Commit Graph

17845 Commits (64da99a927ebc5b065da72a5f707e02906b8450e)

Author SHA1 Message Date
Dan Upton b9e525d689
grpc: rename public/private directories to external/internal (#13721)
Previously, public referred to gRPC services that are both exposed on
the dedicated gRPC port and have their definitions in the proto-public
directory (so were considered usable by 3rd parties). Whereas private
referred to services on the multiplexed server port that are only usable
by agents and other servers.

Now, we're splitting these definitions, such that external/internal
refers to the port and public/private refers to whether they can be used
by 3rd parties.

This is necessary because the peering replication API needs to be
exposed on the dedicated port, but is not (yet) suitable for use by 3rd
parties.
2022-07-13 16:33:48 +01:00
R.B. Boyer 30fffd0c90
peerstream: some cosmetic refactors to make this easier to follow (#13732)
- Use some protobuf construction helper methods for brevity.
- Rename a local variable to avoid later shadowing.
- Rename the Nonce field to be more like xDS's naming.
- Be more explicit about which PeerID fields are empty.
2022-07-13 10:00:35 -05:00
John Cowen 6fa68a5b57
ui: Remove UNDEFINED state from being undeleteable (#13702)
* ui: Remove UNDEFINED state from being undeleteable

* Fixup node tests
2022-07-13 12:06:16 +01:00
John Cowen 6b67b74a19
ui: Remove horizontal scrollbar from peering list rows (#13701) 2022-07-13 11:22:49 +01:00
Kyle Havlovitz 7d0c692374 Use protocol from resolved config entry, not gateway service 2022-07-12 16:23:40 -07:00
Kyle Havlovitz 7162e3bde2 Enable http2 options for grpc protocol 2022-07-12 14:38:44 -07:00
R.B. Boyer c5c216008d
peering: always send the mesh gateway SpiffeID even for tcp services (#13728)
If someone were to switch a peer-exported service from L4 to L7 there
would be a brief SAN validation hiccup as traffic shifted to the mesh
gateway for termination.

This PR sends the mesh gateway SpiffeID down all the time so the clients
always expect a switch.
2022-07-12 11:38:13 -05:00
R.B. Boyer f0e6e4e697
state: prohibit changing an exported tcp discovery chain in a way that would break SAN validation (#13727)
For L4/tcp exported services the mesh gateways will not be terminating
TLS. A caller in one peer will be directly establishing TLS connections
to the ultimate exported service in the other peer.

The caller will be doing SAN validation using the replicated SpiffeID
values shipped from the exporting side. There are a class of discovery
chain edits that could be done on the exporting side that would cause
the introduction of a new SpiffeID value. In between the time of the
config entry update on the exporting side and the importing side getting
updated peer stream data requests to the exported service would fail due
to SAN validation errors.

This is unacceptable so instead prohibit the exporting peer from making
changes that would break peering in this way.
2022-07-12 11:17:33 -05:00
R.B. Boyer 2317f37b4d
state: prohibit exported discovery chains to have cross-datacenter or cross-partition references (#13726)
Because peerings are pairwise, between two tuples of (datacenter,
partition) having any exported reference via a discovery chain that
crosses out of the peered datacenter or partition will ultimately not be
able to work for various reasons. The biggest one is that there is no
way in the ultimate destination to configure an intention that can allow
an external SpiffeID to access a service.

This PR ensures that a user simply cannot do this, so they won't run
into weird situations like this.
2022-07-12 11:03:41 -05:00
Michael Klein 75768a2039
ui: peer permission handling (#13724)
* Request peering permissions when peerings is active

* Update peering ability to use peering resource

* fix canDelete peer permission to check write permission

* use super call in abilities.peer#canDelete
2022-07-12 16:16:47 +01:00
Chris S. Kim a6634db4a5
Return error if ServerAddresses is empty (#13714) 2022-07-12 11:09:00 -04:00
Michael Klein 123047d5b5
ui: use environment variable for feature flagging peers (#13703)
* ui: use environment variable for feature flagging peers

* Add documentation for `features`-service

* Allow setting feature flag for peers via bookmarklet

* don't use features service for flagging peers

* add ability for checking if peers feature is enabled

* Use abilities to conditionally use peers feature

* Remove unused features service
2022-07-12 12:02:45 +01:00
Michael Wilkerson dadc18c294
update docs (#13711)
* update docs

* Update website/content/docs/nia/enterprise/index.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-07-11 15:03:18 -07:00
R.B. Boyer 9a56eed86c
proto: ensure buf formatter has been applied to protobufs (#13709) 2022-07-11 13:44:51 -05:00
Jeff Boruszak 42b049726f
Merge pull request #13693 from hashicorp/docs-cluster-peering-updates
docs: Cluster Peering docs fixes
2022-07-11 12:34:07 -05:00
Nathan Coleman 4da7e04a4d
Merge pull request #13681 from hashicorp/docs/install-capigw-version-env-var
docs(consul-api-gateway): use VERSION env var in install steps
2022-07-11 10:32:19 -05:00
Nathan Coleman 6938ce4b39
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx 2022-07-11 11:26:04 -04:00
cskh cf6b6dddaf
feat(cli): enable to delete config entry from an input file (#13677)
* feat(cli): enable to delete config entry from an input file

- A new flag to config delete to delete a config entry in a
  valid config file, e.g., config delete -filename
  intention-allow.hcl
- Updated flag validation; -filename and -kind can't be set
  at the same time
- Move decode config entry method from config_write.go to
  helpers.go for reusing ParseConfigEntry()
- add changelog

Co-authored-by: Dan Upton <daniel@floppy.co>
2022-07-11 10:13:40 -04:00
Kyle Havlovitz e68487f254
Merge pull request #13678 from hashicorp/envoy-prometheus-tls-fix
Fix syntax for envoy bootstrap prometheus secret config
2022-07-08 15:58:19 -07:00
Kyle Havlovitz 608d0fe2c1 Add changelog note 2022-07-08 15:23:00 -07:00
Kyle Havlovitz 439eccdd80 Respect http2 protocol for upstreams of terminating gateways 2022-07-08 14:30:45 -07:00
R.B. Boyer af04851637
peering: move peer replication to the external gRPC port (#13698)
Peer replication is intended to be between separate Consul installs and
effectively should be considered "external". This PR moves the peer
stream replication bidirectional RPC endpoint to the external gRPC
server and ensures that things continue to function.
2022-07-08 12:01:13 -05:00
sarahalsmiller 50cc6067e9
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-08 09:54:47 -05:00
Mike Morris 8f74cb52f3
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-07-07 17:38:30 -04:00
Mike Morris 66fdf29d42
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-07-07 17:37:12 -04:00
boruszak 9ba349de8c Clarification around "peering_token.json" and adding Partition names 2022-07-07 16:10:21 -05:00
Chris Thain 3766870719
Docs: Fix path to consul-ecs Terraform modules (#13689) 2022-07-07 13:30:19 -07:00
sarahalsmiller a384d0d667
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-07 15:23:46 -05:00
sarahalsmiller 8fbb040e82
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-07 15:23:22 -05:00
sarahalsmiller 8a5b597afe
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-07 15:23:13 -05:00
sarahalsmiller 7bb6e8379a
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-07 15:23:03 -05:00
sarahalsmiller 396a75ff06
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-07 15:22:52 -05:00
sarahalsmiller e305fb232d
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-07 15:22:47 -05:00
sarahalsmiller bf53a73dde
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-07 15:22:39 -05:00
sarahalsmiller 446c6dff31
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-07 15:22:26 -05:00
sarahalsmiller 7f28c388ba
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-07 15:21:45 -05:00
sarahalsmiller d9f0a98121
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-07 15:21:40 -05:00
R.B. Boyer ea58f235f5
server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data (#13687)
Currently servers exchange information about their WAN serf port
and RPC port with serf tags, so that they all learn of each other's
addressing information. We intend to make larger use of the new
public-facing gRPC port exposed on all of the servers, so this PR
addresses that by passing around the gRPC port via serf tags and
then ensuring the generated consul service in the catalog has
metadata about that new port as well for ease of non-serf-based lookup.
2022-07-07 13:55:41 -05:00
John Cowen 70274865a0
ui: Peer Deletion (#13665)
* ui: Peer Deletion (#13665)
* ui: Add sorting peer listing by State (#13684)
* ui: Add filtering peer listing by State (#13685)
2022-07-07 18:23:26 +01:00
John Cowen 2dc949f17d
ui: CopyableCode component (#13686)
* ui: CopyableCode component plus switch into existing implementations
2022-07-07 17:42:47 +01:00
boruszak 759f5a2bf5 "<service-name" fix - added brackets 2022-07-07 10:08:53 -05:00
Mike Morris ccb2ee48e0 docs(consul-api-gateway): use VERSION env var in install steps 2022-07-06 17:22:05 -04:00
Sarah Alsmiller 7a8da641c3 fix render issue 2022-07-06 15:38:49 -05:00
Usha Kodali f332fa8f86
Consul on ECS compatibility matrix docs update (#13060) 2022-07-06 12:34:14 -07:00
Sarah Alsmiller ef36a80ebf fix render issue 2022-07-06 11:59:40 -05:00
Kyle Havlovitz 407e858389 Fix syntax for bootstrap sds secret config 2022-07-06 09:53:40 -07:00
Freddy 3542138e4d
Parse peer name for virtual IP DNS queries (#13602)
This commit updates the DNS query locality parsing so that the virtual
IP for an imported service can be queried.

Note that:
- Support for parsing a peer in other service discovery queries was not
  added.
- Querying another datacenter for a virtual IP is not supported. This
  was technically allowed in 1.11 but is being rolled back for 1.13
  because it is not a use-case we intended to support. Virtual IPs in
  different datacenters are going to collide because they are allocated
  sequentially.
2022-07-06 10:30:04 -06:00
Sarah Alsmiller 96ef69ffb4 delete extra file 2022-07-06 09:52:58 -05:00
Sarah Alsmiller a178e87e14 merge 2022-07-05 17:59:56 -05:00
Sarah Alsmiller 952ebb7b93 restructure documentation 2022-07-05 17:53:56 -05:00