Commit Graph

19918 Commits

Author SHA1 Message Date
Semir Patel 896c39d98c
Create tombstone on resource `Delete` (#17108) 2023-04-28 10:49:08 -05:00
Dan Upton 6d024775a0
resource: owner references must include a uid (#17169) 2023-04-28 11:22:42 +01:00
Freddy 29d5811f0d
Update HCP bootstrapping to support existing clusters (#16916)
* Persist HCP management token from server config

We want to move away from injecting an initial management token into
Consul clusters linked to HCP. The reasoning is that by using a separate
class of token we can have more flexibility in terms of allowing HCP's
token to co-exist with the user's management token.

Down the line we can also more easily adjust the permissions attached to
HCP's token to limit it's scope.

With these changes, the cloud management token is like the initial
management token in that iit has the same global management policy and
if it is created it effectively bootstraps the ACL system.

* Update SDK and mock HCP server

The HCP management token will now be sent in a special field rather than
as Consul's "initial management" token configuration.

This commit also updates the mock HCP server to more accurately reflect
the behavior of the CCM backend.

* Refactor HCP bootstrapping logic and add tests

We want to allow users to link Consul clusters that already exist to
HCP. Existing clusters need care when bootstrapped by HCP, since we do
not want to do things like change ACL/TLS settings for a running
cluster.

Additional changes:

* Deconstruct MaybeBootstrap so that it can be tested. The HCP Go SDK
  requires HTTPS to fetch a token from the Auth URL, even if the backend
  server is mocked. By pulling the hcp.Client creation out we can modify
  its TLS configuration in tests while keeping the secure behavior in
  production code.

* Add light validation for data received/loaded.

* Sanitize initial_management token from received config, since HCP will
  only ever use the CloudConfig.MangementToken.

* Add changelog entry
2023-04-27 22:27:39 +02:00
John Maguire d19a7dad68
APIGW: Update how status conditions for certificates are handled (#17115)
* Move status condition for invalid certifcate to reference the listener
that is using the certificate

* Fix where we set the condition status for listeners and certificate
refs, added tests

* Add changelog
2023-04-27 15:54:44 +00:00
Anita Akaeze 2a291419dd
Merge pull request #5288 from hashicorp/NET-3648_fix (#17163)
NET-3648: perform envoy version verification
2023-04-26 20:29:43 -04:00
Semir Patel 406c1afc04
Support Envoy's MaxEjectionPercent and BaseEjectionTime config entries for passive health checks (#15979)
* Add MaxEjectionPercent to config entry

* Add BaseEjectionTime to config entry

* Add MaxEjectionPercent and BaseEjectionTime to protobufs

* Add MaxEjectionPercent and BaseEjectionTime to api

* Fix integration test breakage

* Verify MaxEjectionPercent and BaseEjectionTime in integration test upstream confings

* Website docs for MaxEjectionPercent and BaseEjection time

* Add `make docs` to browse docs at http://localhost:3000

* Changelog entry

* so that is the difference between consul-docker and dev-docker

* blah

* update proto funcs

* update proto

---------

Co-authored-by: Maliz <maliheh.monshizadeh@hashicorp.com>
2023-04-26 15:59:48 -07:00
Michael Wilkerson f24e5ed1d6
fixed aliases for sameness group (sameness_group) (#17161) 2023-04-26 14:53:23 -07:00
Mike Morris 93a1b3bf61
docs: fixup note about node scope for admin partitions (#17147) 2023-04-26 13:46:22 -04:00
Paul Glass 69e9e21bf4
TProxy integration test (#17103)
* TProxy integration test
* Fix GHA compatibility integration test command

Previously, when test splitting allocated multiple test directories to a
runner, the workflow ran `go tests "./test/dir1 ./test/dir2"` which
results in a directory not found error. This fixes that.
2023-04-26 11:49:38 -05:00
Freddy 8082ca612c
[CC-4519] Include Consul NodeID in Envoy bootstrap metadata (#17139)
This is being added so that metrics sent to HCP can be augmented with the source node's ID.

Opting not to add this to stats_tag out of caution, since it would increase the cardinality of metrics emitted by Envoy for all users.

There is no functional impact to Envoy expected from this change.
2023-04-26 10:04:57 -06:00
Dan Upton 02c3e44ad8
proto-public: document resource service (#17119) 2023-04-26 16:26:54 +01:00
Eric Haberkorn 34f24a3fa2
fix backward compat issue caused by localities being set to `null` when they are unset (#17144) 2023-04-26 11:02:20 -04:00
R.B. Boyer f74aedada0
api: ensure empty locality field is not transmitted to Consul (#17137) 2023-04-26 10:01:17 -05:00
Eric Haberkorn f2a96a8bac
add acl filter logs (#17143) 2023-04-26 10:57:35 -04:00
Eric Haberkorn 61ad5aa4a9
add sameness intentions in api package (#17096) 2023-04-26 10:00:18 -04:00
Dan Upton 15cc86ba91
Cleanup from unblocking the pipeline 🧹 (#17121) 2023-04-26 13:59:58 +01:00
Dan Upton 91f3abf27b
testing: `RunResourceService` helper (#17068) 2023-04-26 11:57:10 +01:00
Semir Patel cf50def90b
Fix or disable pipeline breaking changes that made it into main in last day or so (#17130)
* Fix straggler from renaming Register->RegisterTypes

* somehow a lint failure got through previously

* Fix lint-consul-retry errors

* adding in fix for success jobs getting skipped. (#17132)

* Temporarily disable inmem backend conformance test to get green pipeline

* Another test needs disabling

---------

Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-04-25 15:17:48 -05:00
David Yu 082d33b1e4
Update single-dc-multi-k8s.mdx (#17126) 2023-04-25 09:42:31 -07:00
Paul Banks ce96b2c69d
De-flake snapshot test (#17120) 2023-04-25 15:25:26 +01:00
Dan Upton f7c4f04060
Controller Supervision (#17016) 2023-04-25 12:52:35 +01:00
Dan Upton 5979752994
storage: fix bug where WatchList would (rarely) return duplicate events (#17067) 2023-04-25 11:48:13 +01:00
JUN YANG c47af84f85
Fix broken link in changelog (#17093)
Co-authored-by: David Yu <dyu@hashicorp.com>
2023-04-25 01:32:22 +00:00
Rosemary Wang 64b4623590
Clarify OpenTelemetry support for tracing (#17082) 2023-04-24 17:04:32 -07:00
malizz 79fab940b2
remove envoy endpoint flag from k8s docs (#17105) 2023-04-24 15:30:00 -07:00
John Murret eee48de998
ci: fix runner calculation to exclude the top level directory as part of the calculation (#17090)
* fix runner calculation to exclude the top level directory as part of the calculation

* fix the logic for generating the directories/functions

* De-scope tenenacy requirements to OSS only for now. (#17087)

Partition and namespace must be "default"
Peername must be "local"

* Fix virtual services being included in intention topology as downstreams. (#17099)

* Merge pull request #5200 from hashicorp/NET-3758 (#17102)

* Merge pull request #5200 from hashicorp/NET-3758

NET-3758: connect: update supported envoy versions to 1.26.0

* lint

* CI: remove uneeded AWS creds from test-integrations (#17104)

* Update test-integrations.yml

* removing permission lies now that vault is not used in this job.

---------

Co-authored-by: John Murret <john.murret@hashicorp.com>

* update based on feedback

---------

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
Co-authored-by: Anita Akaeze <anita.akaeze@hashicorp.com>
Co-authored-by: Dan Bond <danbond@protonmail.com>
2023-04-24 14:25:57 -06:00
John Maguire c5b7164b16
APIGW Normalize Status Conditions (#16994)
* normalize status conditions for gateways and routes

* Added tests for checking condition status and panic conditions for
validating combinations, added dummy code for fsm store

* get rid of unneeded gateway condition generator struct

* Remove unused file

* run go mod tidy

* Update tests, add conflicted gateway status

* put back removed status for test

* Fix linting violation, remove custom conflicted status

* Update fsm commands oss

* Fix incorrect combination of type/condition/status

* cleaning up from PR review

* Change "invalidCertificate" to be of accepted status

* Move status condition enums into api package

* Update gateways controller and generated code

* Update conditions in fsm oss tests

* run go mod tidy on consul-container module to fix linting

* Fix type for gateway endpoint test

* go mod tidy from changes to api

* go mod tidy on troubleshoot

* Fix route conflicted reason

* fix route conflict reason rename

* Fix text for gateway conflicted status

* Add valid certificate ref condition setting

* Revert change to resolved refs to be handled in future PR
2023-04-24 16:22:55 -04:00
Michael Wilkerson 40dd8ce65b
Add sameness group field to prepared queries (#17089)
* added method for converting SamenessGroupConfigEntry
- added new method `ToQueryFailoverTargets` for converting a SamenessGroupConfigEntry's members to a list of QueryFailoverTargets
- renamed `ToFailoverTargets` ToServiceResolverFailoverTargets to distinguish it from `ToQueryFailoverTargets`

* Added SamenessGroup to PreparedQuery
- exposed Service.Partition to API when defining a prepared query
- added a method for determining if a QueryFailoverOptions is empty
- This will be useful for validation
- added unit tests

* added method for retrieving a SamenessGroup to state store

* added logic for using PQ with SamenessGroup
- added branching path for SamenessGroup handling in execute. It will be handled separate from the normal PQ case
- added a new interface so that the `GetSamenessGroupFailoverTargets` can be properly tested
- separated the execute logic into a `targetSelector` function so that it can be used for both failover and sameness group PQs
- split OSS only methods into new PQ OSS files
- added validation that `samenessGroup` is an enterprise only feature

* added documentation for PQ SamenessGroup
2023-04-24 13:21:28 -07:00
Dan Bond dc4d8b0cf6
CI: remove uneeded AWS creds from test-integrations (#17104)
* Update test-integrations.yml

* removing permission lies now that vault is not used in this job.

---------

Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-04-24 11:34:53 -07:00
Anita Akaeze b0674f7d6d
Merge pull request #5200 from hashicorp/NET-3758 (#17102)
* Merge pull request #5200 from hashicorp/NET-3758

NET-3758: connect: update supported envoy versions to 1.26.0

* lint
2023-04-24 18:23:24 +00:00
Derek Menteer 136adf52da
Fix virtual services being included in intention topology as downstreams. (#17099) 2023-04-24 12:03:26 -05:00
Semir Patel 2409c32e20
De-scope tenenacy requirements to OSS only for now. (#17087)
Partition and namespace must be "default"
Peername must be "local"
2023-04-24 08:14:51 -05:00
Paul Banks 062cd72607
Bump raft to 1.5.0 (#17081)
* Bump raft to 1.5.0

* Add CHANGELOG entry

* Add CHANGELOG entry with right extension (thanks VSCode)

* Add CHANGELOG entry with right extension (thanks VSCode)

* Go mod tidy
2023-04-21 20:13:55 +01:00
Kyle Havlovitz dee8609793
Include virtual services from discovery chain in intention topology (#16862) 2023-04-21 16:58:13 +00:00
Kyle Havlovitz 29daa2f054
Add manual virtual IP support to state store (#16815) 2023-04-21 09:19:02 -07:00
John Murret 3939237e28
ci: fix test splits that have less test packages than runner count from hanging (#17080)
* use proper TOTAL_RUNNER setting when generating runner matrix.  if matrix size is smaller than total_runners, use the smaller number

* try again

* try again 2

* try again 3

* try again 4

* try again 5

* try scenario where number is less

* reset

* get rid of cat "$GITHUB_OUTPUT"

* Apply suggestions from code review

Co-authored-by: Dan Bond <danbond@protonmail.com>

* removing push trigger that was added for debug

---------

Co-authored-by: Dan Bond <danbond@protonmail.com>
2023-04-21 10:01:32 -06:00
John Murret 75aa8e39b9
ci: fix test splits that have less test packages than runner count from hanging (#17080)
* use proper TOTAL_RUNNER setting when generating runner matrix.  if matrix size is smaller than total_runners, use the smaller number

* try again

* try again 2

* try again 3

* try again 4

* try again 5

* try scenario where number is less

* reset

* get rid of cat "$GITHUB_OUTPUT"

* Apply suggestions from code review

Co-authored-by: Dan Bond <danbond@protonmail.com>

* removing push trigger that was added for debug

---------

Co-authored-by: Dan Bond <danbond@protonmail.com>
2023-04-21 10:01:05 -06:00
Eric Haberkorn e61ba07fa1
Fix a bug with disco chain config entry fetching (#17078)
Before this change, we were not fetching service resolvers (and therefore
service defaults) configuration entries for services on members of sameness
groups.
2023-04-21 09:18:32 -04:00
R.B. Boyer e76795dc08
fix the linter (#17077) 2023-04-20 17:49:08 -04:00
Anita Akaeze af6e061d05
NET-3648: Add script to get consul and envoy version (#17060) 2023-04-20 13:11:11 -04:00
Semir Patel b12d638046
Enforce operator:write acl on `WriteStatus` endpoint (#17019) 2023-04-20 16:25:33 +00:00
Eric Haberkorn 87994e4c5f
Add sameness groups to service intentions. (#17064) 2023-04-20 12:16:04 -04:00
Eddie Rowe cb467ac229
fix broken links (#17032)
* fix broken links

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-04-20 16:12:11 +00:00
Ronald 05cac617ba
Fix generated proto files (#17063)
* [COMPLIANCE] Add Copyright and License Headers

* generate proto

---------

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-04-20 13:31:49 +00:00
hashicorp-copywrite[bot] 87aee8308b
[COMPLIANCE] Add Copyright and License Headers (#16854)
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Co-authored-by: Ronald <roncodingenthusiast@users.noreply.github.com>
2023-04-20 12:40:22 +00:00
John Murret 0216add52c
remove worklogs upload (#17056) 2023-04-19 16:29:36 -06:00
Paul Glass 972e81bd67
[NET-3091] Update service intentions to support jwt provider references (#17037)
* [NET-3090] Add new JWT provider config entry

* Add initial test cases

* update validations for jwt-provider config entry fields

* more validation

* start improving tests

* more tests

* Normalize

* Improve tests and move validate fns

* usage test update

* Add split between ent and oss for partitions

* fix lint issues

* Added retry backoff, fixed tests, removed unused defaults

* take into account default partitions

* use countTrue and add aliases

* omit audiences if empty

* fix failing tests

* add omit-entry

* Add JWT intentions

* generate proto

* fix deep copy issues

* remove extra field

* added some tests

* more tests

* add validation for creating existing jwt

* fix nil issue

* More tests, fix conflicts and improve memdb call

* fix namespace

* add aliases

* consolidate errors, skip duplicate memdb calls

* reworked iteration over config entries

* logic improvements from review

---------

Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
2023-04-19 18:16:39 -04:00
Paul Glass 91ca3b012c
[NET-3090] Add new JWT provider config entry (#17036)
* [NET-3090] Add new JWT provider config entry

* Add initial test cases

* update validations for jwt-provider config entry fields

* more validation

* start improving tests

* more tests

* Normalize

* Improve tests and move validate fns

* usage test update

* Add split between ent and oss for partitions

* fix lint issues

* Added retry backoff, fixed tests, removed unused defaults

* take into account default partitions

* use countTrue and add aliases

* omit audiences if empty

* fix failing tests

* add omit-entry

* update copyright headers ids

---------

Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
Co-authored-by: Ronald <roncodingenthusiast@users.noreply.github.com>
2023-04-19 17:54:14 -04:00
Paul Glass d8d89d4b59
Permissive mTLS (#17035)
This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode.
Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application.

* Update service-defaults and proxy-defaults config entries with a MutualTLSMode field
* Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode.
* Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
2023-04-19 14:45:00 -05:00
R.B. Boyer 5e019393d3
Revert "cache: refactor agent cache fetching to prevent unnecessary f… (#16818) (#17046)
Revert "cache: refactor agent cache fetching to prevent unnecessary fetches on error (#14956)"

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
2023-04-19 13:17:21 -05:00