Commit Graph

20078 Commits (b1d3ec0cdbd39ecdb84f9bbeb64693ad2197f0fd)

Author SHA1 Message Date
John Eikenberry bd76fdeaeb
enable auto-tidy expired issuers in vault (as CA)
When using vault as a CA and generating the local signing cert, try to
enable the PKI endpoint's auto-tidy feature with it set to tidy expired
issuers.
2023-05-03 20:30:37 +00:00
Nathan Coleman bdef22354b
Use auth context when evaluating service read permissions (#17207)
Co-authored-by: Blake Covarrubias <1812+blake@users.noreply.github.com>
2023-05-02 16:23:42 -04:00
Eddie Rowe 90fc9bd9e5
Fix broken lightstep link (#17201) 2023-05-01 14:24:52 +00:00
Poonam Jadhav ef5d54fd4c
feat: add no-op reporting background routine (#17178) 2023-04-28 20:07:03 -04:00
Freddy 0fc4fc6429
Revert "[CC-4519] Include Consul NodeID in Envoy bootstrap metadata" (#17191) 2023-04-28 15:23:55 -06:00
Eric Haberkorn 2c0da88ce7
fix panic in `injectSANMatcher` when `tlsContext` is `nil` (#17185) 2023-04-28 16:27:57 -04:00
Paul Glass e4a341c88a
Permissive mTLS: Config entry filtering and CLI warnings (#17183)
This adds filtering for service-defaults: consul config list -filter 'MutualTLSMode == "permissive"'.

It adds CLI warnings when the CLI writes a config entry and sees that either service-defaults or proxy-defaults contains MutualTLSMode=permissive, or sees that the mesh config entry contains AllowEnablingPermissiveMutualTLSMode=true.
2023-04-28 12:51:36 -05:00
R.B. Boyer 6b4986907d
peering: ensure that merged central configs of peered upstreams for partitioned downstreams work (#17179)
Partitioned downstreams with peered upstreams could not properly merge central config info (i.e. proxy-defaults and service-defaults things like mesh gateway modes) if the upstream had an empty DestinationPartition field in Enterprise.

Due to data flow, if this setup is done using Consul client agents the field is never empty and thus does not experience the bug.

When a service is registered directly to the catalog as is the case for consul-dataplane use this field may be empty and and the internal machinery of the merging function doesn't handle this well.

This PR ensures the internal machinery of that function is referentially self-consistent.
2023-04-28 12:36:08 -05:00
Semir Patel 1037bf7f69
Sync .golangci.yml from ENT (#17180) 2023-04-28 17:14:37 +00:00
John Landa eded58b62a
Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry (#17066)
* Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry

* Add changelog

* Remove test on default MaxTokenTTL

* Change to imperitive tense for changelog entry
2023-04-28 10:57:30 -05:00
Semir Patel 9fef1c7f17
Create tombstone on resource `Delete` (#17108) 2023-04-28 10:49:08 -05:00
Dan Upton eff5dd1812
resource: owner references must include a uid (#17169) 2023-04-28 11:22:42 +01:00
Freddy e02ef16f02
Update HCP bootstrapping to support existing clusters (#16916)
* Persist HCP management token from server config

We want to move away from injecting an initial management token into
Consul clusters linked to HCP. The reasoning is that by using a separate
class of token we can have more flexibility in terms of allowing HCP's
token to co-exist with the user's management token.

Down the line we can also more easily adjust the permissions attached to
HCP's token to limit it's scope.

With these changes, the cloud management token is like the initial
management token in that iit has the same global management policy and
if it is created it effectively bootstraps the ACL system.

* Update SDK and mock HCP server

The HCP management token will now be sent in a special field rather than
as Consul's "initial management" token configuration.

This commit also updates the mock HCP server to more accurately reflect
the behavior of the CCM backend.

* Refactor HCP bootstrapping logic and add tests

We want to allow users to link Consul clusters that already exist to
HCP. Existing clusters need care when bootstrapped by HCP, since we do
not want to do things like change ACL/TLS settings for a running
cluster.

Additional changes:

* Deconstruct MaybeBootstrap so that it can be tested. The HCP Go SDK
  requires HTTPS to fetch a token from the Auth URL, even if the backend
  server is mocked. By pulling the hcp.Client creation out we can modify
  its TLS configuration in tests while keeping the secure behavior in
  production code.

* Add light validation for data received/loaded.

* Sanitize initial_management token from received config, since HCP will
  only ever use the CloudConfig.MangementToken.

* Add changelog entry
2023-04-27 22:27:39 +02:00
John Maguire 391ed069c4
APIGW: Update how status conditions for certificates are handled (#17115)
* Move status condition for invalid certifcate to reference the listener
that is using the certificate

* Fix where we set the condition status for listeners and certificate
refs, added tests

* Add changelog
2023-04-27 15:54:44 +00:00
Anita Akaeze f03d6a06be
Merge pull request #5288 from hashicorp/NET-3648_fix (#17163)
NET-3648: perform envoy version verification
2023-04-26 20:29:43 -04:00
Semir Patel 5eaeb7b8e5
Support Envoy's MaxEjectionPercent and BaseEjectionTime config entries for passive health checks (#15979)
* Add MaxEjectionPercent to config entry

* Add BaseEjectionTime to config entry

* Add MaxEjectionPercent and BaseEjectionTime to protobufs

* Add MaxEjectionPercent and BaseEjectionTime to api

* Fix integration test breakage

* Verify MaxEjectionPercent and BaseEjectionTime in integration test upstream confings

* Website docs for MaxEjectionPercent and BaseEjection time

* Add `make docs` to browse docs at http://localhost:3000

* Changelog entry

* so that is the difference between consul-docker and dev-docker

* blah

* update proto funcs

* update proto

---------

Co-authored-by: Maliz <maliheh.monshizadeh@hashicorp.com>
2023-04-26 15:59:48 -07:00
Michael Wilkerson 80b1dbcc7d
fixed aliases for sameness group (sameness_group) (#17161) 2023-04-26 14:53:23 -07:00
Mike Morris f93bb65913
docs: fixup note about node scope for admin partitions (#17147) 2023-04-26 13:46:22 -04:00
Paul Glass b431b04d0c
TProxy integration test (#17103)
* TProxy integration test
* Fix GHA compatibility integration test command

Previously, when test splitting allocated multiple test directories to a
runner, the workflow ran `go tests "./test/dir1 ./test/dir2"` which
results in a directory not found error. This fixes that.
2023-04-26 11:49:38 -05:00
Freddy c5c35ec924
[CC-4519] Include Consul NodeID in Envoy bootstrap metadata (#17139)
This is being added so that metrics sent to HCP can be augmented with the source node's ID.

Opting not to add this to stats_tag out of caution, since it would increase the cardinality of metrics emitted by Envoy for all users.

There is no functional impact to Envoy expected from this change.
2023-04-26 10:04:57 -06:00
Dan Upton 75669ed4c4
proto-public: document resource service (#17119) 2023-04-26 16:26:54 +01:00
Eric Haberkorn cd1837388a
fix backward compat issue caused by localities being set to `null` when they are unset (#17144) 2023-04-26 11:02:20 -04:00
R.B. Boyer c501da01eb
api: ensure empty locality field is not transmitted to Consul (#17137) 2023-04-26 10:01:17 -05:00
Eric Haberkorn a87115c598
add acl filter logs (#17143) 2023-04-26 10:57:35 -04:00
Eric Haberkorn c1e63cba7d
add sameness intentions in api package (#17096) 2023-04-26 10:00:18 -04:00
Dan Upton eeaa636164
Cleanup from unblocking the pipeline 🧹 (#17121) 2023-04-26 13:59:58 +01:00
Dan Upton faae7bb5f2
testing: `RunResourceService` helper (#17068) 2023-04-26 11:57:10 +01:00
Semir Patel e7bb8fdf15
Fix or disable pipeline breaking changes that made it into main in last day or so (#17130)
* Fix straggler from renaming Register->RegisterTypes

* somehow a lint failure got through previously

* Fix lint-consul-retry errors

* adding in fix for success jobs getting skipped. (#17132)

* Temporarily disable inmem backend conformance test to get green pipeline

* Another test needs disabling

---------

Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-04-25 15:17:48 -05:00
David Yu cc5cbcba7c
Update single-dc-multi-k8s.mdx (#17126) 2023-04-25 09:42:31 -07:00
Paul Banks 9e35c47bbd
De-flake snapshot test (#17120) 2023-04-25 15:25:26 +01:00
Dan Upton b9c485dcb8
Controller Supervision (#17016) 2023-04-25 12:52:35 +01:00
Dan Upton ba4a314772
storage: fix bug where WatchList would (rarely) return duplicate events (#17067) 2023-04-25 11:48:13 +01:00
JUN YANG e66b18d048
Fix broken link in changelog (#17093)
Co-authored-by: David Yu <dyu@hashicorp.com>
2023-04-25 01:32:22 +00:00
Rosemary Wang 3f6069bd34
Clarify OpenTelemetry support for tracing (#17082) 2023-04-24 17:04:32 -07:00
malizz 2d3038874f
remove envoy endpoint flag from k8s docs (#17105) 2023-04-24 15:30:00 -07:00
John Murret f56b25472d
ci: fix runner calculation to exclude the top level directory as part of the calculation (#17090)
* fix runner calculation to exclude the top level directory as part of the calculation

* fix the logic for generating the directories/functions

* De-scope tenenacy requirements to OSS only for now. (#17087)

Partition and namespace must be "default"
Peername must be "local"

* Fix virtual services being included in intention topology as downstreams. (#17099)

* Merge pull request #5200 from hashicorp/NET-3758 (#17102)

* Merge pull request #5200 from hashicorp/NET-3758

NET-3758: connect: update supported envoy versions to 1.26.0

* lint

* CI: remove uneeded AWS creds from test-integrations (#17104)

* Update test-integrations.yml

* removing permission lies now that vault is not used in this job.

---------

Co-authored-by: John Murret <john.murret@hashicorp.com>

* update based on feedback

---------

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
Co-authored-by: Anita Akaeze <anita.akaeze@hashicorp.com>
Co-authored-by: Dan Bond <danbond@protonmail.com>
2023-04-24 14:25:57 -06:00
John Maguire e47f3216e5
APIGW Normalize Status Conditions (#16994)
* normalize status conditions for gateways and routes

* Added tests for checking condition status and panic conditions for
validating combinations, added dummy code for fsm store

* get rid of unneeded gateway condition generator struct

* Remove unused file

* run go mod tidy

* Update tests, add conflicted gateway status

* put back removed status for test

* Fix linting violation, remove custom conflicted status

* Update fsm commands oss

* Fix incorrect combination of type/condition/status

* cleaning up from PR review

* Change "invalidCertificate" to be of accepted status

* Move status condition enums into api package

* Update gateways controller and generated code

* Update conditions in fsm oss tests

* run go mod tidy on consul-container module to fix linting

* Fix type for gateway endpoint test

* go mod tidy from changes to api

* go mod tidy on troubleshoot

* Fix route conflicted reason

* fix route conflict reason rename

* Fix text for gateway conflicted status

* Add valid certificate ref condition setting

* Revert change to resolved refs to be handled in future PR
2023-04-24 16:22:55 -04:00
Michael Wilkerson 001d540afc
Add sameness group field to prepared queries (#17089)
* added method for converting SamenessGroupConfigEntry
- added new method `ToQueryFailoverTargets` for converting a SamenessGroupConfigEntry's members to a list of QueryFailoverTargets
- renamed `ToFailoverTargets` ToServiceResolverFailoverTargets to distinguish it from `ToQueryFailoverTargets`

* Added SamenessGroup to PreparedQuery
- exposed Service.Partition to API when defining a prepared query
- added a method for determining if a QueryFailoverOptions is empty
- This will be useful for validation
- added unit tests

* added method for retrieving a SamenessGroup to state store

* added logic for using PQ with SamenessGroup
- added branching path for SamenessGroup handling in execute. It will be handled separate from the normal PQ case
- added a new interface so that the `GetSamenessGroupFailoverTargets` can be properly tested
- separated the execute logic into a `targetSelector` function so that it can be used for both failover and sameness group PQs
- split OSS only methods into new PQ OSS files
- added validation that `samenessGroup` is an enterprise only feature

* added documentation for PQ SamenessGroup
2023-04-24 13:21:28 -07:00
Dan Bond 9ce50aefbb
CI: remove uneeded AWS creds from test-integrations (#17104)
* Update test-integrations.yml

* removing permission lies now that vault is not used in this job.

---------

Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-04-24 11:34:53 -07:00
Anita Akaeze d4cacc7232
Merge pull request #5200 from hashicorp/NET-3758 (#17102)
* Merge pull request #5200 from hashicorp/NET-3758

NET-3758: connect: update supported envoy versions to 1.26.0

* lint
2023-04-24 18:23:24 +00:00
Derek Menteer a33b224a55
Fix virtual services being included in intention topology as downstreams. (#17099) 2023-04-24 12:03:26 -05:00
Semir Patel 46816071df
De-scope tenenacy requirements to OSS only for now. (#17087)
Partition and namespace must be "default"
Peername must be "local"
2023-04-24 08:14:51 -05:00
Paul Banks a011d8c944
Bump raft to 1.5.0 (#17081)
* Bump raft to 1.5.0

* Add CHANGELOG entry

* Add CHANGELOG entry with right extension (thanks VSCode)

* Add CHANGELOG entry with right extension (thanks VSCode)

* Go mod tidy
2023-04-21 20:13:55 +01:00
Kyle Havlovitz 6d01d07cf8
Include virtual services from discovery chain in intention topology (#16862) 2023-04-21 16:58:13 +00:00
Kyle Havlovitz d5277af70d
Add manual virtual IP support to state store (#16815) 2023-04-21 09:19:02 -07:00
John Murret b19359ce2b
ci: fix test splits that have less test packages than runner count from hanging (#17080)
* use proper TOTAL_RUNNER setting when generating runner matrix.  if matrix size is smaller than total_runners, use the smaller number

* try again

* try again 2

* try again 3

* try again 4

* try again 5

* try scenario where number is less

* reset

* get rid of cat "$GITHUB_OUTPUT"

* Apply suggestions from code review

Co-authored-by: Dan Bond <danbond@protonmail.com>

* removing push trigger that was added for debug

---------

Co-authored-by: Dan Bond <danbond@protonmail.com>
2023-04-21 10:01:32 -06:00
John Murret 9a893956cc
ci: fix test splits that have less test packages than runner count from hanging (#17080)
* use proper TOTAL_RUNNER setting when generating runner matrix.  if matrix size is smaller than total_runners, use the smaller number

* try again

* try again 2

* try again 3

* try again 4

* try again 5

* try scenario where number is less

* reset

* get rid of cat "$GITHUB_OUTPUT"

* Apply suggestions from code review

Co-authored-by: Dan Bond <danbond@protonmail.com>

* removing push trigger that was added for debug

---------

Co-authored-by: Dan Bond <danbond@protonmail.com>
2023-04-21 10:01:05 -06:00
Eric Haberkorn 53cdda8d17
Fix a bug with disco chain config entry fetching (#17078)
Before this change, we were not fetching service resolvers (and therefore
service defaults) configuration entries for services on members of sameness
groups.
2023-04-21 09:18:32 -04:00
R.B. Boyer 9db223f54b
fix the linter (#17077) 2023-04-20 17:49:08 -04:00
Anita Akaeze fece53c48e
NET-3648: Add script to get consul and envoy version (#17060) 2023-04-20 13:11:11 -04:00