Commit Graph

3195 Commits (be3a7cf7452313ae3c67668143f40a4d3b9493af)

Author SHA1 Message Date
Daniel Nephin accc5db292 Merge pull request #8812 from jjshanks/GH-8728
GH-8728 add raft default values
2021-05-18 19:33:09 +00:00
R.B. Boyer 4025a6349a xds: emit a labeled gauge of connected xDS streams by version (#10243)
Fixes #10099
2021-05-14 19:00:15 +00:00
R.B. Boyer e83dc4375d server: ensure that central service config flattening properly resets the state each time (#10239)
The prior solution to call reply.Reset() aged poorly since newer fields
were added to the reply, but not added to Reset() leading serial
blocking query loops on the server to blend replies.

This could manifest as a service-defaults protocol change from
default=>http not reverting back to default after the config entry
reponsible was deleted.
2021-05-14 15:22:16 +00:00
R.B. Boyer 54f5b96a5b agent: ensure we hash the non-deprecated upstream fields on ServiceConfigRequest (#10240) 2021-05-14 15:16:27 +00:00
Iryna Shustava 47d8f050d2 Save exposed ports in agent's store and expose them via API (#10173)
* Save exposed HTTP or GRPC ports to the agent's store
* Add those the health checks API so we can retrieve them from the API
* Change redirect-traffic command to also exclude those ports from inbound traffic redirection when expose.checks is set to true.
2021-05-12 20:56:15 +00:00
Daniel Nephin 50b66ebb63 Merge pull request #10217 from hashicorp/dnephin/test-flakes
testing: attempt to fix some test flakes
2021-05-12 19:39:07 +00:00
R.B. Boyer 88a8656e13 connect: update supported envoy versions to 1.18.3, 1.17.3, 1.16.4, and 1.15.5 (#10231) 2021-05-12 19:06:43 +00:00
Daniel Nephin ac0697ac48 Merge pull request #10188 from hashicorp/dnephin/dont-persist-agent-tokens
agent/local: do not persist the agent or user token
2021-05-10 19:58:59 +00:00
Daniel Nephin 2b5b54bd37 Merge pull request #10075 from hashicorp/dnephin/handle-raft-apply-errors
rpc: some cleanup of canRetry and ForwardRPC
2021-05-06 21:00:35 +00:00
Freddy 32e013c834 Merge pull request #10187 from hashicorp/fixup/ent-tproxy-test 2021-05-06 20:48:25 +00:00
Daniel Nephin 862d9b9d43 Merge pull request #10047 from hashicorp/dnephin/config-entry-validate
state: reduce arguments to validateProposedConfigEntryInServiceGraph
2021-05-06 18:11:52 +00:00
Daniel Nephin dd6257e17c Merge pull request #10189 from hashicorp/dnephin/http-api-health-query-meta
http: set consistency header properly for health endpoint
2021-05-06 18:10:12 +00:00
hc-github-team-consul-core acc171aa38
update bindata_assetfs.go 2021-05-05 23:41:12 +00:00
Mark Anderson 0a6d439dbb Merge pull request #10185 from hashicorp/ma/uds_fixups
Fixup UDS failing tests.
2021-05-05 16:17:32 -04:00
Mark Anderson 42ff449d4f Merge pull request #9981 from hashicorp/ma/uds_upstreams
Unix Domain Socket support for upstreams and downstreams
2021-05-05 16:17:32 -04:00
Daniel Nephin c1d1be2a4b Merge pull request #10155 from hashicorp/dnephin/config-entry-remove-fields
config-entry: remove Kind and Name field from Mesh config entry
2021-05-04 21:28:26 +00:00
Daniel Nephin a583415bed Merge pull request #10161 from hashicorp/dnephin/update-deps
Update a couple dependencies
2021-05-04 18:32:22 +00:00
Freddy 2d633ed804 Fixup discovery chain handling in transparent mode (#10168)
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

Previously we would associate the address of a discovery chain target
with the discovery chain's filter chain. This was broken for a few reasons:

- If the upstream is a virtual service, the client proxy has no way of
dialing it because virtual services are not targets of their discovery
chains. The targets are distinct services. This is addressed by watching
the endpoints of all upstream services, not just their discovery chain
targets.

- If multiple discovery chains resolve to the same target, that would
lead to multiple filter chains attempting to match on the target's
virtual IP. This is addressed by only matching on the upstream's virtual
IP.

NOTE: this implementation requires an intention to the redirecting
virtual service and not just to the final destination. This is how
we can know that the virtual service is an upstream to watch.

A later PR will look into traversing discovery chains when computing
upstreams so that intentions are only required to the discovery chain
targets.
2021-05-04 14:46:53 +00:00
Paul Banks fa1b308c7b Make Raft trailing logs and snapshot timing reloadable (#10129)
* WIP reloadable raft config

* Pre-define new raft gauges

* Update go-metrics to change gauge reset behaviour

* Update raft to pull in new metric and reloadable config

* Add snapshot persistance timing and installSnapshot to our 'protected' list as they can be infrequent but are important

* Update telemetry docs

* Update config and telemetry docs

* Add note to oldestLogAge on when it is visible

* Add changelog entry

* Update website/content/docs/agent/options.mdx

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
2021-05-04 14:40:40 +00:00
Freddy 4a4a1ebff8 Only consider virtual IPs for transparent proxies (#10162)
Initially we were loading every potential upstream address into Envoy
and then routing traffic to the logical upstream service. The downside
of this behavior is that traffic meant to go to a specific instance
would be load balanced across ALL instances.

Traffic to specific instance IPs should be forwarded to the original
destination and if it's a destination in the mesh then we should ensure
the appropriate certificates are used.

This PR makes transparent proxying a Kubernetes-only feature for now
since support for other environments requires generating virtual IPs,
and Consul does not do that at the moment.
2021-05-03 15:06:36 -06:00
Luke Kysow c816e29ef7 Give descriptive error if auth method not found (#10163)
* Give descriptive error if auth method not found

Previously during a `consul login -method=blah`, if the auth method was not found, the
error returned would be "ACL not found". This is potentially confusing
because there may be many different ACLs involved in a login: the ACL of
the Consul client, perhaps the binding rule or the auth method.

Now the error will be "auth method blah not found", which is much easier
to debug.
2021-05-03 20:39:51 +00:00
Daniel Nephin ac2aeb8f44 Merge pull request #10149 from hashicorp/dnephin/config-use-streaming-backend-defualt-true
config: default UseStreamingBackend to true
2021-04-30 20:30:28 +00:00
R.B. Boyer 145a83e436 connect: update supported envoy versions to 1.18.2, 1.17.2, 1.16.3, and 1.15.4 (#10101)
The only thing that needed fixing up pertained to this section of the 1.18.x release notes:

> grpc_stats: the default value for stats_for_all_methods is switched from true to false, in order to avoid possible memory exhaustion due to an untrusted downstream sending a large number of unique method names. The previous default value was deprecated in version 1.14.0. This only changes the behavior when the value is not set. The previous behavior can be used by setting the value to true. This behavior change by be overridden by setting runtime feature envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default.

For now to maintain status-quo I'm explicitly setting `stats_for_all_methods=true` in all versions to avoid relying upon the default.

Additionally the naming of the emitted metrics for these gRPC requests changed slightly so the integration test assertions for `case-grpc` needed adjusting.
2021-04-29 20:22:41 +00:00
R.B. Boyer df5e55fc50 xds: ensure that all envoyproxy/go-control-plane protobuf symbols are linked into the final binary (#10131)
This ensures that if someone does include some extension Consul does not currently make use of, that extension is actually usable. Without linking these envoy protobufs into the main binary it can't round trip the escape hatches to send them down to envoy.

Whenenver the go-control-plane library is upgraded next we just have to re-run 'make envoy-library'.
2021-04-29 19:58:58 +00:00
R.B. Boyer 6a39b47448 Support Incremental xDS mode (#9855)
This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged.

Union of all commit messages follows to give an overarching summary:

xds: exclusively support incremental xDS when using xDS v3

Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail.
Work around a strange older envoy behavior involving empty CDS responses over incremental xDS.
xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support

Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead.
Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client.
xds: pull out checkStreamACLs method in advance of a later commit

xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings

In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty.

This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10.

xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time
2021-04-29 18:54:53 +00:00
Freddy 740613fcf1 Rename cluster config files to mesh as well (#10148) 2021-04-29 00:16:06 +00:00
Freddy c652580b5b Rename "cluster" config entry to "mesh" (#10127)
This config entry is being renamed primarily because in k8s the name
cluster could be confusing given that the config entry applies across
federated datacenters.

Additionally, this config entry will only apply to Consul as a service
mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:14:03 +00:00
Daniel Nephin 798953f57d Merge pull request #10112 from hashicorp/dnephin/remove-streaming-from-cache
streaming: replace agent/cache with submatview.Store
2021-04-28 21:58:32 +00:00
Matt Keeler 4a38e20e6f Add prometheus guage definitions for replication metrics. (#10109) 2021-04-23 21:06:17 +00:00
Matt Keeler d0495902c4
[Backport/1.10.x]: Backport #10073 (#10102)
* Merge pull request #10094 from hashicorp/update-fingerprint

updating fingerprint

* Add replication metrics (#10073)

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-04-23 16:16:37 -04:00
Daniel Nephin b26938e61e Merge pull request #9991 from hashicorp/dnephin/handle-raft-apply-errors
Handle FSM.Apply errors in raftApply
2021-04-20 18:01:14 +00:00
Freddy 8314f17671 Disallow * as service-defaults name (#10069) 2021-04-19 20:23:41 +00:00
hashicorp-ci c40609ae2c
update bindata_assetfs.go 2021-04-16 01:49:23 +00:00
R.B. Boyer 70f1ba3a2b
fix test when run in enterprise (#10048) 2021-04-15 17:25:25 -05:00
freddygv a0f3591aee Don't panic on nil UpstreamConfiguration.Clone() 2021-04-15 15:46:21 -06:00
hashicorp-ci 131599bfab auto-updated agent/uiserver/bindata_assetfs.go from commit daf897f1a 2021-04-15 20:19:13 +00:00
Freddy 3be304be16
Merge pull request #10016 from hashicorp/topology-update 2021-04-15 14:11:23 -06:00
Freddy 439a7fce2d
Split Upstream.Identifier() so non-empty namespace is always prepended in ent (#10031) 2021-04-15 13:54:40 -06:00
R.B. Boyer 4db8b78854
connect: update centralized upstreams representation in service-defaults (#10015) 2021-04-15 14:21:44 -05:00
Kent 'picat' Gruber 9f7190a4fe
Merge pull request #10023 from hashicorp/fix-raw-kv-xss
Add content type headers to raw KV responses
2021-04-14 18:49:14 -04:00
Daniel Nephin 88f83b41aa snapshot: fix saving of auth methods
Previously only a single auth method would be saved to the snapshot. This commit fixes the typo
and adds to the test, to show that all auth methods are now saved.
2021-04-14 16:51:21 -04:00
Kent 'picat' Gruber cf1fce3d0c Add content type headers to raw KV responses 2021-04-14 16:20:22 -04:00
freddygv f7094f91c7 Avoid returning a nil slice 2021-04-14 10:52:05 -06:00
Matt Keeler bbf5993534
Move static token resolution into the ACLResolver (#10013) 2021-04-14 12:39:35 -04:00
R.B. Boyer 06848ce67e fix broken golden tests 2021-04-14 11:36:47 -05:00
Freddy 3ec4556114
Merge pull request #10006 from hashicorp/api-ptrs 2021-04-14 10:21:08 -06:00
freddygv 8e74eaa684 Update viz endpoint to include topology from intentions 2021-04-14 10:20:15 -06:00
Freddy 55a3697b83
Merge pull request #9987 from hashicorp/remove-kube-dns-hack 2021-04-14 10:00:53 -06:00
freddygv e1808af729 Fixup tests 2021-04-13 16:08:41 -06:00
freddygv 7cb3f32672 Convert new tproxy structs in api module into ptrs
This way we avoid serializing these when empty. Otherwise users of the
latest version of the api submodule cannot interact with older versions
of Consul, because a new api client would send keys that the older Consul
doesn't recognize yet.
2021-04-13 12:44:25 -06:00