Commit Graph

10385 Commits (44c2da3518c60d3221c45e4cbac91f67e2c84b49)

Author SHA1 Message Date
R.B. Boyer ae79cdab1b
connect: introduce ExternalSNI field on service-defaults (#6324)
Compiling this will set an optional SNI field on each DiscoveryTarget.
When set this value should be used for TLS connections to the instances
of the target. If not set the default should be used.

Setting ExternalSNI will disable mesh gateway use for that target. It also 
disables several service-resolver features that do not make sense for an 
external service.
2019-08-19 12:19:44 -05:00
R.B. Boyer 1351f6d345 update changelog 2019-08-19 10:45:10 -05:00
R.B. Boyer 1a485011d0
connect: updating a service-defaults config entry should leave an unset protocol alone (#6342)
If the entry is updated for reasons other than protocol it is surprising
that the value is explicitly persisted as 'tcp' rather than leaving it
empty and letting it fall back dynamically on the proxy-defaults value.
2019-08-19 10:44:06 -05:00
Jack Pearkes 589f77b2ab
website: update the vs. envoy and proxies page (#6326)
* website: update the vs. envoy and proxies page

This is the second result on Google for "consul envoy" and
it seemed like it needed a bit of an upgrade to help clarify the
current state.

* Update website/source/intro/vs/proxies.html.md

Co-Authored-By: Judith Malnick <judith.patudith@gmail.com>

* Update website/source/intro/vs/proxies.html.md

Co-Authored-By: Judith Malnick <judith.patudith@gmail.com>

* Update website/source/intro/vs/proxies.html.md

Co-Authored-By: Judith Malnick <judith.patudith@gmail.com>

* Update website/source/intro/vs/proxies.html.md

Co-Authored-By: Judith Malnick <judith.patudith@gmail.com>

* Apply suggestions from code review

Co-Authored-By: Judith Malnick <judith.patudith@gmail.com>
2019-08-16 14:25:24 -07:00
tryan225 47ca1fa988 Clarifying autopilot bootstrap and config options 2019-08-16 10:54:13 -07:00
Matt Keeler 6012343e6b
Update CHANGELOG.md 2019-08-16 10:35:36 -04:00
Matt Keeler 318b9ebbe3
Filter out left/leaving serf members when determining if new AC… (#6332) 2019-08-16 10:34:18 -04:00
R.B. Boyer 87d6eec378 update changelog 2019-08-16 09:32:10 -05:00
R.B. Boyer 72207256b9
xds: improve how envoy metrics are emitted (#6312)
Since generated envoy clusters all are named using (mostly) SNI syntax
we can have envoy read the various fields out of that structure and emit
it as stats labels to the various telemetry backends.

I changed the delimiter for the 'customization hash' from ':' to '~'
because ':' is always reencoded by envoy as '_' when generating metrics
keys.
2019-08-16 09:30:17 -05:00
hashicorp-ci 868780f237 Merge Consul OSS branch 'master' at commit 23cf22960a 2019-08-16 02:00:30 +00:00
mattc41190 23cf22960a Fix 404 (#6300)
On page: https://www.consul.io/discovery.html

If you click the link for Health Checks -> Learn More the underlying resource is:

https://learn.hashicorp.com/consul/getting-started/checks

This page for me is a 404. I think you've bundled it together in the following page:

Register a Service and Health Check - Service Discovery

Located at: https://learn.hashicorp.com/consul/getting-started/services

Thanks for Consul, it's really awesome.
2019-08-15 14:04:30 -07:00
Matt Keeler acac627412
Update CHANGELOG.md 2019-08-14 10:41:53 -04:00
Matt Keeler a2ddaaca0a
Update to google.golang.org/grpc v1.23.0 (#6320) 2019-08-14 10:41:27 -04:00
Matt Keeler d594e05f86
Update CHANGELOG.md 2019-08-14 10:40:39 -04:00
R.B. Boyer d431e22e94 update changelog 2019-08-14 09:12:12 -05:00
R.B. Boyer 3975cb89bf
agent: blocking central config RPCs iterations should not interfere with each other (#6316) 2019-08-14 09:08:46 -05:00
Matt Keeler 6d995246a8
Update toolchain to Go 1.12.8 (#6319) 2019-08-14 09:40:57 -04:00
hashicorp-ci 71f98661de
Release v1.6.0-rc1 2019-08-13 15:28:07 +00:00
hashicorp-ci d7bb2bbee4
update bindata_assetfs.go 2019-08-13 15:28:06 +00:00
Matt Keeler 9ffdc2c655
Fix changelog format (and alphabatize stuff) 2019-08-13 11:13:55 -04:00
hashicorp-ci 5919c7c184 Merge Consul OSS branch 'master' at commit 8f7586b339 2019-08-13 02:00:43 +00:00
Mike Morris 8f7586b339 changelog: add snapshot half-close fix 2019-08-12 17:06:34 -04:00
Mike Morris 9fc8c6d123 changelog: add managed proxy removal to breaking changes 2019-08-12 17:03:08 -04:00
Sarah Adams f4a21bd372
Update CHANGELOG.md 2019-08-12 13:57:58 -07:00
Matt Keeler 69c7d64701
Add missing LicenseReset API function (#6311) 2019-08-12 15:24:02 -04:00
Sarah Adams 8ff1f481fe
add flag to allow /operator/keyring requests to only hit local servers (#6279)
Add parameter local-only to operator keyring list requests to force queries to only hit local servers (no WAN traffic).

HTTP API: GET /operator/keyring?local-only=true
CLI: consul keyring -list --local-only

Sending the local-only flag with any non-GET/list request will result in an error.
2019-08-12 11:11:11 -07:00
Mike Morris 61206fdf42
snapshot: add TLS support to HalfCloser interface (#6216)
Calls net.TCPConn.CloseWrite or mtls.Conn.CloseWrite, which was added in https://go-review.googlesource.com/c/go/+/31318/
2019-08-12 12:47:02 -04:00
hashicorp-ci 5ecffb0c0a Merge Consul OSS branch 'master' at commit 8241787e92 2019-08-11 02:01:18 +00:00
Matt Keeler 71bc9931cc
Update CHANGELOG.md 2019-08-10 09:16:55 -04:00
Matt Keeler 6a1e0dfed8
Update the v1/agent/service/:service endpoint to output tagged… (#6304) 2019-08-10 09:15:19 -04:00
Jake Lundberg 8241787e92 docs: Update consul-helm example to pull latest tag 2019-08-09 16:33:43 -06:00
R.B. Boyer 82e2cef4e1 update changelog 2019-08-09 15:07:48 -05:00
R.B. Boyer 913d85ea5b
connect: allow mesh gateways to use central config (#6302) 2019-08-09 15:07:01 -05:00
Mike Morris b9f07fa9c3
website: restore accidental JSON deletion [skip ci] (#6303) 2019-08-09 15:32:54 -04:00
Mike Morris 65be58703c
connect: remove managed proxies (#6220)
* connect: remove managed proxies implementation and all supporting config options and structs

* connect: remove deprecated ProxyDestination

* command: remove CONNECT_PROXY_TOKEN env var

* agent: remove entire proxyprocess proxy manager

* test: remove all managed proxy tests

* test: remove irrelevant managed proxy note from TestService_ServerTLSConfig

* test: update ContentHash to reflect managed proxy removal

* test: remove deprecated ProxyDestination test

* telemetry: remove managed proxy note

* http: remove /v1/agent/connect/proxy endpoint

* ci: remove deprecated test exclusion

* website: update managed proxies deprecation page to note removal

* website: remove managed proxy configuration API docs

* website: remove managed proxy note from built-in proxy config

* website: add note on removing proxy subdirectory of data_dir
2019-08-09 15:19:30 -04:00
R.B. Boyer ca1a9746a7 update changelog 2019-08-07 16:42:45 -05:00
R.B. Boyer 165e5cd6b1
command: ensure that the json form of config entries can be submitted with 'consul config write' (#6290)
The json decoder inside of the HCLv1 hcl.Decode function behaves
unexpectedly when decoding generically into a map[string]interface{} as
is done for 'consul config write' pre-submit decoding.

This results in some subtle (service-router Match and Destinations being
separated) and some not so subtle (service-resolver subsets and failover
panic if multiple subsets are referenced) bugs when subsequently passed
through mapstructure to finish decoding.

Given that HCLv1 is basically frozen and the HCL part of it is fine
instead of trying to figure out what the underlying bug is in the json
decoder for our purposes just sniff the byte slice and selectively use
the stdlib json decoder for JSON and hcl decoder for HCL.
2019-08-07 16:41:33 -05:00
Matt Keeler b53b98fa26
mesh-gateway ACL tokens should also have `node:read` on everyth… (#6291) 2019-08-07 13:52:57 -04:00
R.B. Boyer 3a3086ecd2 update changelog 2019-08-07 11:35:21 -05:00
R.B. Boyer 9bbbea1777
connect: ensure intention replication continues to work when the replication ACL token changes (#6288) 2019-08-07 11:34:09 -05:00
hashicorp-ci 913784e1bf Merge Consul OSS branch 'master' at commit d84863799d 2019-08-06 02:00:30 +00:00
R.B. Boyer 30b091bd06 update changelog 2019-08-05 17:16:22 -05:00
R.B. Boyer 9753c77a79
api: un-deprecate api.DecodeConfigEntry (#6278)
Add clarifying commentary about when it is not safe to use it. Also add
tests.
2019-08-05 17:15:22 -05:00
Sarah Adams d84863799d
fallback to proxy config global protocol when upstream services' protocol is unset (#6277)
fallback to proxy config global protocol when upstream services' protocol is unset

Fixes #5857
2019-08-05 12:52:35 -07:00
R.B. Boyer 0036a3652c
Update CHANGELOG.md 2019-08-05 13:33:07 -05:00
R.B. Boyer 8e22d80e35
connect: fix failover through a mesh gateway to a remote datacenter (#6259)
Failover is pushed entirely down to the data plane by creating envoy
clusters and putting each successive destination in a different load
assignment priority band. For example this shows that normally requests
go to 1.2.3.4:8080 but when that fails they go to 6.7.8.9:8080:

- name: foo
  load_assignment:
    cluster_name: foo
    policy:
      overprovisioning_factor: 100000
    endpoints:
    - priority: 0
      lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 1.2.3.4
              port_value: 8080
    - priority: 1
      lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 6.7.8.9
              port_value: 8080

Mesh gateways route requests based solely on the SNI header tacked onto
the TLS layer. Envoy currently only lets you configure the outbound SNI
header at the cluster layer.

If you try to failover through a mesh gateway you ideally would
configure the SNI value per endpoint, but that's not possible in envoy
today.

This PR introduces a simpler way around the problem for now:

1. We identify any target of failover that will use mesh gateway mode local or
   remote and then further isolate any resolver node in the compiled discovery
   chain that has a failover destination set to one of those targets.

2. For each of these resolvers we will perform a small measurement of
   comparative healths of the endpoints that come back from the health API for the
   set of primary target and serial failover targets. We walk the list of targets
   in order and if any endpoint is healthy we return that target, otherwise we
   move on to the next target.

3. The CDS and EDS endpoints both perform the measurements in (2) for the
   affected resolver nodes.

4. For CDS this measurement selects which TLS SNI field to use for the cluster
   (note the cluster is always going to be named for the primary target)

5. For EDS this measurement selects which set of endpoints will populate the
   cluster. Priority tiered failover is ignored.

One of the big downsides to this approach to failover is that the failover
detection and correction is going to be controlled by consul rather than
deferring that entirely to the data plane as with the prior version. This also
means that we are bound to only failover using official health signals and
cannot make use of data plane signals like outlier detection to affect
failover.

In this specific scenario the lack of data plane signals is ok because the
effectiveness is already muted by the fact that the ultimate destination
endpoints will have their data plane signals scrambled when they pass through
the mesh gateway wrapper anyway so we're not losing much.

Another related fix is that we now use the endpoint health from the
underlying service, not the health of the gateway (regardless of
failover mode).
2019-08-05 13:30:35 -05:00
Alvin Huang 9f58504f1c
Merge pull request #6274 from hashicorp/merge-master-de01a1e
Merge master at de01a1e279
2019-08-02 19:13:54 -04:00
Alvin Huang 37ea271eb7 fix grpc-addr-config hosts template 2019-08-02 19:00:39 -04:00
Alvin Huang 206b2016a4 Merge remote-tracking branch 'origin/master' into release/1-6 2019-08-02 18:09:32 -04:00
R.B. Boyer 856090e893 update changelog 2019-08-02 15:36:13 -05:00