Commit Graph

21317 Commits (a975b0430297eea3de7f8ad6077de00e0a673c03)

Author SHA1 Message Date
John Murret a975b04302
NET-5879 - move the filter for non-passing to occur in the health RPC layer rather than the callers of the RPC (#21098)
* NET-5879 - move the filter for non-passing to occur in the health RPC layer rather than the callers of the RPC

* fix import of slices

* fix test
2024-05-14 07:05:54 -06:00
Blake Covarrubias 48df56f7d2
docs: Add fault injection to Envoy extensions list (#21087)
Add fault injection to Envoy extensions list
2024-05-13 16:38:36 -07:00
Blake Covarrubias d0ebc85765
docs: Fix docs for `-ui-content-path` CLI flag (#21095)
Fix the rendering of the documentation for the `-ui-content-path` CLI
flag.
2024-05-13 15:05:23 -07:00
Michael Zalimeni d312d0461b
ci: temporarily re-enable retired CE backport labels (#21094)
To ease migration during this week's patch releases, temporarily use the
more permissive version of BPA to allow old + new backport labels to be
used simultaneously.
2024-05-13 18:01:16 +00:00
Michael Zalimeni 6bf42140ce
ci: test BPA 0.4.1 with no-op doc change (#21091)
Add a newline to docs/README.md to test a backport without functional
changes.
2024-05-13 16:43:17 +00:00
Jeanne Angeles Franco 0b03a9251e
Roll bpa version and cleanup (#21090) 2024-05-13 16:35:00 +00:00
nicoche 794e73080d
docs: fix typo in security/acl (#21003) 2024-05-10 16:25:50 -07:00
John Murret dc19ce36ef
NET-9143 - sameness group queries in DNS do not respect DefaultForFailover setting and always assume failover behavior (#21029)
* NET-9143 - sameness group queries in DNS do not respect DefaultForFailover setting and always assume failover behavior

* update config entry docs for sameness groups

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2024-05-10 09:17:56 -06:00
John Murret 17df32e5cb
NET-9084 - add tests to peering endpoint and blockingquery package to assert blocking works properly. (#21078) 2024-05-09 14:55:13 -04:00
Michael Zalimeni 8d4525ae50
doc: add clarifying note to versions.hcl (#21071)
Make it obvious that this file is only consumed from the default branch.
2024-05-09 14:29:18 -04:00
Michael Zalimeni f56405e745
security: Upgrade Go to 1.21.10 (#21074)
This resolves CVE-2024-24787 and CVE-2024-24788.
2024-05-09 11:11:01 -04:00
Jeanne Angeles Franco f51d08052b
Backport assistant onboarding with LTS support #9224 (#21058)
* Config changes to use backport-assistant with lts support

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

---------

Co-authored-by: claire labry <claire@hashicorp.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2024-05-08 10:55:28 -07:00
Michael Zalimeni 093618d923
[NET-9141] ci: skip LICENSE copy for Ent linux packages (#21060)
ci: skip LICENSE copy for Ent linux packages
2024-05-07 12:02:02 -04:00
R.B. Boyer 1535844c62
gossip: refactor some gossip related libraries into a central place (#21036)
This refactors and relocates the following packages to live under internal/gossip instead of either in the toplevel lib or agent/consul:

- librtt : related to serf coordinates
- libserf : random serf stuff
2024-05-07 10:30:49 -05:00
R.B. Boyer 502346029d
test: remove v2 integration tests (#21056)
This removes any references to v2 integration tests from:

- envoy integration tests (test/integration/connect)
- container tests (test/integration/consul-container)
- deployer tests (test-integ)
2024-05-07 10:24:50 -05:00
Nathan Coleman b5b3a63183
[NET-9098] Narrow scope of peering config on terminating gw filter chain to TCP services (#21054) 2024-05-06 16:21:09 -04:00
Michael Zalimeni 86b0818c1f
[NET-8601] security: upgrade vault/api to remove go-jose.v2 (#20910)
security: upgrade vault/api to remove go-jose.v2

This dependency has an open vulnerability (GO-2024-2631), and is no
longer needed by the latest `vault/api`. This is a follow-up to the
upgrade of `go-jose/v3` in this repository to make all our dependencies
consolidate on v3.

Also remove the recently added security scan triage block for
GO-2024-2631, which was added due to incorrect reports that
`go-jose/v3@3.0.3` was impacted; in reality, is was this indirect
client dependency (not impacted by CVE) that the scanner was flagging. A
bug report has been filed to address the incorrect reporting.
2024-05-04 00:18:51 +00:00
wangxinyi7 4ad1757dfe
add license file (#21035) 2024-05-03 15:10:04 -07:00
R.B. Boyer 8bea6cd82a
deployer: ensure the proxy/dns/pause containers do not continually get replaced due to a change in a docker default (#21043) 2024-05-03 15:21:43 -05:00
Deniz Onur Duzgun 8209b3ff86
security: fine-tune release scanner and bump coredns (#21038)
* security: bump coredns

* add changelog

* Revert "security: bump coredns"

This reverts commit dcca09d83e.

* security: bump coredns

* fine-tune security scanner on release

* dismiss changelog
2024-05-03 15:09:40 -04:00
Dan Stough 1793b506d5
chore: fix JIRA workflow (#21037)
fix JIRA workflow
2024-05-03 14:07:12 -04:00
natemollica-dev 126784ee9a
Update snapshot CLI command addition of Decode subcommand from PR#20824 (#21005)
docs: update snapshot for subcommand decode add by PR#20824
2024-05-02 14:43:51 -07:00
Dan Stough 37e3ebe564
chore: remove workstream from JIRA sync (#21031) 2024-05-02 15:18:17 -04:00
Deniz Onur Duzgun 3a6f2fba18
security: bump envoy version and k8s.io/apimachinery (#21017)
* security: bump envoy version

* add changelog
2024-05-02 13:36:02 -04:00
Jeff Boruszak bbd8080ec0
HCP Consul Dedicated Rebrand changes (#21026)
* HCP Consul Dedicated rebrand

* Dedicated rebrand

* path change

* Update website/content/docs/architecture/index.mdx

Co-authored-by: Krastin Krastev <krastin@hashicorp.com>

* typo

---------

Co-authored-by: Krastin Krastev <krastin@hashicorp.com>
2024-05-01 09:09:08 -07:00
Ranjandas b9296f8e65
Fixed broken link in the ECS documentation (#21018) 2024-04-29 08:00:15 -07:00
Jeff Boruszak e341fa04ec
docs: DNS caching tutorial becomes doc (#21010)
* DNS cache page

* Add page to nav

* Replace old link text

* Page edits

* fix content check error

* formatting fixes

* Heading adjustment

* nav

* It was an H1 error all along
2024-04-24 15:24:19 -07:00
Jeff Boruszak dbc0889c6f
docs: Enterprise upgrade instruction (#20985)
* Upgrade general process updates

* Add alert + adjust structure

* typo
2024-04-24 14:17:54 +03:00
Jeff Boruszak 4a3c3c0b4a
docs: Redirect fix (#21008)
Redirect fix
2024-04-23 08:38:07 -07:00
Dan Stough 03ab7367a6
feat(dataplane): allow token and tenancy information for proxied DNS (#20899)
* feat(dataplane): allow token and tenancy information for proxied DNS

* changelog
2024-04-22 14:30:43 -04:00
Jeff Boruszak 057ad7e952
docs: Initial HCP Rebrand (#21000)
* Initial rebrand for HCP Terraform

* Apply suggestions from code review

Co-authored-by: Rose M Koron <32436232+rkoron007@users.noreply.github.com>

* path fix and redirect

* reintroduce nav from #20873 and #20994

---------

Co-authored-by: Rose M Koron <32436232+rkoron007@users.noreply.github.com>
Co-authored-by: Krastin Krastev <krastin@hashicorp.com>
2024-04-22 16:07:14 +03:00
Jeff Boruszak d106c7f665
docs: KV tutorial becomes usage doc (#20994)
* Add KV store usage page

* nav typo
2024-04-18 10:50:51 -07:00
Michael Zalimeni 5eea0b6c76
test: force IPv4 on Docker 26+ to fix Envoy int tests (#20986)
As of Docker Engine 26.0.0 (https://github.com/moby/moby/pull/47062),
IPv6 is enabled by default where supported. This causes issues for our
tests attempting to resolve requests to other containers over
localhost, since on Linux IPv6 will be preferred over IPv4 when
available when applying the default behavior defined in RFC3484.

As a workaround, force IPv4 with a flag passed to `docker run`.
2024-04-17 19:49:33 +00:00
sarahalsmiller 08761f16c8
Net 6820 customize mesh gateway limits (#20945)
* add upstream limits to mesh gateway cluster generation

* changelog

* go mod tidy

* readd changelog data

* undo reversion from rebase

* run codegen

* Update .changelog/20945.txt

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* address notes

* gofmt

* clean up

* gofmt

* Update agent/proxycfg/mesh_gateway.go

* gofmt

* nil check

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2024-04-16 10:59:41 -05:00
Nathan Coleman 5e9f02d4be
[NET-8091] Add file-system-certificate config entry for API gateway (#20873)
* Define file-system-certificate config entry

* Collect file-system-certificate(s) referenced by api-gateway onto snapshot

* Add file-system-certificate to config entry kind allow lists

* Remove inapplicable validation

This validation makes sense for inline certificates since Consul server is holding the certificate; however, for file system certificates, Consul server never actually sees the certificate.

* Support file-system-certificate as source for listener TLS certificate

* Add more required mappings for the new config entry type

* Construct proper TLS context based on certificate kind

* Add support or SDS in xdscommon

* Remove unused param

* Adds back verification of certs for inline-certificates

* Undo tangential changes to TLS config consumption

* Remove stray curly braces

* Undo some more tangential changes

* Improve function name for generating API gateway secrets

* Add changelog entry

* Update .changelog/20873.txt

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

* Add some nil-checking, remove outdated TODO

* Update test assertions to include file-system-certificate

* Add documentation for file-system-certificate config entry

Add new doc to nav

* Fix grammar mistake

* Rename watchmaps, remove outdated TODO

---------

Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2024-04-15 16:45:05 -04:00
Di Sheng e52b1702e9
FIX: wrong indentation of to block in Example yaml (#20974)
docs: Fix wrong indentation of `to` block in cross-namespace `backendRef` example YAML file
2024-04-11 15:23:15 -07:00
Michael Zalimeni a8d08e759f
fix: consume ignored entries in CE downgrade via Ent snapshot (#20977)
This operation would previously fail due to unconsumed bytes in the
decoder buffer when reading the Ent snapshot (the first byte of the
record would be misinterpreted as a type indicator, and the remaining
bytes would fail to be deserialized or read as invalid data).

Ensure restore succeeds by decoding the ignored record as an
interface{}, which will consume the record bytes without requiring a
concrete target struct, then moving on to the next record.
2024-04-11 21:08:44 +00:00
Eric Haberkorn e231f0ee9b
Add an agent config option to diable per tenancy usage metrics. (#20976) 2024-04-11 15:20:09 -04:00
John Murret d261a987f1
update go-control-plane envoy dependency to 0.12.0 (#20973)
* update go-control-plane envoy dependency to 0.12.0

* add changelog

* go mod tidy

* fix linting issues

* add agent/grpc-internal to the list of SA1019 ignores
2024-04-10 01:23:04 +00:00
Michael Zalimeni 159fcfb2fa
security: ignore test and internal tool modules (#20963) 2024-04-08 17:30:04 -04:00
Michael Zalimeni ad23e96a32
ci: fix Envoy int test versions (#20964)
Follow-up to #20956
2024-04-08 21:27:38 +00:00
Deniz Onur Duzgun 3152ac3702
security: bump go, x/net and envoy versions (#20956)
* Bump go version

* Bump x/net

* Bump envoy version

* Add changelog

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2024-04-08 19:18:40 +00:00
Freddy 8659c06a73
Add diagrams for write flow through Raft (#20948)
Add diagrams about write flow through Raft
2024-04-04 09:28:53 -06:00
Jared Kirschner 174f92aa24
docs: fix apply DNS ACL token via CLI (#20951) 2024-04-03 15:28:35 -04:00
sarahalsmiller be8d572eb2
NET-8524 Remove registation of api gateway controller (#20950)
remove registation of api gateway controller
2024-04-03 19:13:57 +00:00
Nathan Coleman 9af713ff17
[NET-5772] Make tcp external service registered on terminating gw reachable from peered cluster (#19881)
* Include SNI + root PEMs from peered cluster on terminating gw filter chain

This allows an external service registered on a terminating gateway to be exported to and reachable from a peered cluster

* Abstract existing logic into re-usable function

* Regenerate golden files w/ new listener logic

* Add changelog entry

* Use peering bundles that are stable across test runs
2024-04-03 12:38:09 -04:00
Manu Nicolas 3dc27518d2
Documentation: update python SDKs list (#20935)
Update python SDKs

The original python-consul is unmaintained with no activity for 6 years.
The python-consul2 fork has had no activity for 3 years, whether it's commits or responding to PRs and issues.
2024-04-02 04:07:25 +00:00
John Murret a6d9ad5225
remove self-referencing link on network segments page (#20937) 2024-04-01 08:59:32 -06:00
George Ma 44facc2ea3
chore: remove repetitive words (#20890)
Signed-off-by: availhang <mayangang@outlook.com>
2024-03-28 16:31:55 -07:00
John Murret 39112c7a98
GH-20889 - put conditionals are hcp initialization for consul server (#20926)
* put conditionals are hcp initialization for consul server

* put more things behind configuration flags

* add changelog

* TestServer_hcpManager

* fix TestAgent_scadaProvider
2024-03-28 14:47:11 -06:00