Mike Morris 277c41d336
ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576)
* xds: refactor ingress listener SDS configuration

* xds: update resolveListenerSDS call args in listeners_test

* ingress: add TLS min, max and cipher suites to GatewayTLSConfig

* xds: implement envoyTLSVersions and envoyTLSCipherSuites

* xds: merge TLS config

* xds: configure TLS parameters with ingress TLS context from leaf

* xds: nil check in resolveListenerTLSConfig validation

* xds: nil check in makeTLSParameters* functions

* changelog: add entry for TLS params on ingress config entries

* xds: remove indirection for TLS params in TLSConfig structs

* xds: return tlsContext, nil instead of ambiguous err

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* xds: switch zero checks to types.TLSVersionUnspecified

* ingress: add validation for ingress config entry TLS params

* ingress: validate listener TLS config

* xds: add basic ingress with TLS params tests

* xds: add ingress listeners mixed TLS min version defaults precedence test

* xds: add more explicit tests for ingress listeners inheriting gateway defaults

* xds: add test for single TLS listener on gateway without TLS defaults

* xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test

* types/tls: change TLSVersion to string

* types/tls: update TLSCipherSuite to string type

* types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private

* api: add TLS params to GatewayTLSConfig, add tests

* api: add TLSMinVersion to ingress gateway config entry test JSON

* xds: switch to Envoy TLS cipher suite encoding from types package

* xds: fixup validation for TLSv1_3 min version with cipher suites

* add some kitchen sink tests and add a missing struct tag

* xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites

* xds: update connectTLSEnabled comment

* xds: remove unused resolveGatewayServiceTLSConfig function

* xds: add makeCommonTLSContextFromLeafWithoutParams

* types/tls: add LessThan comparator function for concrete values

* types/tls: change tlsVersions validation map from string to TLSVersion keys

* types/tls: remove unused envoyTLSCipherSuites

* types/tls: enable chacha20 cipher suites for Consul agent

* types/tls: remove insecure cipher suites from allowed config

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source.

Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330

* types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private

* types/tls: return all unmatched cipher suites in validation errors

* xds: check that Envoy API value matching TLS version is found when building TlsParameters

* types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings

* types/tls: cast to string rather than fmt.Printf in TLSCipherSuite.String()

* xds: add TLSVersionUnspecified to list of configurable cipher suites

* structs: update note about config entry warning

* xds: remove TLS min version cipher suite unconfigurable test placeholder

* types/tls: update tests to remove assumption about private map values

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2022-01-11 11:46:42 -05:00
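The commit above describes three behaviours worth seeing together: listener-level TLS settings layered over gateway defaults (a listener field wins, an empty one inherits), validation that rejects a pinned cipher suite list once the effective minimum is TLSv1_3 (TLS 1.3 suites are not configurable in Envoy) and reports every unmatched suite at once, and translation of IANA suite names into the OpenSSL-style strings Envoy's TlsParameters takes, with the two CBC_SHA256 suites that Go's crypto/tls marks insecure kept off the allow list. The Go below is an added illustration written for this page, not Consul's own code: the type names, the allow list, the Envoy string encodings and the TLS_AUTO sentinel are assumptions chosen to mirror the commit message, not copied from the repository.

```go
package main

import (
	"fmt"
	"strings"
)

// TLSVersion is the config entry string form ("TLSv1_2"). Empty means "not
// set": a listener inherits the gateway value, a gateway leaves Envoy's default.
// Names are assumed for this example, not taken from Consul.
type TLSVersion string

const (
	TLSVersionUnspecified TLSVersion = ""
	TLSVersionAuto        TLSVersion = "TLS_AUTO"
	TLSv1_0               TLSVersion = "TLSv1_0"
	TLSv1_1               TLSVersion = "TLSv1_1"
	TLSv1_2               TLSVersion = "TLSv1_2"
	TLSv1_3               TLSVersion = "TLSv1_3"
)

// Rank for concrete versions only; Unspecified and Auto are not comparable.
var tlsVersionRank = map[TLSVersion]int{TLSv1_0: 1, TLSv1_1: 2, TLSv1_2: 3, TLSv1_3: 4}

// Assumed allow list: IANA name -> OpenSSL-style string Envoy's TlsParameters
// expects. The two TLS_ECDHE_*_WITH_AES_128_CBC_SHA256 suites are left out
// because Go's crypto/tls lists them as insecure.
var envoyCipherSuites = map[string]string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256":       "ECDHE-ECDSA-AES128-GCM-SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":         "ECDHE-RSA-AES128-GCM-SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384":       "ECDHE-ECDSA-AES256-GCM-SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":         "ECDHE-RSA-AES256-GCM-SHA384",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256":   "ECDHE-RSA-CHACHA20-POLY1305",
}

// GatewayTLSConfig is the TLS block on the gateway and on each listener.
type GatewayTLSConfig struct {
	TLSMinVersion TLSVersion
	TLSMaxVersion TLSVersion
	CipherSuites  []string
}

// Merge layers listener settings over gateway defaults: a field the listener
// sets wins, a field it leaves empty is inherited.
func Merge(gateway, listener GatewayTLSConfig) GatewayTLSConfig {
	merged := gateway
	if listener.TLSMinVersion != TLSVersionUnspecified {
		merged.TLSMinVersion = listener.TLSMinVersion
	}
	if listener.TLSMaxVersion != TLSVersionUnspecified {
		merged.TLSMaxVersion = listener.TLSMaxVersion
	}
	if len(listener.CipherSuites) > 0 {
		merged.CipherSuites = listener.CipherSuites
	}
	return merged
}

// ValidateAndEncode checks a merged config (versions known, max not below min,
// no suite list pinned under a TLSv1_3 minimum, every suite on the allow list
// with all offenders reported together) and returns the Envoy suite strings.
func ValidateAndEncode(cfg GatewayTLSConfig) ([]string, error) {
	for _, v := range []TLSVersion{cfg.TLSMinVersion, cfg.TLSMaxVersion} {
		if _, ok := tlsVersionRank[v]; !ok && v != TLSVersionUnspecified && v != TLSVersionAuto {
			return nil, fmt.Errorf("invalid TLS version %q", v)
		}
	}
	minRank, minOK := tlsVersionRank[cfg.TLSMinVersion]
	maxRank, maxOK := tlsVersionRank[cfg.TLSMaxVersion]
	if minOK && maxOK && maxRank < minRank {
		return nil, fmt.Errorf("TLSMaxVersion %q is below TLSMinVersion %q", cfg.TLSMaxVersion, cfg.TLSMinVersion)
	}
	if len(cfg.CipherSuites) == 0 {
		return nil, nil
	}
	if cfg.TLSMinVersion == TLSv1_3 {
		return nil, fmt.Errorf("CipherSuites cannot be set when TLSMinVersion is %q", TLSv1_3)
	}
	var unmatched, encoded []string
	for _, cs := range cfg.CipherSuites {
		e, ok := envoyCipherSuites[cs]
		if !ok {
			unmatched = append(unmatched, cs)
			continue
		}
		encoded = append(encoded, e)
	}
	if len(unmatched) > 0 {
		return nil, fmt.Errorf("unsupported cipher suites: %s", strings.Join(unmatched, ", "))
	}
	return encoded, nil
}

func main() {
	gw := GatewayTLSConfig{TLSMinVersion: TLSv1_2, CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
	_, err := ValidateAndEncode(Merge(gw, GatewayTLSConfig{TLSMinVersion: TLSv1_3}))
	fmt.Println(err) // the listener raised the floor to 1.3 but inherited the gateway's suite list
}
```

The case in `main` is the precedence trap the commit's "mixed TLS min version defaults" test guards against: a gateway pins TLS 1.2 suites, a listener only raises its minimum to 1.3, and the merged result is invalid because the suite list is inherited unchanged. Validating after the merge, rather than per block, is what catches it.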
| Path | Last commit | Date |
|---|---|---|
| .changelog | ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) | 2022-01-11 11:46:42 -05:00 |
| .circleci | website: fix algolia indexing (#11413) | 2021-12-15 08:30:46 -06:00 |
| .github | removing markdown file for consul docs day issue | 2022-01-03 11:06:09 -07:00 |
| .release | Removing test branch | 2021-12-14 18:19:14 -08:00 |
| acl | Rename partition-exports to exported-services | 2021-12-03 17:47:31 -07:00 |
| agent | ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) | 2022-01-11 11:46:42 -05:00 |
| api | ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) | 2022-01-11 11:46:42 -05:00 |
| bench | Gets benchmarks running again and does a rough pass for 0.7.1. | 2016-11-29 13:02:26 -08:00 |
| build-support | Update CI and release go versions to 1.17.5 (#11799) | 2021-12-10 14:04:56 -05:00 |
| command | ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) | 2022-01-11 11:46:42 -05:00 |
| connect | sdk/freeport: rename Port to GetOne | 2021-11-30 17:32:41 -05:00 |
| contributing | Move contributing to docs | 2021-08-30 16:17:09 -04:00 |
| demo | demo: Added udp port forwarding | 2018-05-30 13:56:56 +09:00 |
| docs | Move contributing to docs | 2021-08-30 16:17:09 -04:00 |
| grafana | add readme outlining how to edit and publish | 2021-01-12 14:47:11 -08:00 |
| internal | testing: remove unnecessary calls to freeport | 2021-11-29 12:19:43 -05:00 |
| ipaddr | Ensure Consul is IPv6 compliant (#5468) | 2019-06-04 10:02:38 -04:00 |
| lib | testing: remove unnecessary calls to freeport | 2021-11-29 12:19:43 -05:00 |
| logging | Fix Windows logging to files (#11960) | 2022-01-06 16:07:09 -05:00 |
| proto | Rename `Master` and `AgentMaster` fields in config protobuf (#11764) | 2021-12-07 19:59:38 +00:00 |
| sdk | sdk/freeport: rename Port to GetOne | 2021-11-30 17:32:41 -05:00 |
| sentinel | re-run gofmt on 1.17 (#11579) | 2021-11-16 12:04:01 -06:00 |
| service_os | re-run gofmt on 1.17 (#11579) | 2021-11-16 12:04:01 -06:00 |
| snapshot | testing: skip slow tests with -short | 2020-12-07 13:42:55 -05:00 |
| terraform | terraform: remove modules in repo (#5085) | 2019-04-04 16:31:43 -07:00 |
| test | Fix integration test with updated file perms (#11916) | 2021-12-23 19:00:02 -05:00 |
| testrpc | ca: remove duplicate WaitFor function | 2021-12-08 18:42:52 -05:00 |
| tlsutil | regenerate expired certs (#11462) | 2021-11-01 11:40:16 -04:00 |
| types | ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) | 2022-01-11 11:46:42 -05:00 |
| ui | ui: Adding Partition to topology card (#11805) | 2022-01-11 10:04:06 -05:00 |
| version | Improved performance of the version.GetHumanVersion function by 50% on memory allocation. (#11507) | 2021-12-09 13:14:06 -08:00 |
| website | Merge pull request #12002 from hashicorp/kubernetes-service-screenshot | 2022-01-11 11:34:00 -05:00 |
| .dockerignore | Update the scripting | 2018-06-14 21:42:47 -04:00 |
| .gitattributes | Initial commit | 2013-11-04 14:15:27 -08:00 |
| .gitignore | website: remove netlify artifacts and port missing redirects over to new format (#9601) | 2021-01-21 10:16:17 -05:00 |
| .golangci.yml | xds: remove deprecated usages of xDS (#9602) | 2021-02-22 15:00:15 -06:00 |
| CHANGELOG.md | Add missing changelog entries (#11973) | 2022-01-07 20:23:46 -08:00 |
| Dockerfile | add dumb-init package to Dockerfile | 2021-11-18 08:36:59 -08:00 |
| GNUmakefile | build: switch to 'go install' over 'go get' (#11582) | 2021-11-16 12:04:49 -06:00 |
| INTERNALS.md | Move contributing to docs | 2021-08-30 16:17:09 -04:00 |
| LICENSE | Initial commit | 2013-11-04 14:15:27 -08:00 |
| NOTICE.md | add copyright notice file | 2018-07-09 10:58:26 -07:00 |
| README.md | docs: Call out the UI in README and include details for contributing to it (#11187) | 2021-09-30 13:34:28 +01:00 |
| Vagrantfile | Adds a basic Linux Vagrant setup, stolen from Nomad. | 2017-10-06 08:10:12 -07:00 |
| codecov.yml | Update all the references in CI and makefile to the bindata file location | 2020-10-01 16:19:10 +01:00 |
| go.mod | upgrade raft to v1.3.3 (#11958) | 2022-01-06 14:09:13 -05:00 |
| go.sum | upgrade raft to v1.3.3 (#11958) | 2022-01-06 14:09:13 -05:00 |
| main.go | cmd: introduce a shim to expose Stdout/Stderr writers | 2021-06-02 16:51:34 -04:00 |
| main_test.go | Adding basic CLI infrastructure | 2013-12-19 11:22:08 -08:00 |
| package-lock.json | Adding UI screenshots to L7 overview | 2022-01-10 14:34:00 -05:00 |

README.md

Consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.

Consul provides several key features:

  • Multi-Datacenter - Consul is built to be datacenter aware, and can support any number of regions without complex configuration.

  • Service Mesh/Service Segmentation - Consul Connect enables secure service-to-service communication with automatic TLS encryption and identity-based authorization. Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Connect at all.

  • Service Discovery - Consul makes it simple for services to register themselves and to discover other services via a DNS or HTTP interface. External services such as SaaS providers can be registered as well.

  • Health Checking - Health Checking enables Consul to quickly alert operators about any issues in a cluster. The integration with service discovery prevents routing traffic to unhealthy hosts and enables service level circuit breakers.

  • Key/Value Storage - A flexible key/value store enables storing dynamic configuration, feature flagging, coordination, leader election and more. The simple HTTP API makes it easy to use anywhere.

Consul runs on Linux, macOS, FreeBSD, Solaris, and Windows and includes an optional browser based UI. A commercial version called Consul Enterprise is also available.

Please note: We take Consul's security and our users' trust very seriously. If you believe you have found a security issue in Consul, please responsibly disclose by contacting us at security@hashicorp.com.

Quick Start

A few quick start guides are available on the Consul website:

Documentation

Full, comprehensive documentation is available on the Consul website:

https://www.consul.io/docs

Contributing

Thank you for your interest in contributing! Please refer to CONTRIBUTING.md for guidance. For contributions specifically to the browser based UI, please refer to the UI's README.md for guidance.