Commit Graph

21155 Commits (7c3a379e48455ffab3e574c83e81f0c8adca6fd1)

Author SHA1 Message Date
Michael Zalimeni fe10339caa
[NET-7009] security: update x/crypto to 0.17.0 (#20023)
security: update x/crypto to 0.17.0

This addresses CVE-2023-48795 (x/crypto/ssh).
2023-12-21 20:11:19 +00:00
David Yu e7c7bc74c4
Dockerfile: bump up to `ubi-minimal:9.3` (#20014)
* Update Dockerfile
2023-12-21 11:55:20 -08:00
Nathan Coleman 874e68f1eb
[NET-6899] Create name-aligned Service when reconciling MeshGateway resource (#19900)
* NET-6899 Create name-aligned Service when reconciling MeshGateway resource

The Service has an owner reference added to it indicating that it belongs to a MeshGateway

* Specify port list when creating Service

* Use constants, add TODO w/ ticket reference

* Include gateway-kind in metadata of Service resource
2023-12-21 13:26:25 -05:00
Michael Zalimeni d0bc091a60
[NET-6969] security: Re-enable Go Module + secrets security scans for release branches (#19978)
* security: re-enable security scan release block

This was previously disabled due to an unresolved false-positive CVE.
Re-enabling both secrets and OSV + Go Modules scanning, which per our
current scan results should not be a blocker to future releases.

* security: run security scans on main and release branches
2023-12-21 15:11:05 +00:00
Valeriia Ruban a87ab8b093
feat: updated github checks with frontend-test-ce end frontend-test-e… (#19995) 2023-12-20 12:47:24 -08:00
Nitya Dhanushkodi 9975b8bd73
[NET-5455] Allow disabling request and idle timeouts with negative values in service router and service resolver (#19992)
* add coverage for testing these timeouts
2023-12-19 15:36:07 -08:00
wangxinyi7 013bcefe5c
grpc client in tls mode (#19680)
* client in tls mode
2023-12-19 10:04:55 -08:00
cskh cff872749d
agent: prevent empty server_metadata.json (#19935) 2023-12-19 10:01:56 -05:00
Ashesh Vidyut 4e451f2358
NET 6409 (#19515)
* Update website/content/docs/k8s/k8s-cli.mdx

Co-authored-by: David Yu <dyu@hashicorp.com>

* Update website/content/docs/k8s/k8s-cli.mdx

Co-authored-by: David Yu <dyu@hashicorp.com>

* fix doc

* Update website/content/docs/k8s/k8s-cli.mdx

Co-authored-by: David Yu <dyu@hashicorp.com>

---------

Co-authored-by: David Yu <dyu@hashicorp.com>
2023-12-18 14:28:16 -08:00
David Yu a3fa683ba5
docs: Update network segments in compat matrix for Enterprise features (#19933)
Update index.mdx
2023-12-18 14:27:43 -08:00
Ashesh Vidyut f1dee1a718
Net 6603 (#19718)
* Update docs for NET-6603

* json format

* json caps

* Update website/content/docs/k8s/k8s-cli.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-12-18 14:27:23 -08:00
Nathan Coleman 010bf533d1
NET-6663 Modify sidecarproxy controller to skip xGateway resources (#19902)
* NET-6663 Modify sidecarproxy controller to skip xGateway resources

* Check workload metadata after nil-check for workload

* Add test asserting that workloads with meta gateway-kind are ignored

* Use more common pattern for map access to increase readability
2023-12-18 21:54:41 +00:00
David Yu de86ba76ee
docs: typo formatting consul-k8s docs (#19973)
Update install-cli.mdx
2023-12-18 12:14:53 -08:00
aahel ae998a698a
added computed failover policy resource (#19975) 2023-12-18 05:52:24 +00:00
wangxinyi7 cae23821dc
update changelog (#19966) 2023-12-15 10:03:01 -08:00
Derek Menteer bbdbf3e4f8
Fix bug with prepared queries using sameness-groups. (#19970)
This commit fixes an issue where the partition was not properly set
on the peering query failover target created from sameness-groups.
Before this change, it was always empty, meaning that the data
would be queried with respect to the default partition always. This
resulted in a situation where a PQ that was attempting to use a
sameness-group for failover would select peers from the default
partition, rather than the partition of the sameness-group itself.
2023-12-15 11:42:13 -06:00
Michael Zalimeni 79e02f8a89
ci: upload test results to DataDog on test failure (#19956)
Due to the unintuitive behavior of GHA w.r.t. implicit status check
`success()`, test results were only being uploaded on success (failures
presumably came from retried tests that passed).
2023-12-14 23:13:04 +00:00
Nathan Coleman 02d4520235
Fix typo in service-defaults documentation (#19957) 2023-12-14 22:12:28 +00:00
John Murret 83cbe15b44
cli: Deprecate the `-admin-access-log-path` flag from `consul connect envoy` command in favor of: `-admin-access-log-config`. (#19943)
* cli: Deprecate the `-admin-access-log-path` flag from `consul connect envoy` command in favor of: `-admin-access-log-config`.

* fix changelog

* add in documentation change.
2023-12-14 20:36:47 +00:00
John Murret a995505976
NET-6317 - update usage of deprecated fields: http2_protocol_options and access_log_path (#19940)
* updating usage of http2_protocol_options and access_log_path

* add changelog

* update template for AdminAccessLogConfig

* remove mucking with AdminAccessLogConfig
2023-12-14 13:08:53 -07:00
natemollica-dev afc6fe8308
Update telemetry.mdx RPC Metrics (#19593)
* Update telemetry.mdx RPC Metrics

Update Server Workload telemetry section to demonstrate explicitly enabling metric emission as they're [default disabled](f5bf256425/agent/config/builder.go (L2763C1-L2763C1)).

* Update telemetry.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update telemetry.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-12-14 10:52:45 -08:00
Tauhid Anjum 0250e230a3
NET-6785: updating peering docs to include stream status and remote data (#19929)
Updating peering docs to include stream status and remote data
2023-12-14 12:07:35 +05:30
aahel a6496898de
added tenancy to TestBuildL4TrafficPermissions (#19932) 2023-12-14 10:41:24 +05:30
cskh 33a90edfab
Upgrade test(LTS): use network area to federate cluster (#19934)
- Join areas
- wait for members alive and validate cross area service discovery
2023-12-13 20:15:55 -05:00
Ashesh Vidyut 3443db7885
NET 6762 (#19931)
NET-6762
2023-12-14 06:37:01 +05:30
Matt Keeler 123bc95e1a
Add Common Controller Caching Infrastructure (#19767)
* Add Common Controller Caching Infrastructure
2023-12-13 10:06:39 -05:00
Jeff Boruszak c870c00e70
docs: service rate limiting examples (#19925)
* Include examples on usage page.

* Description/example alignment
2023-12-12 15:58:14 -08:00
Semir Patel 69e3f93ee8
resource: add partition resource to proto-public to keep ENT and CE in sync (#19920) 2023-12-12 14:50:19 -05:00
John Murret a5d5fd348b
fix actions to no longer use envoy 1.24.x to match supported versions. (#19918) 2023-12-12 12:37:07 -05:00
Valeriia Ruban d7e0fca28b
fix: token list in Role details page is updated with tokens linked to… (#19912) 2023-12-12 09:36:50 -08:00
Tyler Wendlandt e8164c7c04
NET-6900: stop reconciling services when peering is enabled (#19907)
stop reconciling services when peering is enabled
2023-12-12 07:36:35 -07:00
Dhia Ayachi f2b26ac194
Hash based config entry replication (#19795)
* add a hash to config entries when normalizing

* add GetHash and implement comparing hashes

* only update if the Hash is different

* only update if the Hash is different and not 0

* fix proto to include the Hash

* fix proto gen

* buf format

* add SetHash and fix tests

* fix config load tests

* fix state test and config test

* recalculate hash when restoring config entries

* fix snapshot restore test

* add changelog

* fix missing normalize, fix proto indexes and add normalize test
2023-12-12 08:29:13 -05:00
Ganesh S 90010587f0
Move enterprise multicluster types to Register function (#19913)
* Move enterprise types to Register function

* Fix function name

* Address comments
2023-12-12 17:05:10 +05:30
Ganesh S 173fe11c2b
Refactor exported services controller tests (#19906) 2023-12-12 10:57:27 +05:30
Tauhid Anjum 1484c6db47
NET-6771 - Adding sameness group protobuff in consul CE (#19883)
Adding sameness group protobuff in consul CE
2023-12-12 10:43:20 +05:30
Ashesh Vidyut c5cce63777
NET 6761 (#19837)
NET-6761 explicit destinations tests updated
2023-12-12 10:38:00 +05:30
Valeriia Ruban a6d6164ba0
fix: remove test to unblock CI (#19908) 2023-12-11 20:11:36 -08:00
Ronald e13fbc743e
Remove warning for consul 1.17 deprecation (#19897) 2023-12-11 23:28:04 +00:00
Jeff Boruszak 659868ee73
docs: Updates to required ports (#19755)
* improvements

* Anchor link fixes

* Apply suggestions from code review

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Explicit list of six ports

* Apply suggestions from code review

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-12-11 14:42:57 -08:00
Derek Menteer ccb2bf6170
Add documentation for proxy-config-map and xds_fetch_timeout_ms. (#19893)
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-12-11 15:53:35 -06:00
Ronald 195e3aab8c
[NET-6842] splitting go version on different lines (#19887) 2023-12-11 11:15:32 -05:00
Derek Menteer dfab5ade50
Fix ClusterLoadAssignment timeouts dropping endpoints. (#19871)
When a large number of upstreams are configured on a single envoy
proxy, there was a chance that it would timeout when waiting for
ClusterLoadAssignments. While this doesn't always immediately cause
issues, consul-dataplane instances appear to consistently drop
endpoints from their configurations after an xDS connection is
re-established (the server dies, random disconnect, etc).

This commit adds an `xds_fetch_timeout_ms` config to service registrations
so that users can set the value higher for large instances that have
many upstreams. The timeout can be disabled by setting a value of `0`.

This configuration was introduced to reduce the risk of causing a
breaking change for users if there is ever a scenario where endpoints
would never be received. Rather than just always blocking indefinitely
or for a significantly longer period of time, this config will affect
only the service instance associated with it.
2023-12-11 09:25:11 -06:00
John Murret 5ec84dbfd8
security: update supported envoy version 1.28.0 in addition to 1.25.11, 1.26.6, 1.27.2, 1.28.0 to address CVE-2023-44487 (#19879)
* update too support envoy 1.28.0

* add changelog

* update docs
2023-12-08 14:42:04 -07:00
Michael Zalimeni 1d9234a87a
ci: sanitize commit message for Slack failure alerts (#19876)
To ensure that shell code cannot be injected, capture the commit message
in an env var, then format it as needed.

Also fix several other issues with formatting and JSON escaping by
wrapping the entire message in a `toJSON` expression.
2023-12-08 16:04:45 -05:00
Derek Menteer 0ac958f27b
Fix xDS missing endpoint race condition. (#19866)
This fixes the following race condition:
- Send update endpoints
- Send update cluster
- Recv ACK endpoints
- Recv ACK cluster

Prior to this fix, it would have resulted in the endpoints NOT existing in
Envoy. This occurred because the cluster update implicitly clears the endpoints
in Envoy, but we would never re-send the endpoint data to compensate for the
loss, because we would incorrectly ACK the invalid old endpoint hash. Since the
endpoint's hash did not actually change, they would not be resent.

The fix for this is to effectively clear out the invalid pending ACKs for child
resources whenever the parent changes. This ensures that we do not store the
child's hash as accepted when the race occurs.

An escape-hatch environment variable `XDS_PROTOCOL_LEGACY_CHILD_RESEND` was
added so that users can revert back to the old legacy behavior in the event
that this produces unknown side-effects. Visit the following thread for some
extra context on why certainty around these race conditions is difficult:
https://github.com/envoyproxy/envoy/issues/13009

This bug report and fix was mostly implemented by @ksmiley with some minor
tweaks.

Co-authored-by: Keith Smiley <ksmiley@salesforce.com>
2023-12-08 11:37:12 -06:00
cskh 0ca070b301
upgrade test(LTS): add segments to version 1.10 (#19861) 2023-12-08 12:22:16 -05:00
Matt Keeler d4fda945bb
Fix a test flake where a retry timer was being reused causing tests after the first to exit early (#19864)
Fix a test flake where a retry timer was being reused causing tests after the first to exit too early.
2023-12-08 11:31:59 -05:00
Thomas Eckert 8125a32a4e
Add CE version of Gateway Upstream Disambiguation (#19860)
* Add CE version of gateway-upstream-disambiguation

* Use NamespaceOrDefault and PartitionOrDefault

* Add Changelog entry

* Remove the unneeded reassignment

* Use c.ID()
2023-12-07 17:56:14 -05:00
Dhia Ayachi d93f7f730d
parse config protocol on write to optimize disco-chain compilation (#19829)
* parse config protocol on write to optimize disco-chain compilation

* add changelog
2023-12-07 13:46:46 -05:00
Matt Keeler bfad6a4e07
Ensure that the default namespace always exists even prior to resource creation (#19852) 2023-12-07 13:23:06 -05:00