19042 Commits

Author SHA1 Message Date
Jared Kirschner
04a14e8f07 docs: fix ent feature matrix links 2022-10-18 12:32:56 -07:00
Chris S. Kim
29a297d3e9
Refactor client RPC timeouts (#14965)
Fix an issue where rpc_hold_timeout was being used as the timeout for non-blocking queries. Users should be able to tune read timeouts without fiddling with rpc_hold_timeout. A new configuration `rpc_read_timeout` is created.

Refactor some implementation from the original PR 11500 to remove the misleading linkage between RPCInfo's timeout (used to retry in case of certain modes of failures) and the client RPC timeouts.
2022-10-18 15:05:09 -04:00
R.B. Boyer
0cca4c088d
test: possibly fix flake in TestIntentionGetExact (#15021)
Restructure test setup to be similar to TestAgent_ServerCertificate
and see if that's enough to avoid flaking after join.
2022-10-18 10:51:20 -05:00
Dhia Ayachi
5eb2bad8fd
bump relevant modules versions (#14972) 2022-10-18 11:24:26 -04:00
Iryna Shustava
5cd0ccfc75
Support auth method with snapshot agent [ENT] (#15020)
Port of hashicorp/consul-enterprise#3303
2022-10-17 15:57:48 -06:00
R.B. Boyer
fe2d41ddad
cache: prevent goroutine leak in agent cache (#14908)
There is a bug in the error handling code for the Agent cache subsystem discovered:

1. NotifyCallback calls notifyBlockingQuery which calls getWithIndex in
   a loop (which backs off on-error up to 1 minute)

2. getWithIndex calls fetch if there’s no valid entry in the cache

3. fetch starts a goroutine which calls Fetch on the cache-type, waits
   for a while (again with backoff up to 1 minute for errors) and then
   calls fetch to trigger a refresh

The end result being that every 1 minute notifyBlockingQuery spawns an
ancestry of goroutines that essentially lives forever.

This PR ensures that the goroutine started by `fetch` cancels any prior
goroutine spawned by the same line for the same key.

In isolated testing where a cache type was tweaked to indefinitely
error, this patch prevented goroutine counts from skyrocketing.
2022-10-17 14:38:10 -05:00
R.B. Boyer
02a858efa0
ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one (#15005)
In practice this was masked by #14956 and was only uncovered fixing the
other bug.

  go test ./agent -run TestAgentConnectCALeafCert_goodNotLocal

would fail when only #14956 was fixed.
2022-10-17 13:24:27 -05:00
David Yu
efe25cfe46
docs: formatting on backend application and delete peering CRDs (#15007)
* docs: formatting on backend application and delete peering CRDs

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-10-17 10:34:05 -07:00
Dan Upton
641347fe14
proto: deep-copy PeeringTrustBundle using proto.Clone (#15004)
Fixes a `go vet` warning caused by the pragma.DoNotCopy on the protobuf
message type.

Originally I'd hoped we wouldn't need any reflection in the proxycfg hot
path, but it seems proto.Clone is the only supported way to copy a message.
2022-10-17 16:30:35 +01:00
Chris S. Kim
3d2dffff16
Merge pull request #13388 from deblasis/feature/health-checks_windows_service
Feature: Health checks windows service
2022-10-17 09:26:19 -04:00
Dan Upton
f8b4b41205
proxycfg: fix goroutine leak when service is re-registered (#14988)
Fixes a bug where we'd leak a goroutine in state.run when the given
context was canceled while there was a pending update.
2022-10-17 11:31:10 +01:00
Kyle Havlovitz
3a60885259
Merge pull request #14800 from hashicorp/mgw-tcp-keepalives
Add TCP keepalive settings to proxy config for mesh gateways
2022-10-14 19:01:02 -07:00
Kyle Havlovitz
aaf892a383 Extend tcp keepalive settings to work for terminating gateways as well 2022-10-14 17:05:46 -07:00
Kyle Havlovitz
2c569f6b9c Update docs and add tcp_keepalive_probes setting 2022-10-14 17:05:46 -07:00
Kyle Havlovitz
2242d1ec4a Add TCP keepalive settings to proxy config for mesh gateways 2022-10-14 17:05:46 -07:00
David Yu
1a883891a7
docs: improvements on language from cluster peering steps (#14993)
* docs: improvements on language from cluster peering steps

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-10-14 14:29:11 -07:00
Derek Menteer
2a33d0ff96 Fix issue with incorrect method signature on test. 2022-10-14 11:04:57 -05:00
Freddy
24d0c8801a
Merge pull request #14981 from hashicorp/peering/dial-through-gateways 2022-10-14 09:44:56 -06:00
Tyler Wendlandt
0c8563f060
Merge pull request #14986 from hashicorp/ui/feature/filter-node-healthchecks-agentless
UI: filter node healthchecks on agentless service instances
2022-10-14 09:33:45 -06:00
Dan Upton
328e3ff563
proxycfg: rate-limit delivery of config snapshots (#14960)
Adds a user-configurable rate limiter to proxycfg snapshot delivery,
with a default limit of 250 updates per second.

This addresses a problem observed in our load testing of Consul
Dataplane where updating a "global" resource such as a wildcard
intention or the proxy-defaults config entry could starve the Raft or
Memberlist goroutines of CPU time, causing general cluster instability.
2022-10-14 15:52:00 +01:00
Derek Menteer
29ebcf5ff0 Add tests for peering state snapshots / restores. 2022-10-14 09:48:04 -05:00
Derek Menteer
e3ff9912d0 Add test for ExportedServicesForAllPeersByName 2022-10-14 09:48:04 -05:00
Alessandro De Blasis
5f99f578a9
Update website/content/api-docs/agent/check.mdx 2022-10-14 12:32:55 +01:00
Dan Upton
e6b55d1d81
perf: remove expensive reflection from xDS hot path (#14934)
Replaces the reflection-based implementation of proxycfg's
ConfigSnapshot.Clone with code generated by deep-copy.

While load testing server-based xDS (for consul-dataplane) we discovered
this method is extremely expensive. The ConfigSnapshot struct, directly
or indirectly, contains a copy of many of the structs in the agent/structs
package, which creates a large graph for copystructure.Copy to traverse
at runtime, on every proxy reconfiguration.
2022-10-14 10:26:42 +01:00
Michael Klein
03734a1bac
Merge pull request #14977 from hashicorp/ui/fix/scrollbar-bento-box
ui: Bento-Box show scrollbars only when necessary
2022-10-14 09:07:57 +02:00
wenincode
c85d70e80d Address linting errors 2022-10-13 19:05:19 -06:00
wenincode
363db8c849 Add changelog entry 2022-10-13 18:54:39 -06:00
wenincode
9355d0d4f6 Add tests for filtering node health checks 2022-10-13 18:45:15 -06:00
freddygv
c77123a2aa Use split var in tests 2022-10-13 17:12:47 -06:00
freddygv
bf51021c07 Use split wildcard partition name
This way OSS avoids passing a non-empty label, which will be rejected in
OSS consul.
2022-10-13 16:55:28 -06:00
Freddy
ee4cdc4985
Merge pull request #14935 from hashicorp/fix/alias-leak 2022-10-13 16:31:15 -06:00
freddygv
da68ed70c1 Add changelog entry 2022-10-13 16:09:32 -06:00
freddygv
f48d7fbe04 Add changelog entry 2022-10-13 16:03:15 -06:00
freddygv
573aa408a1 Lint 2022-10-13 15:55:55 -06:00
wenincode
4530e2e547 Format healthchecks template 2022-10-13 15:48:18 -06:00
wenincode
0eb250d3a0 Filter healthchecks for synthetic-nodes 2022-10-13 15:47:47 -06:00
David Yu
2c5f6a4678
1.14 dataplane docs beta: Bump to beta3 (#14979)
Bump to beta
2022-10-13 14:40:40 -07:00
Derek Menteer
0f424e3cdf Reset wait on ensureServerAddrSubscription 2022-10-13 15:58:26 -05:00
freddygv
96fdd3728a Fix CA init error code 2022-10-13 14:58:11 -06:00
freddygv
472a8e82dc Add integ test for peering through gateways 2022-10-13 14:58:05 -06:00
freddygv
2c99a21596 Update leader routine to maybe use gateways 2022-10-13 14:58:00 -06:00
freddygv
e69bc727ec Update peering establishment to maybe use gateways
When peering through mesh gateways we expect outbound dials to peer
servers to flow through the local mesh gateway addresses.

Now when establishing a peering we get a list of dial addresses as a
ring buffer that includes local mesh gateway addresses if the local DC
is configured to peer through mesh gateways. The ring buffer includes
the mesh gateway addresses first, but also includes the remote server
addresses as a fallback.

This fallback is present because it's possible that direct egress from
the servers may be allowed. If not allowed then the leader will cycle
back to a mesh gateway address through the ring.

When attempting to dial the remote servers we retry up to a fixed
timeout. If using mesh gateways we also have an initial wait in
order to allow for the mesh gateways to configure themselves.

Note that if we encounter a permission denied error we do not retry
since that error indicates that the secret in the peering token is
invalid.
2022-10-13 14:57:55 -06:00
malizz
b0b0cbb8ee
increase protobuf size limit for cluster peering (#14976) 2022-10-13 13:46:51 -07:00
Jasmine W
e04c56a3a1
Merge pull request #14975 from hashicorp/ui/bugfix/peering-misspelling
UI: Copy changes for peering detail page
2022-10-13 15:28:21 -04:00
Derek Menteer
4e140c98bc Address PR comments. 2022-10-13 14:11:02 -05:00
Derek Menteer
1e394da400 Disallow peering to the same cluster. 2022-10-13 14:11:02 -05:00
wenincode
12a24a6d8c Update peers show tests to look for serverAddresses tab 2022-10-13 13:06:11 -06:00
Jasmine W
09513e7ef2 Update index.js 2022-10-13 14:42:13 -04:00
Michael Klein
8a1609f6da Bento-Box show scrollbars only when necessary 2022-10-13 20:27:19 +02:00
Derek Menteer
8742fbe14f Prevent consul peer-exports by discovery chain. 2022-10-13 12:45:09 -05:00