Commit Graph

18276 Commits

Author SHA1 Message Date
R.B. Boyer 7672532b05
xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629)
When the protocol is http-like, and an intention has a peered source
then the normal RBAC mTLS SAN field check is replaced with a joint combo
of:

    mTLS SAN field must be the service's local mesh gateway leaf cert
      AND
    the first XFCC header (from the MGW) must have a URI field that matches the original intention source

Also:

- Update the regex program limit to be much higher than the teeny
  defaults, since the RBAC regex constructions are more complicated now.

- Fix a few stray panics in xds generation.
2022-06-29 10:29:54 -05:00
Tu Nguyen 3c608f5536
Fix typo in cluster peering docs (#13574)
* Fix typo in cluster peering docs
* Remove highlight, update curly quotes
2022-06-28 15:54:57 -07:00
R.B. Boyer 3445c6b09a
xds: have mesh gateways forward peered SpiffeIDs using the XFCC header (#13625) 2022-06-28 15:32:42 -05:00
R.B. Boyer 115000144b
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624)
A mesh gateway will now configure the filter chains for L7 exported
services using the correct discovery chain information.
2022-06-28 14:52:25 -05:00
R.B. Boyer f3f941f1a0
test: for upgrade compatibility tests retain assigned container ip addresses on upgrade (#13615)
Use a synthetic pod construct to hold onto the IP address in the
interim.
2022-06-28 09:50:13 -05:00
Dan Upton 883ccc2a98
test: run Envoy integration tests against both servers and clients (#13610) 2022-06-28 13:15:45 +01:00
Michele Degges f6f41da860
Turn off sec-scanner check (#13614) 2022-06-27 15:52:51 -07:00
Evan Culver 7353ca9eb5
Fix verifications by using updated arm package names (#13601)
Co-authored-by: alex <8968914+acpana@users.noreply.github.com>
2022-06-27 14:00:27 -07:00
R.B. Boyer 2dba16be52
peering: replicate all SpiffeID values necessary for the importing side to do SAN validation (#13612)
When traversing an exported peered service, the discovery chain
evaluation at the other side may re-route the request to a variety of
endpoints. Furthermore we intend to terminate mTLS at the mesh gateway
for arriving peered traffic that is http-like (L7), so the caller needs
to know the mesh gateway's SpiffeID in that case as well.

The following new SpiffeID values will be shipped back in the peerstream
replication:

- tcp: all possible SpiffeIDs resulting from the service-resolver
        component of the exported discovery chain

- http-like: the SpiffeID of the mesh gateway
2022-06-27 14:37:18 -05:00
Kyle Havlovitz 891a864b75
Merge pull request #13611 from hashicorp/prometheus-tls-docs
Update docs for prometheus TLS options
2022-06-27 09:51:06 -07:00
Kyle Havlovitz cc2bcb2b9f Update docs for prometheus TLS options 2022-06-27 09:33:27 -07:00
Amier Chery d3512e7fdd
Merge pull request #13516 from maxb/docs-fix-metric-dots
Fix use of trailing dots on metric names in telemetry.mdx
2022-06-27 10:31:11 -04:00
Amier Chery 3f297373ac
Merge pull request #13603 from loicsaintroch/patch-1
Add HashiBox to community tools
2022-06-27 10:29:30 -04:00
Loïc Saint-Roch 2c89485870
Add HashiBox to community tools 2022-06-26 15:50:25 +02:00
Kyle Havlovitz 57eb442c51
Merge pull request #13481 from hashicorp/envoy-prometheus-tls
Add TLS support in Envoy Prometheus endpoint
2022-06-24 15:36:40 -07:00
alex 4333312be9
peering, internal: support UIServices, UINodes, UINodeInfo (#13577) 2022-06-24 15:17:35 -07:00
Michele Degges 5538ba212f
[CI-only] Dev tag update for main (#13541) 2022-06-24 13:45:57 -07:00
Evan Culver 187c72ead6
Remove trigger-oss-merge job (#13600) 2022-06-24 13:45:30 -07:00
Chris S. Kim a5f9994128
Add new index for PeeredServiceName and ServiceVirtualIP (#13582)
For TProxy we will be leveraging the VirtualIP table, which needs to become peer-aware
2022-06-24 14:38:39 -04:00
R.B. Boyer 988919a581
tests: ensure integration tests show logs from the containers to help debugging (#13593) 2022-06-24 10:26:17 -05:00
Matt Keeler 91b8bf4b55
Clarify the wording of the peering limitations in the preview (#13590) 2022-06-24 09:58:31 -04:00
Frank DiRocco 49856e8cec
update terraform module location for consul aws modules (#13522)
Co-authored-by: Paul Glass <pglass@hashicorp.com>
2022-06-23 22:10:44 -07:00
Paul Glass c1b2b2c980
docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 16:42:40 -05:00
David Yu 094e801644
docs: add missing $ gossip key rotation (#13581) 2022-06-23 14:31:05 -07:00
David Yu baf6c67415
docs: add indent to code block config tab to align with other branches (#13573) 2022-06-23 08:38:36 -07:00
alex 2c837a21df
Merge pull request #13570 from hashicorp/acpance/peering-oss-intentions
oss: peering, http: get peer service intentions (#2098)
2022-06-23 08:15:59 -07:00
Will Jordan 25f4c44268
Add per-node max indexes (#12399)
Adds fine-grained node.[node] entries to the index table, allowing blocking queries to return fine-grained indexes that prevent them from returning immediately when unrelated nodes/services are updated.

Co-authored-by: kisunji <ckim@hashicorp.com>
2022-06-23 11:13:25 -04:00
Chris S. Kim aaf3c051f2
Make memdb indexers generic (#13558)
We have many indexer functions in Consul which take interface{} and type assert before building the index. We can use generics to get rid of the initial plumbing and pass around functions with better defined signatures. This has two benefits: 1) Less verbosity; 2) Developers can parse the argument types to memdb schemas without having to introspect the function for the type assertion.
2022-06-23 11:07:19 -04:00
Matt Keeler dc19b9f46f
Port over the index 0 -> 1 code that lived in the old rpc setQueryMeta function. (#13561) 2022-06-23 09:34:47 -04:00
Michael Klein 272c878559
ui: feature-flagged peering mvp (#13425)
* add peers route

* add peers to nav

* use regular app ui patterns peers template

* use empty state in peers UI

* mock `v1/peerings` request

* implement custom adapter/serializer for `peers`-model

* index request for peerings on peers route

* update peers list to show as proper list

* Use tailwind for easier styling

* Unique ids in peerings response mock-api

* Add styling peerings list

* Allow creating empty tooltip

To make it easier to iterate over a set of items where some items
should not display a tooltip and others should.

* Add tooltip Peerings:Badge

* Add undefined peering state badge

* Remove imported/exported services count peering

This won't be included in the initial version of the API response

* Implement Peerings::Search

* Make it possible to filter peerings by name

* Install ember-keyboard

For idiomatic handling of key-presses.

* Clear peering search input when pressing `Escape`

* use peers.index instead of peers for peerings listing

* Allow to include peered services in services-query

* update services mock to add peerName

* add Consul::Peer component

To surface peering information on a resource

* add PeerName as attribute to service model

* surface peering information in service list

* Add tooltip to Consul::Peer

* Make services searchable by peer-name

* Allow passing optional query-params to href-to

* Add peer query-param to dc.services.show

* Pass peer as query-param services listing

* support option peer route-param

* set peer-name undefined in services serializer when empty

* update peer route-param when navigating to peered service

* request service with peer-name if need be

* make sure to reset peer route-param when leaving service.show

* componentize services.peer-info

* surface peer info services.show

* make sure to reset peer route-param in main nav

* fix services breadcrumb services.intentions

we need to reset peer route-param here to not break the app

* surface peer when querying for it on service api call

* query for peer info service-instance api calls

* surface peer info service-instance.show

* Camelize peer attributes to match rest of app

* Refactor peers.index to reflect camelized attributes for peer

* Remove unused query-params services.show

* make logo href reset peer route-param

* Cleanup optional peer param query service-instance

* Use replace decorator instead of serializer for empty peerName

* make sure to only send peer info when correct qp is passed

* Always send qp for querying peers services request

* rename with-imports to with-peers

* Use css for peer-icon

* Refactor bucket-list component to surface peer-info

* Remove Consul::Peer component

This info is now displayed via the bucket-list component

* Fix bucket-list component to surface service again

* Update bucket-list docs to reflect peer-info addition

* Remove tailwind related styles

* Remove consul-tailwind package

We won't be using tailwind for now

* Fix typo badge scss

* Add with-import handling mock-api nodes

* Add peerName to node attributes

* include peers when querying nodes

* reflect api updates node list mock

* Create consul::node::peer-info component

* Surface peer-info in nodes list

* Mock peer response for node request

* Make it possible to add peer-name to node request

* Update peer route-param when linking to node

* Reset peers route-param when leaving nodes.show

We need to reset the route-param to not introduce a bug - otherwise
subsequent node show request would request with the old peer query-param

* Add sourcePeer intentions api mock

* add SourcePeer attr to intentions model

* Surface peering info on intentions list

* Request peered intentions differently intentions.edit

* Handle peer info in intentions/exact mock

* Surface peering info intention view

* Add randomized peer data topology mock

* Surface peer info topology view

* fix service/peer-info styling

We aren't using tailwind anymore - we need to create a custom scss file

* Update peerings api mocks

* Update peerings::badge with updated styling

* cleanup intentions/exact mock

* Create watcher component to declaratively register polling

* Poll peers in background when on peers route

* use existing colors for peering-badge

* Add test for requesting service with `with-peers`-query

* add imported/exported count to peers model

* update mock-api to surface exported/imported count on peers

* Show exported/imported peers count on peers list

* Use translations for service import/export UI peers

* Make sure to ask for nodes with peers

* Add match-url step for easier url testing of service urls

* Add test for peer-name on peered services

* Add test for service navigation peered service

* Implement feature-flag handling

* Enable peering feature in test and development

* Redirect peers to services.index when feature-flag is disabled

* Only query for peers when feature is enabled

* Only show peers in nav when feature is enabled

* Componentize peering service count detail

* Handle non-state Peerings::Badge

* Use Peerings::ServiceCount in peerings list

* Only send peer query for peered service-instances.

* Add step to visit url directly

* add test for accessing peered service directly

* Remove unused service import peers.index

* Only query for peer when peer provided node-adapter

* fix tests
2022-06-23 14:16:26 +01:00
David Yu e8f7a1f2c1
docs: add Core requirements to cluster peering k8s docs (#13569)
* docs: add Core requirements to cluster peering k8s docs

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-06-22 19:12:08 -07:00
acpana 07cd838e77
oss: peering, http: get peer service intentions (#2098)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-06-22 16:25:09 -07:00
trujillo-adam 760df49741
Merge pull request #13492 from hashicorp/docs-ecs-mesh-gw
Docs for ECS Mesh Gateway
2022-06-22 15:55:31 -07:00
Kyle Schochenmaier 11fb9f6e37
[docs] update doc headers (#13527)
* update helm docs to have correct headers
2022-06-22 15:56:25 -05:00
Kyle Havlovitz 6f31bf85ee
Merge pull request #13526 from hashicorp/dns-parititon-docs
docs: Clarify section on partitioned node DNS lookups
2022-06-22 10:59:04 -07:00
Kyle Havlovitz aeb943fb0d docs: Clarify section on partitioned node DNS lookups 2022-06-22 10:41:13 -07:00
trujillo-adam e8b1ac2060 applied feedback from review 2022-06-22 10:18:56 -07:00
Tu Nguyen 2041b5f0a9
Merge pull request #13550 from hashicorp/docs/peering-upstream-annotation
Docs/peering upstream annotation
2022-06-22 01:02:23 -07:00
David Yu ac14ef53b2 slight update to retrigger tests 2022-06-22 00:34:49 -07:00
Tu Nguyen a9efa089ad
Merge pull request #13538 from hashicorp/eculver/1.13.0-changelog
Add changelog entries for 1.13.0-alpha1 and 1.13.0-alpha2
2022-06-22 00:10:34 -07:00
Tu Nguyen a35d37c574
Merge pull request #13433 from hashicorp/docs-cluster-peering-technical-preview
docs: Cluster Peering for OSS Technical Preview
2022-06-22 00:10:11 -07:00
Tu Nguyen a6865de076
Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-06-22 00:05:32 -07:00
Tu Nguyen efc30989f8
Merge pull request #13501 from hashicorp/peering-helm-value
docs: add peering helm value
2022-06-22 00:03:33 -07:00
Jeff Apple 4895c5f8b9
Merge pull request #13427 from hashicorp/docs/capigw-0.3
docs: Update docs for release of Consul API Gateway v0.3.0
2022-06-22 00:00:42 -07:00
Jeff Apple 3dde875368
Apply suggestions from code review 2022-06-21 22:23:26 -07:00
Jeff Apple 1d69e37272
Apply suggestions from tech writer review
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-06-21 22:14:34 -07:00
trujillo-adam e4f243c402 removed most of 'ECS service' information 2022-06-21 17:02:18 -07:00
trujillo-adam 88dc4de903
Apply suggestions from code review
Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
2022-06-21 16:53:10 -07:00
David Yu 563c11baa5
Update website/content/docs/connect/cluster-peering/k8s.mdx 2022-06-21 16:34:45 -07:00
Tu Nguyen 5596f6fc4b
Apply suggestions from code review 2022-06-21 16:31:49 -07:00