luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-consul/agent/consul/config_endpoint.go

590 lines
19 KiB
Go
Raw Normal View History

Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
package consul
import (
"fmt"
"time"
connect: update centralized upstreams representation in service-defaults (#10015)
2021-04-15 19:21:44 +00:00
metrics "github.com/armon/go-metrics"
first pass on agent-configured prometheusDefs and adding defs for every consul metric
2020-11-13 02:12:12 +00:00
"github.com/armon/go-metrics/prometheus"
connect: update centralized upstreams representation in service-defaults (#10015)
2021-04-15 19:21:44 +00:00
"github.com/hashicorp/go-hclog"
memdb "github.com/hashicorp/go-memdb"
"github.com/mitchellh/copystructure"
first pass on agent-configured prometheusDefs and adding defs for every consul metric
2020-11-13 02:12:12 +00:00
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/consul/state"
"github.com/hashicorp/consul/agent/structs"
)
first pass on agent-configured prometheusDefs and adding defs for every consul metric
2020-11-13 02:12:12 +00:00
var ConfigSummaries = []prometheus.SummaryDefinition{
{
add the service name in the agent rather than in the definitions themselves
2020-11-13 21:18:04 +00:00
Name: []string{"config_entry", "apply"},
first pass on agent-configured prometheusDefs and adding defs for every consul metric
2020-11-13 02:12:12 +00:00
Help: "",
},
{
add the service name in the agent rather than in the definitions themselves
2020-11-13 21:18:04 +00:00
Name: []string{"config_entry", "get"},
first pass on agent-configured prometheusDefs and adding defs for every consul metric
2020-11-13 02:12:12 +00:00
Help: "",
},
{
add the service name in the agent rather than in the definitions themselves
2020-11-13 21:18:04 +00:00
Name: []string{"config_entry", "list"},
first pass on agent-configured prometheusDefs and adding defs for every consul metric
2020-11-13 02:12:12 +00:00
Help: "",
},
{
add the service name in the agent rather than in the definitions themselves
2020-11-13 21:18:04 +00:00
Name: []string{"config_entry", "listAll"},
first pass on agent-configured prometheusDefs and adding defs for every consul metric
2020-11-13 02:12:12 +00:00
Help: "",
},
{
add the service name in the agent rather than in the definitions themselves
2020-11-13 21:18:04 +00:00
Name: []string{"config_entry", "delete"},
first pass on agent-configured prometheusDefs and adding defs for every consul metric
2020-11-13 02:12:12 +00:00
Help: "",
},
{
add the service name in the agent rather than in the definitions themselves
2020-11-13 21:18:04 +00:00
Name: []string{"config_entry", "resolve_service_config"},
first pass on agent-configured prometheusDefs and adding defs for every consul metric
2020-11-13 02:12:12 +00:00
Help: "",
},
}
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
// The ConfigEntry endpoint is used to query centralized config information
type ConfigEntry struct {
connect: update centralized upstreams representation in service-defaults (#10015)
2021-04-15 19:21:44 +00:00
srv *Server
logger hclog.Logger
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
}
// Apply does an upsert of the given config entry.
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import
2019-04-30 23:27:16 +00:00
func (c *ConfigEntry) Apply(args *structs.ConfigEntryRequest, reply *bool) error {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if err := c.srv.validateEnterpriseRequest(args.Entry.GetEnterpriseMeta(), true); err != nil {
return err
}
Ensure that config entry writes are forwarded to the primary DC (#6339)
2019-08-20 16:01:13 +00:00
// Ensure that all config entry writes go to the primary datacenter. These will then
// be replicated to all the other datacenters.
args.Datacenter = c.srv.config.PrimaryDatacenter
rpc: remove unnecessary arg to ForwardRPC
2021-04-20 18:55:24 +00:00
if done, err := c.srv.ForwardRPC("ConfigEntry.Apply", args, reply); done {
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return err
}
defer metrics.MeasureSince([]string{"config_entry", "apply"}, time.Now())
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
entMeta := args.Entry.GetEnterpriseMeta()
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, entMeta, nil)
if err != nil {
return err
}
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
if err := c.preflightCheck(args.Entry.GetKind()); err != nil {
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return err
}
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
// Normalize and validate the incoming config entry as if it came from a user.
server: remove config entry CAS in legacy intention API bridge code (#9151) Change so line-item intention edits via the API are handled via the state store instead of via CAS operations. Fixes #9143
2020-11-13 20:42:21 +00:00
if err := args.Entry.Normalize(); err != nil {
return err
}
if err := args.Entry.Validate(); err != nil {
return err
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
}
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if authz != nil && !args.Entry.CanWrite(authz) {
Move the ACL logic into the ConfigEntry interface
2019-04-10 21:27:28 +00:00
return acl.ErrPermissionDenied
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
}
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import
2019-04-30 23:27:16 +00:00
if args.Op != structs.ConfigEntryUpsert && args.Op != structs.ConfigEntryUpsertCAS {
args.Op = structs.ConfigEntryUpsert
}
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
resp, err := c.srv.raftApply(structs.ConfigEntryRequestType, args)
if err != nil {
return err
}
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import
2019-04-30 23:27:16 +00:00
if respBool, ok := resp.(bool); ok {
*reply = respBool
}
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return nil
}
// Get returns a single config entry by Kind/Name.
Add HTTP endpoints for config entry management (#5718)
2019-04-29 22:08:09 +00:00
func (c *ConfigEntry) Get(args *structs.ConfigEntryQuery, reply *structs.ConfigEntryResponse) error {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
rpc: remove unnecessary arg to ForwardRPC
2021-04-20 18:55:24 +00:00
if done, err := c.srv.ForwardRPC("ConfigEntry.Get", args, reply); done {
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return err
}
defer metrics.MeasureSince([]string{"config_entry", "get"}, time.Now())
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
if err != nil {
return err
}
Move the ACL logic into the ConfigEntry interface
2019-04-10 21:27:28 +00:00
// Create a dummy config entry to check the ACL permissions.
lookupEntry, err := structs.MakeConfigEntry(args.Kind, args.Name)
if err != nil {
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return err
}
Fix a bug with ACL enforcement of reads on namespaced config entries. (#7239)
2020-02-07 13:30:40 +00:00
lookupEntry.GetEnterpriseMeta().Merge(&args.EnterpriseMeta)
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if authz != nil && !lookupEntry.CanRead(authz) {
Move the ACL logic into the ConfigEntry interface
2019-04-10 21:27:28 +00:00
return acl.ErrPermissionDenied
}
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return c.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,
func(ws memdb.WatchSet, state *state.Store) error {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
index, entry, err := state.ConfigEntry(ws, args.Kind, args.Name, &args.EnterpriseMeta)
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
if err != nil {
return err
}
reply.Index = index
Move the ACL logic into the ConfigEntry interface
2019-04-10 21:27:28 +00:00
if entry == nil {
return nil
}
Add HTTP endpoints for config entry management (#5718)
2019-04-29 22:08:09 +00:00
reply.Entry = entry
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return nil
})
}
// List returns all the config entries of the given kind. If Kind is blank,
// all existing config entries will be returned.
func (c *ConfigEntry) List(args *structs.ConfigEntryQuery, reply *structs.IndexedConfigEntries) error {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
rpc: remove unnecessary arg to ForwardRPC
2021-04-20 18:55:24 +00:00
if done, err := c.srv.ForwardRPC("ConfigEntry.List", args, reply); done {
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return err
}
defer metrics.MeasureSince([]string{"config_entry", "list"}, time.Now())
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
if err != nil {
return err
}
config-entries: add a test for the API client Also fixes a bug with listing kind=mesh config entries. ValidateConfigEntryKind was only being used by the List endpoint, and was yet another place where we have to enumerate all the kinds. This commit removes ValidateConfigEntryKind and uses MakeConfigEntry instead. This change removes the need to maintain two separate functions at the cost of creating an instance of the config entry which will be thrown away immediately.
2021-05-04 21:14:21 +00:00
if args.Kind != "" {
if _, err := structs.MakeConfigEntry(args.Kind, ""); err != nil {
return fmt.Errorf("invalid config entry kind: %s", args.Kind)
}
Make a few config entry endpoints return 404s and allow for snake_case and lowercase key names. (#5748)
2019-04-30 22:19:19 +00:00
}
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return c.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,
func(ws memdb.WatchSet, state *state.Store) error {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
index, entries, err := state.ConfigEntriesByKind(ws, args.Kind, &args.EnterpriseMeta)
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
if err != nil {
return err
}
// Filter the entries returned by ACL permissions.
filteredEntries := make([]structs.ConfigEntry, 0, len(entries))
for _, entry := range entries {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if authz != nil && !entry.CanRead(authz) {
Move the ACL logic into the ConfigEntry interface
2019-04-10 21:27:28 +00:00
continue
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
}
filteredEntries = append(filteredEntries, entry)
}
Move the ACL logic into the ConfigEntry interface
2019-04-10 21:27:28 +00:00
reply.Kind = args.Kind
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
reply.Index = index
reply.Entries = filteredEntries
return nil
})
}
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
var configEntryKindsFromConsul_1_8_0 = []string{
structs.ServiceDefaults,
structs.ProxyDefaults,
structs.ServiceRouter,
structs.ServiceSplitter,
structs.ServiceResolver,
structs.IngressGateway,
structs.TerminatingGateway,
}
Implement config entry replication (#5706)
2019-04-26 17:38:39 +00:00
// ListAll returns all the known configuration entries
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
func (c *ConfigEntry) ListAll(args *structs.ConfigEntryListAllRequest, reply *structs.IndexedGenericConfigEntries) error {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
rpc: remove unnecessary arg to ForwardRPC
2021-04-20 18:55:24 +00:00
if done, err := c.srv.ForwardRPC("ConfigEntry.ListAll", args, reply); done {
Implement config entry replication (#5706)
2019-04-26 17:38:39 +00:00
return err
}
defer metrics.MeasureSince([]string{"config_entry", "listAll"}, time.Now())
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
Implement config entry replication (#5706)
2019-04-26 17:38:39 +00:00
if err != nil {
return err
}
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
if len(args.Kinds) == 0 {
args.Kinds = configEntryKindsFromConsul_1_8_0
}
kindMap := make(map[string]struct{})
for _, kind := range args.Kinds {
kindMap[kind] = struct{}{}
}
Implement config entry replication (#5706)
2019-04-26 17:38:39 +00:00
return c.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,
func(ws memdb.WatchSet, state *state.Store) error {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
index, entries, err := state.ConfigEntries(ws, &args.EnterpriseMeta)
Implement config entry replication (#5706)
2019-04-26 17:38:39 +00:00
if err != nil {
return err
}
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
// Filter the entries returned by ACL permissions or by the provided kinds.
Implement config entry replication (#5706)
2019-04-26 17:38:39 +00:00
filteredEntries := make([]structs.ConfigEntry, 0, len(entries))
for _, entry := range entries {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if authz != nil && !entry.CanRead(authz) {
Implement config entry replication (#5706)
2019-04-26 17:38:39 +00:00
continue
}
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
// Doing this filter outside of memdb isn't terribly
// performant. This kind filter is currently only used across
// version upgrades, so in the common case we are going to
// always return all of the data anyway, so it should be fine.
// If that changes at some point, then we should move this down
// into memdb.
if _, ok := kindMap[entry.GetKind()]; !ok {
continue
}
Implement config entry replication (#5706)
2019-04-26 17:38:39 +00:00
filteredEntries = append(filteredEntries, entry)
}
reply.Entries = filteredEntries
reply.Index = index
return nil
})
}
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
// Delete deletes a config entry.
func (c *ConfigEntry) Delete(args *structs.ConfigEntryRequest, reply *struct{}) error {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if err := c.srv.validateEnterpriseRequest(args.Entry.GetEnterpriseMeta(), true); err != nil {
return err
}
Ensure that config entry writes are forwarded to the primary DC (#6339)
2019-08-20 16:01:13 +00:00
// Ensure that all config entry writes go to the primary datacenter. These will then
// be replicated to all the other datacenters.
args.Datacenter = c.srv.config.PrimaryDatacenter
rpc: remove unnecessary arg to ForwardRPC
2021-04-20 18:55:24 +00:00
if done, err := c.srv.ForwardRPC("ConfigEntry.Delete", args, reply); done {
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return err
}
defer metrics.MeasureSince([]string{"config_entry", "delete"}, time.Now())
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, args.Entry.GetEnterpriseMeta(), nil)
if err != nil {
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return err
}
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
if err := c.preflightCheck(args.Entry.GetKind()); err != nil {
return err
}
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
// Normalize the incoming entry.
if err := args.Entry.Normalize(); err != nil {
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return err
}
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if authz != nil && !args.Entry.CanWrite(authz) {
Move the ACL logic into the ConfigEntry interface
2019-04-10 21:27:28 +00:00
return acl.ErrPermissionDenied
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
}
args.Op = structs.ConfigEntryDelete
Handle FSM.Apply errors in raftApply Previously we were inconsistently checking the response for errors. This PR moves the response-is-error check into raftApply, so that all callers can look at only the error response, instead of having to know that errors could come from two places. This should expose a few more errors that were previously hidden because in some calls to raftApply we were ignoring the response return value. Also handle errors more consistently. In some cases we would log the error before returning it. This can be very confusing because it can result in the same error being logged multiple times. Instead return a wrapped error.
2021-04-08 22:58:15 +00:00
_, err = c.srv.raftApply(structs.ConfigEntryRequestType, args)
return err
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
}
// ResolveServiceConfig
func (c *ConfigEntry) ResolveServiceConfig(args *structs.ServiceConfigRequest, reply *structs.ServiceConfigResponse) error {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
rpc: remove unnecessary arg to ForwardRPC
2021-04-20 18:55:24 +00:00
if done, err := c.srv.ForwardRPC("ConfigEntry.ResolveServiceConfig", args, reply); done {
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return err
}
defer metrics.MeasureSince([]string{"config_entry", "resolve_service_config"}, time.Now())
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
var authzContext acl.AuthorizerContext
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
if err != nil {
return err
}
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
if authz != nil && authz.ServiceRead(args.Name, &authzContext) != acl.Allow {
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return acl.ErrPermissionDenied
}
return c.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,
func(ws memdb.WatchSet, state *state.Store) error {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
var thisReply structs.ServiceConfigResponse
thisReply.MeshGateway.Mode = structs.MeshGatewayModeDefault
Add changelog and cleanup todo for beta
2021-03-17 22:45:13 +00:00
// TODO(freddy) Refactor this into smaller set of state store functions
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
// Pass the WatchSet to both the service and proxy config lookups. If either is updated during the
// blocking query, this function will be rerun and these state store lookups will both be current.
Finish cleanup from ServiceConfigRequest changes
2021-03-15 22:38:01 +00:00
// We use the default enterprise meta to look up the global proxy defaults because they are not namespaced.
state: remove unnecessary kind index The query can be performed using a prefix query on the ID index. Also backport some enterprise changes to prevent conflicts.
2021-03-31 20:21:21 +00:00
_, proxyEntry, err := state.ConfigEntry(ws, structs.ProxyDefaults, structs.ProxyConfigGlobal, &args.EnterpriseMeta)
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
if err != nil {
return err
}
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
var (
proxyConf *structs.ProxyConfigEntry
proxyConfGlobalProtocol string
ok bool
)
Fill out the service manager functionality and fix tests
2019-04-23 06:39:02 +00:00
if proxyEntry != nil {
proxyConf, ok = proxyEntry.(*structs.ProxyConfigEntry)
if !ok {
return fmt.Errorf("invalid proxy config type %T", proxyEntry)
}
Fix panic in Resolving service config when proxy-defaults isn't defined yet (#5769)
2019-05-02 13:12:21 +00:00
// Apply the proxy defaults to the sidecar's proxy config
Copy the proxy config instead of direct assignment (#5786) This prevents modifying the data in the state store which is supposed to be immutable.
2019-05-06 16:09:59 +00:00
mapCopy, err := copystructure.Copy(proxyConf.Config)
if err != nil {
return fmt.Errorf("failed to copy global proxy-defaults: %v", err)
}
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.ProxyConfig = mapCopy.(map[string]interface{})
thisReply.Mode = proxyConf.Mode
thisReply.TransparentProxy = proxyConf.TransparentProxy
thisReply.MeshGateway = proxyConf.MeshGateway
thisReply.Expose = proxyConf.Expose
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
// Extract the global protocol from proxyConf for upstream configs.
rawProtocol := proxyConf.Config["protocol"]
if rawProtocol != nil {
proxyConfGlobalProtocol, ok = rawProtocol.(string)
if !ok {
return fmt.Errorf("invalid protocol type %T", rawProtocol)
}
}
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
}
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
index, serviceEntry, err := state.ConfigEntry(ws, structs.ServiceDefaults, args.Name, &args.EnterpriseMeta)
if err != nil {
return err
}
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.Index = index
Add integration test for central config; fix central config WIP (#5752) * Add integration test for central config; fix central config WIP * Add integration test for central config; fix central config WIP * Set proxy protocol correctly and begin adding upstream support * Add upstreams to service config cache key and start new notify watcher if they change. This doesn't update the tests to pass though. * Fix some merging logic get things working manually with a hack (TODO fix properly) * Simplification to not allow enabling sidecars centrally - it makes no sense without upstreams anyway * Test compile again and obvious ones pass. Lots of failures locally not debugged yet but may be flakes. Pushing up to see what CI does * Fix up service manageer and API test failures * Remove the enable command since it no longer makes much sense without being able to turn on sidecar proxies centrally * Remove version.go hack - will make integration test fail until release * Remove unused code from commands and upstream merge * Re-bump version to 1.5.0
2019-05-01 23:39:31 +00:00
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
var serviceConf *structs.ServiceConfigEntry
if serviceEntry != nil {
serviceConf, ok = serviceEntry.(*structs.ServiceConfigEntry)
if !ok {
return fmt.Errorf("invalid service config type %T", serviceEntry)
}
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
if serviceConf.Expose.Checks {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.Expose.Checks = true
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
if len(serviceConf.Expose.Paths) >= 1 {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.Expose.Paths = serviceConf.Expose.Paths
Expose HTTP-based paths through Connect proxy (#6446) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.
2019-09-26 02:55:52 +00:00
}
Implement Mesh Gateways This includes both ingress and egress functionality.
2019-06-18 00:52:01 +00:00
if serviceConf.MeshGateway.Mode != structs.MeshGatewayModeDefault {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.MeshGateway.Mode = serviceConf.MeshGateway.Mode
Implement Mesh Gateways This includes both ingress and egress functionality.
2019-06-18 00:52:01 +00:00
}
if serviceConf.Protocol != "" {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
if thisReply.ProxyConfig == nil {
thisReply.ProxyConfig = make(map[string]interface{})
Implement Mesh Gateways This includes both ingress and egress functionality.
2019-06-18 00:52:01 +00:00
}
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.ProxyConfig["protocol"] = serviceConf.Protocol
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
}
Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.
2021-04-12 15:35:14 +00:00
if serviceConf.TransparentProxy.OutboundListenerPort != 0 {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.TransparentProxy.OutboundListenerPort = serviceConf.TransparentProxy.OutboundListenerPort
Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.
2021-04-12 15:35:14 +00:00
}
Add flag for transparent proxies to dial individual instances (#10329)
2021-06-09 20:34:17 +00:00
if serviceConf.TransparentProxy.DialedDirectly {
thisReply.TransparentProxy.DialedDirectly = serviceConf.TransparentProxy.DialedDirectly
}
Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.
2021-04-12 15:35:14 +00:00
if serviceConf.Mode != structs.ProxyModeDefault {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.Mode = serviceConf.Mode
Add TransparentProxy opt to proxy definition
2021-03-11 06:08:41 +00:00
}
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
}
Add integration test for central config; fix central config WIP (#5752) * Add integration test for central config; fix central config WIP * Add integration test for central config; fix central config WIP * Set proxy protocol correctly and begin adding upstream support * Add upstreams to service config cache key and start new notify watcher if they change. This doesn't update the tests to pass though. * Fix some merging logic get things working manually with a hack (TODO fix properly) * Simplification to not allow enabling sidecars centrally - it makes no sense without upstreams anyway * Test compile again and obvious ones pass. Lots of failures locally not debugged yet but may be flakes. Pushing up to see what CI does * Fix up service manageer and API test failures * Remove the enable command since it no longer makes much sense without being able to turn on sidecar proxies centrally * Remove version.go hack - will make integration test fail until release * Remove unused code from commands and upstream merge * Re-bump version to 1.5.0
2019-05-01 23:39:31 +00:00
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
// First collect all upstreams into a set of seen upstreams.
// Upstreams can come from:
// - Explicitly from proxy registrations, and therefore as an argument to this RPC endpoint
// - Implicitly from centralized upstream config in service-defaults
seenUpstreams := map[structs.ServiceID]struct{}{}
fallback to proxy config global protocol when upstream services' protocol is unset (#6277) fallback to proxy config global protocol when upstream services' protocol is unset Fixes #5857
2019-08-05 19:52:35 +00:00
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
upstreamIDs := args.UpstreamIDs
legacyUpstreams := false
Pass down upstream defaults to client proxies This is needed in case the client proxy is in TransparentProxy mode. Typically they won't have explicit configuration for every upstream, so this ensures the settings can be applied to all of them when generating xDS config.
2021-03-20 04:03:17 +00:00
var (
noUpstreamArgs = len(upstreamIDs) == 0 && len(args.Upstreams) == 0
Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.
2021-04-12 15:35:14 +00:00
// Check the args and the resolved value. If it was exclusively set via a config entry, then args.Mode
// will never be transparent because the service config request does not use the resolved value.
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
tproxy = args.Mode == structs.ProxyModeTransparent || thisReply.Mode == structs.ProxyModeTransparent
Pass down upstream defaults to client proxies This is needed in case the client proxy is in TransparentProxy mode. Typically they won't have explicit configuration for every upstream, so this ensures the settings can be applied to all of them when generating xDS config.
2021-03-20 04:03:17 +00:00
)
// The upstreams passed as arguments to this endpoint are the upstreams explicitly defined in a proxy registration.
Replace TransparentProxy bool with ProxyMode This PR replaces the original boolean used to configure transparent proxy mode. It was replaced with a string mode that can be set to: - "": Empty string is the default for when the setting should be defaulted from other configuration like config entries. - "direct": Direct mode is how applications originally opted into the mesh. Proxy listeners need to be dialed directly. - "transparent": Transparent mode enables configuring Envoy as a transparent proxy. Traffic must be captured and redirected to the inbound and outbound listeners. This PR also adds a struct for transparent proxy specific configuration. Initially this is not stored as a pointer. Will revisit that decision before GA.
2021-04-12 15:35:14 +00:00
// If no upstreams were passed, then we should only returned the resolved config if the proxy in transparent mode.
Pass down upstream defaults to client proxies This is needed in case the client proxy is in TransparentProxy mode. Typically they won't have explicit configuration for every upstream, so this ensures the settings can be applied to all of them when generating xDS config.
2021-03-20 04:03:17 +00:00
// Otherwise we would return a resolved upstream config to a proxy with no configured upstreams.
if noUpstreamArgs && !tproxy {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
*reply = thisReply
Pass down upstream defaults to client proxies This is needed in case the client proxy is in TransparentProxy mode. Typically they won't have explicit configuration for every upstream, so this ensures the settings can be applied to all of them when generating xDS config.
2021-03-20 04:03:17 +00:00
return nil
}
Prevent requests without UpstreamIDs from being flagged as legacy. New clients in transparent proxy mode can send requests for service config resolution without any upstream args because they do not have explicitly defined upstreams. Old clients on the other hand will never send requests without the Upstreams args unless they don't have upstreams, in which case we do not send back upstream config.
2021-03-20 01:59:00 +00:00
// The request is considered legacy if the deprecated args.Upstream was used
if len(upstreamIDs) == 0 && len(args.Upstreams) > 0 {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
legacyUpstreams = true
upstreamIDs = make([]structs.ServiceID, 0)
for _, upstream := range args.Upstreams {
Prevent requests without UpstreamIDs from being flagged as legacy. New clients in transparent proxy mode can send requests for service config resolution without any upstream args because they do not have explicitly defined upstreams. Old clients on the other hand will never send requests without the Upstreams args unless they don't have upstreams, in which case we do not send back upstream config.
2021-03-20 01:59:00 +00:00
// Before Consul namespaces were released, the Upstreams provided to the endpoint did not contain the namespace.
// Because of this we attach the enterprise meta of the request, which will just be the default namespace.
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
sid := structs.NewServiceID(upstream, &args.EnterpriseMeta)
upstreamIDs = append(upstreamIDs, sid)
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
}
}
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
// First store all upstreams that were provided in the request
for _, sid := range upstreamIDs {
if _, ok := seenUpstreams[sid]; !ok {
seenUpstreams[sid] = struct{}{}
}
}
connect: update centralized upstreams representation in service-defaults (#10015)
2021-04-15 19:21:44 +00:00
// Then store upstreams inferred from service-defaults and mapify the overrides.
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
var (
connect: update centralized upstreams representation in service-defaults (#10015)
2021-04-15 19:21:44 +00:00
upstreamConfigs = make(map[structs.ServiceID]*structs.UpstreamConfig)
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
upstreamDefaults *structs.UpstreamConfig
connect: update centralized upstreams representation in service-defaults (#10015)
2021-04-15 19:21:44 +00:00
// usConfigs stores the opaque config map for each upstream and is keyed on the upstream's ID.
usConfigs = make(map[structs.ServiceID]map[string]interface{})
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
)
connect: update centralized upstreams representation in service-defaults (#10015)
2021-04-15 19:21:44 +00:00
if serviceConf != nil && serviceConf.UpstreamConfig != nil {
for i, override := range serviceConf.UpstreamConfig.Overrides {
if override.Name == "" {
c.logger.Warn(
"Skipping UpstreamConfig.Overrides entry without a required name field",
"entryIndex", i,
"kind", serviceConf.GetKind(),
"name", serviceConf.GetName(),
"namespace", serviceConf.GetEnterpriseMeta().NamespaceOrEmpty(),
)
continue // skip this impossible condition
}
seenUpstreams[override.ServiceID()] = struct{}{}
upstreamConfigs[override.ServiceID()] = override
}
if serviceConf.UpstreamConfig.Defaults != nil {
upstreamDefaults = serviceConf.UpstreamConfig.Defaults
Pass down upstream defaults to client proxies This is needed in case the client proxy is in TransparentProxy mode. Typically they won't have explicit configuration for every upstream, so this ensures the settings can be applied to all of them when generating xDS config.
2021-03-20 04:03:17 +00:00
// Store the upstream defaults under a wildcard key so that they can be applied to
// upstreams that are inferred from intentions and do not have explicit upstream configuration.
cfgMap := make(map[string]interface{})
upstreamDefaults.MergeInto(cfgMap)
wildcard := structs.NewServiceID(structs.WildcardSpecifier, structs.WildcardEnterpriseMeta())
usConfigs[wildcard] = cfgMap
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
}
}
Turn Limits and PassiveHealthChecks into pointers
2021-03-11 18:04:40 +00:00
for upstream := range seenUpstreams {
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
resolvedCfg := make(map[string]interface{})
// The protocol of an upstream is resolved in this order:
// 1. Default protocol from proxy-defaults (how all services should be addressed)
// 2. Protocol for upstream service defined in its service-defaults (how the upstream wants to be addressed)
connect: update centralized upstreams representation in service-defaults (#10015)
2021-04-15 19:21:44 +00:00
// 3. Protocol defined for the upstream in the service-defaults.(upstream_config.defaults|upstream_config.overrides) of the downstream
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
// (how the downstream wants to address it)
protocol := proxyConfGlobalProtocol
_, upstreamSvcDefaults, err := state.ConfigEntry(ws, structs.ServiceDefaults, upstream.ID, &upstream.EnterpriseMeta)
Add integration test for central config; fix central config WIP (#5752) * Add integration test for central config; fix central config WIP * Add integration test for central config; fix central config WIP * Set proxy protocol correctly and begin adding upstream support * Add upstreams to service config cache key and start new notify watcher if they change. This doesn't update the tests to pass though. * Fix some merging logic get things working manually with a hack (TODO fix properly) * Simplification to not allow enabling sidecars centrally - it makes no sense without upstreams anyway * Test compile again and obvious ones pass. Lots of failures locally not debugged yet but may be flakes. Pushing up to see what CI does * Fix up service manageer and API test failures * Remove the enable command since it no longer makes much sense without being able to turn on sidecar proxies centrally * Remove version.go hack - will make integration test fail until release * Remove unused code from commands and upstream merge * Re-bump version to 1.5.0
2019-05-01 23:39:31 +00:00
if err != nil {
return err
}
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
if upstreamSvcDefaults != nil {
cfg, ok := upstreamSvcDefaults.(*structs.ServiceConfigEntry)
Add integration test for central config; fix central config WIP (#5752) * Add integration test for central config; fix central config WIP * Add integration test for central config; fix central config WIP * Set proxy protocol correctly and begin adding upstream support * Add upstreams to service config cache key and start new notify watcher if they change. This doesn't update the tests to pass though. * Fix some merging logic get things working manually with a hack (TODO fix properly) * Simplification to not allow enabling sidecars centrally - it makes no sense without upstreams anyway * Test compile again and obvious ones pass. Lots of failures locally not debugged yet but may be flakes. Pushing up to see what CI does * Fix up service manageer and API test failures * Remove the enable command since it no longer makes much sense without being able to turn on sidecar proxies centrally * Remove version.go hack - will make integration test fail until release * Remove unused code from commands and upstream merge * Re-bump version to 1.5.0
2019-05-01 23:39:31 +00:00
if !ok {
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
return fmt.Errorf("invalid service config type %T", upstreamSvcDefaults)
Add integration test for central config; fix central config WIP (#5752) * Add integration test for central config; fix central config WIP * Add integration test for central config; fix central config WIP * Set proxy protocol correctly and begin adding upstream support * Add upstreams to service config cache key and start new notify watcher if they change. This doesn't update the tests to pass though. * Fix some merging logic get things working manually with a hack (TODO fix properly) * Simplification to not allow enabling sidecars centrally - it makes no sense without upstreams anyway * Test compile again and obvious ones pass. Lots of failures locally not debugged yet but may be flakes. Pushing up to see what CI does * Fix up service manageer and API test failures * Remove the enable command since it no longer makes much sense without being able to turn on sidecar proxies centrally * Remove version.go hack - will make integration test fail until release * Remove unused code from commands and upstream merge * Re-bump version to 1.5.0
2019-05-01 23:39:31 +00:00
}
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
if cfg.Protocol != "" {
protocol = cfg.Protocol
}
}
if protocol != "" {
resolvedCfg["protocol"] = protocol
Add integration test for central config; fix central config WIP (#5752) * Add integration test for central config; fix central config WIP * Add integration test for central config; fix central config WIP * Set proxy protocol correctly and begin adding upstream support * Add upstreams to service config cache key and start new notify watcher if they change. This doesn't update the tests to pass though. * Fix some merging logic get things working manually with a hack (TODO fix properly) * Simplification to not allow enabling sidecars centrally - it makes no sense without upstreams anyway * Test compile again and obvious ones pass. Lots of failures locally not debugged yet but may be flakes. Pushing up to see what CI does * Fix up service manageer and API test failures * Remove the enable command since it no longer makes much sense without being able to turn on sidecar proxies centrally * Remove version.go hack - will make integration test fail until release * Remove unused code from commands and upstream merge * Re-bump version to 1.5.0
2019-05-01 23:39:31 +00:00
}
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
// Merge centralized defaults for all upstreams before configuration for specific upstreams
if upstreamDefaults != nil {
Restore old Envoy prefix on escape hatches This is done because after removing ID and NodeName from ServiceConfigRequest we will no longer know whether a request coming in is for a Consul client earlier than v1.10.
2021-03-15 20:12:57 +00:00
upstreamDefaults.MergeInto(resolvedCfg)
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
}
Pass MeshGateway config in service config request ResolveServiceConfig is called by service manager before the proxy registration is in the catalog. Therefore we should pass proxy registration flags in the request rather than trying to fetch them from the state store (where they may not exist yet).
2021-03-15 20:32:13 +00:00
// The MeshGateway value from the proxy registration overrides the one from upstream_defaults
// because it is specific to the proxy instance.
//
// The goal is to flatten the mesh gateway mode in this order:
// 0. Value from centralized upstream_defaults
// 1. Value from local proxy registration
connect: update centralized upstreams representation in service-defaults (#10015)
2021-04-15 19:21:44 +00:00
// 2. Value from centralized upstream_config
Pass MeshGateway config in service config request ResolveServiceConfig is called by service manager before the proxy registration is in the catalog. Therefore we should pass proxy registration flags in the request rather than trying to fetch them from the state store (where they may not exist yet).
2021-03-15 20:32:13 +00:00
// 3. Value from local upstream definition. This last step is done in the client's service manager.
if !args.MeshGateway.IsZero() {
resolvedCfg["mesh_gateway"] = args.MeshGateway
fallback to proxy config global protocol when upstream services' protocol is unset (#6277) fallback to proxy config global protocol when upstream services' protocol is unset Fixes #5857
2019-08-05 19:52:35 +00:00
}
connect: update centralized upstreams representation in service-defaults (#10015)
2021-04-15 19:21:44 +00:00
if upstreamConfigs[upstream] != nil {
upstreamConfigs[upstream].MergeInto(resolvedCfg)
Add integration test for central config; fix central config WIP (#5752) * Add integration test for central config; fix central config WIP * Add integration test for central config; fix central config WIP * Set proxy protocol correctly and begin adding upstream support * Add upstreams to service config cache key and start new notify watcher if they change. This doesn't update the tests to pass though. * Fix some merging logic get things working manually with a hack (TODO fix properly) * Simplification to not allow enabling sidecars centrally - it makes no sense without upstreams anyway * Test compile again and obvious ones pass. Lots of failures locally not debugged yet but may be flakes. Pushing up to see what CI does * Fix up service manageer and API test failures * Remove the enable command since it no longer makes much sense without being able to turn on sidecar proxies centrally * Remove version.go hack - will make integration test fail until release * Remove unused code from commands and upstream merge * Re-bump version to 1.5.0
2019-05-01 23:39:31 +00:00
}
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
if len(resolvedCfg) > 0 {
usConfigs[upstream] = resolvedCfg
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
}
}
// don't allocate the slices just to not fill them
if len(usConfigs) == 0 {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
*reply = thisReply
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
return nil
}
if legacyUpstreams {
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
// For legacy upstreams we return a map that is only keyed on the string ID, since they precede namespaces
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.UpstreamConfigs = make(map[string]map[string]interface{})
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
for us, conf := range usConfigs {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.UpstreamConfigs[us.ID] = conf
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
}
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
} else {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.UpstreamIDConfigs = make(structs.OpaqueUpstreamConfigs, 0, len(usConfigs))
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
for us, conf := range usConfigs {
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
thisReply.UpstreamIDConfigs = append(thisReply.UpstreamIDConfigs,
Update server-side config resolution and client-side merging
2021-03-11 04:05:11 +00:00
structs.OpaqueUpstreamConfig{Upstream: us, Config: conf})
Add integration test for central config; fix central config WIP (#5752) * Add integration test for central config; fix central config WIP * Add integration test for central config; fix central config WIP * Set proxy protocol correctly and begin adding upstream support * Add upstreams to service config cache key and start new notify watcher if they change. This doesn't update the tests to pass though. * Fix some merging logic get things working manually with a hack (TODO fix properly) * Simplification to not allow enabling sidecars centrally - it makes no sense without upstreams anyway * Test compile again and obvious ones pass. Lots of failures locally not debugged yet but may be flakes. Pushing up to see what CI does * Fix up service manageer and API test failures * Remove the enable command since it no longer makes much sense without being able to turn on sidecar proxies centrally * Remove version.go hack - will make integration test fail until release * Remove unused code from commands and upstream merge * Re-bump version to 1.5.0
2019-05-01 23:39:31 +00:00
}
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
}
server: ensure that central service config flattening properly resets the state each time (#10239) The prior solution to call reply.Reset() aged poorly since newer fields were added to the reply, but not added to Reset() leading serial blocking query loops on the server to blend replies. This could manifest as a service-defaults protocol change from default=>http not reverting back to default after the config entry reponsible was deleted.
2021-05-14 15:21:44 +00:00
*reply = thisReply
Add RPC endpoints for config entry operations
2019-04-07 06:38:08 +00:00
return nil
})
}
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
// preflightCheck is meant to have kind-specific system validation outside of
// content validation. The initial use case is restricting the ability to do
// writes of service-intentions until the system is finished migration.
func (c *ConfigEntry) preflightCheck(kind string) error {
switch kind {
case structs.ServiceIntentions:
server: intentions CRUD requires connect to be enabled (#9194) Fixes #9123
2020-11-13 22:19:12 +00:00
// Exit early if Connect hasn't been enabled.
if !c.srv.config.ConnectEnabled {
return ErrConnectNotEnabled
}
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
usingConfigEntries, err := c.srv.fsm.State().AreIntentionsInConfigEntries()
if err != nil {
return fmt.Errorf("system metadata lookup failed: %v", err)
}
if !usingConfigEntries {
return ErrIntentionsNotUpgradedYet
}
}
return nil
}