Commit graph

17470 commits

Author SHA1 Message Date
R.B. Boyer 28ec70953b
test: retry the compat tests as often as other tests (#13369)
The upgrade compatibility tests need frequent retrying to pass because they are slightly flaky. To alleviate manual work borrow similar gotestsum logic from the main go tests CI job to rerun them automatically here.
2022-06-06 16:06:55 -05:00
R.B. Boyer db48b4f5a2
test: break dep on main consul module (#13373)
The main consul module is not a great library and complicates some oss/ent module issues.

This undoes #13371
2022-06-06 16:06:39 -05:00
R.B. Boyer 0681f3571d
peering: allow mesh gateways to proxy L4 peered traffic (#13339)
Mesh gateways will now enable tcp connections with SNI names including peering information so that those connections may be proxied.

Note: this does not change the callers to use these mesh gateways.
2022-06-06 14:20:41 -05:00
Fulvio f155ff347c
UDP check for service stanza #12221 (#12722)
* UDP check for service stanza #12221

* add pass status on timeout condition

* delete useless files

* Update check_test.go

improve comment in test

* fix test

* fix requested changes and update TestRuntimeConfig_Sanitize.golden

* add freeport to TestCheckUDPCritical

* improve comment for CheckUDP struct

* fix requested changes

* fix requested changes

* fix requested changes

* add UDP to proto

* add UDP to proto and add a changelog

* add requested test on agent_endpoint_test.go

* add test for given endpoints

* fix failing tests

* add documentation for udp healthcheck

* regenerate proto using buf

* Update website/content/api-docs/agent/check.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/api-docs/agent/check.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/discovery/checks.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/ecs/configuration-reference.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/ecs/configuration-reference.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* add debug echo

* add debug circle-ci

* add debug circle-ci bash

* use echo instead of status_stage

* remove debug and status from devtools script and use echo instead

* Update website/content/api-docs/agent/check.mdx

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

* fix test

* replace status_stage with status

* replace functions with echo

Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2022-06-06 15:13:19 -04:00
R.B. Boyer 977b39cde1
test: use a go mod replace trick for the compat test dependency on the main repo (#13371) 2022-06-06 14:12:49 -05:00
Evan Culver 6ba124d163
Add latest changelog entries (#13363) 2022-06-06 11:52:13 -07:00
alex ff2ad3ba0c
peering: send leader addr (#13342)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-06-06 10:00:38 -07:00
Riddhi Shah 6132f1a845
[OSS] consul connect envoy command changes for agentless (#13361)
Changes the sourcing of the envoy bootstrap configuration
to not use agent APIs and instead use the catalog(server) API.
This is done by passing a node-name flag to the command,
(which can only be used with proxy-id).

Also fixes a bug where the golden envoy bootstrap config files
used for tests did not use the expected destination service name
in certain places for connect proxy kind.
2022-06-06 09:23:08 -07:00
modrake 802eda2af6
add codeowners to protect release dirs (#13261)
* add codeowners to protect release dirs
2022-06-06 08:57:15 -07:00
Dan Upton 5cd31933d1
xds: remove HTTPCheckFetcher dependency (#13366)
This is the OSS portion of enterprise PR 1994

Rather than directly interrogating the agent-local state for HTTP
checks using the `HTTPCheckFetcher` interface, we now rely on the
config snapshot containing the checks.

This reduces the number of changes required to support server xDS
sessions.

It's not clear why the fetching approach was introduced in
931d167ebb2300839b218d08871f22323c60175d.
2022-06-06 15:15:33 +01:00
R.B. Boyer 4c781d1e15
peering: update how cross-peer upstreams and represented in proxycfg and rendered in xds (#13362)
This removes unnecessary, vestigal remnants of discovery chains.
2022-06-03 16:42:50 -05:00
cskh bd3a4dfeab
Add isLeader metric to track if a server is a leader (#13304)
CTIA-21: sdd is_leader metric to track if a server is a leader

Co-authored-by: alex <8968914+acpana@users.noreply.github.com>
2022-06-03 13:07:37 -04:00
Freddy 36322c49cf
Merge pull request #13340 from hashicorp/peering/public-listener 2022-06-02 15:15:29 -06:00
alex 5825f3e1f6
chore: remove broken link from pr template (#13343) 2022-06-02 09:51:22 -07:00
Kyle Schochenmaier bc906625f6
update multicluster docs (#13334) 2022-06-02 11:46:35 -05:00
Chris S. Kim 8a7dfbaa7d
Fix KVSGet method to handle QueryOptions properly (#13344) 2022-06-02 12:26:18 -04:00
Freddy 137bfbb02b Update public listener with SPIFFE Validator
Envoy's SPIFFE certificate validation extension allows for us to
validate against different root certificates depending on the trust
domain of the dialing proxy.

If there are any trust bundles from peers in the config snapshot then we
use the SPIFFE validator as the validation context, rather than the
usual TrustedCA.

The injected validation config includes the local root certificates as
well.
2022-06-01 17:06:33 -06:00
freddygv ad6dbe081a Add agent cache-type for TrustBundleListByService
There are a handful of changes in this commit:
* When querying trust bundles for a service we need to be able to
  specify the namespace of the service.
* The endpoint needs to track the index because the cache watches use
  it.
* Extracted bulk of the endpoint's logic to a state store function
  so that index tracking could be tested more easily.
* Removed check for service existence, deferring that sort of work to ACL authz
* Added the cache type
2022-06-01 17:05:10 -06:00
freddygv 073c9e3a91 Update assumptions around exported-service config
Given that the exported-services config entry can use wildcards, the
precedence for wildcards is handled as with intentions. The most exact
match is the match that applies for any given service. We do not take
the union of all that apply.

Another update that was made was to reflect that only one
exported-services config entry applies to any given service in a
partition. This is a pre-existing constraint that gets enforced by
the Normalize() method on that config entry type.
2022-06-01 17:03:51 -06:00
Freddy 6ef38eaea7
Configure upstream TLS context with peer root certs (#13321)
For mTLS to work between two proxies in peered clusters with different root CAs,
proxies need to configure their outbound listener to use different root certificates
for validation.

Up until peering was introduced proxies would only ever use one set of root certificates
to validate all mesh traffic, both inbound and outbound. Now an upstream proxy
may have a leaf certificate signed by a CA that's different from the dialing proxy's.

This PR makes changes to proxycfg and xds so that the upstream TLS validation
uses different root certificates depending on which cluster is being dialed.
2022-06-01 15:53:52 -06:00
Freddy b43799eee1
[OSS] Pull split ns/partition var out of testing file (#13337)
The api module previously had defaultPartition and defaultNamespace vars
for when we need default/empty split usage between ent/oss respectively.

This commit moves those two variables out of test code so that they can
be used for the service exports config entry's `GetNamespace()` method.

Previously `GetNamespace()` would return "default" in both OSS and enterprise,
which can trip up automation that passes the result of this method as the
namespace to write a config entry.

The split vars are kept private to prevent external usage, and prefixed with
`split` for more clarity about their behavior.
2022-06-01 14:42:33 -06:00
R.B. Boyer 211b62e9b2
build: ensure tools match go toolchain version (#13338) 2022-06-01 15:24:45 -05:00
R.B. Boyer addfef5065
test: regenerate golden files (#13336)
make envoy-regen
    go test ./agent/config -update
2022-06-01 15:17:03 -05:00
R.B. Boyer 4479d9e6df
build: add 'make help' to simply list available make targets (#13322) 2022-06-01 14:16:17 -05:00
R.B. Boyer b2045c0cd0
ci: nomad main is now on go 1.18 (#13329)
The nomad integration tests that use main need to be updated to reflect hashicorp/nomad#13036
2022-06-01 13:34:44 -05:00
Chris S. Kim 58ffa0488d
Revert getPathSuffixUnescaped (#13256) 2022-06-01 13:17:14 -04:00
Dan Upton e6dc26e087
proxycfg: replace direct agent cache usage with interfaces (#13320)
This is the OSS portion of enterprise PRs 1904, 1905, 1906, 1907, 1949,
and 1971.

It replaces the proxycfg manager's direct dependency on the agent cache
with interfaces that will be implemented differently when serving xDS
sessions from a Consul server.
2022-06-01 16:18:06 +01:00
Chris S. Kim 44a318ef73
Reimplement fs.FileInfo interface (#13315)
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2022-06-01 11:09:51 -04:00
Michele Degges b0e5573f30
[Fix typo] Backport-reminder (#13313) 2022-05-31 22:44:53 -07:00
Chris S. Kim 23e7c5b5fd
Fix broken CI step (#13314) 2022-05-31 16:58:17 -04:00
Dhia Ayachi d4a04457e1
update gateway-services table with endpoints (#13217)
* update gateway-services table with endpoints

* fix failing test

* remove unneeded config in test

* rename "endpoint" to "destination"

* more endpoint renaming to destination in tests

* update isDestination based on service-defaults config entry creation

* use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist)

* set unknown state to empty to avoid modifying alot of tests

* fix logic to set the kind correctly on CRUD

* fix failing tests

* add missing tests and fix service delete

* fix failing test

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

* fix a bug with kind and add relevant test

* fix compile error

* fix failing tests

* add kind to clone

* fix failing tests

* fix failing tests in catalog endpoint

* fix service dump test

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

* remove duplicate tests

* rename consts and fix kind when no destination is defined in the service-defaults.

* rename Kind to ServiceKind and change switch to use .(type)

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
2022-05-31 16:20:12 -04:00
Chris S. Kim ea1e4aa52d
Update repo to use go:embed (#10996)
Replace bindata packages with stdlib go:embed.
Modernize some uiserver code with newer interfaces introduced in go 1.16 (mainly working with fs.File instead of http.File.
Remove steps that are no longer used from our build files.
Add Github Action to detect differences in agent/uiserver/dist and verify that the files are correct (by compiling UI assets and comparing contents).
2022-05-31 15:33:56 -04:00
DanStough f2c9574c1d chore(ci): add no-op jobs for branch protection rules 2022-05-31 15:24:22 -04:00
Riddhi Shah d558914a0f
[OSS] Fix merge central config tests (#13309)
Setting the right enterprise meta to fix the merge central config tests.
Re-added the tests that were failing on the OSS to ENT merge.
2022-05-31 12:04:19 -07:00
freddygv 14bff4fba6 Use embedded SpiffeID for peered upstreams 2022-05-31 09:55:37 -06:00
freddygv 4d3e09e8f8 Remove intermediate representation of SPIFFE IDs
xDS only ever uses the string representation, so we can avoid passing
around connect.SpiffeIDService objects around.
2022-05-31 09:55:37 -06:00
freddygv 5cd5108075 Return SPIFFE ID for connect proxies in PeerMeta
Proxies dialing exporting services need to know the SPIFFE ID of
services dialed so that the upstream's SANs can be validated.

This commit attaches the SPIFFE ID to all connect proxies exported over
the peering stream so that they are available to importing clusters.

The data in the SPIFFE ID cannot be re-constructed in peer clusters
because the partition of exported services is overwritten on imports.
2022-05-31 09:55:37 -06:00
Freddy a75af9d94a
[OSS] Add grpc endpoint to fetch a specific trust bundle (#13292)
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2022-05-31 09:54:40 -06:00
Chris S. Kim ffa7d737af
Refactor some functions for better enterprise use (#13280) 2022-05-30 09:46:55 -04:00
David Roca c4cc793066
docs: Use .snap extension in API snapshot save/restore
Change the `.tgz` file extension in the snapshot save and restore
examples on /api-docs/snapshot to `.snap`.

This is consistent with the file extension used in other example
snapshot save and restore commands, as well as the default extension
used by the Consul Snapshot Agent.
2022-05-27 14:07:37 -07:00
Matt Keeler 4814733934
Fix race during proxy closing (#13283)
p.service is written to within the Serve method. The Serve method also waits for the stopChan to be closed.

The race was between Close being called on the proxy causing Close on the service which was written to around the same time in the Serve method.

The fix is to have Serve be responsible for closing p.service.
2022-05-27 16:52:03 -04:00
Evan Culver d79fbf98f7
ci: add docker build smoke test (#13200) 2022-05-27 13:29:57 -07:00
cskh cbada60d21
CI: Verify built binaries in build job (#13221)
Co-authored-by: Evan Culver <eculver@hashicorp.com>
2022-05-27 14:50:41 -04:00
cskh 206c991058
CTIA-16: add tags to load test resources and run test on PR commit (#13258)
- retry destroy terraform resources
2022-05-27 14:49:39 -04:00
Matt Keeler b9e8b5c692
Fix a flaky test (#13282)
At the end of this test we were trying to ensure that updating a service in the local state causes it to re-register the service with the config manager.

The config manager in the same method will also call RegisteredProxies to determine if any need to be removed. This portion of the test is not attempting to verify that behavior.

Because the test is only blocked waiting for the Register event before it can end and assert all the mock expectations were met, we may not see the call to RegisteredProxies. This is especially apparent when tests are run with the race detector.

As we don’t actually care if that method is executed before the end of the test we can simply transition from expecting it to be called exactly once to a 0 or 1 times assertion.
2022-05-27 13:25:08 -04:00
Chris S. Kim e1b376f377
Add build tag for oss (#13279) 2022-05-27 11:39:58 -04:00
Mathew Estafanous 0481a99a70
Replace CLI command registry with a new pattern. (#12729) 2022-05-27 11:33:27 -04:00
Dan Upton a6a6d5a8ee
Enable servers to configure arbitrary proxies from the catalog (#13244)
OSS port of enterprise PR 1822

Includes the necessary changes to the `proxycfg` and `xds` packages to enable
Consul servers to configure arbitrary proxies using catalog data.

Broadly, `proxycfg.Manager` now has public methods for registering,
deregistering, and listing registered proxies — the existing local agent
state-sync behavior has been moved into a separate component that makes use of
these methods.

When an xDS session is started for a proxy service in the catalog, a goroutine
will be spawned to watch the service in the server's state store and
re-register it with the `proxycfg.Manager` whenever it is updated (and clean
it up when the client goes away).
2022-05-27 12:38:52 +01:00
alex 2d8664d384
monitor leadership in peering service (#13257)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2022-05-26 17:55:16 -07:00
Evan Culver 06a2689cce
Add latest changelog entries (#13276) 2022-05-26 16:14:02 -07:00