Commit Graph

360 Commits (4f929f8ff5a37333cd233fb00f978024f9d6442c)

Author SHA1 Message Date
Mark Anderson 98a2e282be Fixup acl.EnterpriseMeta
3 years ago
Kyle Havlovitz 6cf22a5cef
Merge pull request #12672 from hashicorp/tgate-san-validation
3 years ago
Kyle Havlovitz 1a3b885027 Use the GatewayService SNI field for upstream SAN validation
3 years ago
Eric e0a15690ae Implement Lambda Patching in the Serverless Plugin
3 years ago
R.B. Boyer e79ce8ab03
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601)
3 years ago
R.B. Boyer ac5bea862a
server: ensure that service-defaults meta is incorporated into the discovery chain response (#12511)
3 years ago
Eric cf3e517d0e Create and wire up the serverless patcher
3 years ago
R.B. Boyer 2a56e0055b
proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531)
3 years ago
freddygv ceb52d649a Account for upstream targets in another DC.
3 years ago
freddygv cbea3d203c Fix race of upstreams with same passthrough ip
3 years ago
freddygv 659ebc05a9 Ensure passthrough addresses get cleaned up
3 years ago
freddygv c31c1158a6 Add failing test
3 years ago
R.B. Boyer b60d89e7ef bulk rewrite using this script
3 years ago
R.B. Boyer 424f3cdd2c
proxycfg: introduce explicit UpstreamID in lieu of bare string (#12125)
3 years ago
Dhia Ayachi e653f81919
reset `coalesceTimer` to nil as soon as the event is consumed (#11924)
3 years ago
freddygv 21f2c2e68d Purge chain if it shouldn't be there
3 years ago
freddygv d26b4860fd Account for new upstreams constraint in tests
3 years ago
freddygv 2fe27b748d Check ingress upstreams when gating chain watches
3 years ago
freddygv 6af9a0d8cf Avoid storing chain without an upstream
3 years ago
freddygv ba12dc215b Clean up chains separately from their watches
3 years ago
freddygv 70d6358426 Store intention upstreams in snapshot
3 years ago
R.B. Boyer 81ea8129d7
proxycfg: ensure all of the watches are canceled if they are cancelable (#11824)
3 years ago
R.B. Boyer 4aabbe529c
proxycfg: use external addresses in tproxy when crossing partition boundaries (#11823)
3 years ago
R.B. Boyer 631c649291
various partition related todos (#11822)
3 years ago
R.B. Boyer 1e02460bd1
re-run gofmt on 1.17 (#11579)
3 years ago
freddygv 0e507492d0 Update proxycfg for ingress service partitions
3 years ago
Freddy 00b5b0a0a2
Update filter chain creation for sidecar/ingress listeners (#11245)
3 years ago
Daniel Upton 50a1f20ff9
xds: prefer fed state gateway definitions if they're fresher (#11522)
3 years ago
freddygv 60066e5154 Exclude default partition from GatewayKey string
3 years ago
freddygv e3666b0bc4 Update GatewayKeys deduplication
3 years ago
freddygv 90ce897456 Store GatewayKey in proxycfg snapshot for re-use
3 years ago
freddygv 4d4ccedb3a Update locality check in proxycfg
3 years ago
freddygv 3a2061544d Fixup partitions assertion
3 years ago
freddygv d28b9052b2 Move the exportingpartitions constant to enterprise
3 years ago
freddygv 448701dbd8 Replace default partition check
3 years ago
freddygv 12923f5ebc PR comments
3 years ago
freddygv a33b6923e0 Account for partitions in xds gen for mesh gw
3 years ago
freddygv 110fae820a Update xds pkg to account for GatewayKey
3 years ago
freddygv 7e65678c52 Update mesh gateway proxy watches for partitions
3 years ago
freddygv 37a16e9487 Replace Split with SplitN
3 years ago
freddygv b9b6447977 Finish removing useInDatacenter
3 years ago
freddygv 62e0fc62c1 Configure sidecars to watch gateways in partitions
3 years ago
Paul Banks 78a00f2e1c Add support for enabling connect-based ingress TLS per listener.
3 years ago
Daniel Nephin eb632c53a2 structs: rename the last helper method.
3 years ago
Daniel Nephin 6d72517682 structs: remove two methods that were only used once each.
3 years ago
Paul Banks 136928a90f Minor PR typo and cleanup fixes
3 years ago
Paul Banks 20d0bf81f7 Revert abandoned changes to proxycfg for Ent test consistency
3 years ago
Paul Banks 659321d008 Handle namespaces in route names correctly; add tests for enterprise
3 years ago
Paul Banks ccbda0c285 Update proxycfg to hold more ingress config state
3 years ago
Paul Banks 4e39f03d5b Add ingress-gateway config for SDS
3 years ago
freddygv 49248a0802 Fixup proxycfg tproxy case
3 years ago
freddygv 95a6db9cfa Account for partitions in ixn match/decision
3 years ago
freddygv 3f3a61c6e1 Fixup manager tests
3 years ago
freddygv 77681b9f6c Pass partition to intention match query
3 years ago
Paul Banks e22cc9c53a Header manip for split legs plumbing
3 years ago
Paul Banks 83fc8723a3 Header manip for service-router plumbed through
3 years ago
Paul Banks f439dfc04f Ingress gateway header manip plumbing
3 years ago
Dhia Ayachi bc0e4f2f46
partition discovery chains (#10983)
3 years ago
Dhia Ayachi 09197c989c
add partition to SNI when partition is non default (#10917)
3 years ago
freddygv f52bd80f6d Update comment for test function
3 years ago
freddygv af52d21884 Update prepared query cluster SAN validation
3 years ago
freddygv 85878685b7 Fixup proxy config test fixtures
3 years ago
Dhia Ayachi 1950ebbe1f
oss portion of ent #1069 (#10883)
3 years ago
R.B. Boyer 097e1645e3
agent: ensure that most agent behavior correctly respects partition configuration (#10880)
3 years ago
Daniel Nephin 0575498d0d proxycfg: Lookup the agent token as a default
3 years ago
Daniel Nephin b313f495b8 proxycfg: Add a test to show the bug
3 years ago
Freddy 19f6e1ca31
Log the correlation ID when blocking queries fire (#10689)
3 years ago
R.B. Boyer 188e8dc51f
agent/structs: add a bunch more EnterpriseMeta helper functions to help with partitioning (#10669)
3 years ago
freddygv b4c5c58c9b Add TODOs about partition handling
3 years ago
freddygv 47da00d3c7 Validate SANs for passthrough clusters and failovers
3 years ago
Daniel Nephin 10051cf6d3 proxycfg: remove unused method
3 years ago
Daniel Nephin 6bc5255028 proxycfg: move each handler into a separate file
3 years ago
Daniel Nephin 19d3eeff3c
Merge pull request #9489 from hashicorp/dnephin/proxycfg-state-2
3 years ago
Nitya Dhanushkodi 52043830b4 proxycfg: reference to entry in map should not panic
3 years ago
Daniel Nephin e738fa3b80 Replace type conversion with embedded structs
3 years ago
Daniel Nephin 32c15d9a88 proxycfg: split state into kind-specific types
4 years ago
Daniel Nephin cd05df7157 proxycfg: unmethod hostnameEndpoints
4 years ago
Daniel Nephin 97c6ee00d7 Remove duplicate import
4 years ago
Daniel Nephin 0547d0c046
Merge pull request #9466 from hashicorp/dnephin/proxycfg-state
4 years ago
Nitya Dhanushkodi b8b44419a0
proxycfg: Ensure that endpoints for explicit upstreams in other datacenters are watched in transparent mode (#10391)
4 years ago
Daniel Nephin 016c5611d1 proxycfg: extract two types from state struct
4 years ago
Daniel Nephin 9c40aa729f proxycfg: pass context around where it is needed
4 years ago
Freddy 429f9d8bb8
Add flag for transparent proxies to dial individual instances (#10329)
4 years ago
freddygv c73703c08b Ensure entmeta is encoded in test correlationID
4 years ago
Daniel Nephin 347f3d2128
Merge pull request #10155 from hashicorp/dnephin/config-entry-remove-fields
4 years ago
Mark Anderson 6be9cebad0 Add tests for xds/listeners
4 years ago
Mark Anderson 06f0f79218 Continue working through proxy and agent
4 years ago
Freddy ed1082510d
Fixup discovery chain handling in transparent mode (#10168)
4 years ago
Daniel Nephin 62efaaab21 config-entry: remove Kind and Name field from Mesh config entry
4 years ago
R.B. Boyer 71d45a3460
Support Incremental xDS mode (#9855)
4 years ago
Freddy 078c40425f
Rename "cluster" config entry to "mesh" (#10127)
4 years ago
Daniel Nephin 2a26085b2c connect: do not set QuerySource.Node
4 years ago
Freddy 439a7fce2d
Split Upstream.Identifier() so non-empty namespace is always prepended in ent (#10031)
4 years ago
freddygv 8857195437 Fixup wildcard ent assertion
4 years ago
freddygv 7bd51ff536 Replace TransparentProxy bool with ProxyMode
4 years ago
freddygv b21224a4c8 PR comments
4 years ago
freddygv 49a4a78fd5 Ensure mesh gateway mode override is set for upstreams for intentions
4 years ago
freddygv 5140c3e51f Finish resolving upstream defaults in proxycfg
4 years ago
R.B. Boyer 499fee73b3
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973)
4 years ago
freddygv 098b9af901 Fixup enterprise tests from tproxy changes
4 years ago
freddygv eb1e0a1751 Cancel watch on all errors
4 years ago
freddygv f4f45af6d0 Merge master and fix upstream config protocol defaulting
4 years ago
freddygv 0da8702f34 PR comments
4 years ago
freddygv a54d6a9010 Update proxycfg for transparent proxy
4 years ago
Daniel Nephin f40b76af2d proxycfg: use rpcclient/health.Client instead of passing around cache name
4 years ago
Daniel Nephin 906834ce8e proxycfg: Use streaming in connect state
4 years ago
Freddy 82c269a7c5
Avoid potential proxycfg/xDS deadlock using non-blocking send
4 years ago
freddygv ec5f75776b Update comments on avoiding proxycfg deadlock
4 years ago
R.B. Boyer 43193a35c6
xds: prevent LDS flaps in mesh gateways due to unstable datacenter lists (#9651)
4 years ago
freddygv 6e443e5536 Retry send after timer fires, in case no updates occur
4 years ago
freddygv 95e7641faa Update proxycfg logging, labels were already attached
4 years ago
freddygv 5ba14ad41d Add trace logs to proxycfg state runner and xds srv
4 years ago
freddygv 37190c0d0d Avoid potential deadlock using non-blocking send
4 years ago
Daniel Nephin b9e60c0775 testing: skip slow tests with -short
4 years ago
freddygv 856d5a25ee Fix text type assertion
4 years ago
freddygv 7fd518ff1d Merge master
4 years ago
freddygv 87541ab80a Fix type assertion
4 years ago
freddygv 768dbaa68d Add session flag to cookie config
4 years ago
freddygv eab90ea9fa Revert EnvoyConfig nesting
4 years ago
freddygv 30ba080d25 Add explicit protocol overrides in tgw xds test cases
4 years ago
freddygv f81fe6a1a1 Remove LB infix and move injection to xds
4 years ago
freddygv 63f79e5f9b Restructure structs and other PR comments
4 years ago
freddygv 28d0602fc1 Pass LB config to Envoy via xDS
4 years ago
R.B. Boyer 74d5df7c7a
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
4 years ago
Matt Keeler be01c4241d
Default Cache rate limiting options in New
4 years ago
Pierre Souchay 505de6dc29
Added ratelimit to handle throttling cache (#8226)
4 years ago
Matt Keeler 12acdd7481
Disable background cache refresh for Connect Leaf Certs
4 years ago
Daniel Nephin 010a609912 Fix a bunch of unparam lint issues
4 years ago
Freddy 5baa7b1b04
Always return a gateway cluster (#8158)
5 years ago
Daniel Nephin 5afcf5c1bc
Merge pull request #8034 from hashicorp/dnephin/add-linter-staticcheck-4
5 years ago
Daniel Nephin 068b43df90 Enable gofmt simplify
5 years ago
Daniel Nephin cb050b280c ci: enable SA4006 staticcheck check
5 years ago
freddygv 19e3954603 Move compound service names to use ServiceName type
5 years ago
Freddy 166a8b2a58
Only pass one hostname via EDS and prefer healthy ones (#8084)
5 years ago
Freddy 9ed325ba8b
Enable gateways to resolve hostnames to IPv4 addresses (#7999)
5 years ago
Daniel Nephin c88fae0aac ci: Add staticcheck and fix most errors
5 years ago
Kyle Havlovitz b14696e32a
Standardize support for Tagged and BindAddresses in Ingress Gateways (#7924)
5 years ago
Chris Piraino 9d9e23cc44 Add service id context to the proxycfg logger
5 years ago
Kyle Havlovitz 136549205c
Merge pull request #7759 from hashicorp/ingress/tls-hosts
5 years ago
Chris Piraino a0e1f57ac2 Remove development log line
5 years ago
Chris Piraino 26f92e74f6 Compute all valid DNSSANs for ingress gateways
5 years ago
Freddy c32a4f1ece
Fix up enterprise compatibility for gateways (#7813)
5 years ago
Chris Piraino 0bd5618cb2 Cleanup proxycfg for TLS
5 years ago
Freddy b069887b2a
Remove timeout and call to Fatal from goroutine (#7797)
5 years ago
Kyle Havlovitz f14c54e25e Add TLS option and DNS SAN support to ingress config
5 years ago
Chris Piraino 881760f701 xds: Use only the port number as the configured route name
5 years ago
Chris Piraino f40833d094 Allow Hosts field to be set on an ingress config entry
5 years ago
Kyle Havlovitz 711d1389aa Support multiple listeners referencing the same service in gateway definitions
5 years ago
Kyle Havlovitz 247f9eaf13 Allow ingress gateways to route traffic based on Host header
5 years ago
Freddy 137a2c32c6
TLS Origination for Terminating Gateways (#7671)
5 years ago
freddygv 034d7d83d4 Fix snapshot IsEmpty
5 years ago
Freddy 3b1b24c2ce Update agent/proxycfg/state_test.go
5 years ago
freddygv eddd5bd73b PR comments
5 years ago
freddygv 6abc71f915 Skip filter chain creation if no client cert
5 years ago
freddygv 09a8e5f36d Use golden files for gateway certs and fix listener test flakiness
5 years ago
freddygv 840d27a9d5 Un-nest switch in gateway update handler
5 years ago
freddygv c0e1751878 Allow terminating-gateway to setup listener before servicegroups are known
5 years ago
freddygv 913b13f31f Add subset support
5 years ago
freddygv 219c78e586 Add xds cluster/listener/endpoint management
5 years ago
freddygv 24207226ca Add proxycfg state management for terminating-gateways
5 years ago
Chris Piraino cb9df538d5 Add all the xds ingress tests
5 years ago
Chris Piraino 0ca9b606e8 Pull out setupTestVariationConfigEntriesAndSnapshot in proxycfg
5 years ago
Daniel Nephin 5fe7043439 agent/cache: Make all cache options RegisterOptions
5 years ago
Kyle Havlovitz e9e8c0e730
Ingress Gateways for TCP services (#7509)
5 years ago
Chris Piraino 584f90bbeb
Fix flapping of mesh gateway connect-service watches (#7575)
5 years ago
Andy Lindeman c1cb18c648
proxycfg: support path exposed with non-HTTP2 protocol (#7510)
5 years ago
R.B. Boyer 6adad71125
wan federation via mesh gateways (#6884)
5 years ago
Matt Keeler 4c9577678e
xDS Mesh Gateway Resolver Subset Fixes (#7294)
5 years ago
Lars Lehtonen 6bcd596539
agent/proxycfg: fix dropped error in state.initWatchesMeshGateway() (#7267)
5 years ago
Matt Keeler 9e5fd7f925
OSS Changes for various config entry namespacing bugs (#7226)
5 years ago
Matt Keeler dfb0177dbc
Testing updates to support namespaced testing of the agent/xds… (#7185)
5 years ago
Chris Piraino 401221de58
Allow users to configure either unstructured or JSON logging (#7130)
5 years ago
Matt Keeler c09693e545
Updates to Config Entries and Connect for Namespaces (#7116)
5 years ago
Aestek ba8fd8296f Add support for dual stack IPv4/IPv6 network (#6640)
5 years ago
Matt Keeler 27f49eede9
Move where the service-resolver watch is done so that it happen… (#7025)
5 years ago
Matt Keeler 5934f803bf
Sync of OSS changes to support namespaces (#6909)
5 years ago
R.B. Boyer 2011f3d7dc
xds: mesh gateway CDS requests are now allowed to receive an empty CDS reply (#6787)
5 years ago
R.B. Boyer 97aa050c20
agent: allow mesh gateways to initialize even if there are no connect services registered yet (#6576)
5 years ago
R.B. Boyer 9566df524e
agent: cache notifications work after error if the underlying RPC returns index=1 (#6547)
5 years ago
Freddy fdd10dd8b8
Expose HTTP-based paths through Connect proxy (#6446)
5 years ago
R.B. Boyer af01d397a5
connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492)
5 years ago
R.B. Boyer dfcdc41ef8
connect: allow 'envoy_cluster_json' escape hatch to continue to function (#6378)
5 years ago
R.B. Boyer 561b2fe606
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340)
5 years ago
R.B. Boyer ae79cdab1b
connect: introduce ExternalSNI field on service-defaults (#6324)
5 years ago
Mike Morris 65be58703c
connect: remove managed proxies (#6220)
5 years ago
R.B. Boyer 8e22d80e35
connect: fix failover through a mesh gateway to a remote datacenter (#6259)
5 years ago
R.B. Boyer c395affc93
connect: expose an API endpoint to compile the discovery chain (#6248)
5 years ago
R.B. Boyer f02924fafe
connect: simplify the compiled discovery chain data structures (#6242)
5 years ago
R.B. Boyer 6393edba53
connect: reconcile how upstream configuration works with discovery chains (#6225)
5 years ago
Matt Keeler fcc18c1675
Fix prepared query upstream endpoint generation (#6236)
5 years ago
R.B. Boyer e039dfd7f8
connect: rework how the service resolver subset OnlyPassing flag works (#6173)
5 years ago
R.B. Boyer e8132b61c0
add test for discovery chain agent cache-type (#6130)
5 years ago
Matt Keeler 4728329aeb
Various Gateway Fixes (#6093)
5 years ago
R.B. Boyer bcd2de3a2e
implement some missing service-router features and add more xDS testing (#6065)
5 years ago
Jack Pearkes e6f1b78efb Make cluster names SNI always (#6081)
5 years ago
Matt Keeler 3d562bee5c Fix Internal.ServiceDump blocking (#6076)
5 years ago
hashicorp-ci 7a32c5a618 Merge Consul OSS branch 'master' at commit a58d8e91ac
5 years ago
Matt Keeler a8e2e866e3 Update xds/proxycfg tests to use the same looking trust domain as a normal system
5 years ago
Matt Keeler a7421c160f Implement mesh gateway management of service subsets
5 years ago
R.B. Boyer 4bdb690a25
activate most discovery chain features in xDS for envoy (#6024)
5 years ago