* backport of commit e1bf4284947af9edd36e9d6f4d2c32e2d1fe9b14
* backport of commit ddf214e638327cdf4b76d325d3c4194d6e26cee3
* backport of commit e41bd9c4e372c2b83d673d6f5c4afcfb44bdf14f
* backport of commit b9cfc86e145d0b90474a1e13f5f02ce7599d9f0f
* backport of commit 0ddf013d6c4e7d44c0c6dfff8fe0c56e5c4b6ca5
* backport of commit 1b0b513b05c1b14c9eb69f0e74f72fc7a0bba118
* backport of commit 29442ad641b0de0df9753cdd207b9f15bc76e6e5
* backport of commit 5e7ddf5c7ef764e7df8fa4f6cd03431e89e8b441
* backport of commit f2b6fa7b4362ecde79b3b8a9752da6d2774d44d8
* backport of commit 83b84a985a131c0ce2b10351f6dd5ca68cef5bf2
* backport of commit 56d81738cc8143ddec27cc5134af23da4bfc2dd8
* backport of commit 0ab44f06c7249adc8a0ba43c369c66ae1f18e8c8
* backport of commit 69c99fbccb711d32194eefd04419b854cacf8750
* backport of commit b79e1245c1bf765c97462f322c09965314317b0a
* backport of commit fb1441976be9c78a2d658b094e178a0c0f75eb5e
* backport of commit 3b7b2a04242e17fc88296fc248ba491e697697c4
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit 91c82db42b95f66f7edc75a668a3ebd44338e74f
* backport of commit 4be71ab9413232c1ccd537c66011bb529af65d34
---------
Co-authored-by: Xinyi Wang <xinyi.wang@hashicorp.com>
* backport of commit 1c8b71521297965bf04034caed10d29586084447
* backport of commit 0d690d9eb6d6f29bb2771f59c1a3c707360d92a5
---------
Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
* backport of commit 4f7d21da6cc2b314f82e92958dc215f25a023cb9
* backport of commit d1ba0e877c5713112dd77a2b1f8b16e34ea6c456
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit a8658bf7c88722c0b88481637c213ce838eb3c7c
* backport of commit 966673b5fe20854f815211fe97cfff30056a002d
* backport of commit 7cea575b3a5c28f014fb35c42f46079ccbeaeef0
* backport of commit 17e57a3abe52c19d323c4159b1521788298e8216
* backport of commit 86a7dc34657c4434cb89077fff95217744e596e5
* backport of commit 7f541fffaabb377de97e13b20e8052b9573643df
* backport of commit 4e46d282ff8f24418321e32924c466762dd3f459
* backport of commit 72d7b61634ffc539f4c5a70de6c648a51a74c9f4
* backport of commit 2b6169f7cb3bd374ce0a378fc174268790dd1d4b
* backport of commit b94a833ec952979e9fc7d6518ce30897b3477323
* backport of commit 74e0ec2a05ead2da243086dedab606ff16185afe
* backport of commit be0167b4920f2406f53f326780fff2f7633734d7
* backport of commit a92a3088b4d5431fc6668c1859cd46301e44af8e
* backport of commit 4b02d312d718ac9ea265d8d39463a7625e659c51
* backport of commit f131207d42ce1684a49e18c4096def2fa6d68a82
* backport of commit 3f0be37f49b0b006e5d9ecdba8e9a4af8c933230
* backport of commit 29ed7aaf6f7e080e41e896111b9f25b95af880a7
* backport of commit 8ae546707beaf3a52c28f2e5d8a9d85b965ee93c
* backport of commit 8ed74fcf442dd8cf5e9abb8317d106564c47cfd1
* backport of commit 36537bafb6962d2f966da754a19cbc6a23ef2535
* backport of commit ef7599d7789a216e688a4663538b2e9d06f82c07
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit 7196fb16d9a6277e351571bb0404747d34e50aaa
* backport of commit facfb7742d8de892457d8cecc7e820d2b14ae559
---------
Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
* no-op commit due to failed cherry-picking
* Fix formatting for webhook-certs Consul tutorial (#17810)
* Fix formatting for webhook-certs Consul tutorial
* Make a small grammar change to also pick up whitespace changes necessary for formatting
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
---------
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Steven Zamborsky <97125550+stevenzamborsky@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit 391db7e58b501b3ed7561fec352f2f3f5004a29f
* backport of commit f204d5b52ab80836128882a65d7d7c5e53b2fa3d
---------
Co-authored-by: Chris Thain <chris.m.thain@gmail.com>
* backport of commit 452d08d5e8e40c0710a2042dd1d67b8eaa5fe43d
* backport of commit 1f1f222c97f981a23de44be2afdef37c25f4a91a
---------
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
* backport of commit fa99a741344d96cda07cebd327cabe6d37858ae5
* backport of commit aef14f225347c42b3f62768f18f1cf8593303491
* backport of commit dd5e8e0efaba266c1701cb8c1a56c53857730161
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit c02c4445ccf3cd3dd15199932d81de78b32c1210
* backport of commit 3237e24a11496172837fb05a0dcdbd0266e8710e
* backport of commit 3bbd88fb79094dc641cd1ff43e8a8cdde92df3d9
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit 9f1631dc0db7c3320356d60500a7f28f38673d5f
* backport of commit 5b6b2e37c0d1e11dcf1a6a12e09932b8c18da620
---------
Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
* no-op commit due to failed cherry-picking
* docs: minor fixes to JWT auth docs (#17680)
* Fixes
* service intentions fixes
---------
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* backport of commit 1602c996fd1bc6d73f9a2c34d93687700307382a
* backport of commit 132c6ee6c5e119b904d2133cb93722a7ab321634
* backport of commit 5e64b930f55531d4d6668b797b5643b98489d163
* backport of commit 83a7b3fe52adc04835c52ffeb08adbcc3ac23d17
---------
Co-authored-by: Paul Glass <pglass@hashicorp.com>
* add docs for consul-k8s config read command
This PR adds documentation for the functionality introduced in
https://github.com/hashicorp/consul-k8s/pull/2078.
* add output
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
Fix ACL check on health endpoint
Prior to this change, the service health API would not explicitly return an
error whenever a token with invalid permissions was given, and it would instead
return empty results. With this change, a "Permission denied" error is returned
whenever data is queried. This is done to better support the agent cache, which
performs a fetch backoff sleep whenever ACL errors are encountered. Affected
endpoints are: `/v1/health/connect/` and `/v1/health/ingress/`.
* agent: configure server lastseen timestamp
Signed-off-by: Dan Bond <danbond@protonmail.com>
* use correct config
Signed-off-by: Dan Bond <danbond@protonmail.com>
* add comments
Signed-off-by: Dan Bond <danbond@protonmail.com>
* use default age in test golden data
Signed-off-by: Dan Bond <danbond@protonmail.com>
* add changelog
Signed-off-by: Dan Bond <danbond@protonmail.com>
* fix runtime test
Signed-off-by: Dan Bond <danbond@protonmail.com>
* agent: add server_metadata
Signed-off-by: Dan Bond <danbond@protonmail.com>
* update comments
Signed-off-by: Dan Bond <danbond@protonmail.com>
* correctly check if metadata file does not exist
Signed-off-by: Dan Bond <danbond@protonmail.com>
* follow instructions for adding new config
Signed-off-by: Dan Bond <danbond@protonmail.com>
* add comments
Signed-off-by: Dan Bond <danbond@protonmail.com>
* update comments
Signed-off-by: Dan Bond <danbond@protonmail.com>
* Update agent/agent.go
Co-authored-by: Dan Upton <daniel@floppy.co>
* agent/config: add validation for duration with min
Signed-off-by: Dan Bond <danbond@protonmail.com>
* docs: add new server_rejoin_age_max config definition
Signed-off-by: Dan Bond <danbond@protonmail.com>
* agent: add unit test for checking server last seen
Signed-off-by: Dan Bond <danbond@protonmail.com>
* agent: log continually for 60s before erroring
Signed-off-by: Dan Bond <danbond@protonmail.com>
* pr comments
Signed-off-by: Dan Bond <danbond@protonmail.com>
* remove unneeded todo
* agent: fix error message
Signed-off-by: Dan Bond <danbond@protonmail.com>
---------
Signed-off-by: Dan Bond <danbond@protonmail.com>
Co-authored-by: Dan Upton <daniel@floppy.co>
* snapshot: some improvements to the snapshot process
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Remove outdated usage of "Consul Connect" instead of Consul service mesh.
The connect subsystem in Consul provides Consul's service mesh capabilities.
However, the term "Consul Connect" should not be used as an alternative to
the name "Consul service mesh".
* Add MaxEjectionPercent to config entry
* Add BaseEjectionTime to config entry
* Add MaxEjectionPercent and BaseEjectionTime to protobufs
* Add MaxEjectionPercent and BaseEjectionTime to api
* Fix integration test breakage
* Verify MaxEjectionPercent and BaseEjectionTime in integration test upstream configs
* Website docs for MaxEjectionPercent and BaseEjectionTime
* Add `make docs` to browse docs at http://localhost:3000
* Changelog entry
* so that is the difference between consul-docker and dev-docker
* blah
* update proto funcs
* update proto
---------
Co-authored-by: Maliz <maliheh.monshizadeh@hashicorp.com>
* added method for converting SamenessGroupConfigEntry
- added new method `ToQueryFailoverTargets` for converting a SamenessGroupConfigEntry's members to a list of QueryFailoverTargets
- renamed `ToFailoverTargets` to `ToServiceResolverFailoverTargets` to distinguish it from `ToQueryFailoverTargets`
* Added SamenessGroup to PreparedQuery
- exposed Service.Partition to API when defining a prepared query
- added a method for determining if a QueryFailoverOptions is empty
- This will be useful for validation
- added unit tests
* added method for retrieving a SamenessGroup to state store
* added logic for using PQ with SamenessGroup
- added branching path for SamenessGroup handling in execute. It will be handled separately from the normal PQ case
- added a new interface so that the `GetSamenessGroupFailoverTargets` can be properly tested
- separated the execute logic into a `targetSelector` function so that it can be used for both failover and sameness group PQs
- split OSS only methods into new PQ OSS files
- added validation that `samenessGroup` is an enterprise only feature
* added documentation for PQ SamenessGroup
Prior to this change, peer services would be targeted by service-default
overrides as long as the new `peer` field was not found in the config entry.
This commit removes that deprecated backwards-compatibility behavior. Now
it is necessary to specify the `peer` field in order for upstream overrides
to apply to a peer upstream.
* Fix API GW broken link
* Update website/content/docs/api-gateway/upgrades.mdx
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
---------
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
This is part of an effort to raise awareness that you need to monitor
your mesh CA if coming from an external source as you'll need to manage
the rotation.
* converted intentions conf entry to ref CT format
* set up intentions nav
* add page for intentions usage
* final intentions usage page
* final intentions overview page
* fixed old relative links
* updated diagram for overview
* updated links to intentions content
* fixed typo in updated links
* rename intentions overview page file to index
* rollback link updates to intentions overview
* fixed nav
* Updated custom HTML in API and CLI pages to MD
* applied suggestions from review to index page
* moved conf examples from usage to conf ref
* missed custom HTML section
* applied additional feedback
* Apply suggestions from code review
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
* updated headings in usage page
* renamed files and updated nav
* updated links to new file names
* added redirects and final tweaks
* typo
---------
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
* Fix broken links in Consul docs
* more broken link fixes
* more 404 fixes
* 404 fixes
* broken link fix
---------
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
* First cluster grpc service should be NodePort
This is based on the issue opened here https://github.com/hashicorp/consul-k8s/issues/1903
If you follow the documentation https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/single-dc-multi-k8s exactly as it is, the first cluster will only create the consul UI service on NodePort but not the rest of the services (including for grpc). By default, from the helm chart, they are created as headless services by setting clusterIP None. This will cause an issue for the second cluster to discover consul server on the first cluster over gRPC as it simply cannot connect through the gRPC default port 8502, and it ends up in an error as shown in the issue https://github.com/hashicorp/consul-k8s/issues/1903
As a solution, the grpc service should be exposed using NodePort (or LoadBalancer). I added those changes required in both cluster1-values.yaml and cluster2-values.yaml, and also a description for those changes for the normal users to understand. Kindly review and I hope this PR will be accepted.
* Update website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Update website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
* Update website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
---------
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Ashvitha Sridharan <ashvitha.sridharan@hashicorp.com>
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
Add a new envoy flag: "envoy_hcp_metrics_bind_socket_dir", a directory
where a unix socket will be created with the name
`<namespace>_<proxy_id>.sock` to forward Envoy metrics.
If set, this will configure:
- In bootstrap configuration a local stats_sink and static cluster.
These will forward metrics to a loopback listener sent over xDS.
- A dynamic listener listening at the socket path that the previously
defined static cluster is sending metrics to.
- A dynamic cluster that will forward traffic received at this listener
to the hcp-metrics-collector service.
Reasons for having a static cluster pointing at a dynamic listener:
- We want to secure the metrics stream using TLS, but the stats sink can
only be defined in bootstrap config. With dynamic listeners/clusters
we can use the proxy's leaf certificate issued by the Connect CA,
which isn't available at bootstrap time.
- We want to intelligently route to the HCP collector. Configuring its
address at bootstrap time limits our flexibility routing-wise. More
on this below.
Reasons for defining the collector as an upstream in `proxycfg`:
- The HCP collector will be deployed as a mesh service.
- Certificate management is taken care of, as mentioned above.
- Service discovery and routing logic is automatically taken care of,
meaning that no code changes are required in the xds package.
- Custom routing rules can be added for the collector using discovery
chain config entries. Initially the collector is expected to be
deployed to each admin partition, but in the future could be deployed
centrally in the default partition. These config entries could even be
managed by HCP itself.
* fixes for unsupported partitions field in CRD metadata block
* Apply suggestions from code review
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
---------
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
* Update the consul-k8s cli docs for the new `proxy log` subcommand
* Updated consul-k8s docs from PR feedback
* Added proxy log command to release notes