Commit Graph

11324 Commits (63d6c3cfbb7b09b43044ab4902329c76769f2d5e)

Author SHA1 Message Date
Daniel Nephin 61ec7aa5c9 ci: Run all connect/ca tests from the integration suite
To reduce the chance of some tests not being run because it does not
match the regex passed to '-run'.

Also document why some tests are allowed to be skipped on CI.
2020-03-24 15:22:01 -04:00
Daniel Nephin f4a35dfd84 ci: Do not skip tests because of missing binaries on CI
If the CI environment is not correct for running tests the tests
should fail, so that we don't accidentally stop running some tests
because of a change to our CI environment.

Also removed a duplicate delcaration from init. I believe one was
overriding the other as they are both in the same package.
2020-03-24 14:34:13 -04:00
Daniel Nephin 2468affcf8
Merge pull request #7482 from hashicorp/dnephin/fix-cherry-pick-job
ci: fix cherry-pick job by using newer git
2020-03-24 14:12:21 -04:00
Daniel Nephin 9f46759ba2
Merge pull request #7484 from hashicorp/dnephin/fix-envoy-tests
Fix tests failing on master
2020-03-23 17:15:49 -04:00
Daniel Nephin 6e10616b13 Fix tests failing on master
The default version was changed in https://github.com/hashicorp/consul/pull/7452
which caused these tests to fail.
2020-03-23 16:38:14 -04:00
Daniel Nephin 3418835677 ci: fix cherry-pick job by using newer git
37897bfc27 made it possible to use
the -m flag with cherry-pick, even when the target is not a merge commit.

This commit changes the image used to run the cherry-pick job to alpine so that we get
a more recent version of git.

The alpine image will also download much faster when the CI node does not have the image cached.
2020-03-23 14:30:32 -04:00
kaitlincarter-hc 98a2d5a798
Add link to Learn to the top, move service mesh higher up on list of features. (#7474) 2020-03-23 12:10:42 -05:00
Daniel Nephin 9519223127 docs: Update config reference for log-file 2020-03-19 18:06:46 -04:00
Daniel Nephin a103c62f33
Merge pull request #7466 from hashicorp/dnephin/support-cherry-pick-merge-PRs
ci: support cherry-picking of merge PRs
2020-03-18 13:12:42 -04:00
Daniel Nephin 887e410cd6 ci: support cherry-picking of merge PRs
This change assumes that it is always safe to use the first commit
parent as the mainline. I believe this assumption is safe with a
github merge workflow.
2020-03-18 12:38:04 -04:00
Daniel Nephin 1ff9b748ae
Merge pull request #7458 from hashicorp/dnephin/small-doc-improvements
website/docs: small doc improvements to CLI reference
2020-03-17 18:35:44 -04:00
Hans Hasselberg d5f4b8c3a3
envoy: default to 1.13.1 (#7452) 2020-03-17 22:23:42 +01:00
Kim Ngo 5f9029c65c
Update CHANGELOG.md 2020-03-17 15:02:56 -05:00
Hans Hasselberg bf6a91af94
docs: fix filenames (#7453) 2020-03-17 21:00:45 +01:00
Kim Ngo bef693df9c
agent/xds: Update mesh gateway to use service router timeout (#7444)
* website/connect/proxy/envoy: specify timeout precedence for services behind mesh gateway
2020-03-17 14:50:14 -05:00
Daniel Nephin 3f8578f1e1 ci: Use golangci-lint for linting
Using golangci-lint has a number of advantages:

- adding new linters becomes much easier, its a couple lines of yaml config
  instead of more bash scripting

- it enables whitelisting of issues using inline comments or regex

- when running multiple linters less work is done. The parsed source can be reused
  by multiple linters

- linters are run in parallel to reduce CI runtime.
2020-03-17 13:43:40 -04:00
Chris Piraino 5c7b3762e3
Update CHANGELOG.md 2020-03-17 09:56:20 -05:00
Chris Piraino d3dd49b79c
Log "vew version available" message at info level (#7462) 2020-03-17 09:53:15 -05:00
Pierre Souchay 4f3d2d843e
docs: fixed typo on MIME in Changelog (#7461) 2020-03-17 13:44:55 +01:00
Daniel Nephin fdbc3d82f6 website/docs: small doc improvements to CLI reference
Small improvements to the join docs.

The help text for `lock` says -try is deprecated and replaced with -timeout.
Update the docs to match.
2020-03-16 17:54:45 -04:00
Hans Hasselberg 418cf9658d
Update CHANGELOG.md to include 1.7.2 2020-03-16 22:08:40 +01:00
Hans Hasselberg 316d14f86e
docs: update website version (#7456) 2020-03-16 22:03:36 +01:00
Matt Keeler 646c9f5896
Don’t pass `-u` to get get inside Go build image dockerfile (#7455) 2020-03-16 15:26:07 -04:00
Matt Keeler 251c745d0a
Update CHANGELOG.md 2020-03-16 12:59:28 -04:00
Matt Keeler 80db61193c
Fix ACL mode advertisement and detection (#7451)
These changes are necessary to ensure advertisement happens correctly even when datacenters are connected via network areas in Consul enterprise.

This also changes how we check if ACLs can be upgraded within the local datacenter. Previously we would iterate through all LAN members. Now we just use the ServerLookup type to iterate through all known servers in the DC.
2020-03-16 12:54:45 -04:00
Matt Keeler 8c43f199fd
Update namespace docs for some new CLI commands (#7435)
Co-Authored-By: Hans Hasselberg <me@hans.io>
2020-03-16 09:42:39 -04:00
Charlie Jones 5d734a85d6
docs: fix typo in consul-template tutorial (#7454) 2020-03-16 14:04:28 +01:00
Daniel Nephin 6a29a2b48a
Merge pull request #7438 from hashicorp/dnephin/remove-restore-cache
ci: Remove consul-modcache-v1 from ci config
2020-03-13 12:07:39 -04:00
Freddy c9cb5b54b2
Update CHANGELOG.md 2020-03-12 12:41:41 -06:00
John Cowen 0a2ce86776
Update CHANGELOG.md 2020-03-12 18:31:51 +00:00
Alvin Huang 062823b09a
cherry pick 'docs-cherrypick' label rather than 'docs' to stable-website (#7443) 2020-03-12 13:22:51 -04:00
Daniel Nephin 3cfe1c1943 ci: Remove restore_cache
As of go1.13 it is faster to download dependencies from the module
proxy service, than to download a cached /go/pkg/mod
2020-03-11 15:50:42 -04:00
Freddy 709932f088
Update MSP token and filtering (#7431) 2020-03-11 12:08:49 -06:00
Alvin Huang 8fbd812be9
add Authorization header in GitHub API call (#7436) 2020-03-11 13:25:15 -04:00
Hans Hasselberg 7777891aa6
tls: remove old ciphers (#7282)
Following advice from:
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices, this PR removes old ciphers.
2020-03-10 21:44:26 +01:00
R.B. Boyer 0e6cc3d61b update changelog 2020-03-10 14:47:13 -05:00
R.B. Boyer 31943924f9
bump the expected go language version of the main module to 1.13 (#7429) 2020-03-10 14:46:09 -05:00
Daniel Nephin 5ed53754ab docs: fix some errors in upgrade-specific
Fix 2 broken links
    Fix some gramatical errors
2020-03-10 14:20:18 -04:00
Alvin Huang 0dd8c44291
set pr_url outside if (#7424) 2020-03-10 12:31:58 -04:00
R.B. Boyer 3b4306fc42 update changelog 2020-03-10 11:20:30 -05:00
R.B. Boyer 85a08bf8ed
server: strip local ACL tokens from RPCs during forwarding if crossing datacenters (#7419)
Fixes #7414
2020-03-10 11:15:22 -05:00
R.B. Boyer dfe5ba134b
fix flaky TestCatalogListNodesCommand_verticalBar test (#7422) 2020-03-10 11:01:13 -05:00
Matt Keeler e62e862df9
Update intention precedence table in the docs (#7421)
* Update intention precedence table in the docs

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2020-03-10 11:49:08 -04:00
Alvin Huang cb6291a868
add slack notifications for cherry-pick (#7423) 2020-03-10 11:47:23 -04:00
Hans Hasselberg 6a49a42e98
connect: support for envoy 1.13.1 and 1.12.3 (#7380)
* setup new envoy versions for CI
* bump version on the website too.
2020-03-10 11:04:46 +01:00
Kyle Havlovitz 955ee64b95
Merge pull request #7373 from hashicorp/acl-segments-fix
Add stub methods for ACL/segment bug fix from enterprise
2020-03-09 14:25:49 -07:00
R.B. Boyer fbb0bf2195 update changelog 2020-03-09 16:00:59 -05:00
R.B. Boyer 6adad71125
wan federation via mesh gateways (#6884)
This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch:

There are several distinct chunks of code that are affected:

* new flags and config options for the server

* retry join WAN is slightly different

* retry join code is shared to discover primary mesh gateways from secondary datacenters

* because retry join logic runs in the *agent* and the results of that
  operation for primary mesh gateways are needed in the *server* there are
  some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur
  at multiple layers of abstraction just to pass the data down to the right
  layer.

* new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers

* the function signature for RPC dialing picked up a new required field (the
  node name of the destination)

* several new RPCs for manipulating a FederationState object:
  `FederationState:{Apply,Get,List,ListMeshGateways}`

* 3 read-only internal APIs for debugging use to invoke those RPCs from curl

* raft and fsm changes to persist these FederationStates

* replication for FederationStates as they are canonically stored in the
  Primary and replicated to the Secondaries.

* a special derivative of anti-entropy that runs in secondaries to snapshot
  their local mesh gateway `CheckServiceNodes` and sync them into their upstream
  FederationState in the primary (this works in conjunction with the
  replication to distribute addresses for all mesh gateways in all DCs to all
  other DCs)

* a "gateway locator" convenience object to make use of this data to choose
  the addresses of gateways to use for any given RPC or gossip operation to a
  remote DC. This gets data from the "retry join" logic in the agent and also
  directly calls into the FSM.

* RPC (`:8300`) on the server sniffs the first byte of a new connection to
  determine if it's actually doing native TLS. If so it checks the ALPN header
  for protocol determination (just like how the existing system uses the
  type-byte marker).

* 2 new kinds of protocols are exclusively decoded via this native TLS
  mechanism: one for ferrying "packet" operations (udp-like) from the gossip
  layer and one for "stream" operations (tcp-like). The packet operations
  re-use sockets (using length-prefixing) to cut down on TLS re-negotiation
  overhead.

* the server instances specially wrap the `memberlist.NetTransport` when running
  with gateway federation enabled (in a `wanfed.Transport`). The general gist is
  that if it tries to dial a node in the SAME datacenter (deduced by looking
  at the suffix of the node name) there is no change. If dialing a DIFFERENT
  datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh
  gateways to eventually end up in a server's :8300 port.

* a new flag when launching a mesh gateway via `consul connect envoy` to
  indicate that the servers are to be exposed. This sets a special service
  meta when registering the gateway into the catalog.

* `proxycfg/xds` notice this metadata blob to activate additional watches for
  the FederationState objects as well as the location of all of the consul
  servers in that datacenter.

* `xds:` if the extra metadata is in place additional clusters are defined in a
  DC to bulk sink all traffic to another DC's gateways. For the current
  datacenter we listen on a wildcard name (`server.<dc>.consul`) that load
  balances all servers as well as one mini-cluster per node
  (`<node>.server.<dc>.consul`)

* the `consul tls cert create` command got a new flag (`-node`) to help create
  an additional SAN in certs that can be used with this flavor of federation.
2020-03-09 15:59:02 -05:00
Freddy 602aa742d8
Update namespace docs for config entries (#7420) 2020-03-09 14:51:21 -06:00
Dane Harrigan 382d33bb7e
Update envoy.html.md.erb (#7394)
Minor typo
2020-03-09 13:58:29 -04:00