4f0432be5e
Update xds pkg to account for GatewayKey
2021-10-27 09:03:56 -06:00
f3f15640a9
Update mesh gateway proxy watches for partitions
...
This commit updates mesh gateway watches for cross-partitions
communication.
* Mesh gateways are keyed by partition and datacenter.
* Mesh gateways will now watch gateways in partitions that export
services to their partition.
* Mesh gateways in non-default partitions will not have cross-datacenter
watches. They are not involved in traditional WAN federation.
2021-10-27 09:03:56 -06:00
af662c8c1c
Avoid mixing named and unnamed params
2021-10-26 23:42:25 -06:00
1de62bb0a2
Avoid passing nil config pointer
2021-10-26 23:42:25 -06:00
4a2e40aa3c
Avoid panic on nil partitionAuthorizer config
...
partitionAuthorizer.config can be nil if it wasn't provided on calls to
newPartitionAuthorizer outside of the ACLResolver. This usage happens
often in tests.
This commit: adds a nil check when the config is going to be used,
updates non-test usage of NewPolicyAuthorizerWithDefaults to pass a
non-nil config, and dettaches setEnterpriseConf from the ACLResolver.
2021-10-26 23:42:25 -06:00
015d85cd74
Update NodeRead for partition-exports
...
When issuing cross-partition service discovery requests, ACL filtering
often checks for NodeRead privileges. This is because the common return
type is a CheckServiceNode, which contains node data.
2021-10-26 23:42:11 -06:00
afb0976eac
acl: pass PartitionInfo through ent ACLConfig
2021-10-26 23:41:52 -06:00
56d1858c4a
acl: Expand ServiceRead logic to look at service-exports for cross-partition
2021-10-26 23:41:32 -06:00
4737ad118d
Swap in structs.EqualPartitions for cmp
2021-10-26 23:36:01 -06:00
1bade08f91
Replace Split with SplitN
2021-10-26 23:36:01 -06:00
3966677aaf
Finish removing useInDatacenter
2021-10-26 23:36:01 -06:00
69476221c1
Update XDS for sidecars dialing through gateways
2021-10-26 23:35:48 -06:00
ea311d2e47
Configure sidecars to watch gateways in partitions
...
Previously the datacenter of the gateway was the key identifier, now it
is the datacenter and partition.
When dialing services in other partitions or datacenters we now watch
the appropriate partition.
2021-10-26 23:35:37 -06:00
feaebde1f1
Remove useInDatacenter from disco chain requests
...
useInDatacenter was used to determine whether the mesh gateway mode of
the upstream should be returned in the discovery chain target. This
commit makes it so that the mesh gateway mode is returned every time,
and it is up to the caller to decide whether mesh gateways should be
watched or used.
2021-10-26 23:35:21 -06:00
e27e58c6cc
agent: refactor the agent delegate interface to be partition friendly ( #11429 )
2021-10-26 15:08:55 -05:00
27f8a85664
agent: Ensure partition is considered in agent endpoints ( #11427 )
2021-10-26 15:20:57 -04:00
2f9ee8e558
remove spaces
2021-10-26 12:38:13 -04:00
be14f6da90
fix altDomain responses for services where address is IP, added tests
2021-10-26 12:38:13 -04:00
eec9d66e22
fix encodeIPAsFqdn to return alt-domain when requested, added test case
2021-10-26 12:38:12 -04:00
9d6797a463
fixed altDomain response for NS type queries, and added test
2021-10-26 12:38:12 -04:00
0735e12412
edited TestDNS_AltDomains_Service to test responses for altDomains, and added TXT additional section check
2021-10-26 12:38:12 -04:00
8972e093d9
fixed alt-domain answer for SRV records, and TXT records in additional section
2021-10-26 12:38:12 -04:00
3f736467e6
ui: Pass primary dc through to uiserver ( #11317 )
...
Co-authored-by: John Cowen <johncowen@users.noreply.github.com>
2021-10-26 10:30:17 -04:00
83d4d0e108
Remove outdated partition label from test
2021-10-25 18:47:02 -06:00
c3e381b4c1
Rename service-exports to partition-exports
...
Existing config entries prefixed by service- are specific to individual
services. Since this config entry applies to partitions it is being
renamed.
Additionally, the Partition label was changed to Name because using
Partition at the top-level and in the enterprise meta was leading to the
enterprise meta partition being dropped by msgpack.
2021-10-25 17:58:48 -06:00
f24bad2a52
Merge pull request #11232 from hashicorp/dnephin/acl-legacy-remove-docs
...
acl: add docs and changelog for the removal of the legacy ACL system
2021-10-25 18:38:00 -04:00
f7cdd210fe
Update agent/consul/acl_client.go
...
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-10-25 17:25:14 -04:00
732b841dd7
state: remove support for updating legacy ACL tokens
2021-10-25 17:25:14 -04:00
76b007dacd
acl: remove init check for legacy anon token
...
This token should always already be migrated from a previous version.
2021-10-25 17:25:14 -04:00
8ae6ee4e36
acl: remove legacy parameter to ACLDatacenter
...
It is no longer used now that legacy ACLs have been removed.
2021-10-25 17:25:14 -04:00
d778113773
acl: remove ACLTokenTypeManagement
2021-10-25 17:25:14 -04:00
2f0eba1980
acl: remove ACLTokenTypeClient,
...
along with the last test referencing it.
2021-10-25 17:25:14 -04:00
88c6aeea34
acl: remove legacy arg to store.ACLTokenSet
...
And remove the tests for legacy=true
2021-10-25 17:25:14 -04:00
b31a7fc498
acl: remove EmbeddedPolicy
...
This method is no longer. It only existed for legacy tokens, which are no longer supported.
2021-10-25 17:25:14 -04:00
ceaa36f983
acl: remove tests for resolving legacy tokens
...
The code for this was already removed, which suggests this is not actually testing what it claims.
I'm guessing these are still resolving because the tokens are converted to non-legacy tokens?
2021-10-25 17:25:14 -04:00
a46e3bd2fc
acl: stop replication on leadership lost
...
It seems like this was missing. Previously this was only called by init of ACLs during an upgrade.
Now that legacy ACLs are removed, nothing was calling stop.
Also remove an unused method from client.
2021-10-25 17:24:12 -04:00
15cd8c7ab8
Remove incorrect TODO
2021-10-25 17:20:06 -04:00
589b238374
acl: move the legacy ACL struct to the one package where it is used
...
It is now only used for restoring snapshots. We can remove it in phase 2.
2021-10-25 17:20:06 -04:00
0ba5d0afcd
acl: remove most of the rest of structs/acl_legacy.go
2021-10-25 17:20:06 -04:00
ab5cdce760
Merge pull request #11163 from hashicorp/feature/ingress-tls-mixed
...
Add support for enabling connect-based ingress TLS per listener.
2021-10-25 21:36:01 +01:00
6433a57d3c
fix autopilot_failure_tolerance, add autopilot metrics test case ( #11399 )
...
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-10-25 10:55:59 -07:00
67a624a49f
use *telemetry.MetricsPrefix as prometheus.PrometheusOpts.Name ( #11290 )
...
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-10-21 13:33:01 -07:00
75f69a98a2
fix leadership transfer on leave suggestions ( #11387 )
...
* add suggestions
* set isLeader to false when leadership transfer succeed
2021-10-21 14:02:26 -04:00
2d1ac1f7d0
try to perform a leadership transfer when leaving ( #11376 )
...
* try to perform a leadership transfer when leaving
* add a changelog
2021-10-21 12:44:31 -04:00
752a285552
Add new service-exports config entry
2021-10-20 12:24:18 -07:00
716b05f934
Merge pull request #11293 from bisakhmondal/service_filter
...
expression validation of service-resolver subset filter
2021-10-20 08:57:37 -04:00
4808b97d9c
Rebase and rebuild golden files for Envoy version bump
2021-10-19 21:37:58 +01:00
ff405d35c7
Refactor `resolveListenerSDSConfig` to pass in whole config
2021-10-19 20:58:29 +01:00
5c8702b182
Add support for enabling connect-based ingress TLS per listener.
2021-10-19 20:58:28 +01:00
55dd52cb17
acl: small OSS refactors to help ensure that auth methods with namespace rules work with partitions ( #11323 )
2021-10-14 15:38:05 -05:00
f76fddb28e
Use stored entmeta to fill authzContext
2021-10-14 08:57:40 -06:00
bdf3e951f8
Ensure partition is handled by auto-encrypt
2021-10-14 08:32:45 -06:00
bb228ab165
fix: only add prom autopilot gauges to servers ( #11241 )
...
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-10-13 09:25:30 -07:00
0a6d683c84
Update Intentions.List with partitions ( #11299 )
2021-10-13 10:47:12 -04:00
3e8ece97a8
acl: fix bug in 'consul members' filtering with partitions ( #11263 )
2021-10-13 09:18:16 -05:00
929ad1e80f
add service resolver subset filter validation
2021-10-13 02:56:04 +05:30
2cd80e5f66
Merge pull request #11222 from hashicorp/clly/service-mesh-metrics
...
Start tracking connect service mesh usage metrics
2021-10-11 14:35:03 -05:00
2119351f77
Replace fmt.Sprintf with function
2021-10-11 12:43:38 -05:00
baec141df3
preload json values in structs to determine defaults
2021-10-10 17:52:26 -04:00
e37b5846fd
ca: split Primary/Secondary Provider
...
To make it more clear which methods are necessary for each scenario. This can
also prevent problems which force all DCs to use the same Vault instance, which
is currently a problem.
2021-10-10 15:48:02 -04:00
571acb872e
ca: extract primaryUpdateRootCA
...
This function is only run when the CAManager is a primary. Extracting this function
makes it clear which parts of UpdateConfiguration are run only in the primary and
also makes the cleanup logic simpler. Instead of both a defer and a local var we
can call the cleanup function in two places.
2021-10-10 15:26:55 -04:00
a65594d8ec
ca: rename functions to use a primary or secondary prefix
...
This commit renames functions to use a consistent pattern for identifying the functions that
can only be called when the Manager is run as the primary or secondary.
This is a step toward eventually creating separate types and moving these methods off of CAManager.
2021-10-10 15:26:55 -04:00
20f0efd8c1
ca: make receiver variable name consistent
...
Every other method uses c not ca
2021-10-10 15:26:55 -04:00
e3a18e5203
add test cases for h2ping_use_tls default behavior
2021-10-09 17:12:52 -04:00
7f28301212
fix consul_autopilot_healthy metric emission ( #11231 )
...
https://github.com/hashicorp/consul/issues/10730
2021-10-08 10:31:50 -07:00
38986d6371
Rename ConfigUsageEnterprise to EnterpriseConfigEntryUsage
2021-10-08 10:53:34 -05:00
76b3c4ed3c
Rename and prefix ConfigEntry in Usage table
...
Rename ConfigUsage functions to ConfigEntry
prefix ConfigEntry kinds with the ConfigEntry table name to prevent
potential conflicts
2021-10-07 16:19:55 -05:00
0e39a7a333
Add connect specific prefix to Usage table
...
Ensure that connect Kind's are separate from ConfigEntry Kind's to
prevent miscounting
2021-10-07 16:16:23 -05:00
bda1998175
only set default on H2PingUseTLS if H2PING is set
2021-10-06 22:13:01 -04:00
51e498717f
docs: add notice that legacy ACLs have been removed.
...
Add changelog
Also remove a metric that is no longer emitted that was missed in a
previous step.
2021-10-05 18:30:22 -04:00
577f2649bf
acl: remove unused translate rules endpoint
...
The CLI command does not use this endpoint, so we can remove it. It was missed in an
earlier pass.
2021-10-05 18:26:05 -04:00
f9ba7c39b5
Add changelog, website and metric docs
...
Add changelog to document what changed.
Add entry to telemetry section of the website to document what changed
Add docs to the usagemetric endpoint to help document the metrics in code
2021-10-05 13:34:24 -05:00
5446009299
Fixing SOA record to use alt domain when alt domain in use ( #10431 )
2021-10-05 10:47:27 -04:00
35faff55f8
fix test
2021-10-05 00:48:09 -04:00
1c1405552a
fix formatting
2021-10-05 00:15:04 -04:00
e46b41d04d
fix formatting
2021-10-05 00:12:23 -04:00
f8b47cdfcd
change config option to H2PingUseTLS
2021-10-05 00:12:21 -04:00
ed4ca3db49
add support for h2c in h2 ping health checks
2021-10-04 22:51:08 -04:00
e03b7e4c68
Merge pull request #11182 from hashicorp/dnephin/acl-legacy-remove-upgrade
...
acl: remove upgrade from legacy, start in non-legacy mode
2021-10-04 17:25:39 -04:00
e47c5c5ceb
Merge pull request #11118 from hashicorp/eculver/remove-envoy-1.15
...
Remove support for Envoy 1.15
2021-10-04 23:14:24 +02:00
d279c60010
Merge pull request #11115 from hashicorp/eculver/envoy-1.19.1
...
Add support for Envoy 1.19.1
2021-10-04 23:13:26 +02:00
b9f0014d70
acl: remove updateEnterpriseSerfTags
...
The only remaining caller is a test helper, and the tests don't use the enterprise gossip
pools.
2021-10-04 17:01:51 -04:00
5ac360b22d
Merge pull request #11126 from hashicorp/dnephin/acl-legacy-remove-resolve-and-get-policy
...
acl: remove ACL.GetPolicy RPC endpoint and ACLResolver.resolveTokenLegacy
2021-10-04 16:29:51 -04:00
ed5693b537
Add metrics to count the number of service-mesh config entries
2021-10-04 14:50:17 -05:00
9c487389cf
Add metrics to count connect native service mesh instances
...
This will add the counts of the service mesh instances tagged by
whether or not it is connect native
2021-10-04 14:37:05 -05:00
8000ea45ca
Add metrics to count service mesh Kind instance counts
...
This will add the counts of service mesh instances tagged by the
different ServiceKind's.
2021-10-04 14:36:59 -05:00
b6435259c3
acl: fix test failures caused by remocving legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Remove the early WaitForLeader in dc2, because with it the test was
failing with ACL not found.
2021-10-01 18:03:10 -04:00
e74ce0fb2e
Add 1.15 versions to too old list
2021-10-01 11:28:26 -07:00
3c8ca0dbd2
agent: Reject partitions in legacy intention endpoints ( #11181 )
2021-10-01 13:18:57 -04:00
bf94949d48
Support partitions in parseIntentionStringComponent ( #11202 )
2021-10-01 12:36:12 -04:00
8bd52995d1
fix token list by auth method ( #11196 )
...
* add tests to OIDC authmethod and fix entMeta when retrieving auth-methods
* fix oss compilation error
2021-10-01 12:00:43 -04:00
4cdcaf3658
Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15
2021-09-30 11:32:28 -07:00
7b157bba4e
regenerate more envoy golden files
2021-09-30 10:57:47 -07:00
ec935a2486
acl: call stop for the upgrade goroutine when done
...
TestAgentLeaks_Server was reporting a goroutine leak without this. Not sure if it would actually
be a leak in production or if this is due to the test setup, but seems easy enough to call it
this way until we remove legacyACLTokenUpgrade.
2021-09-29 17:36:43 -04:00
0c077d0527
acl: only run startACLUpgrade once
...
Since legacy ACL tokens can no longer be created we only need to run this upgrade a single
time when leadership is estalbished.
2021-09-29 16:22:01 -04:00
f21097beda
acl: remove reading of serf acl tags
...
We no long need to read the acl serf tag, because servers are always either ACL enabled or
ACL disabled.
We continue to write the tag so that during an upgarde older servers will see the tag.
2021-09-29 15:45:11 -04:00
b866e3c4f4
acl: fix test failure
...
For some reason removing legacy ACL upgrade requires using an ACL token now
for this WaitForLeader.
2021-09-29 15:21:30 -04:00
ebb2388605
acl: remove legacy ACL upgrades from Server
...
As part of removing the legacy ACL system
2021-09-29 15:19:23 -04:00
41a97360ca
acl: fix test failures caused by remocving legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Use the root token in WaitForLeader, because without it the test was
failing with ACL not found.
2021-09-29 15:15:50 -04:00
b73b68d696
acl: remove ACL.GetPolicy endpoint and resolve legacy acls
...
And all code that was no longer used once those two were removed.
2021-09-29 14:33:19 -04:00
freddygv