consul

Commit Graph

Author	SHA1	Message	Date
Venu Yanamandra	efc813e92d	Update error message when restoring ENT snapshot in OSS (#15066 )	2 years ago
freddygv	d65e60de86	Return forbidden on permission denied This commit updates the establish endpoint to bubble up a 403 status code to callers when the establishment secret from the token is invalid. This is a signal that a new peering token must be generated.	2 years ago
Chris S. Kim	a7ea26192b	Update expected encoding in test go-memdb was updated in v1.3.3 to make integers in indexes sortable, which changed how integers were encoded.	2 years ago
freddygv	6d9be5fb15	Use plain TaggedAddressWAN	2 years ago
freddygv	8d211cc9cc	Add unit test	2 years ago
cskh	058ee4fb84	fix: wan address isn't used by peering token	2 years ago
Nitya Dhanushkodi	5e156772f6	Remove ability to specify external addresses in GenerateToken endpoint (#14930 ) * Reverts "update generate token endpoint to take external addresses (#13844)" This reverts commit `f47319b7c6`.	2 years ago
Kyle Havlovitz	5c3427608b	Merge pull request #15035 from hashicorp/vault-ttl-update-warn Warn instead of returning error when missing intermediate mount tune permissions	2 years ago
cskh	d562d363fc	peering: skip registering duplicate node and check from the peer (#14994 ) * peering: skip register duplicate node and check from the peer * Prebuilt the nodes map and checks map to avoid repeated for loop * use key type to struct: node id, service id, and check id	2 years ago
Chris S. Kim	29a297d3e9	Refactor client RPC timeouts (#14965 ) Fix an issue where rpc_hold_timeout was being used as the timeout for non-blocking queries. Users should be able to tune read timeouts without fiddling with rpc_hold_timeout. A new configuration `rpc_read_timeout` is created. Refactor some implementation from the original PR 11500 to remove the misleading linkage between RPCInfo's timeout (used to retry in case of certain modes of failures) and the client RPC timeouts.	2 years ago
Kyle Havlovitz	d122108992	Warn instead of returning an error when intermediate mount tune permission is missing	2 years ago
R.B. Boyer	0cca4c088d	test: possibly fix flake in TestIntentionGetExact (#15021 ) Restructure test setup to be similar to TestAgent_ServerCertificate and see if that's enough to avoid flaking after join.	2 years ago
R.B. Boyer	fe2d41ddad	cache: prevent goroutine leak in agent cache (#14908 ) There is a bug in the error handling code for the Agent cache subsystem discovered: 1. NotifyCallback calls notifyBlockingQuery which calls getWithIndex in a loop (which backs off on-error up to 1 minute) 2. getWithIndex calls fetch if there’s no valid entry in the cache 3. fetch starts a goroutine which calls Fetch on the cache-type, waits for a while (again with backoff up to 1 minute for errors) and then calls fetch to trigger a refresh The end result being that every 1 minute notifyBlockingQuery spawns an ancestry of goroutines that essentially lives forever. This PR ensures that the goroutine started by `fetch` cancels any prior goroutine spawned by the same line for the same key. In isolated testing where a cache type was tweaked to indefinitely error, this patch prevented goroutine counts from skyrocketing.	2 years ago
R.B. Boyer	02a858efa0	ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one (#15005 ) In practice this was masked by #14956 and was only uncovered fixing the other bug. go test ./agent -run TestAgentConnectCALeafCert_goodNotLocal would fail when only #14956 was fixed.	2 years ago
Chris S. Kim	3d2dffff16	Merge pull request #13388 from deblasis/feature/health-checks_windows_service Feature: Health checks windows service	2 years ago
Dan Upton	f8b4b41205	proxycfg: fix goroutine leak when service is re-registered (#14988 ) Fixes a bug where we'd leak a goroutine in state.run when the given context was canceled while there was a pending update.	2 years ago
Kyle Havlovitz	aaf892a383	Extend tcp keepalive settings to work for terminating gateways as well	2 years ago
Kyle Havlovitz	2c569f6b9c	Update docs and add tcp_keepalive_probes setting	2 years ago
Kyle Havlovitz	2242d1ec4a	Add TCP keepalive settings to proxy config for mesh gateways	2 years ago
Derek Menteer	2a33d0ff96	Fix issue with incorrect method signature on test.	2 years ago
Freddy	24d0c8801a	Merge pull request #14981 from hashicorp/peering/dial-through-gateways	2 years ago
Dan Upton	328e3ff563	proxycfg: rate-limit delivery of config snapshots (#14960 ) Adds a user-configurable rate limiter to proxycfg snapshot delivery, with a default limit of 250 updates per second. This addresses a problem observed in our load testing of Consul Dataplane where updating a "global" resource such as a wildcard intention or the proxy-defaults config entry could starve the Raft or Memberlist goroutines of CPU time, causing general cluster instability.	2 years ago
Derek Menteer	29ebcf5ff0	Add tests for peering state snapshots / restores.	2 years ago
Derek Menteer	e3ff9912d0	Add test for ExportedServicesForAllPeersByName	2 years ago
Dan Upton	e6b55d1d81	perf: remove expensive reflection from xDS hot path (#14934 ) Replaces the reflection-based implementation of proxycfg's ConfigSnapshot.Clone with code generated by deep-copy. While load testing server-based xDS (for consul-dataplane) we discovered this method is extremely expensive. The ConfigSnapshot struct, directly or indirectly, contains a copy of many of the structs in the agent/structs package, which creates a large graph for copystructure.Copy to traverse at runtime, on every proxy reconfiguration.	2 years ago
freddygv	c77123a2aa	Use split var in tests	2 years ago
freddygv	bf51021c07	Use split wildcard partition name This way OSS avoids passing a non-empty label, which will be rejected in OSS consul.	2 years ago
Freddy	ee4cdc4985	Merge pull request #14935 from hashicorp/fix/alias-leak	2 years ago
freddygv	573aa408a1	Lint	2 years ago
Derek Menteer	0f424e3cdf	Reset wait on ensureServerAddrSubscription	2 years ago
freddygv	96fdd3728a	Fix CA init error code	2 years ago
freddygv	2c99a21596	Update leader routine to maybe use gateways	2 years ago
freddygv	e69bc727ec	Update peering establishment to maybe use gateways When peering through mesh gateways we expect outbound dials to peer servers to flow through the local mesh gateway addresses. Now when establishing a peering we get a list of dial addresses as a ring buffer that includes local mesh gateway addresses if the local DC is configured to peer through mesh gateways. The ring buffer includes the mesh gateway addresses first, but also includes the remote server addresses as a fallback. This fallback is present because it's possible that direct egress from the servers may be allowed. If not allowed then the leader will cycle back to a mesh gateway address through the ring. When attempting to dial the remote servers we retry up to a fixed timeout. If using mesh gateways we also have an initial wait in order to allow for the mesh gateways to configure themselves. Note that if we encounter a permission denied error we do not retry since that error indicates that the secret in the peering token is invalid.	2 years ago
malizz	b0b0cbb8ee	increase protobuf size limit for cluster peering (#14976 )	2 years ago
Derek Menteer	4e140c98bc	Address PR comments.	2 years ago
Derek Menteer	1e394da400	Disallow peering to the same cluster.	2 years ago
Derek Menteer	8742fbe14f	Prevent consul peer-exports by discovery chain.	2 years ago
Derek Menteer	f366edcb8d	Prevent the "consul" service from being exported.	2 years ago
Derek Menteer	caa1396255	Add remote peer partition and datacenter info.	2 years ago
Dan Upton	cbb4a030c4	xds: properly merge central config for "agentless" services (#14962 )	2 years ago
Dan Upton	0af9f16343	bug: fix goroutine leaks caused by incorrect usage of `WatchCh` (#14916 ) memdb's `WatchCh` method creates a goroutine that will publish to the returned channel when the watchset is triggered or the given context is canceled. Although this is called out in its godoc comment, it's not obvious that this method creates a goroutine who's lifecycle you need to manage. In the xDS capacity controller, we were calling `WatchCh` on each iteration of the control loop, meaning the number of goroutines would grow on each autopilot event until there was catalog churn. In the catalog config source, we were calling `WatchCh` with the background context, meaning that the goroutine would keep running after the sync loop had terminated.	2 years ago
Hans Hasselberg	0d5935ab83	adding configuration option cloud.scada_address (#14936 ) * adding scada_address * config tests * add changelog entry	2 years ago
Paul Glass	bcda205f88	Add consul.xds.server.streamStart metric (#14957 ) This adds a new consul.xds.server.streamStart metric to measure the time taken to first generate xDS resources after an xDS stream is opened.	2 years ago
Riddhi Shah	345191a0df	Service http checks data source for agentless proxies (#14924 ) Adds another datasource for proxycfg.HTTPChecks, for use on server agents. Typically these checks are performed by local client agents and there is no equivalent of this in agentless (where servers configure consul-dataplane proxies). Hence, the data source is mostly a no-op on servers but in the case where the service is present within the local state, it delegates to the cache data source.	2 years ago
Freddy	9ca8bb8ec4	Merge pull request #14958 from hashicorp/peering/nonce	2 years ago
freddygv	1b46b35041	Actually track nonce in test	2 years ago
Derek Menteer	f330438a45	Fix incorrect backoff-wait logic.	2 years ago
freddygv	7f9a5d0f58	Add basic nonce management This commit adds a monotonically increasing nonce to include in peering replication response messages. Every ack/nack from the peer handling a response will include this nonce, allowing to correlate the ack/nack with a specific resource. At the moment nothing is done with the nonce when it is received. In the future we may want to add functionality such as retries on NACKs, depending on the class of error.	2 years ago
Paul Glass	d17af23641	gRPC server metrics (#14922 ) * Move stats.go from grpc-internal to grpc-middleware * Update grpc server metrics with server type label * Add stats test to grpc-external * Remove global metrics instance from grpc server tests	2 years ago
cskh	e0356e1502	fix(peering): add missing grpc_tls_port for server address reconciliation (#14944 )	2 years ago
freddygv	f4cc4577ca	Fix alias check leak Preivously when alias check was removed it would not be stopped nor cleaned up from the associated aliasChecks map. This means that any time an alias check was deregistered we would leak a goroutine for CheckAlias.run() because the stopCh would never be closed. This issue mostly affects service mesh deployments on platforms where the client agent is mostly static but proxy services come and go regularly, since by default sidecars are registered with an alias check.	2 years ago
James Oulman	b8bd7a3058	Configure Envoy alpn_protocols based on service protocol (#14356 ) * Configure Envoy alpn_protocols based on service protocol * define alpnProtocols in a more standard way * http2 protocol should be h2 only * formatting * add test for getAlpnProtocol() * create changelog entry * change scope is connect-proxy * ignore errors on ParseProxyConfig; fixes linter * add tests for grpc and http2 public listeners * remove newlines from PR * Add alpn_protocol configuration for ingress gateway * Guard against nil tlsContext * add ingress gateway w/ TLS tests for gRPC and HTTP2 * getAlpnProtocols: add TCP protocol test * add tests for ingress gateway with grpc/http2 and per-listener TLS config * add tests for ingress gateway with grpc/http2 and per-listener TLS config * add Gateway level TLS config with mixed protocol listeners to validate ALPN * update changelog to include ingress-gateway * add http/1.1 to http2 ALPN * go fmt * fix test on custom-trace-listener	2 years ago
freddygv	bf72df7b0e	Fixup test	2 years ago
Chris S. Kim	4f4112662e	Fix nil pointer	2 years ago
Chris S. Kim	b0a4c5c563	Include stream-related information in peering endpoints	2 years ago
Paul Glass	c0c187f1c5	Merge central config for GetEnvoyBootstrapParams (#14869 ) This fixes GetEnvoyBootstrapParams to merge in proxy-defaults and service-defaults. Co-authored-by: Dan Upton <daniel@floppy.co>	2 years ago
Freddy	4abad02abd	Merge pull request #14796 from hashicorp/peering/use-connect-ca	2 years ago
freddygv	7d4da6eb22	Fixup test	2 years ago
freddygv	3034df6a5c	Require Connect and TLS to generate peering tokens By requiring Connect and a gRPC TLS listener we can automatically configure TLS for all peering control-plane traffic.	2 years ago
freddygv	fac3ddc857	Use internal server certificate for peering TLS A previous commit introduced an internally-managed server certificate to use for peering-related purposes. Now the peering token has been updated to match that behavior: - The server name matches the structure of the server cert - The CA PEMs correspond to the Connect CA Note that if Conect is disabled, and by extension the Connect CA, we fall back to the previous behavior of returning the manually configured certs and local server SNI. Several tests were updated to use the gRPC TLS port since they enable Connect by default. This means that the peering token will embed the Connect CA, and the dialer will expect a TLS listener.	2 years ago
freddygv	5f97223822	Simplify mgw watch mgmt	2 years ago
freddygv	d54db25421	Use existing query options to build ctx	2 years ago
DanStough	77ab28c5c7	feat: xDS updates for peerings control plane through mesh gw	2 years ago
Eric Haberkorn	1633cf20ea	Make the mesh gateway changes to allow `local` mode for cluster peering data plane traffic (#14817 ) Make the mesh gateway changes to allow `local` mode for cluster peering data plane traffic	2 years ago
cskh	c1b5f34fb7	fix: missing UDP field in checkType (#14885 ) * fix: missing UDP field in checkType * Add changelog * Update doc	2 years ago
Derek Menteer	a279d2d329	Fix explicit tproxy listeners with discovery chains. (#14751 ) Fix explicit tproxy listeners with discovery chains.	2 years ago
Alex Oskotsky	13da2c5fad	Add the ability to retry on reset connection to service-routers (#12890 )	2 years ago
John Murret	79a541fd7d	Upgrade serf to v0.10.1 and memberlist to v0.5.0 to get memberlist size metrics and broadcast queue depth metric (#14873 ) * updating to serf v0.10.1 and memberlist v0.5.0 to get memberlist size metrics and memberlist broadcast queue depth metric * update changelog * update changelog * correcting changelog * adding "QueueCheckInterval" for memberlist to test * updating integration test containers to grab latest api	2 years ago
Evan Culver	a3be5a5a82	connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 (#14831 )	2 years ago
Eric Haberkorn	1b565444be	Rename `PeerName` to `Peer` on prepared queries and exported services (#14854 )	2 years ago
Freddy	d9fe3578ac	Merge pull request #14734 from hashicorp/NET-643-update-mesh-gateway-envoy-config-for-inbound-peering-control-plane-traffic	2 years ago
freddygv	b15d41534f	Update xds generation for peering over mesh gws This commit adds the xDS resources needed for INBOUND traffic from peer clusters: - 1 filter chain for all inbound peering requests. - 1 cluster for all inbound peering requests. - 1 endpoint per voting server with the gRPC TLS port configured. There is one filter chain and cluster because unlike with WAN federation, peer clusters will not attempt to dial individual servers. Peer clusters will only dial the local mesh gateway addresses.	2 years ago
freddygv	a8c4d6bc55	Share mgw addrs in peering stream if needed This commit adds handling so that the replication stream considers whether the user intends to peer through mesh gateways. The subscription will return server or mesh gateway addresses depending on the mesh configuration setting. These watches can be updated at runtime by modifying the mesh config entry.	2 years ago
freddygv	4ff9d475b0	Return mesh gateway addrs if peering through mgw	2 years ago
chappie	ad7295e5d9	Merge pull request #14811 from hashicorp/chappie/dns Add DNS gRPC proxying support	2 years ago
Chris Chapman	d7b5351b66	Making suggested comments	2 years ago
Chris Chapman	46bea72212	Making suggested changes	2 years ago
Chris Chapman	a05563b788	Update comment	2 years ago
DanStough	7f8971d77f	chore: fix flakey scada provider test	2 years ago
Chris Chapman	81e267171b	Bind a dns mux handler to gRPC proxy	2 years ago
Chris Chapman	7bc9cad180	Adding grpc handler for dns proxy	2 years ago
Eric Haberkorn	80e51ff907	Add exported services event to cluster peering replication. (#14797 )	2 years ago
Ashwin Venkatesh	4ba260958c	bug: watch local mesh gateways in non-default partitions with agentless (#14799 )	2 years ago
cskh	69f40df548	feat(ingress gateway: support configuring limits in ingress-gateway c… (#14749 ) * feat(ingress gateway: support configuring limits in ingress-gateway config entry - a new Defaults field with max_connections, max_pending_connections, max_requests is added to ingress gateway config entry - new field max_connections, max_pending_connections, max_requests in individual services to overwrite the value in Default - added unit test and integration test - updated doc Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Dan Stough <dan.stough@hashicorp.com>	2 years ago
malizz	84b0f408fa	Support Stale Queries for Trust Bundle Lookups (#14724 ) * initial commit * add tags, add conversations * add test for query options utility functions * update previous tests * fix test * don't error out on empty context * add changelog * update decode config	2 years ago
Eric Haberkorn	6570d5f004	Enable outbound peered requests to go through local mesh gateway (#14763 )	2 years ago
Nick Ethier	1c1b0994b8	add HCP integration component (#14723 ) * add HCP integration * lint: use non-deprecated logging interface	2 years ago
Derek Menteer	aa4709ab74	Add envoy connection balancing. (#14616 ) Add envoy connection balancing config.	2 years ago
Chris S. Kim	2203cdc4db	Add new internal endpoint to list exported services to a peer	2 years ago
freddygv	d818d7b096	Manage local server watches depending on mesh cfg Routing peering control plane traffic through mesh gateways can be enabled or disabled at runtime with the mesh config entry. This commit updates proxycfg to add or cancel watches for local servers depending on this central config. Note that WAN federation over mesh gateways is determined by a service metadata flag, and any updates to the gateway service registration will force the creation of a new snapshot. If enabled, WAN-fed over mesh gateways will trigger a local server watch on initialize(). Because of this we will only add/remove server watches if WAN federation over mesh gateways is disabled.	2 years ago
Alessandro De Blasis	461b42ed48	fix(check): added missing OSService props	2 years ago
Alessandro De Blasis	5719fd6560	fix(checks): os_service OK message in output	2 years ago
Alessandro De Blasis	f440966a38	fix(checks): os_service lifecycle bugfix	2 years ago
Alessandro De Blasis	fc0dd92dcf	fix(agent): uninitialized map panic error	2 years ago
malizz	1a0aa38a82	increase the size of txn to support vault (#14599 ) * increase the size of txn to support vault * add test, revert change to acl endpoint * add changelog * update test, add passing test case * Update .changelog/14599.txt Co-authored-by: Freddy <freddygv@users.noreply.github.com> Co-authored-by: Freddy <freddygv@users.noreply.github.com>	2 years ago
freddygv	5fbb26525b	Add awareness of server mode to TLS configurator Preivously the TLS configurator would default to presenting auto TLS certificates as client certificates. Server agents should not have this behavior and should instead present the manually configured certs. The autoTLS certs for servers are exclusively used for peering and should not be used as the default for outbound communication.	2 years ago
freddygv	f30bc96239	Test fixes - Pulls in CLI test fix from main - Updates psutils to fix TestAgent_Host on M1 Mac	2 years ago
freddygv	02d3ce1039	Add server certificate manager This certificate manager will request a leaf certificate for server agents and then keep them up to date.	2 years ago
freddygv	0e5131bd33	Generate ACL token for server management This commit introduces a new ACL token used for internal server management purposes. It has a few key properties: - It has unlimited permissions. - It is persisted through Raft as System Metadata rather than in the ACL tokens table. This is to avoid users seeing or modifying it. - It is re-generated on leadership establishment.	2 years ago
freddygv	0ea3353537	Add handling in agent cache for server leaf certs	2 years ago
Kyle Havlovitz	0d9ae52643	Merge pull request #14598 from hashicorp/root-removal-fix connect/ca: Don't discard old roots on primaryInitialize	2 years ago
Kyle Havlovitz	6105a7fd9f	connect/ca: don't discard old roots on primaryInitialize	2 years ago
Gabriel Santos	e53af28bd7	Middleware: `RequestRecorder` reports calls below 1ms as decimal value (#12905 ) * Typos * Test failing * Convert values <1ms to decimal * Fix test * Update docs and test error msg * Applied suggested changes to test case * Changelog file and suggested changes * Update .changelog/12905.txt Co-authored-by: Chris S. Kim <kisunji92@gmail.com> * suggested change - start duration with microseconds instead of nanoseconds * fix error * suggested change - floats Co-authored-by: alex <8968914+acpana@users.noreply.github.com> Co-authored-by: Chris S. Kim <kisunji92@gmail.com>	2 years ago
Daniel Graña	8c98172f53	[BUGFIX] Do not use interval as timeout (#14619 ) Do not use interval as timeout	2 years ago
Evan Culver	d0416f593c	connect: Bump latest Envoy to 1.23.1 in test matrix (#14573 )	2 years ago
DanStough	485e1b5d4e	fix(peering): generate token metrics only for leader	2 years ago
DanStough	2a2debee64	feat(peering): validate server name conflicts on establish	2 years ago
Kyle Havlovitz	60cee76746	Merge pull request #14516 from hashicorp/ca-ttl-fixes Fix inconsistent TTL behavior in CA providers	2 years ago
Kyle Havlovitz	d67bccd210	Update intermediate pki mount/role when reconfiguring Vault provider	2 years ago
Kyle Havlovitz	f46955101a	connect/ca: Clarify behavior around IntermediateCertTTL in CA config	2 years ago
DanStough	0150e88200	feat: add PeerThroughMeshGateways to mesh config	2 years ago
Derek Menteer	0aa13733a0	Add CSR check for number of URIs. (#14579 ) Add CSR check for number of URIs.	2 years ago
Derek Menteer	db83ff4fa6	Add input validation for auto-config JWT authorization checks.	2 years ago
cskh	f22685b969	Config-entry: Support proxy config in service-defaults (#14395 ) * Config-entry: Support proxy config in service-defaults * Update website/content/docs/connect/config-entries/service-defaults.mdx Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>	2 years ago
Eric Haberkorn	aa8268e50c	Implement Cluster Peering Redirects (#14445 ) implement cluster peering redirects	2 years ago
skpratt	b761589340	add non-double-prefixed metrics (#14193 )	2 years ago
skpratt	19f79aa9a6	PR #14057 follow up fix: service id parsing from sidecar id (#14541 ) * fix service id parsing from sidecar id * simplify suffix trimming	2 years ago
Dan Upton	1c2c975b0b	xDS Load Balancing (#14397 ) Prior to #13244, connect proxies and gateways could only be configured by an xDS session served by the local client agent. In an upcoming release, it will be possible to deploy a Consul service mesh without client agents. In this model, xDS sessions will be handled by the servers themselves, which necessitates load-balancing to prevent a single server from receiving a disproportionate amount of load and becoming overwhelmed. This introduces a simple form of load-balancing where Consul will attempt to achieve an even spread of load (xDS sessions) between all healthy servers. It does so by implementing a concurrent session limiter (limiter.SessionLimiter) and adjusting the limit according to autopilot state and proxy service registrations in the catalog. If a server is already over capacity (i.e. the session limit is lowered), Consul will begin draining sessions to rebalance the load. This will result in the client receiving a `RESOURCE_EXHAUSTED` status code. It is the client's responsibility to observe this response and reconnect to a different server. Users of the gRPC client connection brokered by the consul-server-connection-manager library will get this for free. The rate at which Consul will drain sessions to rebalance load is scaled dynamically based on the number of proxies in the catalog.	2 years ago
Derek Menteer	f7c884f0af	Merge branch 'main' of github.com:hashicorp/consul into derekm/split-grpc-ports	2 years ago
Derek Menteer	bfe7c5e8af	Remove rebuilding grpc server.	2 years ago
Derek Menteer	80d31458e5	Various cleanups.	2 years ago
Chris S. Kim	03df6c3ac6	Reuse http.DefaultTransport in UIMetricsProxy (#14521 ) http.Transport keeps a pool of connections and should be reused when possible. We instantiate a new http.DefaultTransport for every metrics request, making large numbers of concurrent requests inefficiently spin up new connections instead of reusing open ones.	2 years ago
Chris S. Kim	1c4a6eef4f	Merge pull request #14285 from hashicorp/NET-638-push-server-address-updates-to-the-peer peering: Subscribe to server address changes and push updates to peers	2 years ago
skpratt	3bf1edfb3f	move port and default check logic to locked step (#14057 )	2 years ago
Freddy	f4dfd42e0a	Add SpiffeID for Consul server agents (#14485 ) Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com> By adding a SpiffeID for server agents, servers can now request a leaf certificate from the Connect CA. This new Spiffe ID has a key property: servers are identified by their datacenter name and trust domain. All servers that share these attributes will share a ServerURI. The aim is to use these certificates to verify the server name of ANY server in a Consul datacenter.	2 years ago
Daniel Upton	8c46e48e0d	proxycfg-glue: server-local implementation of IntentionUpstreamsDestination This is the OSS portion of enterprise PR 2463. Generalises the serverIntentionUpstreams type to support matching on a service or destination.	2 years ago
Daniel Upton	f8dba7e9ac	proxycfg-glue: server-local implementation of InternalServiceDump This is the OSS portion of enterprise PR 2489. This PR introduces a server-local implementation of the proxycfg.InternalServiceDump interface that sources data from a blocking query against the server's state store. For simplicity, it only implements the subset of the Internal.ServiceDump RPC handler actually used by proxycfg - as such the result type has been changed to IndexedCheckServiceNodes to avoid confusion.	2 years ago
Daniel Upton	a31738f76f	proxycfg-glue: server-local implementation of ResolvedServiceConfig This is the OSS portion of enterprise PR 2460. Introduces a server-local implementation of the proxycfg.ResolvedServiceConfig interface that sources data from a blocking query against the server's state store. It moves the service config resolution logic into the agent/configentry package so that it can be used in both the RPC handler and data source. I've also done a little re-arranging and adding comments to call out data sources for which there is to be no server-local equivalent.	2 years ago
Derek Menteer	bf769daae4	Merge branch 'main' of github.com:hashicorp/consul into derekm/split-grpc-ports	2 years ago
Derek Menteer	02ae66bda8	Add kv txn get-not-exists operation.	2 years ago
Chris S. Kim	953808e899	PR feedback on terminated state checking	2 years ago
Chris S. Kim	ddb9375cb6	Add testcase for parsing grpc_port	2 years ago
Kyle Havlovitz	d97ccccdd5	Merge pull request #14429 from hashicorp/ca-prune-intermediates Prune old expired intermediate certs when appending a new one	2 years ago
cskh	0f7d4efac3	fix(txn api): missing proxy config in registering proxy service (#14471 ) * fix(txn api): missing proxy config in registering proxy service	2 years ago
Chris S. Kim	ec36755cc0	Properly assert for ServerAddresses replication request	2 years ago
Chris S. Kim	d1d9dbff8e	Fix terminate not returning early	2 years ago
Derek Menteer	f64771c707	Address PR comments.	2 years ago
Kyle Havlovitz	0c2fb7252d	Prune intermediates before appending new one	2 years ago
Luke Kysow	81d7cc41dc	Use proxy address for default check (#14433 ) When a sidecar proxy is registered, a check is automatically added. Previously, the address this check used was the underlying service's address instead of the proxy's address, even though the check is testing if the proxy is up. This worked in most cases because the proxy ran on the same IP as the underlying service but it's not guaranteed and so the proper default address should be the proxy's address.	2 years ago
malizz	f1054dada9	fix TestProxyConfigEntry (#14435 )	2 years ago
malizz	b3ac8f48ca	Add additional parameters to envoy passive health check config (#14238 ) * draft commit * add changelog, update test * remove extra param * fix test * update type to account for nil value * add test for custom passive health check * update comments and tests * update description in docs * fix missing commas	2 years ago
Chris S. Kim	f2b147e575	Add Internal.ServiceDump support for querying by PeerName	2 years ago
Chris S. Kim	e62f830fa8	Merge pull request #13998 from jorgemarey/f-new-tracing-envoy Add new envoy tracing configuration	2 years ago
Derek Menteer	cf7f24a6ec	Change serf-tag references to field references.	2 years ago
malizz	a80e0bcd00	validate args before deleting proxy defaults (#14290 ) * validate args before deleting proxy defaults * add changelog * validate name when normalizing proxy defaults * add test for proxyConfigEntry * add comments	2 years ago
Kyle Havlovitz	113454645d	Prune old expired intermediate certs when appending a new one	2 years ago
Alessandro De Blasis	60c7c831c6	Merge remote-tracking branch 'hashicorp/main' into feature/health-checks_windows_service	2 years ago
Eric Haberkorn	3726a0ab7a	Finish up cluster peering failover (#14396 )	2 years ago
Chris S. Kim	560d410c6d	Merge branch 'main' into NET-638-push-server-address-updates-to-the-peer # Conflicts: # agent/grpc-external/services/peerstream/stream_test.go	2 years ago
Jorge Marey	3f3bb8831e	Fix typos. Add test. Add documentation	2 years ago
Jorge Marey	ed7b34128f	Add new tracing configuration	2 years ago
Freddy	97d1db759f	Merge pull request #13496 from maxb/fix-kv_entries-metric	2 years ago
Freddy	829a2a8722	Merge pull request #14364 from hashicorp/peering/term-delete	2 years ago
Max Bowsher	decc9231ee	Merge branch 'main' into fix-kv_entries-metric	2 years ago
Chris S. Kim	5010fa5c03	Merge pull request #14371 from hashicorp/kisunji/peering-metrics-update Adjust metrics reporting for peering tracker	2 years ago
Chris S. Kim	74ddf040dd	Add heartbeat timeout grace period when accounting for peering health	2 years ago
Derek Menteer	0ceec9017b	Expose `grpc_tls` via serf for cluster peering.	2 years ago
Derek Menteer	1255a8a20d	Add separate grpc_tls port. To ease the transition for users, the original gRPC port can still operate in a deprecated mode as either plain-text or TLS mode. This behavior should be removed in a future release whenever we no longer support this. The resulting behavior from this commit is: `ports.grpc > 0 && ports.grpc_tls > 0` spawns both plain-text and tls ports. `ports.grpc > 0 && grpc.tls == undefined` spawns a single plain-text port. `ports.grpc > 0 && grpc.tls != undefined` spawns a single tls port (backwards compat mode).	2 years ago
freddygv	310608fb19	Add validation to prevent switching dialing mode This prevents unexpected changes to the output of ShouldDial, which should never change unless a peering is deleted and recreated.	2 years ago
Eric Haberkorn	72f90754ae	Update max_ejection_percent on outlier detection for peered clusters to 100% (#14373 ) We can't trust health checks on peered services when service resolvers, splitters and routers are used.	2 years ago
Alessandro De Blasis	26cc56bc68	fix(agent): removed redundant code in docker check as well	2 years ago
Alessandro De Blasis	c0d647d11e	fix(agent): removed redundant check on prev. running check	2 years ago
Chris S. Kim	def529edd3	Rename test	2 years ago
Chris S. Kim	93271f649c	Fix test	2 years ago
Eric Haberkorn	1099665473	Update the structs and discovery chain for service resolver redirects to cluster peers. (#14366 )	2 years ago
Alessandro De Blasis	f3437eaf05	Merge remote-tracking branch 'hashicorp/main' into feature/health-checks_windows_service Signed-off-by: Alessandro De Blasis <alex@deblasis.net>	2 years ago
Alessandro De Blasis	f634e36811	fix(OSServiceCheck): fixes following code-review	2 years ago
Chris S. Kim	4d97e2f936	Adjust metrics reporting for peering tracker	2 years ago
freddygv	650e48624d	Allow terminated peerings to be deleted Peerings are terminated when a peer decides to delete the peering from their end. Deleting a peering sends a termination message to the peer and triggers them to mark the peering as terminated but does NOT delete the peering itself. This is to prevent peerings from disappearing from both sides just because one side deleted them. Previously the Delete endpoint was skipping the deletion if the peering was not marked as active. However, terminated peerings are also inactive. This PR makes some updates so that peerings marked as terminated can be deleted by users.	2 years ago
Chris S. Kim	937a8ec742	Fix casing	2 years ago
Chris S. Kim	87962b9713	Merge branch 'main' into catalog-service-list-filter	2 years ago
Chris S. Kim	e2fe8b8d65	Fix tests for enterprise	2 years ago
Chris S. Kim	1c43a1a7b4	Merge branch 'main' into NET-638-push-server-address-updates-to-the-peer # Conflicts: # agent/grpc-external/services/peerstream/stream_test.go	2 years ago
Chris S. Kim	6ddcc04613	Replace ring buffer with async version (#14314 ) We need to watch for changes to peerings and update the server addresses which get served by the ring buffer. Also, if there is an active connection for a peer, we are getting up-to-date server addresses from the replication stream and can safely ignore the token's addresses which may be stale.	2 years ago
alex	30ff2e9a35	peering: add peer health metric (#14004 ) Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>	2 years ago
Chris S. Kim	181063cd23	Exit loop when context is cancelled	2 years ago
cskh	41aea65214	Fix: the inboundconnection limit filter should be placed in front of http co… (#14325 ) * fix: the inboundconnection limit should be placed in front of http connection manager Co-authored-by: Freddy <freddygv@users.noreply.github.com>	2 years ago
Chris S. Kim	8c94d1a80c	Update test comment	2 years ago
Chris S. Kim	5f2959329f	Add check for zero-length server addresses	2 years ago
skpratt	919da33331	no-op: refactor usagemetrics tests for clarity and DRY cases (#14313 )	2 years ago
Pablo Ruiz García	1f293e5244	Added new auto_encrypt.grpc_server_tls config option to control AutoTLS enabling of GRPC Server's TLS usage Fix for #14253 Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>	2 years ago
Dan Upton	3b993f2da7	dataplane: update envoy bootstrap params for consul-dataplane (#14017 ) Contains 2 changes to the GetEnvoyBootstrapParams response to support consul-dataplane. Exposing node_name and node_id: consul-dataplane will support providing either the node_id or node_name in its configuration. Unfortunately, supporting both in the xDS meta adds a fair amount of complexity (partly because most tables are currently indexed on node_name) so for now we're going to return them both from the bootstrap params endpoint, allowing consul-dataplane to exchange a node_id for a node_name (which it will supply in the xDS meta). Properly setting service for gateways: To avoid the need to special case gateways in consul-dataplane, service will now either be the destination service name for connect proxies, or the gateway service name. This means it can be used as-is in Envoy configuration (i.e. as a cluster name or in metric tags).	2 years ago
Daniel Upton	13c04a13af	proxycfg: terminate stream on irrecoverable errors This is the OSS portion of enterprise PR 2339. It improves our handling of "irrecoverable" errors in proxycfg data sources. The canonical example of this is what happens when the ACL token presented by Envoy is deleted/revoked. Previously, the stream would get "stuck" until the xDS server re-checked the token (after 5 minutes) and terminated the stream. Materializers would also sit burning resources retrying something that could never succeed. Now, it is possible for data sources to mark errors as "terminal" which causes the xDS stream to be closed immediately. Similarly, the submatview.Store will evict materializers when it observes they have encountered such an error.	2 years ago
Chris S. Kim	81e965479b	PR feedback to specify Node name in test mock	2 years ago
Eric Haberkorn	58901ad7df	Cluster peering failover disco chain changes (#14296 )	2 years ago
Chris S. Kim	cdc8b0634d	Fix flakes	2 years ago
Chris S. Kim	03e92826aa	Increase heartbeat rate to reduce test flakes	2 years ago
Chris S. Kim	06ba9775ee	Remove check for ResponseNonce	2 years ago
Chris S. Kim	547fb9570e	Add missing mock assertions	2 years ago
Chris S. Kim	adff2eef16	Fix data race newMockSnapshotHandler has an assertion on t.Cleanup which gets called before the event publisher is cancelled. This commit reorders the context.WithCancel so it properly gets cancelled before the assertion is made.	2 years ago
cskh	060531a29a	Fix: add missing ent meta for test (#14289 )	2 years ago
Chris S. Kim	4e40e1d222	Handle server addresses update as client	2 years ago
Chris S. Kim	584d3409c4	Send server addresses on update from server	2 years ago
Chris S. Kim	c9d8ad3939	Add new subscription for server addresses	2 years ago
Chris S. Kim	028b87d51f	Cleanup unused logger	2 years ago
Chris S. Kim	df951bd601	Expose external gRPC port in autopilot The grpc_port was added to a NodeService's meta in `ea58f235f5`	2 years ago
cskh	527ebd068a	fix: missing MaxInboundConnections field in service-defaults config entry (#14072 ) * fix: missing max_inbound_connections field in merge config	2 years ago
cskh	e84e4b8868	Fix: upgrade pkg imdario/merg to prevent merge config panic (#14237 ) * upgrade imdario/merg to prevent merge config panic * test: service definition takes precedence over service-defaults in merged results	2 years ago
James Hartig	f92883bbce	Use the maximum jitter when calculating the timeout The timeout should include the maximum possible jitter since the server will randomly add to it's timeout a jitter. If the server's timeout is less than the client's timeout then the client will return an i/o deadline reached error. Before: ``` time curl 'http://localhost:8500/v1/catalog/service/service?dc=other-dc&stale=&wait=600s&index=15820644' rpc error making call: i/o deadline reached real 10m11.469s user 0m0.018s sys 0m0.023s ``` After: ``` time curl 'http://localhost:8500/v1/catalog/service/service?dc=other-dc&stale=&wait=600s&index=15820644' [...] real 10m35.835s user 0m0.021s sys 0m0.021s ```	2 years ago
Eric Haberkorn	1a73b0ca20	Add `Targets` field to service resolver failovers. (#14162 ) This field will be used for cluster peering failover.	2 years ago

... 2 3 4 5 6 ...

4864 Commits (b4151780d6615330da98c94ad6671043cf4116ef)