Commit Graph

19920 Commits

Author SHA1 Message Date
Paul Glass d8d89d4b59
Permissive mTLS (#17035)
This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode.
Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application.

* Update service-defaults and proxy-defaults config entries with a MutualTLSMode field
* Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode.
* Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
2023-04-19 14:45:00 -05:00
R.B. Boyer 5e019393d3
Revert "cache: refactor agent cache fetching to prevent unnecessary f… (#16818) (#17046)
Revert "cache: refactor agent cache fetching to prevent unnecessary fetches on error (#14956)"

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
2023-04-19 13:17:21 -05:00
Kyle Havlovitz 26128548a5
Avoid decoding nil pointer in map walker (#17048) 2023-04-19 10:23:38 -07:00
John Murret d7c488762e
ci: remove test-integrations CircleCI workflow (#16928)
* remove all CircleCI files

* remove references to CircleCI

* remove more references to CircleCI

* pin golangci-lint to v1.51.1 instead of v1.51
2023-04-19 16:19:29 +00:00
John Murret 9a77ec0b6d
ci: add test-integrations (#16915)
* add test-integrations workflow

* add test-integrations success job

* update vault integration testing versions (#16949)

* change parallelism to 4 forgotestsum.  use env.CONSUL_VERSION so we can see the version.

* use env for repeated values

* match test to circleci

* fix envvar

* fix envvar 2

* fix envvar 3

* fix envvar 4

* fix envvar 5

* make upgrade and compatibility tests match circleci

* run go env to check environment

* debug docker

Signed-off-by: Dan Bond <danbond@protonmail.com>

* debug docker

Signed-off-by: Dan Bond <danbond@protonmail.com>

* revert debug docker

Signed-off-by: Dan Bond <danbond@protonmail.com>

* going back to command that worked 5 days ago for compatibility tests

* Update Envoy versions to reflect changes in #16889

* cd to test dir

* try running ubuntu latest

* update PR with latest changes that work in enterprise

* yaml still sucks

* test GH fix (localhost resolution)

* change for testing

* test splitting and ipv6 lookup for compatibility and upgrade tests

* fix indention

* consul as image name

* remove the on push

* add gotestsum back in

* removing the use of the gotestsum download action

* yaml sucks today just like yesterday

* fixing nomad tests

* worked out the kinks on enterprise

---------

Signed-off-by: Dan Bond <danbond@protonmail.com>
Co-authored-by: John Eikenberry <jae@zhar.net>
Co-authored-by: Dan Bond <danbond@protonmail.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Co-authored-by: Sarah <sthompson@hashicorp.com>
2023-04-18 20:45:30 -06:00
Luke Kysow 9345ce89d4
Don't send updates twice (#16999) 2023-04-18 10:41:58 -07:00
Kevin Wang 63e9c08234
Bump the golang.org/x/net to 0.7.0 to address CVE-2022-41723 (#16754)
* Bump the golang.org/x/net to 0.7.0 to address CVE-2022-41723

https://nvd.nist.gov/vuln/detail/CVE-2022-41723

* Add changelog entry

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2023-04-18 17:31:08 +00:00
Andrei Komarov 5c35095490
api: enable query options on agent force-leave endpoint (#15987) 2023-04-18 11:31:48 -05:00
Poonam Jadhav 4f7d1b4700
feat: set up reporting agent (#16991) 2023-04-18 11:03:05 -04:00
Dhia Ayachi 41064eb20b
add ability to start container tests in debug mode and attach a debugger (#16887)
* add ability to start container tests in debug mode and attach a debugger to consul while running it.

* add a debug message with the debug port

* use pod to get the right port

* fix image used in basic test

* add more data to identify which container to debug.

* fix comment

Co-authored-by: Evan Culver <eculver@users.noreply.github.com>

* rename debugUri to debugURI

---------

Co-authored-by: Evan Culver <eculver@users.noreply.github.com>
2023-04-18 09:49:53 -04:00
Dan Upton 3466c85cc4
server: wire up in-process Resource Service (#16978) 2023-04-18 10:03:23 +01:00
Jared Kirschner dcd1143086
docs: update docs related to GH-16779 (#17020) 2023-04-17 23:41:31 +00:00
Semir Patel 0674f30fc1
Tenancy wildcard validaton for `Write`, `Read`, and `Delete` endpoints (#17004) 2023-04-17 16:33:20 -05:00
trujillo-adam 905cc1bbd5
added an intro statement for the SI conf entry confiration model (#17017)
* added an intro statement for the SI conf entry confiration model

* caught a few more typos
2023-04-17 11:29:32 -07:00
trujillo-adam c4752bace3
fixed bad link (#17009) 2023-04-14 13:51:56 -07:00
Derek Menteer 7ce928a42e
Add PrioritizeByLocality to config entries. (#17007)
This commit adds the PrioritizeByLocality field to both proxy-config
and service-resolver config entries for locality-aware routing. The
field is currently intended for enterprise only, and will be used to
enable prioritization of service-mesh connections to services based
on geographical region / zone.
2023-04-14 15:42:54 -05:00
trujillo-adam 7db438d114
added missing error message content to troubleshooting (#17005) 2023-04-14 13:04:12 -07:00
Michael Wilkerson 4edb1b553d
* added Sameness Group to proto files (#16998)
- added Sameness Group to config entries
- added Sameness Group to subscriptions

* generated proto files

* added Sameness Group events to the state store
- added test cases

* Refactored health RPC Client
- moved code that is common to rpcclient under rpcclient common.go. This will help set us up to support future RPC clients

* Refactored proxycfg glue views
- Moved views to rpcclient config entry. This will allow us to reuse this code for a config entry client

* added config entry RPC Client
- Copied most of the testing code from rpcclient/health

* hooked up new rpcclient in agent

* fixed documentation and comments for clarity
2023-04-14 09:24:46 -07:00
Dhia Ayachi b628355cc4
add IP rate limiting config update (#16997)
* add IP rate limiting config update

* fix review comments
2023-04-14 09:26:38 -04:00
Semir Patel fc3d024d4d
Enforce Owner rules in `Write` endpoint (#16983) 2023-04-14 08:19:46 -05:00
Semir Patel 1f860b99d2
Fix delete when uid not provided (#16996) 2023-04-14 08:18:24 -05:00
Eric Haberkorn ece9b58e97
move enterprise test cases out of open source (#16985) 2023-04-13 09:07:06 -04:00
cskh ebf0910d54
upgrade test: config nodeName, nodeid, and inherited persistent data for consul container (#16931) 2023-04-12 18:00:56 -04:00
Semir Patel f9311318e1
Add mutate hook to `Write` endpoint (#16958) 2023-04-12 16:50:07 -05:00
Nathan Coleman ad5a4201d5
Update list of Envoy versions (#16889)
* Update list of Envoy versions

* Update docs + CI + tests

* Add changelog entry

* Add newly-released Envoy versions 1.23.8 and 1.24.6

* Add newly-released Envoy version 1.22.11
2023-04-12 17:43:15 -04:00
Semir Patel 53a0755f03
Enforce ACLs on resource `Write` and `Delete` endpoints (#16956) 2023-04-12 16:22:44 -05:00
Dan Bond 1eec647fd3
circleci: remove frontend jobs (#16906)
* circleci: remove fronted jobs

Signed-off-by: Dan Bond <danbond@protonmail.com>

* remove frontend-cache

Signed-off-by: Dan Bond <danbond@protonmail.com>

---------

Signed-off-by: Dan Bond <danbond@protonmail.com>
2023-04-12 14:07:18 -07:00
Eric Haberkorn f89938e56b
add sameness to exported services structs in the api package (#16984) 2023-04-12 16:49:28 -04:00
Dhia Ayachi 825663b38a
Memdb Txn Commit race condition fix (#16871)
* Add a test to reproduce the race condition

* Fix race condition by publishing the event after the commit and adding a lock to prevent out of order events.

* split publish to generate the list of events before committing the transaction.

* add changelog

* remove extra func

* Apply suggestions from code review

Co-authored-by: Dan Upton <daniel@floppy.co>

* add comment to explain test

---------

Co-authored-by: Dan Upton <daniel@floppy.co>
2023-04-12 13:18:01 -04:00
Dan Bond 9a2221b07b
ci: split frontend ember jobs (#16973)
Signed-off-by: Dan Bond <danbond@protonmail.com>
2023-04-12 04:48:09 +00:00
Nathan Coleman 8eaf4b17c1
Added backport labels to PR template checklist (#16966) 2023-04-11 19:18:11 +00:00
Poonam Jadhav c8d21de074
feat: add reporting config with reload (#16890) 2023-04-11 15:04:02 -04:00
John Murret c4d27e436e
ci: remove build-distros from CircleCI (#16941) 2023-04-11 18:52:35 +00:00
Luke Kysow f6603008d1
Remove global.name requirement for APs (#16964)
This is not a requirement when using APs because each AP has its own
auth method so it's okay if the names overlap.
2023-04-11 11:41:33 -07:00
Dan Upton d46543631c
resource: `WriteStatus` endpoint (#16886) 2023-04-11 19:23:14 +01:00
Derek Menteer f08fc57997
Update docs for service-defaults overrides. (#16960)
Update docs for service-defaults overrides.

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-04-11 11:40:55 -05:00
Thomas Eckert bf6584ac72
Fix the indentation of the copyAnnotations example (#16873) 2023-04-11 15:34:52 +00:00
Derek Menteer 2a13c9af1f
Remove deprecated service-defaults upstream behavior. (#16957)
Prior to this change, peer services would be targeted by service-default
overrides as long as the new `peer` field was not found in the config entry.
This commit removes that deprecated backwards-compatibility behavior. Now
it is necessary to specify the `peer` field in order for upstream overrides
to apply to a peer upstream.
2023-04-11 10:20:33 -05:00
Semir Patel 8d0d600ea3
Resource validation hook for `Write` endpoint (#16950) 2023-04-11 06:55:32 -05:00
Semir Patel ca19954c08
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 06:10:14 -05:00
John Murret 78b21d8840
ci: build-artifacts - fix platform missing in manifest error (#16940)
* ci: build-artifacts - fix platform missing in manifest error

* remove platform key
2023-04-10 16:42:42 -06:00
John Murret b67ec0cb61
ci: remove go-tests workflow from CircleCI (#16855)
* remove go-tests workflow from CircleCI

* add yaml anchor back
2023-04-10 14:47:32 -06:00
John Murret 2da115bc63
ci: remove verify-ci from circleci (#16860) 2023-04-10 12:35:07 -06:00
John Maguire 3d11e9b26a
APIGW: Routes with duplicate parents should be invalid (#16926)
* ensure route parents are unique when creating an http route

* Ensure tcp route parents are unique

* Added unit tests
2023-04-10 13:20:32 -04:00
John Murret 91fd8b7917
ci: add GOTAGS to build-distros (#16934) 2023-04-10 11:16:44 -06:00
Andrea Scarpino 61a456682a
docs: fix typo in LocalRequestTimeoutMs (#16917) 2023-04-10 09:56:49 -07:00
cskh 762a69cc42
Test: add noCleanup to TestServer stop (#16919) 2023-04-07 20:47:54 -04:00
Jared Kirschner 0eeb7f8b18
docs: improve upgrade path guidance (#16925) 2023-04-07 20:47:15 +00:00
John Eikenberry ff39dca2b4
highlight the agent.tls cert metric with CA ones
Include server agent certificate with list of cert metrics that need monitoring.
2023-04-07 20:41:14 +00:00
John Eikenberry 30d3a087dc
log warning about certificate expiring sooner and with more details
The old setting of 24 hours was not enough time to deal with an expiring certificates. This change ups it to 28 days OR 40% of the full cert duration, whichever is shorter. It also adds details to the log message to indicate which certificate it is logging about and a suggested action.
2023-04-07 20:38:07 +00:00