17956 Commits

Author SHA1 Message Date
freddygv
1031ffc3c7 Re-validate existing secrets at state store
Previously establishment and pending secrets were only checked at the
RPC layer. However, given that these are Check-and-Set transactions we
should ensure that the given secrets are still valid when persisting a
secret exchange or promotion.

Otherwise it would be possible for concurrent requests to overwrite each
other.
2022-08-08 09:06:07 -06:00
freddygv
0ea4bfae94 Test fixes 2022-08-08 08:31:47 -06:00
freddygv
c04515a844 Use proto message for each secrets write op
Previously there was a field indicating the operation that triggered a
secrets write. Now there is a message for each operation and it contains
the secret ID being persisted.
2022-08-08 01:41:00 -06:00
freddygv
8067890787 Inherit active secret when exchanging 2022-08-03 17:32:53 -05:00
freddygv
60d6e28c97 Pass explicit signal with op for secrets write
Previously the updates to the peering secrets UUID table relied on
inferring what action triggered the update based on a reconciliation
against the existing secrets.

Instead we now explicitly require the operation to be given so that the
inference isn't necessary. This makes the UUID table logic easier to
reason about and fixes some related bugs.

There is also an update so that the peering secrets get handled on
snapshots/restores.
2022-08-03 17:25:12 -05:00
freddygv
9ca687bc7c Avoid deleting peering secret UUIDs at dialers
Dialers do not keep track of peering secret UUIDs, so they should not
attempt to clean up data from that table when their peering is deleted.

We also now keep peer server addresses when marking peerings for
deletion. Peer server addresses are used by the ShouldDial() helper
when determining whether the peering is for a dialer or an acceptor.
We need to keep this data so that peering secrets can be cleaned up
accordingly.
2022-08-03 16:34:57 -05:00
Michael Klein
a06eeeda15
ui: peering UI fixes - api contract change / wrong link in peerings list (#14007)
* Don't send `Datacenter` when establishing peer

* Don't surface link to non-existing peers.edit route anymore
2022-08-03 15:04:19 +02:00
John Cowen
17d712c039
ui: Re-hook up regenerate button (#14015) 2022-08-03 13:55:57 +01:00
skpratt
58eed6b049
Merge pull request #13906 from skpratt/validate-port-agent-split
Separate port and socket path validation for local agent
2022-08-02 16:58:41 -05:00
Dhia Ayachi
7154367892
add token to the request when creating a cacheIntentions query (#14005) 2022-08-02 14:27:34 -04:00
DanStough
20ffcbab32 chore: changelog for destinations 2022-08-02 10:48:00 -04:00
Daniel Upton
6452118c15 proxycfg-sources: fix hot loop when service not found in catalog
Fixes a bug where a service getting deleted from the catalog would cause
the ConfigSource to spin in a hot loop attempting to look up the service.

This is because we were returning a nil WatchSet which would always
unblock the select.

Kudos to @freddygv for discovering this!
2022-08-02 15:42:29 +01:00
Freddy
42996411cc
Various peering fixes (#13979)
* Avoid logging StreamSecretID
* Wrap additional errors in stream handler
* Fix flakiness in leader test and rename servers for clarity. There was
  a race condition where the peering was being deleted in the test
  before the stream was active. Now the test waits for the stream to be
  connected on both sides before deleting the associated peering.
* Run flaky test serially
2022-08-01 15:06:18 -06:00
DanStough
169ff71132 fix: ipv4 destination dns resolution 2022-08-01 16:45:57 -04:00
Evan Culver
ca5d2e1c00
ci: Use pattern for CRT release branch config (#13955) 2022-08-01 12:56:55 -07:00
Luke Kysow
988e1fd35d
peering: default to false (#13963)
* defaulting to false because peering will be released as beta
* Ignore peering disabled error in bundles cachetype

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
Co-authored-by: freddygv <freddy@hashicorp.com>
Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
2022-08-01 15:22:36 -04:00
Freddy
72b6d69652
Merge pull request #13499 from maxb/delete-unused-metric
Delete definition of metric `consul.acl.blocked.node.deregistration`
2022-08-01 12:31:05 -06:00
Dhia Ayachi
6fd65a4a45
Tgtwy egress HTTP support (#13953)
* add golden files

* add support to http in tgateway egress destination

* fix slice sorting to include both address and port when using server_names

* fix listener loop for http destination

* fix routes to generate a route per port and a virtualhost per port-address combination

* sort virtual hosts list to have a stable order

* extract redundant serviceNode
2022-08-01 14:12:43 -04:00
Jared Kirschner
458d0e9c41
Merge pull request #13871 from hashicorp/docs-update-enterprise-licensing-description
docs: update enterprise licensing description
2022-08-01 11:36:11 -04:00
Matt Keeler
f74d0cef7a
Implement/Utilize secrets for Peering Replication Stream (#13977) 2022-08-01 10:33:18 -04:00
Jared Kirschner
1348e44f8f
Merge pull request #13966 from hashicorp/jkirschner-hashicorp-patch-1
docs: fix k8s prepared query upstream link
2022-07-29 18:09:57 -04:00
Jared Kirschner
2ba916c50a
docs: fix k8s prepared query upstream link 2022-07-29 18:00:56 -04:00
alex
a45bb1f06b
block PeerName register requests (#13887)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-29 14:36:22 -07:00
Luke Kysow
95096e2c03
peering: retry establishing connection more quickly on certain errors (#13938)
When we receive a FailedPrecondition error, retry that more quickly
because we expect it will resolve shortly. This is particularly
important in the context of Consul servers behind a load balancer
because when establishing a connection we have to retry until we
randomly land on a leader node.

The default retry backoff goes from 2s, 4s, 8s, etc. which can result in
very long delays quite quickly. Instead, this backoff retries in 8ms
five times, then goes exponentially from there: 16ms, 32ms, ... up to a
max of 8152ms.
2022-07-29 13:04:32 -07:00
Sarah Pratt
10a4999a87 Separate port and socket path requirement in case of local agent assignment 2022-07-29 13:28:21 -05:00
Chris S. Kim
7f2732e12c Ensure connections are closed before WaitGroup marked as done
The previous ordering of defers meant the listener's connWG could fire and wake up other goroutines before the connection closed. Unsure if this caused any real bugs but this commit should make the code more correct.
2022-07-29 09:29:13 -04:00
alex
92c615c35f
Merge pull request #13952 from hashicorp/sync-more-acl
sync more acl enforcement
2022-07-28 12:31:02 -07:00
Dhia Ayachi
256694b603
inject gateway addons to destination clusters (#13951) 2022-07-28 15:17:35 -04:00
acpana
eae4e71492
sync more acl enforcement
sync w ent at 32756f7

Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 12:01:52 -07:00
alex
41f3343eac
Merge pull request #13929 from hashicorp/fix-validation
[sync] fix empty partitions matching
2022-07-28 10:14:49 -07:00
Evan Culver
d5bd9436d5
ci: Use correct branch name for 1.13 nightly test (#13945) 2022-07-28 12:49:15 -04:00
cskh
6640997fc1
fix (cli): import empty directory to kv (#13939)
* fix (cli): import empty directory to kv

- when importing an empty directory like foo/, the import
  command will remove the trailing /, making it a
  non-directory key.
- This change fixes the bug by adding back the / if
  the imported key is a directory
2022-07-28 10:54:25 -04:00
Jared Kirschner
08fcdad0f6
Merge pull request #13917 from hashicorp/docs/show-cli-cmd-options-before-general-options-2
docs: show CLI cmd-specific opts before general opts
2022-07-27 18:55:06 -04:00
Jared Kirschner
95c72164a4 docs: show CLI cmd-specific opts before general opts
Applied to all remaining CLI commands.
2022-07-27 15:50:51 -07:00
Ashwin Venkatesh
eef9edaed9
Add peer counts to emitted metrics. (#13930) 2022-07-27 18:34:04 -04:00
Luke Kysow
465a9801e1
Merge pull request #13924 from hashicorp/lkysow/util-metric-peering
peering: don't track imported services/nodes in usage
2022-07-27 14:49:55 -07:00
acpana
6033584349
use EqualPartitions
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-27 14:48:30 -07:00
acpana
0351ca5136
better fix
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-27 14:28:08 -07:00
Evan Culver
3f876b85d9
ci: Add nightly test workflow for 1.13, remove 1.10 (#13927)
Signed-off-by: Evan Culver <eculver@hashicorp.com>
2022-07-27 16:59:00 -04:00
acpana
8b2ef80336
sync w ent
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-27 11:41:39 -07:00
Chris S. Kim
0999e05a7d Reduce arm64 flakes for TestConnectCA_ConfigurationSet_ChangeKeyConfig_Primary
There were 16 combinations of tests but 4 of them were duplicates since the default key type and bits were "ec" and 256. That entry was commented out to reduce the subtest count to 12.

testrpc.WaitForLeader was failing on arm64 environments; the cause is unknown but it might be due to the environment being flooded with parallel tests making RPC calls. The RPC polling+retry was replaced with a simpler check for leadership based on raft.
2022-07-27 13:54:34 -04:00
Chris S. Kim
8ead1caf53 Retry checks for virtual IP metadata 2022-07-27 13:54:34 -04:00
Chris S. Kim
62ed0250c3 Sort slice of ServiceNames deterministically 2022-07-27 13:54:34 -04:00
Chris S. Kim
a5fe2125e9 Remove unnecessary goroutine in flaky test
The watch is established in a background goroutine and the first assertion proves that the watcher is active so there is no reason for the update to happen in a racy goroutine.

Note that this does not completely remove the race condition as the first call to testGetConfigValTimeout could time out before a config is returned.
2022-07-27 13:54:34 -04:00
Luke Kysow
740d54e730 peering: don't track imported services/nodes in usage
Services/nodes that are imported from other peers are stored in
state. We don't want to count those as part of our own cluster's usage.
2022-07-27 09:08:51 -07:00
cskh
4e292b7b72
chore: clarify the error message: service.service must not be empty (#13907)
- when registering a service using the catalog endpoint, the key of the service
  name actually should be "service". Adding this information to the
  error message will help the user to quickly fix it in the request.
2022-07-27 10:16:46 -04:00
Jared Kirschner
9080bef4a4
Merge pull request #13914 from hashicorp/docs/remove-comparisons-from-ref-docs
docs: remove comparative info from ref docs site
2022-07-27 02:42:41 -04:00
Jared Kirschner
bcbe9cc06d
Merge pull request #12903 from hashicorp/docs/show-cli-cmd-options-before-general-options
Docs: Show CLI command-specific options before general options
2022-07-27 02:18:04 -04:00
Jared Kirschner
cd562564ba docs: show CLI cmd-specific opts before general opts
Applied to a single command (acl auth-method create).
2022-07-26 22:38:44 -07:00
Jared Kirschner
edbf9e2b9d docs: update enterprise licensing description
Removes outdated instructions on using binaries with a built-in license.
2022-07-26 22:33:42 -07:00