* server: run the api checks against the path without params (#19205)
* Clone proto into deepcopy correctly (#19204)
* chore: update version and nightly CI for 1.17 (#19208)
Update version file to 1.18-dev, and replace 1.13 nightly test with
1.17.
* mesh: add validation hook to proxy configuration (#19186)
* mesh: add more validations to Destinations resource (#19202)
* catalog, mesh: implement missing ACL hooks (#19143)
This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.
It refactors a lot of the common testing functions so that they can be re-used between resources.
There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.
* NET-5073 - ProxyConfiguration: implement various connection options (#19187)
* NET-5073 - ProxyConfiguration: implement various connection options
* PR feedback - LocalConnection and InboundConnection do not affect exposed routes. configure L7 route destinations. fix connection proto sequence numbers.
* add timeout to L7 Route Destinations
* Relplat 897 copywrite bot workarounds (#19200)
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
* mesh: add xRoute ACL hook tenancy tests (#19177)
Enhance the xRoute ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.
* resource: enforce lowercase v2 resource names (#19218)
* mesh: add DestinationPolicy ACL hook tenancy tests (#19178)
Enhance the DestinationPolicy ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.
* catalog: add FailoverPolicy ACL hook tenancy test (#19179)
* Upgrade @hashicorp/design-system-tokens to 1.9.0
* Upgrade @hashicorp/design-system-components to 1.8.1
* Upgrade @hashicorp/design-system-components and ember-in-viewport
* Explicitly install ember-modifier@4.1.0
* rename copy-button
* backport of commit 1a1b95127d
* backport of commit b7295ee1a7
* backport of commit 73089ed9ea
* backport of commit cea2ab90e6
* backport of commit 964ef50df3
* backport of commit 0fd98e7e05
* backport of commit 0519b9bd73
* backport of commit 50cbd00683
* backport of commit 838a8a9745
* backport of commit 4882490c6f
* backport of commit 42a9f03a2b
* backport of commit bbedb3fff0
* backport of commit 4576fbee1e
* backport of commit 07584faa58
* backport of commit ef39122bad
* backport of commit c77d8a06f3
* backport of commit 13e3d1cdb5
---------
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
Co-authored-by: modrake <12264057+modrake@users.noreply.github.com>
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
Co-authored-by: wenincode <tyler.wendlandt@hashicorp.com>
Co-authored-by: Chris Hut <tophernuts@gmail.com>
mesh: add DestinationPolicy ACL hook tenancy tests (#19178)
Enhance the DestinationPolicy ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
* backport of commit 30051fc5fe
* backport of commit 5b71320100
* backport of commit 9603006e96
---------
Co-authored-by: Morgan Drake <12264057+modrake@users.noreply.github.com>
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
* server: run the api checks against the path without params (#19205)
* Clone proto into deepcopy correctly (#19204)
* chore: update version and nightly CI for 1.17 (#19208)
Update version file to 1.18-dev, and replace 1.13 nightly test with
1.17.
* mesh: add validation hook to proxy configuration (#19186)
* mesh: add more validations to Destinations resource (#19202)
* catalog, mesh: implement missing ACL hooks (#19143)
This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.
It refactors a lot of the common testing functions so that they can be re-used between resources.
There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.
* NET-5073 - ProxyConfiguration: implement various connection options
* PR feedback - LocalConnection and InboundConnection do not affect exposed routes. configure L7 route destinations. fix connection proto sequence numbers.
* backport of commit c9c1b86789
* backport of commit 44c6c8c896
---------
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
catalog, mesh: implement missing ACL hooks (#19143)
This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.
It refactors a lot of the common testing functions so that they can be re-used between resources.
There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
* server: run the api checks against the path without params (#19205)
* Clone proto into deepcopy correctly (#19204)
* mesh: add validation hook to proxy configuration
* backport of commit b08d9d4b47
* backport of commit 55b9363539
---------
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
This implements the Filter field on pbcatalog.WorkloadSelector to be
a post-fetch in-memory filter using the https://github.com/hashicorp/go-bexpr
expression language to filter resources based on their envelope metadata fields.
All existing usages of WorkloadSelector should be able to make use of the filter.
* xdsv2: support l7 by adding xfcc policy/headers, tweaking routes, and make a bunch of listeners l7 tests pass
* sidecarproxycontroller: add l7 local app support
* trafficpermissions: make l4 traffic permissions work on l7 workloads
* rename route name field for consistency with l4 cluster name field
* resolve conflicts and rebase
* fix: ensure route name is used in l7 destination route name as well. previously it was only in the route names themselves, now the route name and l7 destination route name line up
Sometimes workloads could come with unspecified protocols such as when running on Kubernetes. Currently, if this is the case, we will just default to tcp protocol.
However, to make sidecar-proxy controller work with l7 protocols we should instead inherit the protocol from service. This change adds tracking for services that a workload is part of and attempts to inherit the protocol whenever services a workload is part of doesn't have conflicting protocols.
This change builds on #19043 and #19067 and updates the sidecar controller to use those computed resources. This achieves several benefits:
* The cache is now simplified which helps us solve for previous bugs (such as multiple Upstreams/Destinations targeting the same service would overwrite each other)
* We no longer need proxy config cache
* We no longer need to do merging of proxy configs as part of the controller logic
* Controller watches are simplified because we no longer need to have complex mapping using cache and can instead use the simple ReplaceType mapper.
It also makes several other improvements/refactors:
* Unifies all caches into one. This is because originally the caches were more independent, however, now that they need to interact with each other it made sense to unify them where sidecar proxy controller uses one cache with 3 bimappers
* Unifies cache and mappers. Mapper already needed all caches anyway and so it made sense to make the cache do the mapping also now that the cache is unified.
* Gets rid of service endpoints watches. This was needed to get updates in a case when service's identities have changed and we need to update proxy state template's spiffe IDs for those destinations. This will however generate a lot of reconcile requests for this controller as service endpoints objects can change a lot because they contain workload's health status. This is solved by adding a status to the service object tracking "bound identities" and have service endpoints controller update it. Having service's status updated allows us to get updates in the sidecar proxy controller because it's already watching service objects
* Add a watch for workloads. We need it so that we get updates if workload's ports change. This also ensures that we update cached identities in case workload's identity changes.
This commit adds a new type ComputedDestinations that will contain all destinations from any Destinations resources and will be name-aligned with a workload. This also adds an explicit-destinations controller that computes these resources.
This is needed to simplify the tracking we need to do currently in the sidecar-proxy controller and makes it easier to query all explicit destinations that apply to a workload.
We serially attempt to decode resources in the consul resource apply command
using HCL and then falling back on JSON. This causes the HCL errors to be
dropped completely in the case where the HCL decode failed due to a typo
instead of it actually being JSON instead.
This PR proposes sniffing to see if the first non-whitespace character in the
input is { and if so treat it as JSON, otherwise as HCL and not
double-decode on error.
When the v2 catalog experiment is enabled the old v1 catalog apis will be
forcibly disabled at both the API (json) layer and the RPC (msgpack) layer.
This will also disable anti-entropy as it uses the v1 api.
This includes all of /v1/catalog/*, /v1/health/*, most of /v1/agent/*,
/v1/config/*, and most of /v1/internal/*.