* backport of commit dc685df58e
* backport of commit 3e27e57c48
* backport of commit b38fc6da37
* Add BoundReferences to ComputedTrafficPermissions (#20593)
(cherry picked from commit ab3c6cf1e5)
---------
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
* backport of commit e484c3c7dc
* backport of commit 76afe081a5
* backport of commit cb93adba79
* backport of commit a23ea51c82
---------
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
* backport of commit ded3c9fa12
* backport of commit f6ce7c3529
---------
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit 43a338256e
* backport of commit ea8464203b
* backport of commit f6fb15b811
---------
Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
* no-op commit due to failed cherry-picking
* [1.18.x] mesh: use ComputedImplicitDestinations resource in the sidecar controller (#20553)
Wire the ComputedImplicitDestinations resource into the sidecar controller, replacing the inline version already present.
Also:
- Rewrite the controller to use the controller cache
- Rewrite it to no longer depend on ServiceEndpoints
- Remove the fetcher and (local) cache abstraction
---------
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
* Convert consul-hcp to a simpler component
* update existing test to use envStub helper
* An hcp link item for the navbar
* A method of linking to HCP
* Hook up fetching linking status to the nav-item
* Hooking up fetching link status to the hcp link friend
* Adding some tests
* remove a comment - but also fix padding justify-content
* Fix the banner tests
* Adding permission tests as well
* some more sane formatting
* Rename function with its now multipurpose use
* Feature change: No more NEW Badge since it breaks padding - instead a linked badge
* Removing unused class
mesh: add ComputedImplicitDestinations resource for future use (#20547)
Creates a new controller to create ComputedImplicitDestinations resources by
composing ComputedRoutes, Services, and ComputedTrafficPermissions to
infer all ParentRef services that could possibly send some portion of traffic to a
Service that has at least one accessible Workload Identity. A followup PR will
rewire the sidecar controller to make use of this new resource.
As this is a performance optimization rather than a security feature, the following
aspects of traffic permissions have been ignored:
- DENY rules
- port rules (all ports are allowed)
Also:
- Add some v2 TestController machinery to help test complex dependency mappers.
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
* no-op commit due to failed cherry-picking
* Do not parallelize DNS tests because they consume too many ports (#20482)
---------
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
* no-op commit due to failed cherry-picking
* DNS v2 Multiple fixes. (#20525)
* DNS v2 Multiple fixes.
* add license header
* get rid of DefaultIntentionPolicy change that was not supposed to be there.
---------
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
* V1 Compat Exported Services Controller Optimizations (#20517)
V1 compat exported services controller optimizations
* Don't start the v2 exported services controller in v1 mode.
* Use the controller cache.
* Trigger the V1 Compat exported-services Controller when V1 Config Entries are Updated (#20456)
* Trigger the v1 compat exported-services controller when the v1 config entry is modified.
* Hook up exported-services config entries to the event publisher.
* Add tests to the v2 exported services shim.
* Use the local materializer to trigger updates on the v1 compat exported services controller when exported-services config entries are modified.
* stop sleeping when context is cancelled
---------
Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>
NET-7631 - Fix Node records that point to external/non-IP addresses (#20491)
* NET-7630 - Fix TXT record creation on node queries
* NET-7631 - Fix Node records that point to external/non-IP addresses
* NET-7630 - Fix TXT record creation on node queries
Co-authored-by: John Murret <john.murret@hashicorp.com>
* backport of commit 392b8d7573
* backport of commit b4716599ae
* backport of commit a03cb97cb0
* backport of commit 73b277cdef
* backport of commit e53b9794c8
---------
Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
* backport of commit 2069bd134a
* backport of commit c0446fd670
* backport of commit 5227cc2bf1
---------
Co-authored-by: Nick Ethier <nethier@hashicorp.com>
catalog: improve the bound workload identity encoding on services (#20458)
The endpoints controller currently encodes the list of unique workload identities
referenced by all workloads matched by a Service into a special data-bearing
status condition on that Service. This allows a downstream controller to avoid an
expensive watch on the ServiceEndpoints type just to get this data.
The current encoding does not lend itself well to machine parsing, which is what
the field is meant for, so this PR simplifies the encoding from:
"blah blah: " + strings.Join(ids, ",") + "."
to
strings.Join(ids, ",")
It also provides an exported utility function to easily extract this data.
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
v2: ensure the controller caches are fully populated before first use (#20421)
The new controller caches are initialized before the DependencyMappers or the
Reconciler run, but importantly they are not populated. The expectation is that
when the WatchList call is made to the resource service it will send an initial
snapshot of all resources matching a single type, and then perpetually send
UPSERT/DELETE events afterward. This initial snapshot will cycle through the
caching layer and will catch it up to reflect the stored data.
Critically the dependency mappers and reconcilers will race against the restoration
of the caches on server startup or leader election. During this time it is possible a
mapper or reconciler will use the cache to lookup a specific relationship and
not find it. That very same reconciler may choose to then recompute some
persisted resource and in effect rewind it to a prior computed state.
Change
- Since we are updating the behavior of the WatchList RPC, it was aligned to
match that of pbsubscribe and pbpeerstream using a protobuf oneof instead of the enum+fields option.
- The WatchList rpc now has 3 alternating response events: Upsert, Delete,
EndOfSnapshot. When the initial batch of "snapshot" Upserts is sent on a new
watch, those operations will be followed by an EndOfSnapshot event before beginning
the never-ending sequence of Upsert/Delete events.
- Within the Controller startup code we will launch N+1 goroutines to execute WatchList
queries for the watched types. The UPSERTs will be applied to the nascent cache
only (no mappers will execute).
- Upon witnessing the END operation, those goroutines will terminate.
- When all cache priming routines complete, then the normal set of N+1 long lived
watch routines will launch to officially witness all events in the system using the
primed cache.
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
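The priming gate described in that commit message, as an added example that is not Consul's own code: one goroutine per watched type drains its WatchList stream into a per-type cache until EndOfSnapshot, and only when every stream has reached that marker may reconcilers read the caches. The event kinds, Cache type and sample resource names are constructed stand-ins for the commit's protobuf oneof and pbresource types; a stream that closes before EndOfSnapshot is reported as incomplete so the caller does not treat a half-filled cache as primed.

```go
package main

import "sync"

// EventKind models the three alternating WatchList responses described above; a constructed stand-in for the commit's protobuf oneof, not Consul's own types.
type EventKind int

const (
	Upsert EventKind = iota
	Delete
	EndOfSnapshot
)
// Event is one watch response; ID and Data are constructed sample values.
type Event struct {
	Kind     EventKind
	ID, Data string
}
// Cache is a per-type cache keyed by resource ID; only its own priming goroutine writes it.
type Cache struct{ data map[string]string }
func NewCache() *Cache                          { return &Cache{data: map[string]string{}} }
func (c *Cache) Get(id string) (string, bool) { v, ok := c.data[id]; return v, ok }

// Prime drains one stream into its cache until EndOfSnapshot (no mappers or reconcilers run meanwhile); complete=false means the stream closed before the snapshot ended.
func Prime(c *Cache, events <-chan Event) (applied int, complete bool) {
	for ev := range events {
		switch ev.Kind {
		case EndOfSnapshot:
			return applied, true
		case Upsert:
			c.data[ev.ID] = ev.Data
		case Delete:
			delete(c.data, ev.ID)
		}
		applied++
	}
	return applied, false
}

// PrimeAll runs one Prime goroutine per watched type and blocks until every stream has delivered EndOfSnapshot; only then may the long-lived watches and reconcilers start.
func PrimeAll(caches map[string]*Cache, streams map[string]<-chan Event) bool {
	var wg sync.WaitGroup
	incomplete := make(chan struct{}, len(streams)) // one slot per stream, never blocks
	for typ, ch := range streams {
		wg.Add(1)
		go func(c *Cache, ch <-chan Event) {
			defer wg.Done()
			if _, ok := Prime(c, ch); !ok { incomplete <- struct{}{} }
		}(caches[typ], ch)
	}
	wg.Wait()
	return len(incomplete) == 0
}
```

Events queued after EndOfSnapshot are left unread on the stream for the long-lived watch routine that takes over once PrimeAll returns true.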
* backport of commit b76447fb80
* backport of commit 395984c444
* backport of commit cc1246d8ba
* backport of commit 43170a5a70
---------
Co-authored-by: Xinyi Wang <xinyi.wang@hashicorp.com>