Commit Graph

19777 Commits

Author SHA1 Message Date
Mark Anderson 1497421b65
Merge pull request #12878 from hashicorp/ma/x-forwarded-client-cert
Support x-forwarded-client-cert
2022-05-04 11:05:44 -07:00
Evan Culver d5a97ecaf3
fix(ci): use correct variable syntax for build-distros job (#12933) 2022-05-04 10:45:23 -07:00
Dan Upton 6bfdb48560
acl: gRPC login and logout endpoints (#12935)
Introduces two new public gRPC endpoints (`Login` and `Logout`) and
includes refactoring of the equivalent net/rpc endpoints to enable the
majority of logic to be reused (i.e. by extracting the `Binder` and
`TokenWriter` types).

This contains the OSS portions of the following enterprise commits:

- 75fcdbfcfa6af21d7128cb2544829ead0b1df603
- bce14b714151af74a7f0110843d640204082630a
- cc508b70fbf58eda144d9af3d71bd0f483985893
2022-05-04 17:38:45 +01:00
Mark Anderson 13f5a1f6a8 Fix tests for APPEND_FORWARD change
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:59 -07:00
Mark Anderson 69c129c73f Change to use APPEND_FORWARD for terminating gateway
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:59 -07:00
Mark Anderson db0c61303f Update mesh config tests
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:59 -07:00
Mark Anderson e6282c7c64 Docs and changelog edits
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:59 -07:00
Mark Anderson c6dbc34172 Fixup missed config entry
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:59 -07:00
Mark Anderson 33bc0a8cb3 Add some docs
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:58 -07:00
Mark Anderson d8f4cc5537 Add x-forwarded-client-cert headers
Description
Add x-fowarded-client-cert information on trusted incoming connections.

Envoy provides support forwarding and annotating the
x-forwarded-client-cert header via the forward_client_cert_details
set_current_client_cert_details filter fields. It would be helpful for
consul to support this directly in its config. The escape hatches are
a bit cumbersome for this purpose.

This has been implemented on incoming connections to envoy. Outgoing
(from the local service through the sidecar) will not have a
certificate, and so are left alone.

A service on an incoming connection will now get headers something like this:

```
X-Forwarded-Client-Cert:[By=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting;Hash=61ad5cbdfcb50f5a3ec0ca60923d61613c149a9d4495010a64175c05a0268ab2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard]
```

Closes #12852
2022-05-04 08:50:58 -07:00
claire labry 1cd73d7a71
Merge pull request #12917 from hashicorp/add-release-config-key
Add config key to the promote-staging event
2022-05-03 17:26:46 -04:00
Amier Chery b51cc46e43
Merge pull request #12631 from driesgroblerw/patch-1
Updated the link to acl-policies
2022-05-03 14:59:05 -04:00
DanStough 64b339aca7 chore(ci): fix backport-assistant for stable website 2022-05-03 14:36:46 -04:00
Kyle Havlovitz 369f4848e3
Merge pull request #12885 from hashicorp/acl-err-cache
Store and return RPC error in ACL cache entries
2022-05-03 10:44:22 -07:00
Kyle Havlovitz 3bd001fb29 Return ACLRemoteError from cache and test it correctly 2022-05-03 10:05:26 -07:00
DanStough b1a1ddf78f chore(ci): fix backport assistant 2022-05-03 12:41:12 -04:00
R.B. Boyer 7d20b68959
ci: upgrade bats and the circle machine executors to get integration tests to function again (#12918)
Bonus change: send less context when building the test-sds-server to
speed up the setup.
2022-05-03 11:21:32 -05:00
Claire Labry b147910a95
Add config key to the promote-staging event 2022-05-03 11:58:14 -04:00
FFMMM 4cd68b4534
[sync oss] api: add peering api module (#12911) 2022-05-02 11:49:05 -07:00
Blake Covarrubias 8dc68002f9
docs: Add example Envoy escape hatch configs (#12764)
Add example escape hatch configurations for all supported override
types.
2022-05-02 11:25:59 -07:00
DanStough 5fa882127e chore(ci): add initial support for backport assistant 2022-05-02 11:14:32 -04:00
Jared Kirschner 304eb8a95d
Merge pull request #12762 from hashicorp/jkirschner-hashicorp-patch-1
docs: use correct previous name of recovery token
2022-04-29 18:35:56 -04:00
Chris S. Kim 829554c706
peering: Make Upstream peer-aware (#12900)
Adds DestinationPeer field to Upstream.
Adds Peer field to UpstreamID and its string conversion functions.
2022-04-29 18:12:51 -04:00
Jared Kirschner 23b3f88141
Merge pull request #12902 from hashicorp/jkirschner-hashicorp-patch-2
docs: fix typo
2022-04-29 17:59:26 -04:00
Jared Kirschner 4b315c6ffd
docs: fix typo 2022-04-29 17:57:21 -04:00
Jared Kirschner c8676a4564
Merge pull request #12893 from hashicorp/docs/improve-consul-server-resilience
docs: add guidance on improving Consul resilience
2022-04-29 15:42:09 -04:00
Chris S. Kim 33bfaf5671
Cleanup peering files that used error types that were removed (#12892) 2022-04-29 14:02:26 -04:00
Jared Kirschner 2ab5559a6a docs: add guidance on improving Consul resilience
Discuss available strategies for improving server-level and infrastructure-level
fault tolerance in Consul.
2022-04-29 10:58:03 -07:00
Jeff Apple d6fdaa608f
Merge pull request #12891 from hashicorp/docs-api-gateway-0.2.1
Docs: update for API Gateway v0.2.1
2022-04-29 10:50:04 -07:00
Mathew Estafanous 893b740dff
Unify various status errors into one HTTP error type. (#12594)
Replaces specific error types for HTTP Status codes with 
a generic HTTPError type.

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
2022-04-29 13:42:49 -04:00
Jeff-Apple 70e5ccfe59 Dcos: update for API Gateway v0.2.1 2022-04-29 09:52:00 -07:00
Jared Kirschner 3867ce2355
Merge pull request #11810 from hashicorp/update-enterprise-packaging-in-feature-docs
Update enterprise packaging in feature docs
2022-04-28 19:38:59 -04:00
Jared Kirschner 1e161b8c1b docs: improve ent overview headings 2022-04-28 16:27:34 -07:00
Jared Kirschner e4a66931a9 docs: explicitly fill all ent feature matrix cells 2022-04-28 12:41:37 -07:00
Chris S. Kim 6e7d17052c
Add a Github action to remind people about backport automation (#12884) 2022-04-28 14:52:41 -04:00
Kyle Havlovitz f84ed5f70b Store and return rpc error in acl cache entries 2022-04-28 09:08:55 -07:00
Jeff Apple 6ec2cfe8a0
Merge pull request #12874 from hashicorp/japple-api-gw-fix-install-doc
Docs: updated versions on install page and other minor fixes.
2022-04-27 17:24:51 -07:00
Jeff-Apple 04409f7164 Docs: updated versions on install page and other minor fixes. 2022-04-27 16:52:52 -07:00
Mike Morris 22c02b002d
website(consul-api-gateway): fixup stray div tag and step 8 link rendering (#12873) 2022-04-27 19:36:01 -04:00
Karl Cardenas da4adcd808
Merge pull request #12872 from hashicorp/markdown-fix
docs: fixes makdown leakage
2022-04-27 14:20:19 -07:00
Karl Cardenas 89c32164d7
docs: fixes makdown leakage 2022-04-27 14:15:39 -07:00
Jared Kirschner ce9e72778c docs: update HCP Consul feature matrix 2022-04-27 12:44:00 -07:00
Nathan Coleman ebacee3d13
Merge pull request #12871 from hashicorp/apigw-crd-version
Update version pin for consul-api-gateway install docs
2022-04-27 14:23:05 -05:00
Nathan Coleman a9a0416266 Update version pin for consul-api-gateway CRD install 2022-04-27 15:07:02 -04:00
Jeff Apple 1f8f4e5d27
Merge pull request #12863 from hashicorp/api-gateway-v0.2-docs
Update product docs for release of Consul API Gateway v0.2
2022-04-27 12:01:23 -07:00
Nathan Coleman 498b80b284 Update minimum Consul version in Tech Specs 2022-04-27 14:55:55 -04:00
Jeff-Apple d110933167 correction to the API Gateway 0.2 release notes. 2022-04-27 11:53:27 -07:00
Nathan Coleman 865fa7c480 Instruct user to update apiGateway.image in values.yaml 2022-04-27 14:47:15 -04:00
Jeff-Apple 14030b261e Adding release notes for API Gateway v0.2 2022-04-27 11:44:39 -07:00
Nathan Coleman f678d8aeda Hide clipboard for codeblocks that shouldn't be copied 2022-04-27 14:37:51 -04:00