Commit graph

19948 commits

Author SHA1 Message Date
Semir Patel f8b900d555
Reaper controller for cascading deletes of owner resources (#17256) 2023-05-09 13:57:40 -05:00
Freddy f914d88179
Post a PR comment if the backport runner fails (#17197) 2023-05-09 12:28:34 -06:00
Freddy 0459069523
Hash namespace+proxy ID when creating socket path (#17204)
UNIX domain socket paths are limited to 104-108 characters, depending on
the OS. This limit was quite easy to exceed when testing the feature on
Kubernetes, due to how proxy IDs encode the Pod ID eg:
metrics-collector-59467bcb9b-fkkzl-hcp-metrics-collector-sidecar-proxy

To ensure we stay under that character limit this commit makes a
couple changes:
- Use a b64 encoded SHA1 hash of the namespace + proxy ID to create a
  short and deterministic socket file name.
- Add validation to proxy registrations and proxy-defaults to enforce a
  limit on the socket directory length.
2023-05-09 12:20:26 -06:00
Dan Upton 270df96301
resource: add helpers for more efficiently comparing IDs etc (#17224) 2023-05-09 19:02:24 +01:00
Derek Menteer 3ce5277217
Fix multiple issues related to proxycfg health queries. (#17241)
Fix multiple issues related to proxycfg health queries.

1. The datacenter was not being provided to a proxycfg query, which resulted in
bypassing agentless query optimizations and using the normal API instead.

2. The health rpc endpoint would return a zero index when insufficient ACLs were
detected. This would result in the agent cache performing an infinite loop of
queries in rapid succession without backoff.
2023-05-09 12:37:58 -05:00
Dan Upton 91f76b6fb2
controller: deduplicate items in queue (#17168) 2023-05-09 18:14:20 +01:00
Dan Bond 93a906d2a4
Revert "ci: remove test splitting for compatibility tests (#17166)" (#17262)
This reverts commit 861a8151d50377315c6c391833fef85b71b54d18.
2023-05-09 10:44:31 -06:00
Dan Upton 979ef66885
Controller Runtime 2023-05-09 15:25:55 +01:00
Dan Stough 7bb2f158b2
chore(ci): fix backport assistant branch creation race (#17249) 2023-05-08 20:30:45 +00:00
John Murret 6ffa87c2eb
ci: remove test splitting for compatibility tests (#17166)
* remove test splitting from compatibility-integration-tests

* enable on push

* remove ipv6 loopback fix

* re-add ipv6 loopback fix

* remove test splitting from upgrade-integration-tests

* remove test splitting from upgrade-integration-tests

* put test splitting back in for upgrade tests

* upgrade-integration tests-o
ne runner no retries
2023-05-08 20:26:16 +00:00
Matt Keeler 6919dabb50
Register new catalog & mesh protobuf types with the resource registry (#17225) 2023-05-08 15:36:35 -04:00
Derek Menteer 73b65228f5
Fix issue with peer stream node cleanup. (#17235)
Fix issue with peer stream node cleanup.

This commit encompasses a few problems that are closely related due to their
proximity in the code.

1. The peerstream utilizes node IDs in several locations to determine which
nodes / services / checks should be cleaned up or created. While VM deployments
with agents will likely always have a node ID, agentless uses synthetic nodes
and does not populate the field. This means that for consul-k8s deployments, all
services were likely bundled together into the same synthetic node in some code
paths (but not all), resulting in strange behavior. The Node.Node field should
be used instead as a unique identifier, as it should always be populated.

2. The peerstream cleanup process for unused nodes uses an incorrect query for
node deregistration. This query is NOT namespace aware and results in the node
(and corresponding services) being deregistered prematurely whenever it has zero
default-namespace services and 1+ non-default-namespace services registered on
it. This issue is tricky to find due to the incorrect logic mentioned in #1,
combined with the fact that the affected services must be co-located on the same
node as the currently deregistering service for this to be encountered.

3. The stream tracker did not understand differences between services in
different namespaces and could therefore report incorrect numbers. It was
updated to utilize the full service name to avoid conflicts and return proper
results.
2023-05-08 13:13:25 -05:00
John Murret 7c101c27c3
security: update go version to 1.20.4 (#17240)
* update go version to 1.20.3

* add changelog

* rename changelog file to remove underscore

* update to use 1.20.4

* update change log entry to reflect 1.20.4
2023-05-08 11:57:11 -06:00
Jared Kirschner 1922417443
docs: correct misspelling (#17229) 2023-05-08 13:30:48 -04:00
Semir Patel 9615837c60
resource: List resources by owner (#17190) 2023-05-08 12:26:19 -05:00
cskh 9074a13843
upgrade test: use docker.mirror.hashicorp.services to avoid docker login (#17186)
* upgrade test: use docker.mirror.hashicorp.services to avoid docker login

* upgrade tests: remove docker login

Signed-off-by: Dan Bond <danbond@protonmail.com>

---------

Signed-off-by: Dan Bond <danbond@protonmail.com>
Co-authored-by: Dan Bond <danbond@protonmail.com>
2023-05-08 13:15:38 -04:00
cskh b5d2fafd7a
Upgrade test target image (#17226)
* upgrade test: add targetimage name as parameter to upgrade function

- the image name of latest version and target version could be
  different. Add the parameter of targetImage to the upgrade
  function

* fix a bug of expected error
2023-05-08 12:02:31 -04:00
Jared Kirschner d447b54ad3
docs: consistently name Consul service mesh (#17222)
Remove outdated usage of "Consul Connect" instead of Consul service mesh.

The connect subsystem in Consul provides Consul's service mesh capabilities.
However, the term "Consul Connect" should not be used as an alternative to
the name "Consul service mesh".
2023-05-05 13:41:40 -04:00
Dan Upton 34786c71cd
controller: make the WorkQueue generic (#16982) 2023-05-05 15:38:22 +01:00
Matt Keeler 36c7edf13c
Initial Catalog & Mesh Protobuf Definitions (#17123) 2023-05-05 09:47:28 -04:00
John Eikenberry 0210211a69
enable auto-tidy expired issuers in vault (as CA)
When using vault as a CA and generating the local signing cert, try to
enable the PKI endpoint's auto-tidy feature with it set to tidy expired
issuers.
2023-05-03 20:30:37 +00:00
Nathan Coleman f5668b3621
Use auth context when evaluating service read permissions (#17207)
Co-authored-by: Blake Covarrubias <1812+blake@users.noreply.github.com>
2023-05-02 16:23:42 -04:00
Eddie Rowe 827be5ad6e
Fix broken lightstep link (#17201) 2023-05-01 14:24:52 +00:00
Poonam Jadhav 2a33111b21
feat: add no-op reporting background routine (#17178) 2023-04-28 20:07:03 -04:00
Freddy a90fff4789
Revert "[CC-4519] Include Consul NodeID in Envoy bootstrap metadata" (#17191) 2023-04-28 15:23:55 -06:00
Eric Haberkorn 47a7e52098
fix panic in injectSANMatcher when tlsContext is nil (#17185) 2023-04-28 16:27:57 -04:00
Paul Glass e1cff98a8f
Permissive mTLS: Config entry filtering and CLI warnings (#17183)
This adds filtering for service-defaults: consul config list -filter 'MutualTLSMode == "permissive"'.

It adds CLI warnings when the CLI writes a config entry and sees that either service-defaults or proxy-defaults contains MutualTLSMode=permissive, or sees that the mesh config entry contains AllowEnablingPermissiveMutualTLSMode=true.
2023-04-28 12:51:36 -05:00
R.B. Boyer 064392441f
peering: ensure that merged central configs of peered upstreams for partitioned downstreams work (#17179)
Partitioned downstreams with peered upstreams could not properly merge central config info (i.e. proxy-defaults and service-defaults things like mesh gateway modes) if the upstream had an empty DestinationPartition field in Enterprise.

Due to data flow, if this setup is done using Consul client agents the field is never empty and thus does not experience the bug.

When a service is registered directly to the catalog as is the case for consul-dataplane use this field may be empty and and the internal machinery of the merging function doesn't handle this well.

This PR ensures the internal machinery of that function is referentially self-consistent.
2023-04-28 12:36:08 -05:00
Semir Patel 2601f0488c
Sync .golangci.yml from ENT (#17180) 2023-04-28 17:14:37 +00:00
John Landa b9cf6579e6
Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry (#17066)
* Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry

* Add changelog

* Remove test on default MaxTokenTTL

* Change to imperitive tense for changelog entry
2023-04-28 10:57:30 -05:00
Semir Patel 896c39d98c
Create tombstone on resource Delete (#17108) 2023-04-28 10:49:08 -05:00
Dan Upton 6d024775a0
resource: owner references must include a uid (#17169) 2023-04-28 11:22:42 +01:00
Freddy 29d5811f0d
Update HCP bootstrapping to support existing clusters (#16916)
* Persist HCP management token from server config

We want to move away from injecting an initial management token into
Consul clusters linked to HCP. The reasoning is that by using a separate
class of token we can have more flexibility in terms of allowing HCP's
token to co-exist with the user's management token.

Down the line we can also more easily adjust the permissions attached to
HCP's token to limit it's scope.

With these changes, the cloud management token is like the initial
management token in that iit has the same global management policy and
if it is created it effectively bootstraps the ACL system.

* Update SDK and mock HCP server

The HCP management token will now be sent in a special field rather than
as Consul's "initial management" token configuration.

This commit also updates the mock HCP server to more accurately reflect
the behavior of the CCM backend.

* Refactor HCP bootstrapping logic and add tests

We want to allow users to link Consul clusters that already exist to
HCP. Existing clusters need care when bootstrapped by HCP, since we do
not want to do things like change ACL/TLS settings for a running
cluster.

Additional changes:

* Deconstruct MaybeBootstrap so that it can be tested. The HCP Go SDK
  requires HTTPS to fetch a token from the Auth URL, even if the backend
  server is mocked. By pulling the hcp.Client creation out we can modify
  its TLS configuration in tests while keeping the secure behavior in
  production code.

* Add light validation for data received/loaded.

* Sanitize initial_management token from received config, since HCP will
  only ever use the CloudConfig.MangementToken.

* Add changelog entry
2023-04-27 22:27:39 +02:00
John Maguire d19a7dad68
APIGW: Update how status conditions for certificates are handled (#17115)
* Move status condition for invalid certifcate to reference the listener
that is using the certificate

* Fix where we set the condition status for listeners and certificate
refs, added tests

* Add changelog
2023-04-27 15:54:44 +00:00
Anita Akaeze 2a291419dd
Merge pull request #5288 from hashicorp/NET-3648_fix (#17163)
NET-3648: perform envoy version verification
2023-04-26 20:29:43 -04:00
Semir Patel 406c1afc04
Support Envoy's MaxEjectionPercent and BaseEjectionTime config entries for passive health checks (#15979)
* Add MaxEjectionPercent to config entry

* Add BaseEjectionTime to config entry

* Add MaxEjectionPercent and BaseEjectionTime to protobufs

* Add MaxEjectionPercent and BaseEjectionTime to api

* Fix integration test breakage

* Verify MaxEjectionPercent and BaseEjectionTime in integration test upstream confings

* Website docs for MaxEjectionPercent and BaseEjection time

* Add `make docs` to browse docs at http://localhost:3000

* Changelog entry

* so that is the difference between consul-docker and dev-docker

* blah

* update proto funcs

* update proto

---------

Co-authored-by: Maliz <maliheh.monshizadeh@hashicorp.com>
2023-04-26 15:59:48 -07:00
Michael Wilkerson f24e5ed1d6
fixed aliases for sameness group (sameness_group) (#17161) 2023-04-26 14:53:23 -07:00
Mike Morris 93a1b3bf61
docs: fixup note about node scope for admin partitions (#17147) 2023-04-26 13:46:22 -04:00
Paul Glass 69e9e21bf4
TProxy integration test (#17103)
* TProxy integration test
* Fix GHA compatibility integration test command

Previously, when test splitting allocated multiple test directories to a
runner, the workflow ran `go tests "./test/dir1 ./test/dir2"` which
results in a directory not found error. This fixes that.
2023-04-26 11:49:38 -05:00
Freddy 8082ca612c
[CC-4519] Include Consul NodeID in Envoy bootstrap metadata (#17139)
This is being added so that metrics sent to HCP can be augmented with the source node's ID.

Opting not to add this to stats_tag out of caution, since it would increase the cardinality of metrics emitted by Envoy for all users.

There is no functional impact to Envoy expected from this change.
2023-04-26 10:04:57 -06:00
Dan Upton 02c3e44ad8
proto-public: document resource service (#17119) 2023-04-26 16:26:54 +01:00
Eric Haberkorn 34f24a3fa2
fix backward compat issue caused by localities being set to null when they are unset (#17144) 2023-04-26 11:02:20 -04:00
R.B. Boyer f74aedada0
api: ensure empty locality field is not transmitted to Consul (#17137) 2023-04-26 10:01:17 -05:00
Eric Haberkorn f2a96a8bac
add acl filter logs (#17143) 2023-04-26 10:57:35 -04:00
Eric Haberkorn 61ad5aa4a9
add sameness intentions in api package (#17096) 2023-04-26 10:00:18 -04:00
Dan Upton 15cc86ba91
Cleanup from unblocking the pipeline 🧹 (#17121) 2023-04-26 13:59:58 +01:00
Dan Upton 91f3abf27b
testing: RunResourceService helper (#17068) 2023-04-26 11:57:10 +01:00
Semir Patel cf50def90b
Fix or disable pipeline breaking changes that made it into main in last day or so (#17130)
* Fix straggler from renaming Register->RegisterTypes

* somehow a lint failure got through previously

* Fix lint-consul-retry errors

* adding in fix for success jobs getting skipped. (#17132)

* Temporarily disable inmem backend conformance test to get green pipeline

* Another test needs disabling

---------

Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-04-25 15:17:48 -05:00
David Yu 082d33b1e4
Update single-dc-multi-k8s.mdx (#17126) 2023-04-25 09:42:31 -07:00
Paul Banks ce96b2c69d
De-flake snapshot test (#17120) 2023-04-25 15:25:26 +01:00