v2 upgrade test (#19005)
We intentionally broke api compatibility here as we are not yet maintaining backwards compat for the v2 apis
2023-09-26 17:05:19 -04:00
John Murret 6f0df20d10
NET-5657 - consul-containers test for explicit upstreams (#18952)
* Explicit container test

* remove static resources

* fix passing serviceBindPorts

* WIP

* fix explicit upstream test

* use my image in CI until dataplane is fixed.

* gofmt

* fixing reference to v2beta1 in test-containers

* WIP

* remove bad references

* add missing license headers

* allow access internal/resource/resourcetest

* fix check-allowed-imports to append array items

* use preview image for dataplane

* revert some inadverntent comment updates in peering_topology

* add building local consul-dataplane image to compatibility-tests CI

* fix substitution in CI

* change upstreams to destinations based on incoming change

* fixing use of upstreams in resource update

* remove commented out lines and enable envoy concurrency on dataplane.

* changes to addess PR feedback

* small fixes

---------

Co-authored-by: Eric <eric@haberkorn.co>
2023-09-26 16:21:47 -04:00
Iryna Shustava d85fc535fb
acl: default tenancy with the no-auth ACL resolver (#19006)
When using the no-auth acl resolver (the case for most controllers and the get-envoy-boostrap-params endpoint), ResolveTokenAndDefaultMeta
method only returns an acl resolver. However, the resource service relies on the ent meta to be filled in to do the tenancy defaulting and
inheriting it from the token when one is present.

So this change makes sure that the ent meta defaulting always happens in the ACL resolver.
2023-09-26 11:52:53 -06:00
Iryna Shustava 06c15d0656
auth: register auth controllers with the server (#19000) 2023-09-25 22:54:03 +00:00
Iryna Shustava 3ea6afb4d4
mesh: rename Upstreams and UpstreamsConfiguration to Destinations* (#18995) 2023-09-25 12:03:45 -06:00
skpratt 202090e5d5
v2 explicit destination traffic permissions (#18823)
* workload identity boilerplate

* notes from discussion with Iryna

* WIP traffic permissions controller poc

* workload identity, traffic permissions validation, errors, types

* traffic permissions mapper framing, traffic permissions controller updates.

* more roughing out of the controller

* cleanup

* controller and mapper logic

* tests

* refactor mapper logic, add tests

* clean up tenancy and integration test stubs

* consolidate mapping

* cleanup cache leak, revert bimapper changes

* address review comments

* test fix and rebase

* use resource helper

---------

Co-authored-by: John Landa <john.landa@hashicorp.com>
2023-09-25 16:50:07 +00:00
cskh bd2fdb7f7d
grafana: fix a query metrics from ent and add consul version (#18998) 2023-09-25 12:41:13 -04:00
Tim Gross e5f5fc9301
api: add `CheckRegisterOpts` method to Agent API (#18943)
Ongoing work to support Nomad Workload Identity for authenticating with Consul
will mean that Nomad's service registration sync with Consul will want to use
Consul tokens scoped to individual workloads for registering services and
checks. The `CheckRegister` method in the API doesn't have an option to pass the
token in, which prevent us from sharing the same Consul connection for all
workloads. Add a `CheckRegisterOpts` to match the behavior of
`ServiceRegisterOpts`.
2023-09-25 08:25:02 -07:00
Tim Gross aedc03b7ae
api: add Token field to ServiceRegisterOpts (#18983)
Ongoing work to support Nomad Workload Identity for authenticating with Consul
will mean that Nomad's service registration sync with Consul will want to use
Consul tokens scoped to individual workloads for registering services and
checks. The `ServiceRegisterOpts` type in the API doesn't have an option to pass
the token in, which prevent us from sharing the same Consul connection for all
workloads. Add a `Token` field to match the behavior of `ServiceDeregisterOpts`.
2023-09-25 08:24:30 -07:00
Nitya Dhanushkodi 58d06175ab
docs: add changelog (#18994) 2023-09-25 10:46:51 -04:00