open-consul/agent/structs
R.B. Boyer 63422ca9c5
connect: use stronger validation that ingress gateways have compatible protocols defined for their upstreams (#8470)
Fixes #8466

Since Consul 1.8.0 there was a bug in how ingress gateway protocol
compatibility was enforced. At the point in time that an ingress-gateway
config entry was modified the discovery chain for each upstream was
checked to ensure the ingress gateway protocol matched. Unfortunately
future modifications of other config entries were not validated against
existing ingress-gateway definitions, such as:

1. create tcp ingress-gateway pointing to 'api' (ok)
2. create service-defaults for 'api' setting protocol=http (worked, but not ok)
3. create service-splitter or service-router for 'api' (worked, but caused an agent panic)

If you were to do these in a different order, it would fail without a
crash:

1. create service-defaults for 'api' setting protocol=http (ok)
2. create service-splitter or service-router for 'api' (ok)
3. create tcp ingress-gateway pointing to 'api' (fail with message about
   protocol mismatch)

This PR introduces the missing validation. The two new behaviors are:

1. create tcp ingress-gateway pointing to 'api' (ok)
2. (NEW) create service-defaults for 'api' setting protocol=http ("ok" for back compat)
3. (NEW) create service-splitter or service-router for 'api' (fail with
   message about protocol mismatch)

In consideration for any existing users that may be inadvertently be
falling into item (2) above, that is now officiall a valid configuration
to be in. For anyone falling into item (3) above while you cannot use
the API to manufacture that scenario anymore, anyone that has old (now
bad) data will still be able to have the agent use them just enough to
generate a new agent/proxycfg error message rather than a panic.
Unfortunately we just don't have enough information to properly fix the
config entries.
2020-08-12 11:19:20 -05:00
..
acl.go ACL Node Identities (#7970) 2020-06-16 12:54:27 -04:00
acl_cache.go acl: adding support for kubernetes auth provider login (#5600) 2019-04-26 14:49:25 -05:00
acl_cache_test.go test: Remove t.Parallel() from agent/structs tests 2020-05-08 14:06:10 -04:00
acl_legacy.go ACL Node Identities (#7970) 2020-06-16 12:54:27 -04:00
acl_legacy_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
acl_oss.go ACL Node Identities (#7970) 2020-06-16 12:54:27 -04:00
acl_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
auto_encrypt.go tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 22:22:07 +02:00
catalog.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
check_definition.go feat: support sending body in HTTP checks (#6602) 2020-02-10 09:27:12 -07:00
check_definition_test.go Replace goe/verify.Values with testify/require.Equal (#7993) 2020-06-02 12:41:25 -04:00
check_type.go feat: support sending body in HTTP checks (#6602) 2020-02-10 09:27:12 -07:00
config_entry.go Split up unused key validation for oss/ent (#8189) 2020-06-25 13:58:29 -06:00
config_entry_discoverychain.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
config_entry_discoverychain_oss.go Updates to Config Entries and Connect for Namespaces (#7116) 2020-01-24 10:04:58 -05:00
config_entry_discoverychain_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
config_entry_gateways.go connect: use stronger validation that ingress gateways have compatible protocols defined for their upstreams (#8470) 2020-08-12 11:19:20 -05:00
config_entry_gateways_test.go connect: use stronger validation that ingress gateways have compatible protocols defined for their upstreams (#8470) 2020-08-12 11:19:20 -05:00
config_entry_oss.go Split up unused key validation for oss/ent (#8189) 2020-06-25 13:58:29 -06:00
config_entry_oss_test.go Split up unused key validation for oss/ent (#8189) 2020-06-25 13:58:29 -06:00
config_entry_test.go Split up unused key validation for oss/ent (#8189) 2020-06-25 13:58:29 -06:00
connect.go Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
connect_ca.go Move generation of the CA Configuration from the agent code into a method on the RuntimeConfig (#8363) 2020-07-23 16:05:28 -04:00
connect_ca_test.go connect: add validations around intermediate cert ttl (#7213) 2020-02-11 00:05:49 +01:00
connect_oss.go Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
connect_proxy_config.go Add alias struct tags for new decode hook 2020-05-27 16:24:47 -04:00
connect_proxy_config_oss.go Updates to Config Entries and Connect for Namespaces (#7116) 2020-01-24 10:04:58 -05:00
connect_proxy_config_test.go Make sure IngressHosts isn't parsed during JSON decode 2020-05-06 15:06:14 -05:00
discovery_chain.go OSS Changes for various config entry namespacing bugs (#7226) 2020-02-06 10:52:25 -05:00
discovery_chain_oss.go Updates to Config Entries and Connect for Namespaces (#7116) 2020-01-24 10:04:58 -05:00
errors.go DNS: add IsErrQueryNotFound function for easier error evaluation 2020-07-01 03:41:44 +01:00
federation_state.go wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
intention.go connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) 2020-06-26 16:59:15 -05:00
intention_oss.go connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) 2020-06-26 16:59:15 -05:00
intention_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
operator.go Move autopilot to a standalone package 2017-12-11 16:45:33 -08:00
prepared_query.go Catalog + Namespace OSS changes. (#7219) 2020-02-10 10:40:44 -05:00
prepared_query_test.go
protobuf_compat.go Refactor the agentpb package (#8362) 2020-07-23 11:24:20 -04:00
sanitize_oss.go Update to use a consulent build tag instead of just ent (#5759) 2019-05-01 11:11:27 -04:00
service_definition.go OSS Changes for various config entry namespacing bugs (#7226) 2020-02-06 10:52:25 -05:00
service_definition_test.go Replace goe/verify.Values with testify/require.Equal (#7993) 2020-06-02 12:41:25 -04:00
snapshot.go
structs.go fsm: Fix snapshot bug with restoring node/service/check indexes 2020-08-11 11:49:52 -07:00
structs_filtering_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
structs_oss.go connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) 2020-06-26 16:59:15 -05:00
structs_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
testing.go agent: ensure that we always use the same settings for msgpack (#7245) 2020-02-07 15:50:24 -06:00
testing_catalog.go Ingress Gateways for TCP services (#7509) 2020-04-16 14:00:48 -07:00
testing_connect_proxy_config.go Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) 2018-10-10 16:55:34 +01:00
testing_intention.go Updates to Config Entries and Connect for Namespaces (#7116) 2020-01-24 10:04:58 -05:00
testing_service_definition.go Add Proxy Upstreams to Service Definition (#4639) 2018-10-10 16:55:34 +01:00
txn.go OSS KV Modifications to Support Namespaces 2019-11-25 12:57:35 -05:00