consul

Commit Graph

Author	SHA1	Message	Date
Paul Banks	659321d008	Handle namespaces in route names correctly; add tests for enterprise	3 years ago
Paul Banks	2a3d3d3c23	Update xDS routes to support ingress services with different TLS config	3 years ago
Paul Banks	16b3b1c737	Update xDS Listeners with SDS support	3 years ago
Chris S. Kim	f972048ebc	connect: Allow upstream listener escape hatch for prepared queries (#11109 )	3 years ago
Evan Culver	7e20a5e4f9	connect: remove support for Envoy 1.15	3 years ago
Evan Culver	2d23f92b35	add 1.19.x versions to test config	3 years ago
Evan Culver	2798383dbc	regenerate envoy golden files	3 years ago
Evan Culver	7605dff46e	add envoy 1.19.1	3 years ago
R.B. Boyer	b2d17ac448	xds: fix representation of incremental xDS subscriptions (#10987 ) Fixes #10563 The `resourceVersion` map was doing two jobs prior to this PR. The first job was to track what version of every resource we know envoy currently has. The second was to track subscriptions to those resources (by way of the empty string for a version). This mostly works out fine, but occasionally leads to consul removing a resource and accidentally (effectively) unsubscribing at the same time. The fix separates these two jobs. When all of the resources for a subscription are removed we continue to track the subscription until envoy explicitly unsubscribes	3 years ago
R.B. Boyer	5fe613dd05	xds: ensure the active streams counters are 64 bit aligned on 32 bit systems (#11085 )	3 years ago
freddygv	9cd30e8650	Ensure partition is used for SAN validation	3 years ago
freddygv	d90e30f009	Update spiffe ID patterns used for RBAC	3 years ago
freddygv	5e54f253d7	Expand testing of simplifyNotSourceSlice for partitions	3 years ago
freddygv	19da23be28	Expand testing of removeSameSourceIntentions for partitions	3 years ago
freddygv	beab0cd962	Account for partition when matching src intentions	3 years ago
Paul Banks	e22cc9c53a	Header manip for split legs plumbing	3 years ago
Paul Banks	83fc8723a3	Header manip for service-router plumbed through	3 years ago
Paul Banks	f439dfc04f	Ingress gateway header manip plumbing	3 years ago
Dhia Ayachi	bc0e4f2f46	partition dicovery chains (#10983 ) * partition dicovery chains * fix default partition for OSS	3 years ago
Dhia Ayachi	09197c989c	add partition to SNI when partition is non default (#10917 )	3 years ago
Freddy	8d83d27674	connect: update envoy supported versions to latest patch release (#10961) Relevant advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h	3 years ago
Giulio Micheloni	7fa01105cc	Fix merge conflicts	3 years ago
Giulio Micheloni	655da1fc42	Merge branch 'main' into serve-panic-recovery	3 years ago
Giulio Micheloni	4b0eaa4bff	grpc, xds: recovery middleware to return and log error in case of panic 1) xds and grpc servers: 1.1) to use recovery middleware with callback that prints stack trace to log 1.2) callback turn the panic into a core.Internal error 2) added unit test for grpc server	3 years ago
freddygv	01936ddb70	Avoid passing zero value into variadic	3 years ago
freddygv	af52d21884	Update prepared query cluster SAN validation Previously SAN validation for prepared queries was broken because we validated against the name, namespace, and datacenter for prepared queries. However, prepared queries can target: - Services with a name that isn't their own - Services in multiple datacenters This means that the SpiffeID to validate needs to be based on the prepared query endpoints, and not the prepared query's upstream definition. This commit updates prepared query clusters to account for that.	3 years ago
freddygv	85878685b7	Fixup proxy config test fixtures - The TestNodeService helper created services with the fixed name "web", and now that name is overridable. - The discovery chain snapshot didn't have prepared query endpoints so the endpoints tests were missing data for prepared queries	3 years ago
Dhia Ayachi	1950ebbe1f	oss portion of ent #1069 (#10883 )	3 years ago
Daniel Nephin	8252a2691c	xds: document how authorization works	3 years ago
Daniel Nephin	e637cd71f3	acl: use authz consistently as the variable name for an acl.Authorizer Follow up to https://github.com/hashicorp/consul/pull/10737#discussion_r682147950 Renames all variables for acl.Authorizer to use `authz`. Previously some places used `rule` which I believe was an old name carried over from the legacy ACL system. A couple places also used authorizer. This commit also removes another couple of authorizer nil checks that are no longer necessary.	3 years ago
Giulio Micheloni	2b14a9b59a	grpc Server: turn panic into error through middleware	3 years ago
Daniel Nephin	84fac3ce0e	acl: use acl.ManangeAll when ACLs are disabled Instead of returning nil and checking for nilness Removes a bunch of nil checks, and fixes one test failures.	3 years ago
R.B. Boyer	188e8dc51f	agent/structs: add a bunch more EnterpriseMeta helper functions to help with partitioning (#10669 )	3 years ago
Freddy	12b7e07d5c	Merge pull request #10621 from hashicorp/vuln/validate-sans	3 years ago
R.B. Boyer	20feb42d3a	xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619 )	3 years ago
freddygv	b4c5c58c9b	Add TODOs about partition handling	3 years ago
freddygv	5a82656510	Update golden files	3 years ago
freddygv	47da00d3c7	Validate SANs for passthrough clusters and failovers	3 years ago
freddygv	5454147c09	Update golden files to account for SAN validation	3 years ago
freddygv	a6d3fe90b1	Validate Subject Alternative Name for upstreams These changes ensure that the identity of services dialed is cryptographically verified. For all upstreams we validate against SPIFFE IDs in the format used by Consul's service mesh: spiffe://<trust-domain>/ns/<namespace>/dc/<datacenter>/svc/<service>	3 years ago
Daniel Nephin	7d73fd7ae5	rename GRPC->XDS where appropriate	3 years ago
jkirschner-hashicorp	5f73de6fbc	Merge pull request #10560 from jkirschner-hashicorp/change-sane-to-reasonable Replace use of 'sane' where appropriate	3 years ago
Jared Kirschner	bd536151e1	Replace use of 'sane' where appropriate HashiCorp voice, style, and language guidelines recommend avoiding ableist language unless its reference to ability is accurate in a particular use.	3 years ago
Dhia Ayachi	9b45107c1e	Format certificates properly (rfc7468) with a trailing new line (#10411 ) * trim carriage return from certificates when inserting rootCA in the inMemDB * format rootCA properly when returning the CA on the connect CA endpoint * Fix linter warnings * Fix providers to trim certs before returning it * trim newlines on write when possible * add changelog * make sure all provider return a trailing newline after the root and intermediate certs * Fix endpoint to return trailing new line * Fix failing test with vault provider * make test more robust * make sure all provider return a trailing newline after the leaf certs * Check for suffix before removing newline and use function * Add comment to consul provider * Update change log Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * fix typo * simplify code callflow Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * extract requireNewLine as shared func * remove dependency to testify in testing file * remove extra newline in vault provider * Add cert newline fix to envoy xds * remove new line from mock provider * Remove adding a new line from provider and fix it when the cert is read * Add a comment to explain the fix * Add missing for leaf certs * fix missing new line * fix missing new line in leaf certs * remove extra new line in test * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * fix in vault provider and when reading cache (RPC call) * fix AWS provider * fix failing test in the provider * remove comments and empty lines * add check for empty cert in test * fix linter warnings * add new line for leaf and private key * use string concat instead of Sprintf * fix new lines for leaf signing * preallocate slice and remove append * Add new line to `SignIntermediate` and `CrossSignCA` Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>	3 years ago
R.B. Boyer	5b495ae8e0	xds: fix flaky protocol tests (#10410 )	4 years ago
Freddy	ae886136f1	Merge pull request #10404 from hashicorp/ingress-stats	4 years ago
R.B. Boyer	80c39f1083	xds: adding more delta protocol tests (#10398 ) Fixes #10125	4 years ago
freddygv	924a5ba642	Regen golden files	4 years ago
Freddy	0a38c8fe10	Update agent/xds/listeners.go Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	4 years ago
freddygv	f3e4705923	Remove unused param	4 years ago
freddygv	0aec6761dc	Update ingress gateway stats labeling In the absence of stats_tags to handle this pattern, when we pass "ingress_upstream.$port" as the stat_prefix, Envoy splits up that prefix and makes the port a part of the metric name. For example: - stat_prefix: ingress_upstream.8080 This leads to metric names like envoy_http_8080_no_route. Changing the stat_prefix to ingress_upstream_80880 yields the expected metric names such as envoy_http_no_route. Note that we don't encode the destination's name/ns/dc in this stat_prefix because for HTTP services ingress gateways use a single filter chain. Only cluster metrics are available on a per-upstream basis.	4 years ago
freddygv	6f8c6043b6	Update terminating gateway stats labeling This change makes it so that the stat prefix for terminating gateways matches that of connect proxies. By using the structure of "upstream.svc.ns.dc" we can extract labels for the destination service, namespace, and datacenter.	4 years ago
R.B. Boyer	848ad8535b	xds: ensure that dependent xDS resources are reconfigured during primary type warming (#10381 ) Updates to a cluster will clear the associated endpoints, and updates to a listener will clear the associated routes. Update the incremental xDS logic to account for this implicit cleanup so that we can finish warming the clusters and listeners. Fixes #10379	4 years ago
Freddy	ffb13f35f1	Rename CatalogDestinationsOnly (#10397 ) CatalogDestinationsOnly is a passthrough that would enable dialing addresses outside of Consul's catalog. However, when this flag is set to true only _connect_ endpoints for services can be dialed. This flag is being renamed to signal that non-Connect endpoints can't be dialed by transparent proxies when the value is set to true.	4 years ago
Freddy	429f9d8bb8	Add flag for transparent proxies to dial individual instances (#10329 )	4 years ago
Freddy	7577f0e991	Revert "Avoid adding original_dst filter when not needed" (#10365 )	4 years ago
Freddy	353280660f	Ensure passthrough clusters can be created (#10301 )	4 years ago
Freddy	19334e8abf	Avoid adding original_dst filter when not needed (#10302 )	4 years ago
R.B. Boyer	ede14b7c54	xds: emit a labeled gauge of connected xDS streams by version (#10243 ) Fixes #10099	4 years ago
R.B. Boyer	3b50a55533	connect: update supported envoy versions to 1.18.3, 1.17.3, 1.16.4, and 1.15.5 (#10231 )	4 years ago
Daniel Nephin	347f3d2128	Merge pull request #10155 from hashicorp/dnephin/config-entry-remove-fields config-entry: remove Kind and Name field from Mesh config entry	4 years ago
Mark Anderson	ff7fca756b	Add simple test for downstream sockets Signed-off-by: Mark Anderson <manderson@hashicorp.com>	4 years ago
Mark Anderson	8040f91a43	Add support for downstreams Enhance config by adding SocketPath and LocalSocketPath config values Supports syntax of the form: ``` services { name = "sock_forwarder" id = "sock_forwarder.1" socket_path = "/tmp/downstream_3.sock" connect { sidecar_service { proxy { local_service_socket_path = "/tmp/downstream.sock" } } } } ``` Signed-off-by: Mark Anderson <manderson@hashicorp.com>	4 years ago
Mark Anderson	6be9cebad0	Add tests for xds/listeners Signed-off-by: Mark Anderson <manderson@hashicorp.com>	4 years ago
Mark Anderson	583ae65d5b	Convert mode to string representation Signed-off-by: Mark Anderson <manderson@hashicorp.com>	4 years ago
Mark Anderson	06f0f79218	Continue working through proxy and agent Rework/listeners, rename makeListener Refactor, tests pass Signed-off-by: Mark Anderson <manderson@hashicorp.com>	4 years ago
Freddy	ed1082510d	Fixup discovery chain handling in transparent mode (#10168 ) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Previously we would associate the address of a discovery chain target with the discovery chain's filter chain. This was broken for a few reasons: - If the upstream is a virtual service, the client proxy has no way of dialing it because virtual services are not targets of their discovery chains. The targets are distinct services. This is addressed by watching the endpoints of all upstream services, not just their discovery chain targets. - If multiple discovery chains resolve to the same target, that would lead to multiple filter chains attempting to match on the target's virtual IP. This is addressed by only matching on the upstream's virtual IP. NOTE: this implementation requires an intention to the redirecting virtual service and not just to the final destination. This is how we can know that the virtual service is an upstream to watch. A later PR will look into traversing discovery chains when computing upstreams so that intentions are only required to the discovery chain targets.	4 years ago
Freddy	2ca3f481f8	Only consider virtual IPs for transparent proxies (#10162 ) Initially we were loading every potential upstream address into Envoy and then routing traffic to the logical upstream service. The downside of this behavior is that traffic meant to go to a specific instance would be load balanced across ALL instances. Traffic to specific instance IPs should be forwarded to the original destination and if it's a destination in the mesh then we should ensure the appropriate certificates are used. This PR makes transparent proxying a Kubernetes-only feature for now since support for other environments requires generating virtual IPs, and Consul does not do that at the moment.	4 years ago
Daniel Nephin	62efaaab21	config-entry: remove Kind and Name field from Mesh config entry No config entry needs a Kind field. It is only used to determine the Go type to target. As we introduce new config entries (like this one) we can remove the kind field and have the GetKind method return the single supported value. In this case (similar to proxy-defaults) the Name field is also unnecessary. We always use the same value. So we can omit the name field entirely.	4 years ago
R.B. Boyer	abc1dc0fe9	connect: update supported envoy versions to 1.18.2, 1.17.2, 1.16.3, and 1.15.4 (#10101 ) The only thing that needed fixing up pertained to this section of the 1.18.x release notes: > grpc_stats: the default value for stats_for_all_methods is switched from true to false, in order to avoid possible memory exhaustion due to an untrusted downstream sending a large number of unique method names. The previous default value was deprecated in version 1.14.0. This only changes the behavior when the value is not set. The previous behavior can be used by setting the value to true. This behavior change by be overridden by setting runtime feature envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default. For now to maintain status-quo I'm explicitly setting `stats_for_all_methods=true` in all versions to avoid relying upon the default. Additionally the naming of the emitted metrics for these gRPC requests changed slightly so the integration test assertions for `case-grpc` needed adjusting.	4 years ago
R.B. Boyer	85a718da63	xds: ensure that all envoyproxy/go-control-plane protobuf symbols are linked into the final binary (#10131 ) This ensures that if someone does include some extension Consul does not currently make use of, that extension is actually usable. Without linking these envoy protobufs into the main binary it can't round trip the escape hatches to send them down to envoy. Whenenver the go-control-plane library is upgraded next we just have to re-run 'make envoy-library'.	4 years ago
R.B. Boyer	71d45a3460	Support Incremental xDS mode (#9855 ) This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged. Union of all commit messages follows to give an overarching summary: xds: exclusively support incremental xDS when using xDS v3 Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail. Work around a strange older envoy behavior involving empty CDS responses over incremental xDS. xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead. Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client. xds: pull out checkStreamACLs method in advance of a later commit xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty. This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10. xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time	4 years ago
Freddy	078c40425f	Rename "cluster" config entry to "mesh" (#10127 ) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.	4 years ago
Freddy	439a7fce2d	Split Upstream.Identifier() so non-empty namespace is always prepended in ent (#10031 )	4 years ago
R.B. Boyer	06848ce67e	fix broken golden tests	4 years ago
Freddy	55a3697b83	Merge pull request #9987 from hashicorp/remove-kube-dns-hack	4 years ago
freddygv	4e509aa768	Remove todo that was todone	4 years ago
freddygv	75edc9bc7c	Avoid nil panic when cluster config doesn't exist	4 years ago
freddygv	7bd51ff536	Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.	4 years ago
Iryna Shustava	5755c97bc7	cli: Add new `consul connect redirect-traffic` command for applying traffic redirection rules when Transparent Proxy is enabled. (#9910 ) * Add new consul connect redirect-traffic command for applying traffic redirection rules when Transparent Proxy is enabled. * Add new iptables package for applying traffic redirection rules with iptables.	4 years ago
Freddy	e385e5992f	Merge pull request #9042 from lawliet89/tg-rewrite	4 years ago
freddygv	c6d64a8078	Stable sort cidr ranges to match on	4 years ago
freddygv	02f6768cd2	Remove kube-dns resolution since clusterip will be a tagged addr	4 years ago
R.B. Boyer	499fee73b3	connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973 ) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.	4 years ago
Yong Wen Chua	409768d6e5	Merge branch 'master' of github.com:hashicorp/consul into tg-rewrite	4 years ago
freddygv	ad6c726453	Uncomment listener tests	4 years ago
freddygv	f4f45af6d0	Merge master and fix upstream config protocol defaulting	4 years ago
freddygv	9f0696528b	Rename hasChains for clarity	4 years ago
freddygv	0da8702f34	PR comments	4 years ago
freddygv	bf96d536d9	Upstreams loop is only for prepared queries and they are not CentrallyConfigured	4 years ago
freddygv	8a062e1546	Handle prepared queries in Upstreams loop and escape hatches in disco chain loop	4 years ago
freddygv	ce964f8ea5	Update xds for transparent proxy	4 years ago
freddygv	3f2489c31d	Refactor makePublicListener By accepting a name the function can be used for other inbound listeners, like the one for TransparentProxy.	4 years ago
freddygv	8b46d8dcbb	Restore old Envoy prefix on escape hatches This is done because after removing ID and NodeName from ServiceConfigRequest we will no longer know whether a request coming in is for a Consul client earlier than v1.10.	4 years ago
freddygv	e3dc2a49df	Turn Limits and PassiveHealthChecks into pointers	4 years ago
freddygv	1710ec87d2	finish moving UpstreamConfig and related fields to structs pkg	4 years ago
freddygv	87cde19b4c	Create new types for service-defaults upstream cfg	4 years ago
R.B. Boyer	398b766532	xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658 ) - Also add support for envoy 1.17.0	4 years ago
R.B. Boyer	be89557fb4	test: omit envoy golden test files that differ from the latest version (#9807 ) Since we currently do no version switching this removes 75% of the PR noise. To generate all *.golden files were removed and then I ran: go test ./agent/xds -update	4 years ago
Yong Wen Chua	58b553704a	Update test fixtures	4 years ago

1 2 3 4 5 ...

295 Commits (ca3aca92c4d2b2a94f959655ff0db03f00a49a6a)