The consul-k8s endpoints controller issues catalog register and manual virtual ip
updates without first checking to see if the updates would be effectively not
changing anything. This is supposed to be reasonable because the state store
functions do the check for a no-op update and should discard repeat updates so
that downstream blocking queries watching one of the resources don't fire
pointlessly (and CPU wastefully).
While this is true for the check/service/node catalog updates, it is not true for
the "manual virtual ip" updates triggered by the PUT /v1/internal/service-virtual-ip.
Forcing the connect injector pod to recycle while watching some lightly
modified FSM code can show that a lot of updates are of the update list of ips
from [A] to [A]. Immediately following this stray update you can see a lot of
activity in proxycfg and xds packages waking up due to blocking queries
triggered by this.
This PR skips updates that change nothing both:
- at the RPC layer before passing it to raft (ideally)
- if the write does make it through raft and get applied to the FSM (failsafe)
* Update routes.mdx
Currently backendRefs refers to api-gateway.consul.hashicorp.com as the API Group that should be used when kind is set to Mesh Service. Based on mesh service template, it should just be consul.hashicorp.com.
* Update backendRefs in route to peered doc
* NET-11737 - sec vulnerability - remediate ability to use bexpr to filter results without ACL read on endpoint
* add changelog
* update test descriptions to make more sense
* upgrade hcl package and account for possiblity of duplicates existing already in the cache
* upgrade to new tag
* add defensive line to prevent potential forever loop
* o mod tidy and changelog
* Update acl/policy.go
* fix raft reversion
* go mod tidy
* fix test
* remove duplicate key in test
* remove duplicates from test cases
* clean up
* go mod tidy
* go mod tidy
* pull in new hcl tag
Also prevent de-registered retired v2 types from being restored from a
snapshot, such as these hcp resources. Without doing this, anyone with
any of these types in their state store will retain them forever with no
avenue to remove them.
* Added the docs for all the grafana dashboards.
Author: Yasmin Lorin Kaygalak <ykaygala@villanova.edu>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
* ci(security-scanner): add support for Red Hat UBI images and fix typo
* hclfmt
* clean-up comments
Co-authored-by: Kent Gruber <kent@hashicorp.com>
---------
Co-authored-by: Kent Gruber <kent@hashicorp.com>
* Update Envoy compatibility matrices to include consul 1.20.x and dataplane 1.6.x
* Remove non-LTS version from LTS table
* Fix incorrect version in dataplane release matrix
* Remove releases that don't span versions from the matrix of releases that span versions
Update matrices and clarify statements as to when Consul expands
support to new major versions of Envoy and Consul dataplane in light of
Consul LTS or Envoy EOL status.
mesh: add options for HTTP incoming request normalization
Expose global mesh configuration to enforce inbound HTTP request
normalization on mesh traffic via Envoy xDS config.
mesh: enable inbound URL path normalization by default
mesh: add support for L7 header match contains and ignore_case
Enable partial string and case-insensitive matching in L7 intentions
header match rules.
ui: support L7 header match contains and ignore_case
Co-authored-by: Phil Renaud <phil@riotindustries.com>
test: add request normalization integration bats tests
Add both "positive" and "negative" test suites, showing normalization in
action as well as expected results when it is not enabled, for the same
set of test cases.
Also add some alternative service container test helpers for verifying
raw HTTP request paths, which is difficult to do with Fortio.
docs: update security and reference docs for L7 intentions bypass prevention
- Update security docs with best practices for service intentions
configuration
- Update configuration entry references for mesh and intentions to
reflect new values and add guidance on usage
* Update active version list in .release/versions.hcl
* Remove nightly tests for 1.17.x
* Add nightly tests for 1.20.x
* Gate nightly tests for 1.19.x to Enterprise only
* Update CHANGELOG.md
* Add partition field for catalog deregister docs
* Update website/content/api-docs/catalog.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
---------
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
ci: fix conditional skip and add safeguard
Adopt a third-party action to avoid script bugs, and to fix a current
issue where the script fails to detect all changes when processing push
events on PR branches.
Adapted from hashicorp/consul-dataplane#637. See that PR for testing
details and background context.
* Update test-integrations.yml
Update Vault/Nomad versions to ensure we're testing the latest versions .
* Update test to test latest available CE versions