consul

Commit Graph

Author	SHA1	Message	Date
Evan Culver	000d0621b4	connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805 ) Co-authored-by: R.B. Boyer <rb@hashicorp.com>	3 years ago
Evan Culver	881e17fae1	connect: Add Envoy 1.21.1 to support matrix, remove 1.17.4 (#12777 )	3 years ago
Eric	b01bb41553	Implement routing and intentions for AWS Lambdas	3 years ago
R.B. Boyer	25ba9c147a	xds: ensure that all connect timeout configs can apply equally to tproxy direct dial connections (#12711 ) Just like standard upstreams the order of applicability in descending precedence: 1. caller's `service-defaults` upstream override for destination 2. caller's `service-defaults` upstream defaults 3. destination's `service-resolver` ConnectTimeout 4. system default of 5s Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>	3 years ago
Kyle Havlovitz	6cf22a5cef	Merge pull request #12672 from hashicorp/tgate-san-validation Respect SNI with terminating gateways and log a warning if it isn't set alongside TLS	3 years ago
Eric	5682f3ce1f	Tweak the Lambda Envoy configuration generated by the serverless patcher - Move from `strip_matching_host_port` to `strip_any_host_port` - Remove `auto_host_rewrite` since it conflicts with `strip_any_host_port`	3 years ago
Kyle Havlovitz	1a3b885027	Use the GatewayService SNI field for upstream SAN validation	3 years ago
Eric	e0a15690ae	Implement Lambda Patching in the Serverless Plugin	3 years ago
Eric Haberkorn	458b1838db	Merge pull request #12659 from hashicorp/bump-go-control-plane Bump Go Control Plane	3 years ago
R.B. Boyer	e79ce8ab03	xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601 ) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966	3 years ago
Eric	e4b4f175ed	Bump go-control-plane * `go get cloud.google.com/go@v0.59.0` * `go get github.com/envoyproxy/go-control-plane@v0.9.9` * `make envoy-library` * Bumpprotoc to 3.15.8	3 years ago
R.B. Boyer	2a56e0055b	proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531 ) Prior to this PR for the envoy xDS golden tests in the agent/xds package we were hand-creating a proxycfg.ConfigSnapshot structure in the proper format for input to the xDS generator. Over time this intermediate structure has gotten trickier to build correctly for the various tests. This PR proposes to switch to using the existing mechanism for turning a structs.NodeService and a sequence of cache.UpdateEvent copies into a proxycfg.ConfigSnapshot, as that is less error prone to construct and aligns more with how the data arrives. NOTE: almost all of this is in test-related code. I tried super hard to craft correct event inputs to get the golden files to be the same, or similar enough after construction to feel ok that i recreated the spirit of the original test cases.	3 years ago
Kyle Havlovitz	3fe358b831	xds: respect chain protocol on default discovery chain	3 years ago
freddygv	659ebc05a9	Ensure passthrough addresses get cleaned up Transparent proxies can set up filter chains that allow direct connections to upstream service instances. Services that can be dialed directly are stored in the PassthroughUpstreams map of the proxycfg snapshot. Previously these addresses were not being cleaned up based on new service health data. The list of addresses associated with an upstream service would only ever grow. As services scale up and down, eventually they will have instances assigned to an IP that was previously assigned to a different service. When IP addresses are duplicated across filter chain match rules the listener config will be rejected by Envoy. This commit updates the proxycfg snapshot management so that passthrough addresses can get cleaned up when no longer associated with a given upstream. There is still the possibility of a race condition here where due to timing an address is shared between multiple passthrough upstreams. That concern is mitigated by #12195, but will be further addressed in a follow-up.	3 years ago
R.B. Boyer	424f3cdd2c	proxycfg: introduce explicit UpstreamID in lieu of bare string (#12125 ) The gist here is that now we use a value-type struct proxycfg.UpstreamID as the map key in ConfigSnapshot maps where we used to use "upstream id-ish" strings. These are internal only and used just for bidirectional trips through the agent cache keyspace (like the discovery chain target struct). For the few places where the upstream id needs to be projected into xDS, that's what (proxycfg.UpstreamID).EnvoyID() is for. This lets us ALWAYS inject the partition and namespace into these things without making stuff like the golden testdata diverge.	3 years ago
Kyle Havlovitz	0db874c38b	Add virtual IP generation for term gateway backed services	3 years ago
Mike Morris	1b1a97e8f9	ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576 ) * xds: refactor ingress listener SDS configuration * xds: update resolveListenerSDS call args in listeners_test * ingress: add TLS min, max and cipher suites to GatewayTLSConfig * xds: implement envoyTLSVersions and envoyTLSCipherSuites * xds: merge TLS config * xds: configure TLS parameters with ingress TLS context from leaf * xds: nil check in resolveListenerTLSConfig validation * xds: nil check in makeTLSParameters* functions * changelog: add entry for TLS params on ingress config entries * xds: remove indirection for TLS params in TLSConfig structs * xds: return tlsContext, nil instead of ambiguous err Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * xds: switch zero checks to types.TLSVersionUnspecified * ingress: add validation for ingress config entry TLS params * ingress: validate listener TLS config * xds: add basic ingress with TLS params tests * xds: add ingress listeners mixed TLS min version defaults precedence test * xds: add more explicit tests for ingress listeners inheriting gateway defaults * xds: add test for single TLS listener on gateway without TLS defaults * xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test * types/tls: change TLSVersion to string * types/tls: update TLSCipherSuite to string type * types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private * api: add TLS params to GatewayTLSConfig, add tests * api: add TLSMinVersion to ingress gateway config entry test JSON * xds: switch to Envoy TLS cipher suite encoding from types package * xds: fixup validation for TLSv1_3 min version with cipher suites * add some kitchen sink tests and add a missing struct tag * xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites * xds: update connectTLSEnabled comment * xds: remove unsued resolveGatewayServiceTLSConfig function * xds: add makeCommonTLSContextFromLeafWithoutParams * types/tls: add LessThan comparator function for concrete values * types/tls: change tlsVersions validation map from string to TLSVersion keys * types/tls: remove unused envoyTLSCipherSuites * types/tls: enable chacha20 cipher suites for Consul agent * types/tls: remove insecure cipher suites from allowed config TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source. Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330 * types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private * types/tls: return all unmatched cipher suites in validation errors * xds: check that Envoy API value matching TLS version is found when building TlsParameters * types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings * types/tls: cast to string rather than fmt.Printf in TLSCihperSuite.String() * xds: add TLSVersionUnspecified to list of configurable cipher suites * structs: update note about config entry warning * xds: remove TLS min version cipher suite unconfigurable test placeholder * types/tls: update tests to remove assumption about private map values Co-authored-by: R.B. Boyer <rb@hashicorp.com>	3 years ago
freddygv	e7a7042c69	Update listener generation to account for consul VIP	3 years ago
Freddy	00b5b0a0a2	Update filter chain creation for sidecar/ingress listeners (#11245 ) The duo of `makeUpstreamFilterChainForDiscoveryChain` and `makeListenerForDiscoveryChain` were really hard to reason about, and led to concealing a bug in their branching logic. There were several issues here: - They tried to accomplish too much: determining filter name, cluster name, and whether RDS should be used. - They embedded logic to handle significantly different kinds of upstream listeners (passthrough, prepared query, typical services, and catch-all) - They needed to coalesce different data sources (Upstream and CompiledDiscoveryChain) Rather than handling all of those tasks inside of these functions, this PR pulls out the RDS/clusterName/filterName logic. This refactor also fixed a bug with the handling of [UpstreamDefaults](https://www.consul.io/docs/connect/config-entries/service-defaults#defaults). These defaults get stored as UpstreamConfig in the proxy snapshot with a DestinationName of "", since they apply to all upstreams. However, this wildcard destination name must not be used when creating the name of the associated upstream cluster. The coalescing logic in the original functions here was in some situations creating clusters with a `.` prefix, which is not a valid destination.	3 years ago
Daniel Upton	50a1f20ff9	xds: prefer fed state gateway definitions if they're fresher (#11522 ) Fixes an issue described in #10132, where if two DCs are WAN federated over mesh gateways, and the gateway in the non-primary DC is terminated and receives a new IP address (as is commonly the case when running them on ephemeral compute instances) the primary DC is unable to re-establish its connection until the agent running on its own gateway is restarted. This was happening because we always preferred gateways discovered by the `Internal.ServiceDump` RPC (which would fail because there's no way to dial the remote DC) over those discovered in the federation state, which is replicated as long as the primary DC's gateway is reachable.	3 years ago
Evan Culver	61be9371f5	connect: Remove support for Envoy 1.16 (#11354 )	3 years ago
Evan Culver	bec08f4ec3	connect: Add support for Envoy 1.20 (#11277 )	3 years ago
freddygv	e1691d1627	Update XDS for sidecars dialing through gateways	3 years ago
Paul Banks	c891f30c24	Rebase and rebuild golden files for Envoy version bump	3 years ago
Paul Banks	78a00f2e1c	Add support for enabling connect-based ingress TLS per listener.	3 years ago
Evan Culver	fdbb742ffd	regenerate more envoy golden files	3 years ago
Evan Culver	585d9363ed	Merge branch 'main' into eculver/envoy-1.19.1	3 years ago
Paul Banks	a9119e36a5	Fix merge conflict in xds tests	3 years ago
Paul Banks	2a3d3d3c23	Update xDS routes to support ingress services with different TLS config	3 years ago
Paul Banks	16b3b1c737	Update xDS Listeners with SDS support	3 years ago
Chris S. Kim	f972048ebc	connect: Allow upstream listener escape hatch for prepared queries (#11109 )	3 years ago
Evan Culver	2798383dbc	regenerate envoy golden files	3 years ago
Paul Banks	e22cc9c53a	Header manip for split legs plumbing	3 years ago
Paul Banks	83fc8723a3	Header manip for service-router plumbed through	3 years ago
Paul Banks	f439dfc04f	Ingress gateway header manip plumbing	3 years ago
Dhia Ayachi	bc0e4f2f46	partition dicovery chains (#10983 ) * partition dicovery chains * fix default partition for OSS	3 years ago
freddygv	af52d21884	Update prepared query cluster SAN validation Previously SAN validation for prepared queries was broken because we validated against the name, namespace, and datacenter for prepared queries. However, prepared queries can target: - Services with a name that isn't their own - Services in multiple datacenters This means that the SpiffeID to validate needs to be based on the prepared query endpoints, and not the prepared query's upstream definition. This commit updates prepared query clusters to account for that.	3 years ago
freddygv	85878685b7	Fixup proxy config test fixtures - The TestNodeService helper created services with the fixed name "web", and now that name is overridable. - The discovery chain snapshot didn't have prepared query endpoints so the endpoints tests were missing data for prepared queries	3 years ago
Freddy	12b7e07d5c	Merge pull request #10621 from hashicorp/vuln/validate-sans	3 years ago
R.B. Boyer	20feb42d3a	xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619 )	3 years ago
freddygv	5a82656510	Update golden files	3 years ago
freddygv	5454147c09	Update golden files to account for SAN validation	3 years ago
freddygv	924a5ba642	Regen golden files	3 years ago
freddygv	0aec6761dc	Update ingress gateway stats labeling In the absence of stats_tags to handle this pattern, when we pass "ingress_upstream.$port" as the stat_prefix, Envoy splits up that prefix and makes the port a part of the metric name. For example: - stat_prefix: ingress_upstream.8080 This leads to metric names like envoy_http_8080_no_route. Changing the stat_prefix to ingress_upstream_80880 yields the expected metric names such as envoy_http_no_route. Note that we don't encode the destination's name/ns/dc in this stat_prefix because for HTTP services ingress gateways use a single filter chain. Only cluster metrics are available on a per-upstream basis.	3 years ago
freddygv	6f8c6043b6	Update terminating gateway stats labeling This change makes it so that the stat prefix for terminating gateways matches that of connect proxies. By using the structure of "upstream.svc.ns.dc" we can extract labels for the destination service, namespace, and datacenter.	3 years ago
Freddy	429f9d8bb8	Add flag for transparent proxies to dial individual instances (#10329 )	4 years ago
Freddy	7577f0e991	Revert "Avoid adding original_dst filter when not needed" (#10365 )	4 years ago
Freddy	353280660f	Ensure passthrough clusters can be created (#10301 )	4 years ago
Freddy	19334e8abf	Avoid adding original_dst filter when not needed (#10302 )	4 years ago
Mark Anderson	ff7fca756b	Add simple test for downstream sockets Signed-off-by: Mark Anderson <manderson@hashicorp.com>	4 years ago

1 2 3

130 Commits (9bb2a805334a52fbbba7023e6c13d6bb6c25a2bb)