Commit Graph

17059 Commits

Author SHA1 Message Date
Kyle Havlovitz f8efe9a208 Log a warning when a terminating gateway service has TLS but not SNI configured 2022-03-31 12:18:40 -07:00
Dhia Ayachi 16b19dd82d
auto-reload configuration when config files change (#12329)
* add config watcher to the config package

* add logging to watcher

* add test and refactor to add WatcherEvent.

* add all API calls and fix a bug with recreated files

* add tests for watcher

* remove the unnecessary use of context

* Add debug log and a test for file rename

* use inode to detect if the file is recreated/replaced and only listen to create events.

* tidy ups (#1535)

* tidy ups

* Add tests for inode reconcile

* fix linux vs windows syscall

* fix linux vs windows syscall

* fix windows compile error

* increase timeout

* use ctime ID

* remove remove/creation test as it's a use case that fail in linux

* fix linux/windows to use Ino/CreationTime

* fix the watcher to only overwrite current file id

* fix linter error

* fix remove/create test

* set reconcile loop to 200 Milliseconds

* fix watcher to not trigger event on remove, add more tests

* on a remove event try to add the file back to the watcher and trigger the handler if success

* fix race condition

* fix flaky test

* fix race conditions

* set level to info

* fix when file is removed and get an event for it after

* fix to trigger handler when we get a remove but re-add fail

* fix error message

* add tests for directory watch and fixes

* detect if a file is a symlink and return an error on Add

* rename Watcher to FileWatcher and remove symlink deref

* add fsnotify@v1.5.1

* fix go mod

* do not reset timer on errors, rename OS specific files

* rename New func

* events trigger on write and rename

* add missing test

* fix flaking tests

* fix flaky test

* check reconcile when removed

* delete invalid file

* fix test to create files with different mod time.

* back date file instead of sleeping

* add watching file in agent command.

* fix watcher call to use new API

* add configuration and stop watcher when server stop

* add certs as watched files

* move FileWatcher to the agent start instead of the command code

* stop watcher before replacing it

* save watched files in agent

* add add and remove interfaces to the file watcher

* fix remove to not return an error

* use `Add` and `Remove` to update certs files

* fix tests

* close events channel on the file watcher even when the context is done

* extract `NotAutoReloadableRuntimeConfig` is a separate struct

* fix linter errors

* add Ca configs and outgoing verify to the not auto reloadable config

* add some logs and fix to use background context

* add tests to auto-config reload

* remove stale test

* add tests to changes to config files

* add check to see if old cert files still trigger updates

* rename `NotAutoReloadableRuntimeConfig` to `StaticRuntimeConfig`

* fix to re add both key and cert file. Add test to cover this case.

* review suggestion

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* add check to static runtime config changes

* fix test

* add changelog file

* fix review comments

* Apply suggestions from code review

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* update flag description

Co-authored-by: FFMMM <FFMMM@users.noreply.github.com>

* fix compilation error

* add static runtime config support

* fix test

* fix review comments

* fix log test

* Update .changelog/12329.txt

Co-authored-by: Dan Upton <daniel@floppy.co>

* transfer tests to runtime_test.go

* fix filewatcher Replace to not deadlock.

* avoid having lingering locks

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* split ReloadConfig func

* fix warning message

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* convert `FileWatcher` into an interface

* fix compilation errors

* fix tests

* extract func for adding and removing files

Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: FFMMM <FFMMM@users.noreply.github.com>
Co-authored-by: Daniel Upton <daniel@floppy.co>
2022-03-31 15:11:49 -04:00
R.B. Boyer dc62293978
build: run mog separately after the protobufs are generated (#12665)
Also ensure that we run mog serially on each package in dependency
order.
2022-03-31 13:49:42 -05:00
Kyle Havlovitz b21b4346b4 Add expanded token read flag and endpoint option 2022-03-31 10:49:49 -07:00
FFMMM 1adfd7b94c
polish rpc.service.call metric behavior (#12624) 2022-03-31 10:49:37 -07:00
Paul Glass 706c844423
Add IAM Auth Method (#12583)
This adds an aws-iam auth method type which supports authenticating to Consul using AWS IAM identities.

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2022-03-31 10:18:48 -05:00
Bryce Kalow 6bf67b7ef4
website: redirect /api to /api-docs (#12660) 2022-03-30 16:16:26 -05:00
Mike Morris 7cb9bfdfa9
website(api-gateway): add common errors page (#12643)
* Adding common errors page for API Gateway

* website(api-gateway): add missing CRDs common error message

* Update website/content/docs/api-gateway/common-errors.mdx

Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>

* Update website/content/docs/api-gateway/common-errors.mdx

Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>

* Update website/content/docs/api-gateway/common-errors.mdx

Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>

* Update website/content/docs/api-gateway/common-errors.mdx

* Additional page editing instructions and formating

* Update website/content/docs/api-gateway/common-errors.mdx

* Update website/content/docs/api-gateway/common-errors.mdx

* Update website/content/docs/api-gateway/common-errors.mdx

* Update website/content/docs/api-gateway/common-errors.mdx

* Update website/content/docs/api-gateway/common-errors.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Apply suggestions from code review

Co-authored-by: Jeff-Apple <79924108+Jeff-Apple@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
2022-03-30 16:05:00 -04:00
Eric Haberkorn 458b1838db
Merge pull request #12659 from hashicorp/bump-go-control-plane
Bump Go Control Plane
2022-03-30 15:07:47 -04:00
R.B. Boyer e79ce8ab03
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601)
- `tls.incoming`: applies to the inbound mTLS targeting the public
  listener on `connect-proxy` and `terminating-gateway` envoy instances

- `tls.outgoing`: applies to the outbound mTLS dialing upstreams from
  `connect-proxy` and `ingress-gateway` envoy instances

Fixes #11966
2022-03-30 13:43:59 -05:00
R.B. Boyer c98f2acd75 similar bump 2022-03-30 13:28:00 -05:00
R.B. Boyer 33fcc83d00 fail on error and use ptypes.MarshalAny for now instead of anypb.New 2022-03-30 13:27:49 -05:00
Eric e4b4f175ed Bump go-control-plane
* `go get cloud.google.com/go@v0.59.0`
* `go get github.com/envoyproxy/go-control-plane@v0.9.9`
* `make envoy-library`
* Bumpprotoc to 3.15.8
2022-03-30 13:11:27 -04:00
Matt Keeler 15ddbbc686
Update raft-boltdb to pull in new writeCapacity metric (#12646) 2022-03-30 11:38:44 -04:00
R.B. Boyer e1e610d0ae
need two dollar signs for a shell variable in makefiles (#12657) 2022-03-30 10:37:44 -05:00
R.B. Boyer 82bfc04f87
build: auto install correct version of protoc locally (#12651) 2022-03-30 10:08:17 -05:00
R.B. Boyer ac5bea862a
server: ensure that service-defaults meta is incorporated into the discovery chain response (#12511)
Also add a new "Default" field to the discovery chain response to clients
2022-03-30 10:04:18 -05:00
FFMMM bbab030beb
introduce EmptyReadRequest for status_endpoint (#12653)
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2022-03-29 18:05:45 -07:00
Mike Morris 885edde8c1
website(api-gateway): add consul namespace to helm install (#12644)
* website: api-gateway helm install consul namespace

To mirror instructions at https://learn.hashicorp.com/tutorials/consul/kubernetes-api-gateway

* website(api-gateway): add notes on where to find available versions

* website(api-gateway): fixup link to more clearly indicate Consul Helm chart releases

* Update website/content/docs/api-gateway/api-gateway-usage.mdx
2022-03-29 17:36:21 -04:00
R.B. Boyer cef336a0a3
build: install mog and execute it during protobuf compilation (#12647)
- also import replace isn't needed anymore
2022-03-29 15:18:05 -05:00
Fulvio b94bbf7f43
remove DualStack field from check TCP #12629 (#12630) 2022-03-29 14:56:01 -04:00
R.B. Boyer 64e1501bda
add missing line from prototest.AssertDeepEqual (#12645) 2022-03-29 13:17:41 -05:00
R.B. Boyer 8aebca5794
build: enforce protoc binary is the expected version (#12641) 2022-03-29 12:02:43 -05:00
Eric Haberkorn e5ed4fe493
Merge pull request #12639 from hashicorp/gogo-away
Remove the Rest of Gogo
2022-03-29 10:14:44 -04:00
Eric 76c65e873c code review changes 2022-03-29 09:36:34 -04:00
Eric 5f050614e5 remove the rest of gogo 2022-03-28 17:34:41 -04:00
Eric Haberkorn 9bc15e2f1a
Merge pull request #12638 from hashicorp/remove-gogo-from-acls
Remove gogo from ACL Protobufs
2022-03-28 16:52:13 -04:00
Michele Degges 535edfa247
[RelAPI Onboarding] Add release API metadata file (#12591) 2022-03-28 13:45:53 -07:00
Eric 02d8a11ff0 remove gogo from acl protobufs 2022-03-28 16:20:56 -04:00
R.B. Boyer 4676960b93
proto-gen-rpc-glue: support QueryMeta and QueryOptions (#12637) 2022-03-28 13:12:51 -05:00
R.B. Boyer dc023cb0dd
proto-gen-rpc-glue: use a shallow copy of proto/pbcommon instead of a consul dependency (#12634) 2022-03-28 10:08:41 -05:00
Connor 922619dfc3
Fix leaked Vault LifetimeRenewers (#12607)
* Fix leaked Vault LifetimeRenewers

When the Vault CA Provider is reconfigured we do not stop the
LifetimeRenewers which can cause them to leak until the Consul processes
recycles. On Configure execute stopWatcher if it exists and is not nil
before starting a new renewal

* Add jitter before restarting the LifetimeWatcher

If we fail to login to Vault or our token is no longer valid we can
overwhelm a Vault instance with many requests very quickly by restarting
the LifetimeWatcher. Before restarting the LifetimeWatcher provide a
backoff time of 1 second or less.

* Use a retry.Waiter instead of RandomStagger

* changelog

* gofmt'd

* Swap out bool for atomic.Unit32 in test

* Provide some extra clarification in comment and changelog
2022-03-28 09:58:16 -05:00
Chris S. Kim fb3a4a5db5
Merge pull request #12632 from hashicorp/kisunji-patch-1
Add example of goimports -local to contributing docs
2022-03-28 10:57:16 -04:00
R.B. Boyer 9736e33897
proto-gen-rpc-glue: fix behavior of renamed fields (#12633) 2022-03-28 09:40:56 -05:00
Chris S. Kim 1de2632684 Add example of goimports -local 2022-03-28 10:20:50 -04:00
Luke Kysow 633e510f23
Fix logic for website checker (#12627)
Workflow should run when no docs/cherry-pick label && no pr/docs-label
2022-03-25 18:40:51 -07:00
mrspanishviking 7da80ddbb4
Merge pull request #12595 from hashicorp/k8s-cli-install
docs: add link to k8s cli install page
2022-03-25 14:09:39 -07:00
R.B. Boyer 3d725a1762
regenerate rpc glue stubs in protobuf files using comments (#12625) 2022-03-25 15:55:40 -05:00
Luke Kysow c8cdebd9cc
Update consul-enterprise.mdx (#12622) 2022-03-25 13:00:14 -07:00
Mark Anderson 667fac8db1
Fixups for error messages from ACL Errors (#12620)
Fixups for error messages from ACL Errors

Alter error messages to be more verbose and explanatory, something like:

Permission denied: token with AccessorID '8a2d52a0-6b41-7077-8374-09d4fafa2d30 ' lacks permission 'service:read' on "foobar" on "foobar" in partition "foo" in namespace "bar"

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-03-25 12:34:59 -07:00
Eric Haberkorn fb7462c8dd
Merge pull request #12616 from hashicorp/more-gogo-removal
Assorted changes required to remove gogo
2022-03-25 11:48:43 -04:00
Eric 5cab213e81 assorted changes required to remove gogo 2022-03-25 09:55:36 -04:00
FFMMM c39854de78
fix bad oss sync, use gauges not counters (#12611) 2022-03-24 14:41:30 -07:00
Kyle Havlovitz 3b736d6a0c
Merge pull request #12596 from hashicorp/overview-endpoint
oss: Add overview UI internal endpoint
2022-03-24 14:27:54 -07:00
Mike Morris f8a2ae2606
agent: convert listener config to TLS types (#12522)
* tlsutil: initial implementation of types/TLSVersion

tlsutil: add test for parsing deprecated agent TLS version strings

tlsutil: return TLSVersionInvalid with error

tlsutil: start moving tlsutil cipher suite lookups over to types/tls

tlsutil: rename tlsLookup to ParseTLSVersion, add cipherSuiteLookup

agent: attempt to use types in runtime config

agent: implement b.tlsVersion validation in config builder

agent: fix tlsVersion nil check in builder

tlsutil: update to renamed ParseTLSVersion and goTLSVersions

tlsutil: fixup TestConfigurator_CommonTLSConfigTLSMinVersion

tlsutil: disable invalid config parsing tests

tlsutil: update tests

auto_config: lookup old config strings from base.TLSMinVersion

auto_config: update endpoint tests to use TLS types

agent: update runtime_test to use TLS types

agent: update TestRuntimeCinfig_Sanitize.golden

agent: update config runtime tests to expect TLS types

* website: update Consul agent tls_min_version values

* agent: fixup TLS parsing and compilation errors

* test: fixup lint issues in agent/config_runtime_test and tlsutil/config_test

* tlsutil: add CHACHA20_POLY1305 cipher suites to goTLSCipherSuites

* test: revert autoconfig tls min version fixtures to old format

* types: add TLSVersions public function

* agent: add warning for deprecated TLS version strings

* agent: move agent config specific logic from tlsutil.ParseTLSVersion into agent config builder

* tlsutil(BREAKING): change default TLS min version to TLS 1.2

* agent: move ParseCiphers logic from tlsutil into agent config builder

* tlsutil: remove unused CipherString function

* agent: fixup import for types package

* Revert "tlsutil: remove unused CipherString function"

This reverts commit 6ca7f6f58d268e617501b7db9500113c13bae70c.

* agent: fixup config builder and runtime tests

* tlsutil: fixup one remaining ListenerConfig -> ProtocolConfig

* test: move TLS cipher suites parsing test from tlsutil into agent config builder tests

* agent: remove parseCiphers helper from auto_config_endpoint_test

* test: remove unused imports from tlsutil

* agent: remove resolved FIXME comment

* tlsutil: remove TODO and FIXME in cipher suite validation

* agent: prevent setting inherited cipher suite config when TLS 1.3 is specified

* changelog: add entry for converting agent config to TLS types

* agent: remove FIXME in runtime test, this is covered in builder tests with invalid tls9 value now

* tlsutil: remove config tests for values checked at agent config builder boundary

* tlsutil: remove tls version check from loadProtocolConfig

* tlsutil: remove tests and TODOs for logic checked in TestBuilder_tlsVersion and TestBuilder_tlsCipherSuites

* website: update search link for supported Consul agent cipher suites

* website: apply review suggestions for tls_min_version description

* website: attempt to clean up markdown list formatting for tls_min_version

* website: moar linebreaks to fix tls_min_version formatting

* Revert "website: moar linebreaks to fix tls_min_version formatting"

This reverts commit 38585927422f73ebf838a7663e566ac245f2a75c.

* autoconfig: translate old values for TLSMinVersion

* agent: rename var for translated value of deprecated TLS version value

* Update agent/config/deprecated.go

Co-authored-by: Dan Upton <daniel@floppy.co>

* agent: fix lint issue

* agent: fixup deprecated config test assertions for updated warning

Co-authored-by: Dan Upton <daniel@floppy.co>
2022-03-24 15:32:25 -04:00
Kyle Havlovitz a559de63dd Sort by partition/ns/servicename instead of the reverse 2022-03-24 12:16:05 -07:00
FFMMM ceee04f4c6
remove Telemetry.MergeDefaults (#12606)
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2022-03-24 10:37:04 -07:00
Riddhi Shah 63327f306a
Merge pull request #12610 from hashicorp/agentless-rpc-acl-support
[oss] ACL pkg updates to support Agentless RPCs
2022-03-24 20:28:14 +05:30
Riddhi Shah 95362cc5ea ACL pkg updates to support Agentless RPCs
For many of the new RPCs that will be added in Consul servers for Agentless work,
the ACL token will need to be authorized for service:write on any service in any namespace in any partition.

The ACL package updates are to make ServiceWriteAny related helpers available on the different authorizers.
2022-03-24 17:01:06 +05:30
FFMMM 26717b470a
[metrics][rpc]: add basic prefix filter test for new rpc metric (#12598)
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2022-03-23 13:29:12 -07:00