Commit Graph

78 Commits (5a20bc4530d76b94b120b6d404db22de5f58feae)

Author SHA1 Message Date
hc-github-team-consul-core 5f0b1f140b
Backport of mesh: add DestinationPolicy ACL hook tenancy tests into release/1.17.x (#19221)
mesh: add DestinationPolicy ACL hook tenancy tests (#19178)

Enhance the DestinationPolicy ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2023-10-16 19:27:29 +00:00
hc-github-team-consul-core 3764c96d7e
Backport of mesh: add xRoute ACL hook tenancy tests into release/1.17.x (#19219)
* backport of commit 584b6563d4

* backport of commit 761090d96d

---------

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2023-10-16 17:41:34 +00:00
hc-github-team-consul-core 689f32c59d
Backport of catalog, mesh: implement missing ACL hooks into release/1.17.x (#19212)
catalog, mesh: implement missing ACL hooks (#19143)

This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.

It refactors a lot of the common testing functions so that they can be re-used between resources.

There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
2023-10-14 01:50:22 +00:00
hc-github-team-consul-core 41a986c6e0
Backport of mesh: add more validations to Destinations resource into release/1.17.x (#19211)
backport of commit f6c7c4ddc1

Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
2023-10-13 23:08:06 +00:00
hc-github-team-consul-core 9ceec775dc
Backport of mesh: add validation hook to proxy configuration into release/1.17.x (#19209)
* server: run the api checks against the path without params (#19205)

* Clone proto into deepcopy correctly (#19204)

* mesh: add validation hook to proxy configuration

* backport of commit b08d9d4b47

* backport of commit 55b9363539

---------

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
2023-10-13 22:16:41 +00:00
hc-github-team-consul-core 73ab8c5c48
Backport of Clone proto into deepcopy correctly into release/1.17.x (#19207)
backport of commit eb08b9d684

Co-authored-by: Ashwin Venkatesh <ashwin.what@gmail.com>
2023-10-13 22:07:49 +00:00
R.B. Boyer 99f7a1219e
catalog: add metadata filtering to refine workload selectors (#19198)
This implements the Filter field on pbcatalog.WorkloadSelector to be
a post-fetch in-memory filter using the https://github.com/hashicorp/go-bexpr
expression language to filter resources based on their envelope metadata fields.

All existing usages of WorkloadSelector should be able to make use of the filter.
2023-10-13 13:37:42 -05:00
R.B. Boyer f0e4897736
mesh: ensure that xRoutes have ParentRefs that have matching Tenancy to the enclosing resource (#19176)
We don't want an xRoute controlling traffic for a Service in another tenancy.
2023-10-13 11:31:56 -05:00
Ashwin Venkatesh c2a0d4f9ca
Create DeepCopy() and Json Marshal/Unmarshal for proto-public (#19015)
* Override Marshal/UnmarshalJSON for proto-public types
* Generate Deepcopy() for proto-public types for Kubernetes CRDs.
2023-10-13 14:55:58 +00:00
Iryna Shustava c35df12c95
mesh: Add ComputedProxyConfiguration and a controller that computes it. (#19043)
* Introduce a new type `ComputedProxyConfiguration` and add a controller for it. This is needed for two reasons. The first one is that external integrations like kubernetes may need to read the fully computed and sorted proxy configuration per workload. The second reasons is that it makes sidecar-proxy controller logic quite a bit simpler as it no longer needs to do this.
* Generalize workload selection mapper and fix a bug where it would delete IDs from the tree if only one is left after a removal is done.
2023-10-10 17:34:53 -06:00
Semir Patel 830c4ea81c
v2tenancy: cluster scoped reads (#19082) 2023-10-10 13:30:23 -05:00
Chris S. Kim 92ce814693
Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
Eric Haberkorn ad3aab1ef7
Add traffic permissions integration tests. (#19008)
Add traffic permissions integration tests.
2023-10-06 12:06:12 -04:00
skpratt 202090e5d5
v2 explicit destination traffic permissions (#18823)
* workload identity boilerplate

* notes from discussion with Iryna

* WIP traffic permissions controller poc

* workload identity, traffic permissions validation, errors, types

* traffic permissions mapper framing, traffic permissions controller updates.

* more roughing out of the controller

* cleanup

* controller and mapper logic

* tests

* refactor mapper logic, add tests

* clean up tenancy and integration test stubs

* consolidate mapping

* cleanup cache leak, revert bimapper changes

* address review comments

* test fix and rebase

* use resource helper

---------

Co-authored-by: John Landa <john.landa@hashicorp.com>
2023-09-25 16:50:07 +00:00
R.B. Boyer 11d6b0df45
mesh: store bound reference pointers on a ComputedRoutes resource and use during reconcile (#18965)
xRoute resource types contain a slice of parentRefs to services that they 
manipulate traffic for. All xRoutes that have a parentRef to given Service 
will be merged together to generate a ComputedRoutes resource 
name-aligned with that Service.

This means that a write of an xRoute with 2 parent ref pointers will cause 
at most 2 reconciles for ComputedRoutes.

If that xRoute's list of parentRefs were ever to be reduced, or otherwise
 lose an item, that subsequent map event will only emit events for the current 
set of refs. The removed ref will not cause the generated ComputedRoutes 
related to that service to be re-reconciled to omit the influence of that xRoute.

To combat this, we will store on the ComputedRoutes resource a 
BoundResources []*pbresource.Reference field with references to all 
resources that were used to influence the generated output.

When the routes controller reconciles, it will use a bimapper to index this
 influence, and the dependency mappers for the xRoutes will look 
themselves up in that index to discover additional (former) ComputedRoutes
 that need to be notified as well.
2023-09-22 15:46:14 -05:00
Eric Haberkorn 4d6ff29392
Traffic Permissions Validations (#18907)
add TP validations and mutation and add CTP validations
2023-09-22 16:10:10 -04:00
Iryna Shustava d88888ee8b
catalog,mesh,auth: Bump versions to v2beta1 (#18930) 2023-09-22 10:51:15 -06:00
R.B. Boyer ef6f2494c7
resource: allow for the ACLs.Read hook to request the entire data payload to perform the authz check (#18925)
The ACLs.Read hook for a resource only allows for the identity of a 
resource to be passed in for use in authz consideration. For some 
resources we wish to allow for the current stored value to dictate how 
to enforce the ACLs (such as reading a list of applicable services from 
the payload and allowing service:read on any of them to control reading the enclosing resource).

This change update the interface to usually accept a *pbresource.ID, 
but if the hook decides it needs more data it returns a sentinel error 
and the resource service knows to defer the authz check until after
 fetching the data from storage.
2023-09-22 09:53:55 -05:00
Matt Keeler 53fcc5d9a5
Add protoc generator to emit resource type variables (#18957)
The annotations include a little more data than is strictly necessary because we will also have a protoc generator for openapi output.
2023-09-21 17:18:47 -04:00
R.B. Boyer d574473fd1
mesh: make FailoverPolicy work in xdsv2 and ProxyStateTemplate (#18900)
Ensure that configuring a FailoverPolicy for a service that is reachable via a xRoute or a direct upstream causes an envoy aggregate cluster to be created for the original cluster name, but with separate clusters for each one of the possible destinations.
2023-09-20 11:59:01 -05:00
R.B. Boyer 07d916e84f
resource: ensure resource.AuthorizerContext properly strips the local… (#18908)
resource: ensure resource.AuthorizerContext properly strips the local peer name
2023-09-19 17:14:15 -05:00
Eric Haberkorn 170417ac97
Honor Default Traffic Permissions in V2 (#18886)
wire up v2 default traffic permissions
2023-09-19 10:42:32 -04:00
Semir Patel 62796a1454
resource: mutate and validate before acls on write (#18868) 2023-09-18 17:04:29 -05:00
Dhia Ayachi 4435e4a420
add v2 tenancy bridge Flag and v2 Tenancy Bridge initial implementation (#18830)
* add v2 tenancy bridge and a feature flag for v2 tenancy

* move tenancy bridge v2 under resource package
2023-09-18 12:25:05 -04:00
skpratt 1fda2965e8
Allow empty data writes for resources (#18819)
* allow nil data writes for resources

* update demo to test valid type with no data
2023-09-15 14:00:23 -05:00
Semir Patel d3dad14030
resource: default peername to "local" for now (#18822) 2023-09-15 09:34:18 -05:00
R.B. Boyer 66e1cdf40c
mesh: Wire ComputedRoutes into the ProxyStateTemplate via the sidecar controller (#18752)
Reworks the sidecar controller to accept ComputedRoutes as an input and use it to generate appropriate ProxyStateTemplate resources containing L4/L7 mesh configuration.
2023-09-14 17:19:04 -05:00
R.B. Boyer 07f54fe3b8
resource: add helper to normalize inner Reference tenancy during mutate (#18765)
When one resource contains an inner field that is of type *pbresource.Reference we want the
Tenancy to be reasonably defaulted by the following rules:

1. The final values will be limited by the scope of the referenced type.
2. Values will be inferred from the parent's tenancy, and if that is insufficient then using
   the default tenancy for the type's scope.
3. Namespace will only be used from a parent if the reference and the parent share a
   partition, otherwise the default namespace will be used.

Until we tackle peering, this hard codes an assumption of peer name being local. The
logic for defaulting may need adjustment when that is addressed.
2023-09-13 12:08:12 -05:00
Nitya Dhanushkodi 78b170ad50
xds controller: setup watches for and compute leaf cert references in ProxyStateTemplate, and wire up leaf cert manager dependency (#18756)
* Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager.

The leaf cert logic in the controller:
* Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too).
* Gets the leaf cert from the leaf cert cache
* Stores the leaf cert in the ProxyState that's pushed to xds
* For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates

Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource.
The wrapper allows mapping events to resources (as opposed to mapping resources to resources)

The controller tests:
Unit: Ensure that we resolve leaf cert references
Lifecycle: Ensure that when the CA is updated, the leaf cert is as well

Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id.

* Pulls out some leaf cert test helpers into a helpers file so it
can be used in the xds controller tests.
* Wires up leaf cert manager dependency
* Support getting token from proxytracker
* Add workload identity spiffe id type to the authorize and sign functions



---------

Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-09-12 12:56:43 -07:00
Poonam Jadhav 264166fcc0
fix: write endpoint errors out gracefully (#18743) 2023-09-12 09:22:15 -04:00
Iryna Shustava 3c70e14713
sidecar-proxy controller: L4 controller with explicit upstreams (NET-3988) (#18352)
* This controller generates and saves ProxyStateTemplate for sidecar proxies.
* It currently supports single-port L4 ports only.
* It keeps a cache of all destinations to make it easier to compute and retrieve destinations.
* It will update the status of the pbmesh.Upstreams resource if anything is invalid.
* This commit also changes service endpoints to include workload identity. This made the implementation a bit easier as we don't need to look up as many workloads and instead rely on endpoints data.
2023-09-07 09:37:15 -06:00
wangxinyi7 df9d12a56a
Net 2714/xw cli read command (#18462)
enable `consul resource read` command in cli
2023-09-05 09:17:19 -07:00
Semir Patel b96cff7436
resource: Require scope for resource registration (#18635) 2023-09-01 09:44:53 -05:00
Semir Patel 067a0112e2
resource: Make resource listbyowner tenancy aware (#18566) 2023-08-24 10:49:46 -05:00
R.B. Boyer 17667a1c75
mesh: adding type aliases for mesh resource usage (#18448)
Introduces some simple type aliases for DecodedResource[*X] wrappers for each type which cut down on the verbosity
2023-08-22 12:31:06 -05:00
Semir Patel 53e28a4963
OSS -> CE (community edition) changes (#18517) 2023-08-22 09:46:03 -05:00
Matt Keeler 547f4f8395
Reduce required type arguments for DecodedResource (#18540) 2023-08-21 20:20:19 -04:00
Iryna Shustava 0b580ffd22
bimapper: fix data race (#18519) 2023-08-18 07:55:12 -06:00
Iryna Shustava cc596ce772
bimapper: allow to untrack links and support reference or id (#18451) 2023-08-17 18:03:05 -06:00
Semir Patel 217107f627
resource: Make resource list tenancy aware (#18475) 2023-08-15 16:57:59 -05:00
Poonam Jadhav f88d4fe28f
Net-2707/list resource endpoint (#18444)
feat: list resources endpoint
2023-08-15 09:11:50 -04:00
wangxinyi7 cda884ac81
read endpoint (#18268)
implement http read endpoint to expose resource grpc service read method
2023-08-11 14:11:11 -07:00
Poonam Jadhav 559c61e6b6
Net-2712/resource hcl parsing (#18250)
* Initial protohcl implementation

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
Co-authored-by: Daniel Upton <daniel@floppy.co>

* resourcehcl: implement resource decoding on top of protohcl

Co-authored-by: Daniel Upton <daniel@floppy.co>

* fix: resolve ci failures

* test: add additional unmarshalling tests

* refactor: update function test to clean protohcl package imports

---------

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
Co-authored-by: Daniel Upton <daniel@floppy.co>
2023-08-11 15:52:51 -04:00
Poonam Jadhav 5717cbd466
Net-2708/delete resource endpoint (#18420)
* feat: add http delete endpoint for resource service

* refactor: clean up
2023-08-11 13:22:30 +00:00
hashicorp-copywrite[bot] 5fb9df1640
[COMPLIANCE] License changes (#18443)
* Adding explicit MPL license for sub-package

This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.

* Adding explicit MPL license for sub-package

This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.

* Updating the license from MPL to Business Source License

Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl.

* add missing license headers

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

---------

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-08-11 09:12:13 -04:00
Semir Patel bee12c6b1f
resource: Make resource write tenancy aware (#18423) 2023-08-10 09:53:38 -05:00
R.B. Boyer 42efc11b4e
catalog: adding a controller to reconcile FailoverPolicy resources (#18399)
Add most of the semantic cross-resource validation for FailoverPolicy resources using a new controller.
2023-08-09 11:02:17 -05:00
Matt Keeler 91d331bbaa
Add ServiceEndpoints Mutation hook tests (#18404)
* Add ServiceEndpoints Mutation hook tests

* Move endpoint owner validation into the validation hook

Also there were some minor changes to error validation to account for go-cmp not liking to peer through an errors.errorstring type that get created by errors.New
2023-08-08 15:22:14 -04:00
Semir Patel 63cc037110
resource: Make resource read tenancy aware (#18397) 2023-08-07 16:37:03 -05:00
R.B. Boyer 1ebd001a07
bimapper: fix a bug and add some more test coverage (#18387) 2023-08-04 16:45:10 -05:00