Commit Graph

5004 Commits

Author SHA1 Message Date
Kyle Havlovitz dee8609793
Include virtual services from discovery chain in intention topology (#16862) 2023-04-21 16:58:13 +00:00
Kyle Havlovitz 29daa2f054
Add manual virtual IP support to state store (#16815) 2023-04-21 09:19:02 -07:00
Eric Haberkorn e61ba07fa1
Fix a bug with disco chain config entry fetching (#17078)
Before this change, we were not fetching service resolvers (and therefore
service defaults) configuration entries for services on members of sameness
groups.
2023-04-21 09:18:32 -04:00
Semir Patel b12d638046
Enforce operator:write acl on `WriteStatus` endpoint (#17019) 2023-04-20 16:25:33 +00:00
Eric Haberkorn 87994e4c5f
Add sameness groups to service intentions. (#17064) 2023-04-20 12:16:04 -04:00
hashicorp-copywrite[bot] 87aee8308b
[COMPLIANCE] Add Copyright and License Headers (#16854)
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Co-authored-by: Ronald <roncodingenthusiast@users.noreply.github.com>
2023-04-20 12:40:22 +00:00
Paul Glass 972e81bd67
[NET-3091] Update service intentions to support jwt provider references (#17037)
* [NET-3090] Add new JWT provider config entry

* Add initial test cases

* update validations for jwt-provider config entry fields

* more validation

* start improving tests

* more tests

* Normalize

* Improve tests and move validate fns

* usage test update

* Add split between ent and oss for partitions

* fix lint issues

* Added retry backoff, fixed tests, removed unused defaults

* take into account default partitions

* use countTrue and add aliases

* omit audiences if empty

* fix failing tests

* add omit-entry

* Add JWT intentions

* generate proto

* fix deep copy issues

* remove extra field

* added some tests

* more tests

* add validation for creating existing jwt

* fix nil issue

* More tests, fix conflicts and improve memdb call

* fix namespace

* add aliases

* consolidate errors, skip duplicate memdb calls

* reworked iteration over config entries

* logic improvements from review

---------

Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
2023-04-19 18:16:39 -04:00
Paul Glass 91ca3b012c
[NET-3090] Add new JWT provider config entry (#17036)
* [NET-3090] Add new JWT provider config entry

* Add initial test cases

* update validations for jwt-provider config entry fields

* more validation

* start improving tests

* more tests

* Normalize

* Improve tests and move validate fns

* usage test update

* Add split between ent and oss for partitions

* fix lint issues

* Added retry backoff, fixed tests, removed unused defaults

* take into account default partitions

* use countTrue and add aliases

* omit audiences if empty

* fix failing tests

* add omit-entry

* update copyright headers ids

---------

Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
Co-authored-by: Ronald <roncodingenthusiast@users.noreply.github.com>
2023-04-19 17:54:14 -04:00
Paul Glass d8d89d4b59
Permissive mTLS (#17035)
This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode.
Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application.

* Update service-defaults and proxy-defaults config entries with a MutualTLSMode field
* Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode.
* Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
2023-04-19 14:45:00 -05:00
R.B. Boyer 5e019393d3
Revert "cache: refactor agent cache fetching to prevent unnecessary f… (#16818) (#17046)
Revert "cache: refactor agent cache fetching to prevent unnecessary fetches on error (#14956)"

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
2023-04-19 13:17:21 -05:00
John Murret d7c488762e
ci: remove test-integrations CircleCI workflow (#16928)
* remove all CircleCI files

* remove references to CircleCI

* remove more references to CircleCI

* pin golangci-lint to v1.51.1 instead of v1.51
2023-04-19 16:19:29 +00:00
Luke Kysow 9345ce89d4
Don't send updates twice (#16999) 2023-04-18 10:41:58 -07:00
Poonam Jadhav 4f7d1b4700
feat: set up reporting agent (#16991) 2023-04-18 11:03:05 -04:00
Dan Upton 3466c85cc4
server: wire up in-process Resource Service (#16978) 2023-04-18 10:03:23 +01:00
Semir Patel 0674f30fc1
Tenancy wildcard validaton for `Write`, `Read`, and `Delete` endpoints (#17004) 2023-04-17 16:33:20 -05:00
Derek Menteer 7ce928a42e
Add PrioritizeByLocality to config entries. (#17007)
This commit adds the PrioritizeByLocality field to both proxy-config
and service-resolver config entries for locality-aware routing. The
field is currently intended for enterprise only, and will be used to
enable prioritization of service-mesh connections to services based
on geographical region / zone.
2023-04-14 15:42:54 -05:00
Michael Wilkerson 4edb1b553d
* added Sameness Group to proto files (#16998)
- added Sameness Group to config entries
- added Sameness Group to subscriptions

* generated proto files

* added Sameness Group events to the state store
- added test cases

* Refactored health RPC Client
- moved code that is common to rpcclient under rpcclient common.go. This will help set us up to support future RPC clients

* Refactored proxycfg glue views
- Moved views to rpcclient config entry. This will allow us to reuse this code for a config entry client

* added config entry RPC Client
- Copied most of the testing code from rpcclient/health

* hooked up new rpcclient in agent

* fixed documentation and comments for clarity
2023-04-14 09:24:46 -07:00
Dhia Ayachi b628355cc4
add IP rate limiting config update (#16997)
* add IP rate limiting config update

* fix review comments
2023-04-14 09:26:38 -04:00
Semir Patel fc3d024d4d
Enforce Owner rules in `Write` endpoint (#16983) 2023-04-14 08:19:46 -05:00
Semir Patel 1f860b99d2
Fix delete when uid not provided (#16996) 2023-04-14 08:18:24 -05:00
Eric Haberkorn ece9b58e97
move enterprise test cases out of open source (#16985) 2023-04-13 09:07:06 -04:00
Semir Patel f9311318e1
Add mutate hook to `Write` endpoint (#16958) 2023-04-12 16:50:07 -05:00
Semir Patel 53a0755f03
Enforce ACLs on resource `Write` and `Delete` endpoints (#16956) 2023-04-12 16:22:44 -05:00
Dhia Ayachi 825663b38a
Memdb Txn Commit race condition fix (#16871)
* Add a test to reproduce the race condition

* Fix race condition by publishing the event after the commit and adding a lock to prevent out of order events.

* split publish to generate the list of events before committing the transaction.

* add changelog

* remove extra func

* Apply suggestions from code review

Co-authored-by: Dan Upton <daniel@floppy.co>

* add comment to explain test

---------

Co-authored-by: Dan Upton <daniel@floppy.co>
2023-04-12 13:18:01 -04:00
Poonam Jadhav c8d21de074
feat: add reporting config with reload (#16890) 2023-04-11 15:04:02 -04:00
Dan Upton d46543631c
resource: `WriteStatus` endpoint (#16886) 2023-04-11 19:23:14 +01:00
Derek Menteer 2a13c9af1f
Remove deprecated service-defaults upstream behavior. (#16957)
Prior to this change, peer services would be targeted by service-default
overrides as long as the new `peer` field was not found in the config entry.
This commit removes that deprecated backwards-compatibility behavior. Now
it is necessary to specify the `peer` field in order for upstream overrides
to apply to a peer upstream.
2023-04-11 10:20:33 -05:00
Semir Patel 8d0d600ea3
Resource validation hook for `Write` endpoint (#16950) 2023-04-11 06:55:32 -05:00
Semir Patel ca19954c08
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 06:10:14 -05:00
John Maguire 3d11e9b26a
APIGW: Routes with duplicate parents should be invalid (#16926)
* ensure route parents are unique when creating an http route

* Ensure tcp route parents are unique

* Added unit tests
2023-04-10 13:20:32 -04:00
John Eikenberry 30d3a087dc
log warning about certificate expiring sooner and with more details
The old setting of 24 hours was not enough time to deal with an expiring certificates. This change ups it to 28 days OR 40% of the full cert duration, whichever is shorter. It also adds details to the log message to indicate which certificate it is logging about and a suggested action.
2023-04-07 20:38:07 +00:00
Chris Thain f9126b6c3a
Wasm Envoy HTTP extension (#16877) 2023-04-06 14:12:07 -07:00
Semir Patel 2b0a5b52c2
Resource `Delete` endpoint (#16756) 2023-04-06 08:58:54 -05:00
Dan Upton 4e8ab7a390
Resource `Write` endpoint (#16786) 2023-04-06 10:40:04 +01:00
Dan Upton 52ce151221
Raft storage backend (#16619) 2023-04-04 17:30:06 +01:00
cskh 97c4424743
docs: add envoy to the proxycfg diagram (#16834)
* docs: add envoy to the proxycfg diagram
2023-04-04 09:42:42 -04:00
Freddy 04e6e79b09
Allow dialer to re-establish terminated peering (#16776)
Currently, if an acceptor peer deletes a peering the dialer's peering
will eventually get to a "terminated" state. If the two clusters need to
be re-peered the acceptor will re-generate the token but the dialer will
encounter this error on the call to establish:

"failed to get addresses to dial peer: failed to refresh peer server
addresses, will continue to use initial addresses: there is no active
peering for "<<<ID>>>""

This is because in `exchangeSecret().GetDialAddresses()` we will get an
error if fetching addresses for an inactive peering. The peering shows
up as inactive at this point because of the existing terminated state.

Rather than checking whether a peering is active we can instead check
whether it was deleted. This way users do not need to delete terminated
peerings in the dialing cluster before re-establishing them.
2023-04-03 12:07:45 -06:00
Chris S. Kim 8671448b73
Connect CA Primary Provider refactor (#16749)
* Rename Intermediate cert references to LeafSigningCert

Within the Consul CA subsystem, the term "Intermediate"
is confusing because the meaning changes depending on
provider and datacenter (primary vs secondary). For
example, when using the Consul CA the "ActiveIntermediate"
may return the root certificate in a primary datacenter.

At a high level, we are interested in knowing which
CA is responsible for signing leaf certs, regardless of
its position in a certificate chain. This rename makes
the intent clearer.

* Move provider state check earlier

* Remove calls to GenerateLeafSigningCert

GenerateLeafSigningCert (formerly known
as GenerateIntermediate) is vestigial in
non-Vault providers, as it simply returns
the root certificate in primary
datacenters.

By folding Vault's intermediate cert logic
into `GenerateRoot` we can encapsulate
the intermediate cert handling within
`newCARoot`.

* Move GenerateLeafSigningCert out of PrimaryProvidder

Now that the Vault Provider calls
GenerateLeafSigningCert within
GenerateRoot, we can remove the method
from all other providers that never
used it in a meaningful way.

* Add test for IntermediatePEM

* Rename GenerateRoot to GenerateCAChain

"Root" was being overloaded in the Consul CA
context, as different providers and configs
resulted in a single root certificate or
a chain originating from an external trusted
CA. Since the Vault provider also generates
intermediates, it seems more accurate to
call this a CAChain.
2023-04-03 11:40:33 -04:00
Eric Haberkorn beb9f17337
Add default resolvers to disco chains based on the default sameness group (#16837) 2023-03-31 14:35:56 -04:00
Derek Menteer ee59a81dc9
Add sameness-group to exported-services config entries (#16836)
This PR adds the sameness-group field to exported-service
config entries, which allows for services to be exported
to multiple destination partitions / peers easily.
2023-03-31 12:36:44 -05:00
Dan Upton 37207b4e4c
storage: fix resource leak in Watch (#16817) 2023-03-31 13:24:19 +01:00
Eric Haberkorn b97a3a17d8
add order by locality failover to Consul enterprise (#16791) 2023-03-30 10:08:38 -04:00
Ronald 71fb0a723e
Copyright headers for missing files/folders (#16708)
* copyright headers for agent folder
2023-03-28 18:48:58 -04:00
Ronald dd0e8eec14
copyright headers for agent folder (#16704)
* copyright headers for agent folder

* Ignore test data files

* fix proto files and remove headers in agent/uiserver folder

* ignore deep-copy files
2023-03-28 14:39:22 -04:00
John Maguire 09512ae32d
Update normalization of route refs (#16789)
* Use merge of enterprise meta's rather than new custom method

* Add merge logic for tcp routes

* Add changelog

* Normalize certificate refs on gateways

* Fix infinite call loop

* Explicitly call enterprise meta
2023-03-28 11:23:49 -04:00
Michael Wilkerson baa1fd3cd6
changes to support new PQ enterprise fields (#16793) 2023-03-27 15:40:49 -07:00
Semir Patel bd4a01f38f
Resource service List(..) endpoint (#16753) 2023-03-27 16:25:27 -05:00
Dhia Ayachi 6da620159e
add ip rate limiter controller OSS parts (#16790) 2023-03-27 17:00:25 -04:00
Kyle Havlovitz 045f39ddd9
Allocate virtual ip for resolver/router/splitter config entries (#16760) 2023-03-27 13:04:24 -07:00
Semir Patel 0b441e07cc
WatchList(..) endpoint for the resource service (#16726) 2023-03-27 14:37:54 -05:00