Commit Graph

17490 Commits

Author SHA1 Message Date
Nathan Coleman 8890e3ae69 Fix broken link 2022-06-20 16:33:49 -04:00
Nathan Coleman 49e0c16d4d Address surprise format of reference-grant 2022-06-20 16:30:58 -04:00
Nathan Coleman e33d4e3cb2 ReferenceGrant -> ReferencePolicy 2022-06-20 15:25:15 -04:00
sarahalsmiller 1c610cb01d
Update upgrade-specific-versions.mdx 2022-06-16 15:36:27 -05:00
Nathan Coleman 521e040356 Add note about expected status for invalid CertificateRef 2022-06-15 15:46:46 -04:00
Nathan Coleman a768fb8e80 Indent points specific to xRoute backend references 2022-06-14 17:27:02 -04:00
Nathan Coleman ac0be8644a Add docs for ReferencePolicy as it applies to Gateways 2022-06-14 15:11:28 -04:00
Sarah Alsmiller 0428a2ef99 light restructureing/fixed some copypasta 2022-06-13 16:16:45 -05:00
Sarah Alsmiller 42b840b684 updated referencepolicy to referencegrant, added v0.3.0 upgrade instructions 2022-06-13 16:05:21 -05:00
Nathan Coleman 00cc3940b8
Merge pull request #13333 from hashicorp/docs/capig-instances-config
docs: Consul API Gateway scaling config
2022-06-13 11:45:03 -04:00
Mike Morris 24ca62ef1c
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-06-07 16:24:35 -04:00
Mike Morris 00cdae18d5
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-06-07 16:17:45 -04:00
Dhia Ayachi 7602b6ebf2
Egress gtw/connect destination intentions (#13341)
* update gateway-services table with endpoints

* fix failing test

* remove unneeded config in test

* rename "endpoint" to "destination"

* more endpoint renaming to destination in tests

* update isDestination based on service-defaults config entry creation

* use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist)

* set unknown state to empty to avoid modifying alot of tests

* fix logic to set the kind correctly on CRUD

* fix failing tests

* add missing tests and fix service delete

* fix failing test

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

* fix a bug with kind and add relevant test

* fix compile error

* fix failing tests

* add kind to clone

* fix failing tests

* fix failing tests in catalog endpoint

* fix service dump test

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

* remove duplicate tests

* first draft of destinations intention in connect proxy

* remove ServiceDestinationList

* fix failing tests

* fix agent/consul failing tests

* change to filter intentions in the state store instead of adding a field.

* fix failing tests

* fix comment

* fix comments

* store service kind destination and add relevant tests

* changes based on review

* filter on destinations when querying source match

* Apply suggestions from code review

Co-authored-by: alex <8968914+acpana@users.noreply.github.com>

* fix style

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

* rename destinationType to targetType.

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
Co-authored-by: alex <8968914+acpana@users.noreply.github.com>
Co-authored-by: github-team-consul-core <github-team-consul-core@hashicorp.com>
2022-06-07 15:03:59 -04:00
Evan Culver dcb511e78a
ci: Add package verifications to build workflow (#13294)
Co-authored-by: cskh <hui.kang@hashicorp.com>
2022-06-06 14:42:11 -07:00
R.B. Boyer 28ec70953b
test: retry the compat tests as often as other tests (#13369)
The upgrade compatibility tests need frequent retrying to pass because they are slightly flaky. To alleviate manual work borrow similar gotestsum logic from the main go tests CI job to rerun them automatically here.
2022-06-06 16:06:55 -05:00
R.B. Boyer db48b4f5a2
test: break dep on main consul module (#13373)
The main consul module is not a great library and complicates some oss/ent module issues.

This undoes #13371
2022-06-06 16:06:39 -05:00
R.B. Boyer 0681f3571d
peering: allow mesh gateways to proxy L4 peered traffic (#13339)
Mesh gateways will now enable tcp connections with SNI names including peering information so that those connections may be proxied.

Note: this does not change the callers to use these mesh gateways.
2022-06-06 14:20:41 -05:00
Fulvio f155ff347c
UDP check for service stanza #12221 (#12722)
* UDP check for service stanza #12221

* add pass status on timeout condition

* delete useless files

* Update check_test.go

improve comment in test

* fix test

* fix requested changes and update TestRuntimeConfig_Sanitize.golden

* add freeport to TestCheckUDPCritical

* improve comment for CheckUDP struct

* fix requested changes

* fix requested changes

* fix requested changes

* add UDP to proto

* add UDP to proto and add a changelog

* add requested test on agent_endpoint_test.go

* add test for given endpoints

* fix failing tests

* add documentation for udp healthcheck

* regenerate proto using buf

* Update website/content/api-docs/agent/check.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/api-docs/agent/check.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/discovery/checks.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/ecs/configuration-reference.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/ecs/configuration-reference.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* add debug echo

* add debug circle-ci

* add debug circle-ci bash

* use echo instead of status_stage

* remove debug and status from devtools script and use echo instead

* Update website/content/api-docs/agent/check.mdx

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

* fix test

* replace status_stage with status

* replace functions with echo

Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2022-06-06 15:13:19 -04:00
R.B. Boyer 977b39cde1
test: use a go mod replace trick for the compat test dependency on the main repo (#13371) 2022-06-06 14:12:49 -05:00
Evan Culver 6ba124d163
Add latest changelog entries (#13363) 2022-06-06 11:52:13 -07:00
alex ff2ad3ba0c
peering: send leader addr (#13342)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-06-06 10:00:38 -07:00
Riddhi Shah 6132f1a845
[OSS] consul connect envoy command changes for agentless (#13361)
Changes the sourcing of the envoy bootstrap configuration
to not use agent APIs and instead use the catalog(server) API.
This is done by passing a node-name flag to the command,
(which can only be used with proxy-id).

Also fixes a bug where the golden envoy bootstrap config files
used for tests did not use the expected destination service name
in certain places for connect proxy kind.
2022-06-06 09:23:08 -07:00
modrake 802eda2af6
add codeowners to protect release dirs (#13261)
* add codeowners to protect release dirs
2022-06-06 08:57:15 -07:00
Dan Upton 5cd31933d1
xds: remove HTTPCheckFetcher dependency (#13366)
This is the OSS portion of enterprise PR 1994

Rather than directly interrogating the agent-local state for HTTP
checks using the `HTTPCheckFetcher` interface, we now rely on the
config snapshot containing the checks.

This reduces the number of changes required to support server xDS
sessions.

It's not clear why the fetching approach was introduced in
931d167ebb2300839b218d08871f22323c60175d.
2022-06-06 15:15:33 +01:00
R.B. Boyer 4c781d1e15
peering: update how cross-peer upstreams and represented in proxycfg and rendered in xds (#13362)
This removes unnecessary, vestigal remnants of discovery chains.
2022-06-03 16:42:50 -05:00
cskh bd3a4dfeab
Add isLeader metric to track if a server is a leader (#13304)
CTIA-21: sdd is_leader metric to track if a server is a leader

Co-authored-by: alex <8968914+acpana@users.noreply.github.com>
2022-06-03 13:07:37 -04:00
Freddy 36322c49cf
Merge pull request #13340 from hashicorp/peering/public-listener 2022-06-02 15:15:29 -06:00
alex 5825f3e1f6
chore: remove broken link from pr template (#13343) 2022-06-02 09:51:22 -07:00
Kyle Schochenmaier bc906625f6
update multicluster docs (#13334) 2022-06-02 11:46:35 -05:00
Chris S. Kim 8a7dfbaa7d
Fix KVSGet method to handle QueryOptions properly (#13344) 2022-06-02 12:26:18 -04:00
Freddy 137bfbb02b Update public listener with SPIFFE Validator
Envoy's SPIFFE certificate validation extension allows for us to
validate against different root certificates depending on the trust
domain of the dialing proxy.

If there are any trust bundles from peers in the config snapshot then we
use the SPIFFE validator as the validation context, rather than the
usual TrustedCA.

The injected validation config includes the local root certificates as
well.
2022-06-01 17:06:33 -06:00
freddygv ad6dbe081a Add agent cache-type for TrustBundleListByService
There are a handful of changes in this commit:
* When querying trust bundles for a service we need to be able to
  specify the namespace of the service.
* The endpoint needs to track the index because the cache watches use
  it.
* Extracted bulk of the endpoint's logic to a state store function
  so that index tracking could be tested more easily.
* Removed check for service existence, deferring that sort of work to ACL authz
* Added the cache type
2022-06-01 17:05:10 -06:00
freddygv 073c9e3a91 Update assumptions around exported-service config
Given that the exported-services config entry can use wildcards, the
precedence for wildcards is handled as with intentions. The most exact
match is the match that applies for any given service. We do not take
the union of all that apply.

Another update that was made was to reflect that only one
exported-services config entry applies to any given service in a
partition. This is a pre-existing constraint that gets enforced by
the Normalize() method on that config entry type.
2022-06-01 17:03:51 -06:00
Freddy 6ef38eaea7
Configure upstream TLS context with peer root certs (#13321)
For mTLS to work between two proxies in peered clusters with different root CAs,
proxies need to configure their outbound listener to use different root certificates
for validation.

Up until peering was introduced proxies would only ever use one set of root certificates
to validate all mesh traffic, both inbound and outbound. Now an upstream proxy
may have a leaf certificate signed by a CA that's different from the dialing proxy's.

This PR makes changes to proxycfg and xds so that the upstream TLS validation
uses different root certificates depending on which cluster is being dialed.
2022-06-01 15:53:52 -06:00
Freddy b43799eee1
[OSS] Pull split ns/partition var out of testing file (#13337)
The api module previously had defaultPartition and defaultNamespace vars
for when we need default/empty split usage between ent/oss respectively.

This commit moves those two variables out of test code so that they can
be used for the service exports config entry's `GetNamespace()` method.

Previously `GetNamespace()` would return "default" in both OSS and enterprise,
which can trip up automation that passes the result of this method as the
namespace to write a config entry.

The split vars are kept private to prevent external usage, and prefixed with
`split` for more clarity about their behavior.
2022-06-01 14:42:33 -06:00
R.B. Boyer 211b62e9b2
build: ensure tools match go toolchain version (#13338) 2022-06-01 15:24:45 -05:00
R.B. Boyer addfef5065
test: regenerate golden files (#13336)
make envoy-regen
    go test ./agent/config -update
2022-06-01 15:17:03 -05:00
R.B. Boyer 4479d9e6df
build: add 'make help' to simply list available make targets (#13322) 2022-06-01 14:16:17 -05:00
Mike Morris 39a450bb75 docs(consul-api-gateway): fixup code snippets in gateway scaling section 2022-06-01 15:02:07 -04:00
Mike Morris 75166b6fbd docs(consul-api-gateway): fixup CLI prompt to match convention 2022-06-01 15:00:06 -04:00
Mike Morris 2601a7d563 docs(consul-api-gateway): add Gateway scaling section 2022-06-01 14:42:08 -04:00
R.B. Boyer b2045c0cd0
ci: nomad main is now on go 1.18 (#13329)
The nomad integration tests that use main need to be updated to reflect hashicorp/nomad#13036
2022-06-01 13:34:44 -05:00
Mike Morris 601c13eefe docs(consul-api-gateway): gateway instances -> instances per gateway 2022-06-01 14:06:18 -04:00
Mike Morris df1666765a docs(consul-api-gateway): add GatewayClassConfig deployment.maxInstances and deployment.minInstances 2022-06-01 13:59:50 -04:00
Mike Morris ac747888fd docs(consul-api-gateway): add GatewayClassConfig deployment.defaultInstances 2022-06-01 13:59:23 -04:00
Chris S. Kim 58ffa0488d
Revert getPathSuffixUnescaped (#13256) 2022-06-01 13:17:14 -04:00
Dan Upton e6dc26e087
proxycfg: replace direct agent cache usage with interfaces (#13320)
This is the OSS portion of enterprise PRs 1904, 1905, 1906, 1907, 1949,
and 1971.

It replaces the proxycfg manager's direct dependency on the agent cache
with interfaces that will be implemented differently when serving xDS
sessions from a Consul server.
2022-06-01 16:18:06 +01:00
Chris S. Kim 44a318ef73
Reimplement fs.FileInfo interface (#13315)
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2022-06-01 11:09:51 -04:00
Michele Degges b0e5573f30
[Fix typo] Backport-reminder (#13313) 2022-05-31 22:44:53 -07:00
Chris S. Kim 23e7c5b5fd
Fix broken CI step (#13314) 2022-05-31 16:58:17 -04:00