Commit Graph

17876 Commits

Author SHA1 Message Date
R.B. Boyer 81764a5650
peering: always send the mesh gateway SpiffeID even for tcp services (#13728)
If someone were to switch a peer-exported service from L4 to L7 there
would be a brief SAN validation hiccup as traffic shifted to the mesh
gateway for termination.

This PR sends the mesh gateway SpiffeID down all the time so the clients
always expect a switch.
2022-07-12 11:38:13 -05:00
R.B. Boyer ee5eb5a960
state: prohibit changing an exported tcp discovery chain in a way that would break SAN validation (#13727)
For L4/tcp exported services the mesh gateways will not be terminating
TLS. A caller in one peer will be directly establishing TLS connections
to the ultimate exported service in the other peer.

The caller will be doing SAN validation using the replicated SpiffeID
values shipped from the exporting side. There are a class of discovery
chain edits that could be done on the exporting side that would cause
the introduction of a new SpiffeID value. In between the time of the
config entry update on the exporting side and the importing side getting
updated peer stream data requests to the exported service would fail due
to SAN validation errors.

This is unacceptable so instead prohibit the exporting peer from making
changes that would break peering in this way.
2022-07-12 11:17:33 -05:00
R.B. Boyer 2c329475ce
state: prohibit exported discovery chains to have cross-datacenter or cross-partition references (#13726)
Because peerings are pairwise, between two tuples of (datacenter,
partition) having any exported reference via a discovery chain that
crosses out of the peered datacenter or partition will ultimately not be
able to work for various reasons. The biggest one is that there is no
way in the ultimate destination to configure an intention that can allow
an external SpiffeID to access a service.

This PR ensures that a user simply cannot do this, so they won't run
into weird situations like this.
2022-07-12 11:03:41 -05:00
Michael Klein 4a62ef296d
ui: peer permission handling (#13724)
* Request peering permissions when peerings is active

* Update peering ability to use peering resource

* fix canDelete peer permission to check write permission

* use super call in abilities.peer#canDelete
2022-07-12 16:16:47 +01:00
Chris S. Kim 9f5ab3ec10
Return error if ServerAddresses is empty (#13714) 2022-07-12 11:09:00 -04:00
Michael Klein d25b025468
ui: use environment variable for feature flagging peers (#13703)
* ui: use environment variable for feature flagging peers

* Add documentation for `features`-service

* Allow setting feature flag for peers via bookmarklet

* don't use features service for flagging peers

* add ability for checking if peers feature is enabled

* Use abilities to conditionally use peers feature

* Remove unused features service
2022-07-12 12:02:45 +01:00
Michael Wilkerson affae7ae83
update docs (#13711)
* update docs

* Update website/content/docs/nia/enterprise/index.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-07-11 15:03:18 -07:00
R.B. Boyer 986f24ce52
proto: ensure buf formatter has been applied to protobufs (#13709) 2022-07-11 13:44:51 -05:00
Jeff Boruszak 671d968ecc
Merge pull request #13693 from hashicorp/docs-cluster-peering-updates
docs: Cluster Peering docs fixes
2022-07-11 12:34:07 -05:00
Nathan Coleman 0bb6078002
Merge pull request #13681 from hashicorp/docs/install-capigw-version-env-var
docs(consul-api-gateway): use VERSION env var in install steps
2022-07-11 10:32:19 -05:00
Nathan Coleman 626704fcda
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx 2022-07-11 11:26:04 -04:00
cskh 2d99304762
feat(cli): enable to delete config entry from an input file (#13677)
* feat(cli): enable to delete config entry from an input file

- A new flag to config delete to delete a config entry in a
  valid config file, e.g., config delete -filename
  intention-allow.hcl
- Updated flag validation; -filename and -kind can't be set
  at the same time
- Move decode config entry method from config_write.go to
  helpers.go for reusing ParseConfigEntry()
- add changelog

Co-authored-by: Dan Upton <daniel@floppy.co>
2022-07-11 10:13:40 -04:00
Kyle Havlovitz 18aacf9b55
Merge pull request #13678 from hashicorp/envoy-prometheus-tls-fix
Fix syntax for envoy bootstrap prometheus secret config
2022-07-08 15:58:19 -07:00
Kyle Havlovitz 3803195a44 Add changelog note 2022-07-08 15:23:00 -07:00
Kyle Havlovitz 616a2da835 Respect http2 protocol for upstreams of terminating gateways 2022-07-08 14:30:45 -07:00
R.B. Boyer 5b801db24b
peering: move peer replication to the external gRPC port (#13698)
Peer replication is intended to be between separate Consul installs and
effectively should be considered "external". This PR moves the peer
stream replication bidirectional RPC endpoint to the external gRPC
server and ensures that things continue to function.
2022-07-08 12:01:13 -05:00
Mike Morris fc8fbda641
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-07-07 17:38:30 -04:00
Mike Morris 28d2ee5ada
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-07-07 17:37:12 -04:00
boruszak 7384eefff0 Clarification around "peering_token.json" and adding Partition names 2022-07-07 16:10:21 -05:00
Chris Thain 27c239b596
Docs: Fix path to consul-ecs Terraform modules (#13689) 2022-07-07 13:30:19 -07:00
R.B. Boyer 40c5c7eee2
server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data (#13687)
Currently servers exchange information about their WAN serf port
and RPC port with serf tags, so that they all learn of each other's
addressing information. We intend to make larger use of the new
public-facing gRPC port exposed on all of the servers, so this PR
addresses that by passing around the gRPC port via serf tags and
then ensuring the generated consul service in the catalog has
metadata about that new port as well for ease of non-serf-based lookup.
2022-07-07 13:55:41 -05:00
John Cowen 8c0da8fdfb
ui: Peer Deletion (#13665)
* ui: Peer Deletion (#13665)
* ui: Add sorting peer listing by State (#13684)
* ui: Add filtering peer listing by State (#13685)
2022-07-07 18:23:26 +01:00
John Cowen 8d275ac186
ui: CopyableCode component (#13686)
* ui: CopyableCode component plus switch into existing implementations
2022-07-07 17:42:47 +01:00
boruszak 368d88f9b3 "<service-name" fix - added brackets 2022-07-07 10:08:53 -05:00
Mike Morris 4372e4d3c4 docs(consul-api-gateway): use VERSION env var in install steps 2022-07-06 17:22:05 -04:00
Usha Kodali 922004d46b
Consul on ECS compatibility matrix docs update (#13060) 2022-07-06 12:34:14 -07:00
Kyle Havlovitz c31554ec64 Fix syntax for bootstrap sds secret config 2022-07-06 09:53:40 -07:00
Freddy ed9808c4f1
Parse peer name for virtual IP DNS queries (#13602)
This commit updates the DNS query locality parsing so that the virtual
IP for an imported service can be queried.

Note that:
- Support for parsing a peer in other service discovery queries was not
  added.
- Querying another datacenter for a virtual IP is not supported. This
  was technically allowed in 1.11 but is being rolled back for 1.13
  because it is not a use-case we intended to support. Virtual IPs in
  different datacenters are going to collide because they are allocated
  sequentially.
2022-07-06 10:30:04 -06:00
R.B. Boyer 4ce9651421
test: update mockery use to put mocks into test files (#13656)
--testonly doesn't do anything anymore so switch to --filename instead
2022-07-05 16:57:15 -05:00
Jared Kirschner a5cb3e67d8
Merge pull request #13654 from hashicorp/docs/correct-1.10.x-upgrade-path
docs: improve large version change upgrade path
2022-07-05 14:33:28 -04:00
John Cowen 756072898d
ui: Slight update to peering mocks to more properly match actual (#13664) 2022-07-04 18:49:41 +01:00
John Cowen 9377ac7635
ui: Fixup peering imported/exported service counts (#13662)
* ui: Fix up peer states and counts in the listing
2022-07-04 18:49:21 +01:00
Chris S. Kim 0910c41d95
Revise possible states for a peering. (#13661)
These changes are primarily for Consul's UI, where we want to be more
specific about the state a peering is in.

- The "initial" state was renamed to pending, and no longer applies to
  peerings being established from a peering token.

- Upon request to establish a peering from a peering token, peerings
  will be set as "establishing". This will help distinguish between the
  two roles: the cluster that generates the peering token and the
  cluster that establishes the peering.

- When marked for deletion, peering state will be set to "deleting".
  This way the UI determines the deletion via the state rather than the
  "DeletedAt" field.

Co-authored-by: freddygv <freddy@hashicorp.com>
2022-07-04 10:47:58 -04:00
John Cowen dae1f9d0b8
ui: Add peer searching and sorting (#13634)
* ui: Add peer searching and sorting

Initial name search and sort only, more to come here

* Remove old peerings::search component

* Use @model peers

* ui: Peer listing with dc/ns/partition/name based unique IDs and polling deletion (#13648)

* ui: Add peer repo with listing datasource

* ui: Use data-loader component to use the data-source

* ui: Remove ember-data REST things and Route.model hook

* 10 second not 1 second poll

* Fill out Datacenter and Partition

* route > routeName

* Faker randomised mocks for peering endpoint

* ui: Adds initial peer detail page plus address tab (#13651)
2022-07-04 11:31:58 +01:00
John Cowen c86aedfdd5
ui: Gradual deprecation of old StateChart interface (#13604) 2022-07-04 11:22:14 +01:00
Daniel Upton 687c447701 Changelog entry 2022-07-04 10:48:36 +01:00
Daniel Upton e1d0aff462 proxycfg: server-local intention upstreams data source
This is the OSS portion of enterprise PR 2157.

It builds on the local blocking query work in #13438 to implement the
proxycfg.IntentionUpstreams interface using server-local data.

Also moves the ACL filtering logic from agent/consul into the acl/filter
package so that it can be reused here.
2022-07-04 10:48:36 +01:00
Daniel Upton 21ea217b1d proxycfg: server-local intentions data source
This is the OSS portion of enterprise PR 2141.

This commit provides a server-local implementation of the `proxycfg.Intentions`
interface that sources data from streaming events.

It adds events for the `service-intentions` config entry type, and then consumes
event streams (via materialized views) for the service's explicit intentions and
any applicable wildcard intentions, merging them into a single list of intentions.

An alternative approach I considered was to consume _all_ intention events (via
`SubjectWildcard`) and filter out the irrelevant ones. This would admittedly
remove some complexity in the `agent/proxycfg-glue` package but at the expense
of considerable overhead from waking potentially many thousands of connect
proxies every time any intention is updated.
2022-07-04 10:48:36 +01:00
Daniel Upton 497df1ca3b proxycfg: server-local config entry data sources
This is the OSS portion of enterprise PR 2056.

This commit provides server-local implementations of the proxycfg.ConfigEntry
and proxycfg.ConfigEntryList interfaces, that source data from streaming events.

It makes use of the LocalMaterializer type introduced for peering replication,
adding the necessary support for authorization.

It also adds support for "wildcard" subscriptions (within a topic) to the event
publisher, as this is needed to fetch service-resolvers for all services when
configuring mesh gateways.

Currently, events will be emitted for just the ingress-gateway, service-resolver,
and mesh config entry types, as these are the only entries required by proxycfg
— the events will be emitted on topics named IngressGateway, ServiceResolver,
and MeshConfig topics respectively.

Though these events will only be consumed "locally" for now, they can also be
consumed via the gRPC endpoint (confirmed using grpcurl) so using them from
client agents should be a case of swapping the LocalMaterializer for an
RPCMaterializer.
2022-07-04 10:48:36 +01:00
Jared Kirschner 93edefd4a1 docs: improve large version change upgrade path 2022-07-01 05:47:24 -07:00
Michael Klein 303e7ff2e0
ui: allow searching services by admin-partition (#13650) 2022-06-30 17:24:52 +01:00
Michael Klein 362670f98f
ui: peering chores (#13636)
* Update empty state topology downstreams to included peer info

* Add filter for filtering for service without ExternalSources
2022-06-30 15:47:04 +01:00
alex 90577810cc
peering: add imported/exported counts to peering (#13644)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
2022-06-29 14:07:30 -07:00
Chris S. Kim 0dc1b11e42
Fix ENT drift in files (#13647) 2022-06-29 16:53:22 -04:00
Matt Keeler 57d0be42b9
Allow the /v1/internal/acl/authorize endpoint to authorize the “peering” resource (#13646)
Currently this just checks for operator read. In the near future it will check for peering specific rules once those are implemented.
2022-06-29 16:38:17 -04:00
Chris S. Kim 25aec40e74
Add internal endpoint to fetch peered upstream candidates from VirtualIP table (#13642)
For initial cluster peering TProxy support we consider all imported services of a partition to be potential upstreams.

We leverage the VirtualIP table because it stores plain service names (e.g. "api", not "api-sidecar-proxy").
2022-06-29 16:34:58 -04:00
Eric Haberkorn f3bba7c963
Fix spelling mistake in serverless patcher (#13607)
passhthrough -> passthrough
2022-06-29 15:21:21 -04:00
David Yu 8f8ed954cc
docs: add controller to cluster peering docs (#13639)
* docs: add controller to cluster peering docs
2022-06-29 11:08:37 -07:00
John Cowen 5c17ef792c
ui: Fix up peer ENT tests (#13633)
* ui: Add missing @nspaces

* Reorder peerings to be before any optionals

* Merge params instead of overwriting

* Reorder int tests
2022-06-29 19:07:39 +01:00
alex 04ec093130
no 1.9 style metrics (#13532)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-06-29 09:46:37 -07:00