If an automatic backport fails to more than one release branch we need
to crate a PR to backport it. So far we've had to create a backport PR
for each target release branch.
With this change, we may be able to create only a single PR, and then
run the backport automation to cherry-pick it into other release
branches.
The idea is that if a change introduced in version n-1 caused a
conflict, and there are no other changes, then the backport automation
should be able to use the same commit for version n-2 and n-3.
The only thing that needed fixing up pertained to this section of the 1.18.x release notes:
> grpc_stats: the default value for stats_for_all_methods is switched from true to false, in order to avoid possible memory exhaustion due to an untrusted downstream sending a large number of unique method names. The previous default value was deprecated in version 1.14.0. This only changes the behavior when the value is not set. The previous behavior can be used by setting the value to true. This behavior change by be overridden by setting runtime feature envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default.
For now to maintain status-quo I'm explicitly setting `stats_for_all_methods=true` in all versions to avoid relying upon the default.
Additionally the naming of the emitted metrics for these gRPC requests changed slightly so the integration test assertions for `case-grpc` needed adjusting.
Note that this does NOT upgrade to xDS v3. That will come in a future PR.
Additionally:
- Ignored staticcheck warnings about how github.com/golang/protobuf is deprecated.
- Shuffled some agent/xds imports in advance of a later xDS v3 upgrade.
- Remove support for envoy 1.13.x but don't add in 1.17.x yet. We have to wait until the xDS v3 support is added in a follow-up PR.
Fixes#8425
TestEnvoy.Close used e.stream.recvCh == nil to indicate the channel had already
been closed, so that TestEnvoy.Close can be called multiple times. The recvCh
was not protected by a lock, so setting it to nil caused a data race with any
goroutine trying to read from the channel.
Instead set the stream to nil. The stream is guarded by a lock, so it does not race.
This change allows us to test the agent/xds package using -race.
* ci: stop building darwin/386 binaries
Go 1.15 drops support for 32-bit binaries on Darwin https://golang.org/doc/go1.15#darwin
* tls: ConnectionState::NegotiatedProtocolIsMutual is deprecated in Go 1.15, this value is always true
* correct error messages that changed slightly
* Completely regenerate some TLS test data
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
Most packages should pass the race detector. An exclude list ensures
that new packages are automatically tested with -race.
Also fix a couple small test races to allow more packages to be tested.
Returning readyCh requires a lock because it can be set to nil, and
setting it to nil will race without the lock.
Move the TestServer.Listening calls around so that they properly guard
setting TestServer.l. Otherwise it races.
Remove t.Parallel in a small package. The entire package tests run in a
few seconds, so t.Parallel does very little.
In auto-config, wait for the AutoConfig.run goroutine to stop before
calling readPersistedAutoConfig. Without this change there was a data
race on reading ac.config.
* ui: Add the most basic workspace root in /ui
* We already have a LICENSE file in the repository root
* Change directory path in build scripts ui-v2 -> ui
* Make yarn install flags configurable from elsewhere
* Minimal workspace root makefile
* Call the new docker specific target
* Update yarn in the docker build image
* Reconfigure the netlify target and move to the higher makefile
* Move ui-v2 -> ui/packages/consul-ui
* Change repo root to refleect new folder structure
* Temporarily don't hoist consul-api-double
* Fixup CI configuration
* Fixup lint errors
* Fixup Netlify target
* Move various environment getting utils out of the main file and test/doc
* Clean up and document the entire environment file
* Tweak the environment tests to reflect what they should be
* Explicitly enable namespaces instead of defaulting
* Allow env fallback functions to be called lazily
Otherwise the executables used for finding out things would be required
during build, this way if env vars are set the executable aren't needed
* Infer booleans from the fallback and cast them as such
* update bindata on ui-v2/ changes
* Revert "Remove GIT_SHA environment variable"
This reverts commit f620f9aefd41362ce76c3a8e0f4addf402ee0ca2.
* Revert "Hardcode in an app version for ember-cli-app-version"
This reverts commit 5ae493d79b34ef2143d78a44c21a63623140bba8.
* revert modtime change in #8712
* add check for bindata_assetfs changes
* Remove GIT_SHA environment variable
* Hardcode in an app version for ember-cli-app-version
* change ' to " for CONSUL_UI_SETTINGS_PLACEHOLDER
Co-authored-by: John Cowen <jcowen@hashicorp.com>
Co-authored-by: hashicorp-ci <hashicorp-ci@users.noreply.github.com>
Related changes:
- hard-fail the xDS connection attempt if the envoy version is known to be too old to be supported
- remove the RouterMatchSafeRegex proxy feature since all supported envoy versions have it
- stop using --max-obj-name-len (due to: envoyproxy/envoy#11740)
Running every test with the race detector would add significant time to
CI. That additionaltime won't provide much value as many of the integration tests use
much of the same code.
For now we can run -race on some of the smaller packages. As we move
more code into smaller packages we should be able to add more packages
to the list that runs with '-race'.
For now this is running without parallelism, but we can enable that as
well when we need it.
boltdb fails the 'checkptr' check, which is automatically enabled by
'-race', so I've disabled checkptr as well.
* test/integration: only run against 1 envoy version
These tests are slow enough that it seems unlikely that anyone is
running multiple versions locally. If someone wants to, a for loop
outside of run_test.sh should do the right thing.
Remove unused vars.
* Remove logic to iterate over test cases, run a single case
* Add a golang runner for integration tests
* Use build tags for envoy integration tests
And add junit-xml report
If not artificially limited by setting JOBS env var,
broccoli-babel-transpiler will attempt to parallelize across the number
of CPUs on the host VM rather than the Docker container, resulting in CI
jobs being killed due to running out of memory.
* bump ember-build-prod and ember-build to medium+ to prevent OOM errors
* filter frontend workflow to only run on master, ui-staging, and ui/* branches
The previous PR which added these was accidentally performing the download
in the root directory. For the api, and sdk directories it should be in done
in the same directory that will be used to run tests. Otherwise the
wrong dependencies will be downloaded which may add unnecessary time to
the CI run.
Run 'go mod download' first so that dependencies are pulled in a
separate step. This makes the test splitting and test output easier
to scroll through.
Remove test splitting from the api/sdk test runs. These jobs do not
use parallelism, so there is no test timing data injected into the
job. They can't be split.
Remove the dependencies from the go-test job, so that we can start
the slowest test job earlier in the workflow.
To reduce the chance of some tests not being run because it does not
match the regex passed to '-run'.
Also document why some tests are allowed to be skipped on CI.
37897bfc27 made it possible to use
the -m flag with cherry-pick, even when the target is not a merge commit.
This commit changes the image used to run the cherry-pick job to alpine so that we get
a more recent version of git.
The alpine image will also download much faster when the CI node does not have the image cached.
This change assumes that it is always safe to use the first commit
parent as the mainline. I believe this assumption is safe with a
github merge workflow.
Using golangci-lint has a number of advantages:
- adding new linters becomes much easier, its a couple lines of yaml config
instead of more bash scripting
- it enables whitelisting of issues using inline comments or regex
- when running multiple linters less work is done. The parsed source can be reused
by multiple linters
- linters are run in parallel to reduce CI runtime.
- You can no longer cross submodule boundaries with ./... in go
subcommands like `go list` or `go test`. The makefile and CI scripts
were updated accordingly.
- Also of note: `go mod vendor` now omits things build ignored.
* add 1.12.2
* add envoy 1.13.0
* Introduce -envoy-version to get 1.10.0 passing.
* update old version and fix consul-exec case
* add envoy_version and fix check
* Update Envoy CLI tests to account for the 1.13 compatibility changes.
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
* ui: Make API integration tests aware of CONSUL_NSPACES_ENABLED
* ui: Allow passing CONSUL_NSPACES_ENABLED in via the cli in ember
* ui: Add more makefile targets/package scripts to switch NSPACEs on/off
* ui: Ensure all acceptance tests continue to pass with NSPACEs on/off
This required a little tweaking of the dictionary, at some point
page-navigation and some of these little tweaks will no longer be
required
* ui: Try running CI frontend tests in two parellel runs oss/ent
* ui: Use correct make target, use different names for the reports
* ui: Move CI to use the Makefile for testing (+ tmporary removal of exam)
* ui: make a specific test-ci target as we are using --path dist
--path dist looks for a previous build to test against, in CI this
exists as we run a build first, but locally potentially this dist folder
doesn't
* vault-ca-provider: add make target and CI test-integration job for /agent/connect/ca/ Vault Provider tests
* load env vars in the vault-ca-provider ci job
* add checkout task, see if we need to attach workspace or not
* ci: remove vault dependency from go-test job to ensure we only run the vault-provider tests in their job
* ci: fix from RB and Alvin code review, add mod cache after checkout
* ci: add CI context to make target and store test results
* ci: fix whitespace
* ci: create test results directory before we try to write to it
* ACL Authorizer overhaul
To account for upcoming features every Authorization function can now take an extra *acl.EnterpriseAuthorizerContext. These are unused in OSS and will always be nil.
Additionally the acl package has received some thorough refactoring to enable all of the extra Consul Enterprise specific authorizations including moving sentinel enforcement into the stubbed structs. The Authorizer funcs now return an acl.EnforcementDecision instead of a boolean. This improves the overall interface as it makes multiple Authorizers easily chainable as they now indicate whether they had an authoritative decision or should use some other defaults. A ChainedAuthorizer was added to handle this Authorizer enforcement chain and will never itself return a non-authoritative decision.
* Include stub for extra enterprise rules in the global management policy
* Allow for an upgrade of the global-management policy