Commit Graph

19269 Commits (f6ebc48c4e5c86cebb39de50fa55a786889a32be)

Author SHA1 Message Date
Dan Stough f6ebc48c4e
docs(peering): peering GA ACL updates (#15366)
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2022-11-18 17:39:41 -05:00
Derek Menteer 9a8c47d589
Add Consul 1.14.0 known issue. (#15469)
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2022-11-18 14:59:57 -07:00
Derek Menteer 6fa8fa4fca
Fix issue with connect Envoy choosing incorrect TLS settings. (#15466)
This commit fixes a situation where the API TLS configuration
incorrectly influences the GRPC port TLS configuration for XDS.
2022-11-18 14:36:20 -06:00
Jared Kirschner c14f664399
docs: include upgrade path to 1.14 (#15463) 2022-11-18 09:56:41 -08:00
Iryna Shustava 2be8b3326c
docs: remaining agentless docs updates (#15455)
* Update servers-outside-kubernetes.mdx

* Update single-dc-multi-k8s.mdx

* update Vault data integration for snapshot agent

* update k8s health checks page

* remove all instances of controller.enabled in helm values examples

* API Gateway update

* Apply suggestions from code review

Co-authored-by: Riddhi Shah <riddhi@hashicorp.com>

* Apply suggestions from code review

* Apply suggestions from code review

* Cleaner diagram

* added change around clients to workloads

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: boruszak <jeffrey.boruszak@hashicorp.com>
Co-authored-by: Riddhi Shah <riddhi@hashicorp.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
2022-11-18 11:33:02 -06:00
Derek Menteer f52f3c5afc
Fix SDK to support older versions of Consul. (#15423)
This change was necessary, because the configuration was always
generated with a gRPC TLS port, which did not exist in Consul 1.13,
and would result in the server failing to launch with an error.

This code checks the version of Consul and conditionally adds the
gRPC TLS port, only if the version number is greater than 1.14.
2022-11-18 10:32:01 -06:00
trujillo-adam ab51aac7e0
Update docs for the release of Consul API Gateway v0.5 (#15015)
* added usage folder to organize use case docs for CAPIgw

* Add peer field to MeshService configuration page

* Add first pass at guide for routing to peered services

* Add exception to same-datacenter restriction for referenced Consul service

* Add example HTTPRoute referencing the MeshService as backendRef

* Add example ServiceResolver

* Add note about current ServiceResolver requirement

ServiceResolver may eventually be created implicitly by the API gateway controller, but that decision is pending.

* tweaks to the usage page for routing to peered services

* tweaks to the  description in the  configuration reference

* resolved TO-DOs from previous iteration

* Remove datacenter federation from limited support matrix

* added tolerations doc

* Remove note excluding k8s 1.24 since we now support it

* Reorder sections to maintain alphabetical sort

* Add example configuration for MeshService resource

* Adjust wording + indentation of other docs

* Use consistent "example-" prefix for resource names in example code

* reframed the tolerations documentation; STILL A WIP

* add helm chart documentation

* removed tolerations from gwcconfig configuration model reference

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* update version to 0.5.0

* Update install.mdx

* added release notes for v.0.5.x

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
2022-11-17 15:42:25 -08:00
David Yu 940084e097
docs: Update admin-partitions.mdx (#15428)
* Update admin-partitions.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-11-17 15:12:32 -08:00
Jeff Boruszak 0b711ec8a2
docs: Consul Dataplane updates for v.1.14.0 (#15384)
* Consul Architecture update

* Consul on Kubernetes architecture

* Install Consul on Kubernetes with Helm updates

* Vault as the Secrets Backend Data Integration

* Kubernetes Service Mesh Overview

* Terminating Gateways

* Fully updated

* Join external service to k8s

* Consul on Kubernetes

* Configure metrics for Consul on Kubernetes

* Service Sync for Consul on Kubernetes

* Custom Resource Definitions for Consul on k8s

* Upgrading Consul on Kubernetes Components

* Rolling Updates to TLS

* Dataplanes diagram

* Upgrade instructions

* k8s architecture page updates

* Update website/content/docs/k8s/connect/observability/metrics.mdx

Co-authored-by: Riddhi Shah <riddhi@hashicorp.com>

* Update website/content/docs/architecture/index.mdx

* Update website/content/docs/k8s/connect/terminating-gateways.mdx

* CRDs

* updating version numbers

* Updated example config

* Image clean up

* Apply suggestions from code review

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/k8s/architecture.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Riddhi Shah <riddhi@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-11-17 17:04:29 -06:00
Derek Menteer ad0cba9fd5
Improve language on 1.14 upgrade instructions. (#15412) 2022-11-17 16:28:47 -06:00
Nitya Dhanushkodi 05f7b51c6a
generate helm docs (#15443) 2022-11-17 14:26:14 -08:00
Matt Keeler 26f9008808
Update licensing docs to account for virtual agents. (#15398)
* Update licensing docs to account for virtual agents.

* Update website/content/docs/enterprise/license/overview.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-11-17 13:58:07 -08:00
Paul Glass 781f1499d7
docs: Include env vars in consul-dataplane reference (#15369)
* docs: Include env vars in consul-dataplane reference
* docs: Consul Dataplane bundles Envoy 1.24
* docs: Consul Dataplane is no longer beta
2022-11-17 15:56:41 -06:00
David Yu 2fcb043816
docs: Consul K8s 1.0/Consul 1.14 GA Compat Matrix change (#15400)
* docs: 1.0 GA Compat Matrix change
2022-11-17 13:42:06 -08:00
Alexander Scheel 2b90307f6d
Detect Vault 1.11+ import, update default issuer (#15253)
Consul used to rely on implicit issuer selection when calling Vault endpoints to issue new CSRs. Vault 1.11+ changed that behavior, which caused Consul to check the wrong (previous) issuer when renewing its Intermediate CA. This patch allows Consul to explicitly set a default issuer when it detects that the response from Vault is 1.11+.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
2022-11-17 16:29:49 -05:00
Tu Nguyen 43097a4db9
Update guidance for vault PKI CA provider (#15422)
* Update guidance for vault PKI CA provider

* clarify workarounds if already using vault 1.11+

* Update website/content/docs/connect/ca/vault.mdx

* Update website/content/docs/k8s/connect/connect-ca-provider.mdx

* Update website/content/docs/k8s/deployment-configurations/vault/data-integration/connect-ca.mdx

* Apply suggestions from code review

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

* add suggestion from Matt

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2022-11-17 08:51:43 -08:00
Dan Stough 778812a457
docs(peering): update k8s docs for GA (#15417)
* docs(peering): update k8s docs for GA

* fix code formatting and typo
2022-11-17 08:25:32 -08:00
Michael Schurter 527b58db66
docs: add nomad incompatibility to 1.14 docs (#15397)
docs: add nomad incompatibility to 1.14 docs
2022-11-16 16:45:58 -06:00
cskh 435e16ecda
fix: clarifying error message when acquiring a lock in remote dc (#15394)
* fix: clarifying error message when acquiring a lock in remote dc

* Update website/content/commands/lock.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-11-16 15:27:37 -05:00
Derek Menteer 5853710829
Include addresses.grpc_tls in upgrade docs. (#15408) 2022-11-16 14:10:29 -06:00
cskh 5593d5ddb5
docs: make the h1 title consistent with the page_title (#15396) 2022-11-16 14:40:52 -05:00
Derek Menteer b0041311f7
Fix issue with formatting in upgrade notes. (#15395) 2022-11-16 13:38:09 -06:00
Nitya Dhanushkodi 4a0fd15b69
update compatibility matrix (#15389) 2022-11-15 22:07:37 -08:00
cskh 359a908bea
integ-test: remove unnecessary step since connection is already via mgw (#15381) 2022-11-15 15:26:40 -05:00
Derek Menteer dc27e35f82
Consul 1.14 post-release updates (#15382)
* Update changelog with 1.14 notes.

* gomod version bumps for 1.14 release.
2022-11-15 14:22:43 -06:00
Dan Stough fbd474efee
chore(ci): exempt backport docs and ui from go tests (#14223) 2022-11-15 11:39:51 -05:00
cskh e0487281a8
docs: minor clarifiation to mesh gateway (#15373)
* doc: minor clarifiation to mesh gateway

* update h1 title of mgw for wan fed control plan traffic
2022-11-15 11:00:58 -05:00
Kyle Havlovitz f4c3e54b11
auto-config: relax node name validation for JWT authorization (#15370)
* auto-config: relax node name validation for JWT authorization

This changes the JWT authorization logic to allow all non-whitespace,
non-quote characters when validating node names. Consul had previously
allowed these characters in node names, until this validation was added
to fix a security vulnerability with whitespace/quotes being passed to
the `bexpr` library. This unintentionally broke node names with
characters like `.` which aren't related to this vulnerability.

* Update website/content/docs/agent/config/cli-flags.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-11-14 18:24:40 -06:00
Nick Wales c4eb1b67f5
Fixes broken links (#15343)
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-11-14 14:18:57 -08:00
Dhia Ayachi 225ae55e83
Leadership transfer cmd (#14132)
* add leadership transfer command

* add RPC call test (flaky)

* add missing import

* add changelog

* add command registration

* Apply suggestions from code review

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>

* add the possibility of providing an id to raft leadership transfer. Add few tests.

* delete old file from cherry pick

* rename changelog filename to PR #

* rename changelog and fix import

* fix failing test

* check for OperatorWrite

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>

* rename from leader-transfer to transfer-leader

* remove version check and add test for operator read

* move struct to operator.go

* first pass

* add code for leader transfer in the grpc backend and tests

* wire the http endpoint to the new grpc endpoint

* remove the RPC endpoint

* remove non needed struct

* fix naming

* add mog glue to API

* fix comment

* remove dead code

* fix linter error

* change package name for proto file

* remove error wrapping

* fix failing test

* add command registration

* add grpc service mock tests

* fix receiver to be pointer

* use defined values

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>

* reuse MockAclAuthorizer

* add documentation

* remove usage of external.TokenFromContext

* fix failing tests

* fix proto generation

* Apply suggestions from code review

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

* Apply suggestions from code review

* add more context in doc for the reason

* Apply suggestions from docs code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* regenerate proto

* fix linter errors

Co-authored-by: github-team-consul-core <github-team-consul-core@hashicorp.com>
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-11-14 15:35:12 -05:00
Derek Menteer ef61bdf3c2
Remove unnecessary default test config. (#15361) 2022-11-14 14:07:42 -06:00
Dan Stough 9a5196a47f
Peering Mesh Gateway Updates for GA (#15344)
* docs(peering): remove beta references

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>
Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
2022-11-14 15:03:17 -05:00
Dan Stough e426b79a60
docs(peering): remove beta references (#15340)
* docs(peering): remove beta references
2022-11-14 14:49:50 -05:00
Freddy 706866fa00
Ensure that NodeDump imported nodes are filtered (#15356) 2022-11-14 12:35:20 -07:00
Nitya Dhanushkodi 9e060b8e1b
add changelog (#15351) 2022-11-14 13:23:09 -06:00
Freddy c58f86a00f
Fixup authz for data imported from peers (#15347)
There are a few changes that needed to be made to to handle authorizing
reads for imported data:

- If the data was imported from a peer we should not attempt to read the
  data using the traditional authz rules. This is because the name of
  services/nodes in a peer cluster are not equivalent to those of the
  importing cluster.

- If the data was imported from a peer we need to check whether the
  token corresponds to a service, meaning that it has service:write
  permissions, or to a local read only token that can read all
  nodes/services in a namespace.

This required changes at the policyAuthorizer level, since that is the
only view available to OSS Consul, and at the enterprise
partition/namespace level.
2022-11-14 11:36:27 -07:00
Kyle Havlovitz dde5c524ad
connect: strip port from DNS SANs for ingress gateway leaf cert (#15320)
* connect: strip port from DNS SANs for ingress gateway leaf cert

* connect: format DNS SANs in CreateCSR

* connect: Test wildcard case when formatting SANs
2022-11-14 10:27:03 -08:00
Chris S. Kim 050f26c71a
Add changelog (#15327) 2022-11-14 11:23:02 -05:00
Derek Menteer 931cec42b3
Prevent serving TLS via ports.grpc (#15339)
Prevent serving TLS via ports.grpc

We remove the ability to run the ports.grpc in TLS mode to avoid
confusion and to simplify configuration. This breaking change
ensures that any user currently using ports.grpc in an encrypted
mode will receive an error message indicating that ports.grpc_tls
must be explicitly used.

The suggested action for these users is to simply swap their ports.grpc
to ports.grpc_tls in the configuration file. If both ports are defined,
or if the user has not configured TLS for grpc, then the error message
will not be printed.
2022-11-11 14:29:22 -06:00
skpratt 2bc8a3aae5
Revert "Add test coverage comments to PRs (#15183)" (#15341)
This reverts commit 4870c4cae9.
2022-11-11 13:42:38 -06:00
skpratt 4870c4cae9
Add test coverage comments to PRs (#15183)
* add test coverage comments to PRs

* [skip ci] update test coverage

* [skip ci] add .gitattributes to avoid merge conflicts with test coverage

* exempt main and release branches from coverage job

* [skip ci] update test coverage

* [skip ci] update test coverage

* clean up debug line, exit early if missing files

* [skip ci] update test coverage

* extract repository into variable to make porting to ENT easier

* [skip ci] update test coverage

Co-authored-by: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
2022-11-10 14:43:37 -06:00
Dan Stough 626249fbf5
[OSS] fix: wait and try longer to peer through mesh gw (#15328) 2022-11-10 13:54:00 -05:00
Kyle Schochenmaier bf0f61a878
removes ioutil usage everywhere which was deprecated in go1.16 (#15297)
* update go version to 1.18 for api and sdk, go mod tidy
* removes ioutil usage everywhere which was deprecated in go1.16 in favour of io and os packages. Also introduces a lint rule which forbids use of ioutil going forward.
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2022-11-10 10:26:01 -06:00
Derek Menteer d981fb8d14
Add peering incompatibility warning to upgrade docs. (#15319) 2022-11-10 09:32:31 -06:00
malizz b51f0e25e9
update ACLs for cluster peering (#15317)
* update ACLs for cluster peering

* add changelog

* Update .changelog/15317.txt

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>
2022-11-09 13:02:58 -08:00
Luke Kysow c80f8c3526
Add description for anon token policy (#15311) 2022-11-09 10:26:10 -08:00
hashicorp-copywrite[bot] 22e903342b
[COMPLIANCE] Update MPL-2.0 LICENSE (#14964)
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2022-11-09 12:24:14 -06:00
malizz b9a9e1219c
update config defaults, add docs (#15302)
* update config defaults, add docs

* update grpc tls port for non-default values

* add changelog

* Update website/content/docs/upgrading/upgrade-specific.mdx

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>

* Update website/content/docs/agent/config/config-files.mdx

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>

* update logic for setting grpc tls port value

* move default config to default.go, update changelog

* update docs

* Fix config tests.

* Fix linter error.

* Fix ConnectCA tests.

* Cleanup markdown on upgrade notes.

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>
2022-11-09 09:29:55 -08:00
Eric Haberkorn c340922991
Log Warnings When Peering With Mesh Gateway Mode None (#15304)
warn when mesh gateway mode is set to none for peering
2022-11-09 11:48:58 -05:00
Derek Menteer 418bd62c44
Fix mesh gateway configuration with proxy-defaults (#15186)
* Fix mesh gateway proxy-defaults not affecting upstreams.

* Clarify distinction with upstream settings

Top-level mesh gateway mode in proxy-defaults and service-defaults gets
merged into NodeService.Proxy.MeshGateway, and only gets merged with
the mode attached to an an upstream in proxycfg/xds.

* Fix mgw mode usage for peered upstreams

There were a couple issues with how mgw mode was being handled for
peered upstreams.

For starters, mesh gateway mode from proxy-defaults
and the top-level of service-defaults gets stored in
NodeService.Proxy.MeshGateway, but the upstream watch for peered data
was only considering the mesh gateway config attached in
NodeService.Proxy.Upstreams[i]. This means that applying a mesh gateway
mode via global proxy-defaults or service-defaults on the downstream
would not have an effect.

Separately, transparent proxy watches for peered upstreams didn't
consider mesh gateway mode at all.

This commit addresses the first issue by ensuring that we overlay the
upstream config for peered upstreams as we do for non-peered. The second
issue is addressed by re-using setupWatchesForPeeredUpstream when
handling transparent proxy updates.

Note that for transparent proxies we do not yet support mesh gateway
mode per upstream, so the NodeService.Proxy.MeshGateway mode is used.

* Fix upstream mesh gateway mode handling in xds

This commit ensures that when determining the mesh gateway mode for
peered upstreams we consider the NodeService.Proxy.MeshGateway config as
a baseline.

In absense of this change, setting a mesh gateway mode via
proxy-defaults or the top-level of service-defaults will not have an
effect for peered upstreams.

* Merge service/proxy defaults in cfg resolver

Previously the mesh gateway mode for connect proxies would be
merged at three points:

1. On servers, in ComputeResolvedServiceConfig.
2. On clients, in MergeServiceConfig.
3. On clients, in proxycfg/xds.

The first merge returns a ServiceConfigResponse where there is a
top-level MeshGateway config from proxy/service-defaults, along with
per-upstream config.

The second merge combines per-upstream config specified at the service
instance with per-upstream config specified centrally.

The third merge combines the NodeService.Proxy.MeshGateway
config containing proxy/service-defaults data with the per-upstream
mode. This third merge is easy to miss, which led to peered upstreams
not considering the mesh gateway mode from proxy-defaults.

This commit removes the third merge, and ensures that all mesh gateway
config is available at the upstream. This way proxycfg/xds do not need
to do additional overlays.

* Ensure that proxy-defaults is considered in wc

Upstream defaults become a synthetic Upstream definition under a
wildcard key "*". Now that proxycfg/xds expect Upstream definitions to
have the final MeshGateway values, this commit ensures that values from
proxy-defaults/service-defaults are the default for this synthetic
upstream.

* Add changelog.

Co-authored-by: freddygv <freddy@hashicorp.com>
2022-11-09 10:14:29 -06:00