Commit Graph

18224 Commits

Author SHA1 Message Date
Daniel Upton 688dfe3138 proxycfg-glue: server-local implementation of `ServiceList`
This is the OSS portion of enterprise PR 2242.

This PR introduces a server-local implementation of the proxycfg.ServiceList
interface, backed by streaming events and a local materializer.
2022-07-14 18:22:12 +01:00
Daniel Upton 599f5e2207 proxycfg-glue: server-local compiled discovery chain data source
This is the OSS portion of enterprise PR 2236.

Adds a local blocking query-based implementation of the proxycfg.CompiledDiscoveryChain interface.
2022-07-14 18:22:12 +01:00
Jared Kirschner 664033e68e
Merge pull request #13655 from hashicorp/docs/add-envoy-to-standard-upgrade-instructions
docs: add Envoy upgrade step to std upgrade docs
2022-07-14 13:11:12 -04:00
Sarah Alsmiller 1fb91206fd fix formatting issue 2022-07-14 11:31:18 -05:00
Sarah Alsmiller 8058178bbb merge 2022-07-14 11:24:39 -05:00
Sarah Alsmiller 81cc956d88 change file name 2022-07-14 11:22:05 -05:00
Sarah Alsmiller 216dbaf829 add links 2022-07-14 11:15:01 -05:00
Sarah Alsmiller 1d88a1ea14 content 2022-07-14 11:07:27 -05:00
Sarah Alsmiller 5a1aca8cbb fix indentation 2022-07-14 11:06:16 -05:00
Jared Kirschner 9c0f2478b9 docs: add Envoy upgrade step to std upgrade docs 2022-07-14 06:56:11 -07:00
John Cowen e29a43dc20
ui: Add additional API requests for peering establishment (#13734) 2022-07-14 11:23:16 +01:00
John Cowen 2b9250b00b
ui: Move peers to a subapplication (#13725) 2022-07-14 11:22:45 +01:00
John Cowen 6fce197908
ui: Thread through data-source invalidate method (#13710)
* ui: Thread through data-source invalidate method

* Remove old invalidating state
2022-07-14 09:30:35 +01:00
John Cowen 65eccb33ce
ui: Make our old TabNav component easily usable with a state machine (#13705)
* ui: Make our old TabNav component easily usable with a state machine

* Add an event handler that receives an object
2022-07-14 09:30:07 +01:00
Evan Culver 276c834c6a
Add changelog entries from latest releases (#13746) 2022-07-13 18:23:53 -07:00
sarahalsmiller 53c91a9a04
Update website/content/docs/api-gateway/usage/basic-usage.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-13 16:21:13 -05:00
sarahalsmiller ad1efde9c3
Update website/content/docs/api-gateway/usage/basic-usage.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-13 16:18:39 -05:00
sarahalsmiller f658781e44
Update website/content/docs/api-gateway/configuration/gatewayclassconfig.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-13 16:01:53 -05:00
sarahalsmiller f163bb89d4
Update website/content/docs/api-gateway/configuration/gatewayclass.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-13 16:01:45 -05:00
Chris S. Kim d12b3d286e Check if an upstream is implicit from either intentions or peered services 2022-07-13 16:53:20 -04:00
Chris S. Kim 5d890cdbb2 Use new maps for proxycfg peered data 2022-07-13 16:05:10 -04:00
Chris S. Kim 34c0093d44 Add new watch.Map type to refactor proxycfg 2022-07-13 16:05:10 -04:00
Chris S. Kim 0936942b2d Scrub VirtualIPs before exporting 2022-07-13 16:05:10 -04:00
Kyle Havlovitz a7ea6cb771
Merge pull request #13699 from hashicorp/tgate-http2-upstream
Respect http2 protocol for upstreams of terminating gateways
2022-07-13 09:41:15 -07:00
R.B. Boyer c8c6484905
proto: add package prefixes for all proto files where it is safe (#13735)
We cannot do this for "subscribe" and "partition" this easily without
breakage so those are omitted.

Any protobuf message passed around via an Any construct will have the
fully qualified package name embedded in the protobuf as a string. Also
RPC method dispatch will include the package of the service during
serialization.

- We will be passing pbservice and pbpeering through an Any as part of
  peer stream replication.

- We will be exposing two new gRPC services via pbpeering and
  pbpeerstream.
2022-07-13 11:03:27 -05:00
Dan Upton 34140ff3e0
grpc: rename public/private directories to external/internal (#13721)
Previously, public referred to gRPC services that are both exposed on
the dedicated gRPC port and have their definitions in the proto-public
directory (so were considered usable by 3rd parties). Whereas private
referred to services on the multiplexed server port that are only usable
by agents and other servers.

Now, we're splitting these definitions, such that external/internal
refers to the port and public/private refers to whether they can be used
by 3rd parties.

This is necessary because the peering replication API needs to be
exposed on the dedicated port, but is not (yet) suitable for use by 3rd
parties.
2022-07-13 16:33:48 +01:00
R.B. Boyer c880728ab4
peerstream: some cosmetic refactors to make this easier to follow (#13732)
- Use some protobuf construction helper methods for brevity.
- Rename a local variable to avoid later shadowing.
- Rename the Nonce field to be more like xDS's naming.
- Be more explicit about which PeerID fields are empty.
2022-07-13 10:00:35 -05:00
John Cowen dc4302e23f
ui: Remove UNDEFINED state from being undeleteable (#13702)
* ui: Remove UNDEFINED state from being undeleteable

* Fixup node tests
2022-07-13 12:06:16 +01:00
John Cowen 51a8955103
ui: Remove horizontal scrollbar from peering list rows (#13701) 2022-07-13 11:22:49 +01:00
Kyle Havlovitz 0ac7de3bae Use protocol from resolved config entry, not gateway service 2022-07-12 16:23:40 -07:00
Kyle Havlovitz 54d8fe9032 Enable http2 options for grpc protocol 2022-07-12 14:38:44 -07:00
R.B. Boyer 81764a5650
peering: always send the mesh gateway SpiffeID even for tcp services (#13728)
If someone were to switch a peer-exported service from L4 to L7 there
would be a brief SAN validation hiccup as traffic shifted to the mesh
gateway for termination.

This PR sends the mesh gateway SpiffeID down all the time so the clients
always expect a switch.
2022-07-12 11:38:13 -05:00
R.B. Boyer ee5eb5a960
state: prohibit changing an exported tcp discovery chain in a way that would break SAN validation (#13727)
For L4/tcp exported services the mesh gateways will not be terminating
TLS. A caller in one peer will be directly establishing TLS connections
to the ultimate exported service in the other peer.

The caller will be doing SAN validation using the replicated SpiffeID
values shipped from the exporting side. There are a class of discovery
chain edits that could be done on the exporting side that would cause
the introduction of a new SpiffeID value. In between the time of the
config entry update on the exporting side and the importing side getting
updated peer stream data, requests to the exported service would fail due
to SAN validation errors.

This is unacceptable so instead prohibit the exporting peer from making
changes that would break peering in this way.
2022-07-12 11:17:33 -05:00
R.B. Boyer 2c329475ce
state: prohibit exported discovery chains to have cross-datacenter or cross-partition references (#13726)
Because peerings are pairwise, between two tuples of (datacenter,
partition), having any exported reference via a discovery chain that
crosses out of the peered datacenter or partition will ultimately not be
able to work for various reasons. The biggest one is that there is no
way in the ultimate destination to configure an intention that can allow
an external SpiffeID to access a service.

This PR ensures that a user simply cannot do this, so they won't run
into weird situations like this.
2022-07-12 11:03:41 -05:00
Michael Klein 4a62ef296d
ui: peer permission handling (#13724)
* Request peering permissions when peerings is active

* Update peering ability to use peering resource

* fix canDelete peer permission to check write permission

* use super call in abilities.peer#canDelete
2022-07-12 16:16:47 +01:00
Chris S. Kim 9f5ab3ec10
Return error if ServerAddresses is empty (#13714) 2022-07-12 11:09:00 -04:00
Michael Klein d25b025468
ui: use environment variable for feature flagging peers (#13703)
* ui: use environment variable for feature flagging peers

* Add documentation for `features`-service

* Allow setting feature flag for peers via bookmarklet

* don't use features service for flagging peers

* add ability for checking if peers feature is enabled

* Use abilities to conditionally use peers feature

* Remove unused features service
2022-07-12 12:02:45 +01:00
Michael Wilkerson affae7ae83
update docs (#13711)
* update docs

* Update website/content/docs/nia/enterprise/index.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-07-11 15:03:18 -07:00
R.B. Boyer 986f24ce52
proto: ensure buf formatter has been applied to protobufs (#13709) 2022-07-11 13:44:51 -05:00
Jeff Boruszak 671d968ecc
Merge pull request #13693 from hashicorp/docs-cluster-peering-updates
docs: Cluster Peering docs fixes
2022-07-11 12:34:07 -05:00
Nathan Coleman 0bb6078002
Merge pull request #13681 from hashicorp/docs/install-capigw-version-env-var
docs(consul-api-gateway): use VERSION env var in install steps
2022-07-11 10:32:19 -05:00
Nathan Coleman 626704fcda
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx 2022-07-11 11:26:04 -04:00
cskh 2d99304762
feat(cli): enable to delete config entry from an input file (#13677)
* feat(cli): enable to delete config entry from an input file

- A new flag to config delete to delete a config entry in a
  valid config file, e.g., config delete -filename
  intention-allow.hcl
- Updated flag validation; -filename and -kind can't be set
  at the same time
- Move decode config entry method from config_write.go to
  helpers.go for reusing ParseConfigEntry()
- add changelog

Co-authored-by: Dan Upton <daniel@floppy.co>
2022-07-11 10:13:40 -04:00
Kyle Havlovitz 18aacf9b55
Merge pull request #13678 from hashicorp/envoy-prometheus-tls-fix
Fix syntax for envoy bootstrap prometheus secret config
2022-07-08 15:58:19 -07:00
Kyle Havlovitz 3803195a44 Add changelog note 2022-07-08 15:23:00 -07:00
Kyle Havlovitz 616a2da835 Respect http2 protocol for upstreams of terminating gateways 2022-07-08 14:30:45 -07:00
R.B. Boyer 5b801db24b
peering: move peer replication to the external gRPC port (#13698)
Peer replication is intended to be between separate Consul installs and
effectively should be considered "external". This PR moves the peer
stream replication bidirectional RPC endpoint to the external gRPC
server and ensures that things continue to function.
2022-07-08 12:01:13 -05:00
sarahalsmiller 17bece6799
Update website/content/docs/api-gateway/configuration/gateway.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-07-08 09:54:47 -05:00
Mike Morris fc8fbda641
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-07-07 17:38:30 -04:00
Mike Morris 28d2ee5ada
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-07-07 17:37:12 -04:00