Commit graph

24 commits

Author SHA1 Message Date
hc-github-team-consul-core 08547ba585
backport of commit c0afba3a0c2ae093fee756a9019d49db25367d69 (#17975)
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
2023-06-30 14:20:50 +00:00
hc-github-team-consul-core e949c3fccc
Backport of ext-authz Envoy extension: support localhost as a valid target URI. into release/1.16.x (#17837)
* backport of commit 391db7e58b501b3ed7561fec352f2f3f5004a29f

* backport of commit f204d5b52ab80836128882a65d7d7c5e53b2fa3d

---------

Co-authored-by: Chris Thain <chris.m.thain@gmail.com>
2023-06-21 21:00:02 +00:00
hc-github-team-consul-core 7f36993bf1
backport of commit b0eb3ec3dd4781c26877996e01e3c70b1601c5b4 (#17788)
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2023-06-16 13:55:37 +00:00
hc-github-team-consul-core 8e201f8964
Backport of Property Override validation improvements into release/1.16.x (#17778)
* backport of commit 97c779b5a2308a05fde93247209fa6e9cd3fc310

* backport of commit dd56a6800bebc54dabd7883fddc22b25ca2bdb92

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2023-06-15 18:20:16 +00:00
hc-github-team-consul-core 9ad5bdfb93
backport of commit 649e551f7dead2e5b661924ec845564abf5fe40c (#17697)
Co-authored-by: Chris Thain <chris.m.thain@gmail.com>
2023-06-13 15:13:34 +00:00
hc-github-team-consul-core a1df92fe98
Backport of Default ProxyType for builtin extensions into release/1.16.x (#17667)
* backport of commit 131d234bdab165d96601b8064c49ce17ee5f141a

* backport of commit 1adc48734d9347599c8a694d427c6b26e5a748a1

---------

Co-authored-by: Chris Thain <chris.m.thain@gmail.com>
2023-06-12 18:13:29 +00:00
hc-github-team-consul-core 4d369c4aa4
backport of commit 2735bbe60f316a4d4539752a8dd63a3ca360e49b (#17613)
Co-authored-by: Eric <eric@haberkorn.co>
2023-06-08 14:41:44 +00:00
Michael Zalimeni c9143cff36
Disable terminating-gateway for property-override (#17605)
More validation is needed to ensure this behaves as expected; in the
meantime, align with docs and disable this proxy type.
2023-06-07 19:39:25 +00:00
Michael Zalimeni 378a15af32
Fix Property Override Services parsing (#17584)
Ensure that the embedded api struct is properly parsed when
deserializing config containing a set ResourceFilter.Services field.

Also enhance existing integration test to guard against bugs and
exercise this field.
2023-06-06 15:40:37 -04:00
Matt Keeler e909289454
Various bits of cleanup detected when using Go Workspaces (#17462)
TLDR with many modules the versions included in each diverged quite a bit. Attempting to use Go Workspaces produces a bunch of errors.

This commit:

1. Fixes envoy-library-references.sh to work again
2. Ensures we are pulling in go-control-plane@v0.11.0 everywhere (previously it was at that version in some modules and others were much older)
3. Remove one usage of golang/protobuf that caused us to have a direct dependency on it.
4. Remove deprecated usage of the Endpoint field in the grpc resolver.Target struct. The current version of grpc (v1.55.0) has removed that field and recommended replacement with URL.Opaque and calls to the Endpoint() func when needing to consume the previous field.
4. `go work init <all the paths to go.mod files>` && `go work sync`. This syncrhonized versions of dependencies from the main workspace/root module to all submodules
5. Updated .gitignore to ignore the go.work and go.work.sum files. This seems to be standard practice at the moment.
6. Update doc comments in protoc-gen-consul-rate-limit to be go fmt compatible
7. Upgraded makefile infra to perform linting, testing and go mod tidy on all modules in a flexible manner.
8. Updated linter rules to prevent usage of golang/protobuf
9. Updated a leader peering test to account for an extra colon in a grpc error message.
2023-06-05 16:08:39 -04:00
Eric Haberkorn bbf0b70b52
Add Upstream Service Targeting to Property Override Extension (#17517)
* add upstream service targeting to property override extension

* Also add baseline goldens for service specific property override extension.
* Refactor the extension framework to put more logic into the templates.

* fix up the golden tests
2023-05-30 14:53:42 -04:00
Chris Thain eddaa6b351
Enable Network filters for Wasm Envoy Extension (#17505) 2023-05-30 07:17:33 -07:00
Michael Zalimeni fa1db1f2e9
Support Listener and ClusterLoadAssignment in property-override (#17497)
* Support Listener in Property Override

Add support for patching `Listener` resources via the builtin
`property-override` extension.

Refactor existing listener patch code in `BasicEnvoyExtender` to
simplify addition of resource support.

* Support ClusterLoadAssignment in Property Override

Add support for patching `ClusterLoadAssignment` resources via the
builtin `property-override` extension.
2023-05-29 09:42:35 -04:00
Michael Zalimeni 61e2ea094c
Add builtin/property-override Envoy Extension (#17487)
`property-override` is an extension that allows for arbitrarily
patching Envoy resources based on resource matching filters. Patch
operations resemble a subset of the JSON Patch spec with minor
differences to facilitate patching pre-defined (protobuf) schemas.

See Envoy Extension product documentation for more details.

Co-authored-by: Eric Haberkorn <eric.haberkorn@hashicorp.com>
Co-authored-by: Kyle Havlovitz <kyle@hashicorp.com>
2023-05-26 19:52:09 +00:00
Chris Thain 38dbdc9393
Add builtin/ext-authz Envoy Extension (#17495) 2023-05-26 12:22:54 -07:00
Chris Thain c1ed6e307f
ENT->OSS merge for Consolidate ListEnvoyExtender into BasicEnvoyExtender (#17491) 2023-05-26 11:10:31 -07:00
Michael Zalimeni 4cae008559
Disable remote proxy patching except AWS Lambda (#17415)
To avoid unintended tampering with remote downstreams via service
config, refactor BasicEnvoyExtender and RuntimeConfig to disallow
typical Envoy extensions from being applied to non-local proxies.

Continue to allow this behavior for AWS Lambda and the read-only
Validate builtin extensions.

Addresses CVE-2023-2816.
2023-05-23 11:55:06 +00:00
Chris Thain f9126b6c3a
Wasm Envoy HTTP extension (#16877) 2023-04-06 14:12:07 -07:00
Ronald dd0e8eec14
copyright headers for agent folder (#16704)
* copyright headers for agent folder

* Ignore test data files

* fix proto files and remove headers in agent/uiserver folder

* ignore deep-copy files
2023-03-28 14:39:22 -04:00
Matt Keeler f3c80c4eef
Protobuf Refactoring for Multi-Module Cleanliness (#16302)
Protobuf Refactoring for Multi-Module Cleanliness

This commit includes the following:

Moves all packages that were within proto/ to proto/private
Rewrites imports to account for the packages being moved
Adds in buf.work.yaml to enable buf workspaces
Names the proto-public buf module so that we can override the Go package imports within proto/buf.yaml
Bumps the buf version dependency to 1.14.0 (I was trying out the version to see if it would get around an issue - it didn't but it also doesn't break things and it seemed best to keep up with the toolchain changes)

Why:

In the future we will need to consume other protobuf dependencies such as the Google HTTP annotations for openapi generation or grpc-gateway usage.
There were some recent changes to have our own ratelimiting annotations.
The two combined were not working when I was trying to use them together (attempting to rebase another branch)
Buf workspaces should be the solution to the problem
Buf workspaces means that each module will have generated Go code that embeds proto file names relative to the proto dir and not the top level repo root.
This resulted in proto file name conflicts in the Go global protobuf type registry.
The solution to that was to add in a private/ directory into the path within the proto/ directory.
That then required rewriting all the imports.

Is this safe?

AFAICT yes
The gRPC wire protocol doesn't seem to care about the proto file names (although the Go grpc code does tack on the proto file name as Metadata in the ServiceDesc)
Other than imports, there were no changes to any generated code as a result of this.
2023-02-17 16:14:46 -05:00
cskh 1c5ca0da53
feat: envoy extension - http local rate limit (#16196)
- http local rate limit
- Apply rate limit only to local_app
- unit test and integ test
2023-02-07 21:56:15 -05:00
Nitya Dhanushkodi 77f6b20db0
refactor: remove troubleshoot module dependency on consul top level module (#16162)
Ensure nothing in the troubleshoot go module depends on consul's top level module. This is so we can import troubleshoot into consul-k8s and not import all of consul.

* turns troubleshoot into a go module [authored by @curtbushko]
* gets the envoy protos into the troubleshoot module [authored by @curtbushko]
* adds a new go module `envoyextensions` which has xdscommon and extensioncommon folders that both the xds package and the troubleshoot package can import
* adds testing and linting for the new go modules
* moves the unit tests in `troubleshoot/validateupstream` that depend on proxycfg/xds into the xds package, with a comment describing why those tests cannot be in the troubleshoot package
* fixes all the imports everywhere as a result of these changes 

Co-authored-by: Curt Bushko <cbushko@gmail.com>
2023-02-06 09:14:35 -08:00
cskh 177c466ee1
improvement: prevent filter being added twice from any enovy extension (#16112)
* improvement: prevent filter being added twice from any enovy extension

* break if error != nil

* update test
2023-01-31 16:49:45 +00:00
Derek Menteer 81cf8f7de3
Add extension validation on config save and refactor extensions. (#16110) 2023-01-30 15:35:26 -06:00