Commit Graph

17550 Commits (8ea55cc439f7c68caf6f99f2022e2c812a13d2f0)

Author SHA1 Message Date
trujillo-adam 8ea55cc439 Added note about manually creating mesh gw not being supported 2022-06-17 14:57:37 -07:00
trujillo-adam f0e3bce6e0 tweaks to the secure TF install section 2022-06-17 14:42:51 -07:00
trujillo-adam d651218538 minor tweaks to TF install 2022-06-17 14:15:29 -07:00
trujillo-adam be04910680 updates to ECS Terraform install 2022-06-17 12:58:47 -07:00
trujillo-adam 77898e4071 Merge branch 'main' of github.com:hashicorp/consul into docs-ecs-mesh-gw 2022-06-17 11:32:05 -07:00
Kyle Schochenmaier a407d378af
update helm values docs and annotations (#13487) 2022-06-17 12:47:47 -05:00
John Murret 567662f0fe
Docs - k8s - Webhook Certs on Vault (#13441)
* Docs - k8s - Webhook Certs on Vault

* Adding webhook certs to data-integration overview page

* marking items as code

* Apply suggestions from code review

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Updating prerequisites intro

* Updating prerequisites intro

* Updating `Create a Vault auth roles that link the policy to each Consul on Kubernetes service account that requires access` to `Link the Vault policy to Consul workloads`

* changing `Configure the Vault Kubernetes auth role in the Consul on Kubernetes helm chart` to `Update the Consul on Kubernetes helm chart`.

* Changed `Create a Vault PKI role that establishes the domains that it is allowed to issue certificates for` to `Configure allowed domains for PKI certificates`

* Moved `Create a Vault policy that authorizes the desired level of access to the secret` to the Set up per Consul Datacenter section

* Update website/content/docs/k8s/installation/vault/data-integration/webhook-certs.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Moving Overview above Prerequisites.  Adding sentence where missing after page title.

* Moving Overview above Prerequisites for webhook certs page.

* fixing the end of the overview section that was not moved.

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-06-17 10:23:54 -06:00
trujillo-adam b91fadcde5 referred to mesh gateway functionality in ECS overview 2022-06-17 09:04:52 -07:00
Tu Nguyen 5759046edc
Merge pull request #13466 from hashicorp/consul-lambda-broken-link
Fix broken link in lambda docs
2022-06-17 08:31:10 -07:00
Dan Upton e00e3a0bc3
Move ACLResolveResult into acl/resolver package (#13467)
Having this type live in the agent/consul package makes it difficult to
put anything that relies on token resolution (e.g. the new gRPC services)
in separate packages without introducing import cycles.

For example, if package foo imports agent/consul for the ACLResolveResult
type it means that agent/consul cannot import foo to register its service.

We've previously worked around this by wrapping the ACLResolver to
"downgrade" its return type to an acl.Authorizer - aside from the
added complexity, this also loses the resolved identity information.

In the future, we may want to move the whole ACLResolver into the
acl/resolver package. For now, putting the result type there at least,
fixes the immediate import cycle issues.
2022-06-17 10:24:43 +01:00
DanStough 4b402e3119 feat: tgtwy xDS generation for destinations
Signed-off-by: Dhia Ayachi <dhia@hashicorp.com>
2022-06-16 16:17:49 -04:00
alex bd4ddb3720
peering: block Intention.Apply ops (#13451)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-06-16 12:07:28 -07:00
alex b3e99784a6
peering, state: account for peer intentions (#13443)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-06-16 10:27:31 -07:00
Luke Kysow ee032e9869
Add type info to options (#13477) 2022-06-16 10:09:39 -07:00
Luke Kysow 27dbb3e87d
Update index.mdx (#13476) 2022-06-16 09:59:49 -07:00
Sam Salisbury ceb1fdd80f
Merge pull request #13469 from hashicorp/correct-redhat-tags
Correct redhat tags
2022-06-16 17:13:37 +01:00
Eric Haberkorn 130151bdf1
Lambda documentation tweaks (#13459)
Lambda documentation tweaks
2022-06-16 09:00:21 -04:00
Sam Salisbury 2070d41fe9 correct redgat_tag ospid 2022-06-16 13:28:36 +01:00
Sam Salisbury 49a89e2b5a strip trailing whitespace 2022-06-16 13:27:37 +01:00
John Cowen 7761d0abe4
ui: Fix intl keys in order to render correct messages for empty states (#13409)
* ui: Fix intl keys in order to render correct messages for empty states

* Add a debug only debug log to warn about missing keys
2022-06-16 12:07:04 +01:00
Tu Nguyen 2460925566
Fix broken link in lambda docs 2022-06-15 21:23:56 -07:00
R.B. Boyer da8cea58c9
xds: begin refactor to always pass test snapshots through all xDS types (#13461) 2022-06-15 14:58:28 -05:00
R.B. Boyer 201d1458c3
xds: mesh gateways now have their own leaf certificate when involved in a peering (#13460)
This is only configured in xDS when a service with an L7 protocol is
exported.

They also load any relevant trust bundles for the peered services to
eventually use for L7 SPIFFE validation during mTLS termination.
2022-06-15 14:36:18 -05:00
Daniel Upton 72cdb203dc docs: instructions for interacting with the private gRPC server locally 2022-06-15 18:26:58 +01:00
Riddhi Shah 411edc876b
[OSS] Support merge-central-config option in node services list API (#13450)
Adds the merge-central-config query param option to the /catalog/node-services/:node-name API,
to get a service definition in the response that is merged with central defaults (proxy-defaults/service-defaults).

Updated the consul connect envoy command to use this option when
retrieving the proxy service details so as to render the bootstrap configuration correctly.
2022-06-15 08:30:31 -07:00
Eric Haberkorn 0a9c1c0649
Lambda Beta Documentation (#13426)
* Document the `enable_serverless_plugin` Agent Configuration Option (#13372)
* Initial AWS Lambda documentation (#13245)
2022-06-15 11:14:16 -04:00
cskh 76855e20a0
Load test, upgrade packer version, fix k6s installation (#13382)
- fix sg: need remote access to test server
- Give the load generator a name
- Update loadtest hcl filename in readme
- Add terraform init
- Disable access to the server machine by default
2022-06-15 09:29:38 -04:00
Jared Kirschner 226d089894
Merge pull request #13353 from hashicorp/jkirschner-hashicorp-patch-1
docs: show HCP Consul supports CTS enterprise
2022-06-15 00:05:30 -04:00
Evan Culver 7f8c650d61
connect: Use Envoy 1.22.2 instead of 1.22.1 (#13444) 2022-06-14 15:29:41 -07:00
Freddy 039cfec840
Merge pull request #13445 from hashicorp/peering/finalize-deletions 2022-06-14 15:58:44 -06:00
freddygv f3843809da Avoid deleting peerings marked as terminated.
When our peer deletes the peering it is locally marked as terminated.
This termination should kick off deleting all imported data, but should
not delete the peering object itself.

Keeping peerings marked as terminated acts as a signal that the action
took place.
2022-06-14 15:37:09 -06:00
freddygv 6453375ab2 Add leader routine to clean up peerings
Once a peering is marked for deletion a new leader routine will now
clean up all imported resources and then the peering itself.

A lot of the logic was grabbed from the namespace/partitions deferred
deletions but with a handful of simplifications:
- The rate limiting is not configurable.

- Deleting imported nodes/services/checks is done by deleting nodes with
  the Txn API. The services and checks are deleted as a side-effect.

- There is no "round rate limiter" like with namespaces and partitions.
  This is because peerings are purely local, and deleting a peering in
  the datacenter does not depend on deleting data from other DCs like
  with WAN-federated namespaces. All rate limiting is handled by the
  Raft rate limiter.
2022-06-14 15:36:50 -06:00
Evan Culver ba6136eb42
connect: Update Envoy support matrix to latest patch releases (#13431) 2022-06-14 13:19:09 -07:00
alex a0a49ce2a6
peering: intentions list test (#13435) 2022-06-14 10:59:53 -07:00
Kyle Schochenmaier 765eb0453f
[docs] update terminating gateway docs for trust store path (#13432)
* update terminating gateway docs for trust store
* Update website/content/docs/k8s/connect/terminating-gateways.mdx
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-06-14 12:29:33 -05:00
Freddy 9890dfac95
Merge pull request #13430 from hashicorp/peering/deletion 2022-06-13 12:53:43 -06:00
freddygv 20955742a7 Fixup api test 2022-06-13 12:20:22 -06:00
freddygv 6c8ab1bbac Fixup stream tear-down steps.
1. Fix a bug where the peering leader routine would not track all active
   peerings in the "stored" reconciliation map. This could lead to
   tearing down streams where the token was generated, since the
   ConnectedStreams() method used for reconciliation returns all streams
   and not just the ones initiated by this leader routine.

2. Fix a race where stream contexts were being canceled before
   termination messages were being processed by a peer.

   Previously the leader routine would tear down streams by canceling
   their context right after the termination message was sent. This
   context cancelation could be propagated to the server side faster
   than the termination message. Now there is a change where the
   dialing peer uses CloseSend() to signal when no more messages will
   be sent. Eventually the server peer will read an EOF after receiving
   and processing the preceding termination message.

   Using CloseSend() is actually not enough to address the issue
   mentioned, since it doesn't wait for the server peer to finish
   processing messages. Because of this now the dialing peer also reads
   from the stream until an error signals that there are no more
   messages. Receiving an EOF from our peer indicates that they
   processed the termination message and have no additional work to do.

   Given that the stream is being closed, all the messages received by
   Recv are discarded. We only check for errors to avoid importing new
   data.
2022-06-13 12:10:42 -06:00
freddygv cc921a9c78 Update peering state and RPC for deferred deletion
When deleting a peering we do not want to delete the peering and all
imported data in a single operation, since deleting a large amount of
data at once could overload Consul.

Instead we defer deletion of peerings so that:

1. When a peering deletion request is received via gRPC the peering is
   marked for deletion by setting the DeletedAt field.

2. A leader routine will monitor for peerings that are marked for
   deletion and kick off a throttled deletion of all imported resources
   before deleting the peering itself.

This commit mostly addresses point #1 by modifying the peering service
to mark peerings for deletion. Another key change is to add a
PeeringListDeleted state store function which can return all peerings
marked for deletion. This function is what will be watched by the
deferred deletion leader routine.
2022-06-13 12:10:32 -06:00
Freddy 71b254522e
Clean up imported nodes/services/checks as needed (#13367)
Previously, imported data would never be deleted. As
nodes/services/checks were registered and deregistered, resources
deleted from the exporting cluster would accumulate in the imported
cluster.

This commit makes updates to replication so that whenever an update is
received for a service name we reconcile what was present in the catalog
against what was received.

This handleUpdateService method can handle both updates and deletions.
2022-06-13 11:52:28 -06:00
Mark Anderson edbf19f4e8
Merge pull request #13357 from hashicorp/ma/add-build-date-oss
Add build date (oss)
2022-06-13 08:43:20 -07:00
Mark Anderson a5efa461dd Fix infinite recursion in bash_env
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-06-10 20:24:15 -07:00
Chris S. Kim a02e9abcc1
Update RBAC to handle imported services (#13404)
When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain.

This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 17:15:22 -04:00
R.B. Boyer f557509e58
xds: allow for peered upstreams to use tagged addresses that are hostnames (#13422)
Mesh gateways can use hostnames in their tagged addresses (#7999). This is useful
if you were to expose a mesh gateway using a cloud networking load balancer appliance
that gives you a DNS name but no reliable static IPs.

Envoy cannot accept hostnames via EDS and those must be configured using CDS.
There was already logic when configuring gateways in other locations in the code, but
given the illusions in play for peering the downstream of a peered service wasn't aware
that it should be doing that.

Also:
- ensuring that we always try to use wan-like addresses to cross peer boundaries.
2022-06-10 16:11:40 -05:00
Kyle Havlovitz 3f0de89a28
Merge pull request #13421 from hashicorp/dns-node-query-partitions
OSS: Add dns node lookup support in partitions
2022-06-10 12:22:34 -07:00
Kyle Havlovitz 14119d372d Add changelog note 2022-06-10 12:05:05 -07:00
Kyle Havlovitz 7f62571419 Add dns node lookup support in partitions 2022-06-10 11:23:51 -07:00
Mark Anderson 9e27cc02d9
Merge pull request #13316 from hashicorp/ma/vault-docs-report-backport
Update website/content/docs/connect/ca/vault.mdx
2022-06-10 09:59:15 -07:00
R.B. Boyer 7001e1151c
peering: rename initiate to establish in the context of the APIs (#13419) 2022-06-10 11:10:46 -05:00
Mark Anderson 175728b292 Minor cleanup for build-date script
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-06-09 17:07:41 -07:00