Commit Graph

17962 Commits

Author SHA1 Message Date
Freddy a09c776645 Update public listener with SPIFFE Validator
Envoy's SPIFFE certificate validation extension allows for us to
validate against different root certificates depending on the trust
domain of the dialing proxy.

If there are any trust bundles from peers in the config snapshot then we
use the SPIFFE validator as the validation context, rather than the
usual TrustedCA.

The injected validation config includes the local root certificates as
well.
2022-06-01 17:06:33 -06:00
freddygv 647c57a416 Add agent cache-type for TrustBundleListByService
There are a handful of changes in this commit:
* When querying trust bundles for a service we need to be able to
  specify the namespace of the service.
* The endpoint needs to track the index because the cache watches use
  it.
* Extracted bulk of the endpoint's logic to a state store function
  so that index tracking could be tested more easily.
* Removed check for service existence, deferring that sort of work to ACL authz
* Added the cache type
2022-06-01 17:05:10 -06:00
freddygv 8b58fa8afe Update assumptions around exported-service config
Given that the exported-services config entry can use wildcards, the
precedence for wildcards is handled as with intentions. The most exact
match is the match that applies for any given service. We do not take
the union of all that apply.

Another update that was made was to reflect that only one
exported-services config entry applies to any given service in a
partition. This is a pre-existing constraint that gets enforced by
the Normalize() method on that config entry type.
2022-06-01 17:03:51 -06:00
Freddy 74ca6406ea
Configure upstream TLS context with peer root certs (#13321)
For mTLS to work between two proxies in peered clusters with different root CAs,
proxies need to configure their outbound listener to use different root certificates
for validation.

Up until peering was introduced proxies would only ever use one set of root certificates
to validate all mesh traffic, both inbound and outbound. Now an upstream proxy
may have a leaf certificate signed by a CA that's different from the dialing proxy's.

This PR makes changes to proxycfg and xds so that the upstream TLS validation
uses different root certificates depending on which cluster is being dialed.
2022-06-01 15:53:52 -06:00
Freddy 143dc75e0d
[OSS] Pull split ns/partition var out of testing file (#13337)
The api module previously had defaultPartition and defaultNamespace vars
for when we need default/empty split usage between ent/oss respectively.

This commit moves those two variables out of test code so that they can
be used for the service exports config entry's `GetNamespace()` method.

Previously `GetNamespace()` would return "default" in both OSS and enterprise,
which can trip up automation that passes the result of this method as the
namespace to write a config entry.

The split vars are kept private to prevent external usage, and prefixed with
`split` for more clarity about their behavior.
2022-06-01 14:42:33 -06:00
R.B. Boyer 1b69366a39
build: ensure tools match go toolchain version (#13338) 2022-06-01 15:24:45 -05:00
R.B. Boyer 8e530701ce
test: regenerate golden files (#13336)
make envoy-regen
    go test ./agent/config -update
2022-06-01 15:17:03 -05:00
R.B. Boyer 06ae7aa891
build: add 'make help' to simply list available make targets (#13322) 2022-06-01 14:16:17 -05:00
Mike Morris f2f011c4f0 docs(consul-api-gateway): fixup code snippets in gateway scaling section 2022-06-01 15:02:07 -04:00
Mike Morris f40563aa2c docs(consul-api-gateway): fixup CLI prompt to match convention 2022-06-01 15:00:06 -04:00
Mike Morris f4b8aea322 docs(consul-api-gateway): add Gateway scaling section 2022-06-01 14:42:08 -04:00
R.B. Boyer 487700d9fc
ci: nomad main is now on go 1.18 (#13329)
The nomad integration tests that use main need to be updated to reflect hashicorp/nomad#13036
2022-06-01 13:34:44 -05:00
Mike Morris 83accbf0e3 docs(consul-api-gateway): gateway instances -> instances per gateway 2022-06-01 14:06:18 -04:00
Mike Morris eb4bc313ee docs(consul-api-gateway): add GatewayClassConfig deployment.maxInstances and deployment.minInstances 2022-06-01 13:59:50 -04:00
Mike Morris 4dc699ef19 docs(consul-api-gateway): add GatewayClassConfig deployment.defaultInstances 2022-06-01 13:59:23 -04:00
Chris S. Kim fcdd031911
Revert getPathSuffixUnescaped (#13256) 2022-06-01 13:17:14 -04:00
Dan Upton adeabed126
proxycfg: replace direct agent cache usage with interfaces (#13320)
This is the OSS portion of enterprise PRs 1904, 1905, 1906, 1907, 1949,
and 1971.

It replaces the proxycfg manager's direct dependency on the agent cache
with interfaces that will be implemented differently when serving xDS
sessions from a Consul server.
2022-06-01 16:18:06 +01:00
Chris S. Kim 67860bd248
Reimplement fs.FileInfo interface (#13315)
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2022-06-01 11:09:51 -04:00
Michele Degges 2689eaed37
[Fix typo] Backport-reminder (#13313) 2022-05-31 22:44:53 -07:00
Mark Anderson ce75f486ed yUpdate website/content/docs/connect/ca/vault.mdx
Port some changes that were made to the backport branch but not in the original PR.

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-31 20:22:12 -07:00
Chris S. Kim 3178a3cb7a
Fix broken CI step (#13314) 2022-05-31 16:58:17 -04:00
Dhia Ayachi 1b779240ae
update gateway-services table with endpoints (#13217)
* update gateway-services table with endpoints

* fix failing test

* remove unneeded config in test

* rename "endpoint" to "destination"

* more endpoint renaming to destination in tests

* update isDestination based on service-defaults config entry creation

* use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist)

* set unknown state to empty to avoid modifying alot of tests

* fix logic to set the kind correctly on CRUD

* fix failing tests

* add missing tests and fix service delete

* fix failing test

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

* fix a bug with kind and add relevant test

* fix compile error

* fix failing tests

* add kind to clone

* fix failing tests

* fix failing tests in catalog endpoint

* fix service dump test

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

* remove duplicate tests

* rename consts and fix kind when no destination is defined in the service-defaults.

* rename Kind to ServiceKind and change switch to use .(type)

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
2022-05-31 16:20:12 -04:00
Chris S. Kim f0a9b30174
Update repo to use go:embed (#10996)
Replace bindata packages with stdlib go:embed.
Modernize some uiserver code with newer interfaces introduced in go 1.16 (mainly working with fs.File instead of http.File.
Remove steps that are no longer used from our build files.
Add Github Action to detect differences in agent/uiserver/dist and verify that the files are correct (by compiling UI assets and comparing contents).
2022-05-31 15:33:56 -04:00
DanStough ee079eb4e3 chore(ci): add no-op jobs for branch protection rules 2022-05-31 15:24:22 -04:00
Riddhi Shah 1a901953e2
[OSS] Fix merge central config tests (#13309)
Setting the right enterprise meta to fix the merge central config tests.
Re-added the tests that were failing on the OSS to ENT merge.
2022-05-31 12:04:19 -07:00
freddygv 364758ef2f Use embedded SpiffeID for peered upstreams 2022-05-31 09:55:37 -06:00
freddygv c8edec0ab6 Remove intermediate representation of SPIFFE IDs
xDS only ever uses the string representation, so we can avoid passing
around connect.SpiffeIDService objects around.
2022-05-31 09:55:37 -06:00
freddygv 870e7c72d7 Return SPIFFE ID for connect proxies in PeerMeta
Proxies dialing exporting services need to know the SPIFFE ID of
services dialed so that the upstream's SANs can be validated.

This commit attaches the SPIFFE ID to all connect proxies exported over
the peering stream so that they are available to importing clusters.

The data in the SPIFFE ID cannot be re-constructed in peer clusters
because the partition of exported services is overwritten on imports.
2022-05-31 09:55:37 -06:00
Freddy 9427700270
[OSS] Add grpc endpoint to fetch a specific trust bundle (#13292)
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2022-05-31 09:54:40 -06:00
Chris S. Kim 8e24a56134
Refactor some functions for better enterprise use (#13280) 2022-05-30 09:46:55 -04:00
David Roca 357fe1c080
docs: Use .snap extension in API snapshot save/restore
Change the `.tgz` file extension in the snapshot save and restore
examples on /api-docs/snapshot to `.snap`.

This is consistent with the file extension used in other example
snapshot save and restore commands, as well as the default extension
used by the Consul Snapshot Agent.
2022-05-27 14:07:37 -07:00
Matt Keeler ead8e4a200
Fix race during proxy closing (#13283)
p.service is written to within the Serve method. The Serve method also waits for the stopChan to be closed.

The race was between Close being called on the proxy causing Close on the service which was written to around the same time in the Serve method.

The fix is to have Serve be responsible for closing p.service.
2022-05-27 16:52:03 -04:00
Evan Culver 9a13be3881
ci: add docker build smoke test (#13200) 2022-05-27 13:29:57 -07:00
cskh 64cfe245dd
CI: Verify built binaries in build job (#13221)
Co-authored-by: Evan Culver <eculver@hashicorp.com>
2022-05-27 14:50:41 -04:00
cskh 9e7e363627
CTIA-16: add tags to load test resources and run test on PR commit (#13258)
- retry destroy terraform resources
2022-05-27 14:49:39 -04:00
Matt Keeler 3795769729
Fix a flaky test (#13282)
At the end of this test we were trying to ensure that updating a service in the local state causes it to re-register the service with the config manager.

The config manager in the same method will also call RegisteredProxies to determine if any need to be removed. This portion of the test is not attempting to verify that behavior.

Because the test is only blocked waiting for the Register event before it can end and assert all the mock expectations were met, we may not see the call to RegisteredProxies. This is especially apparent when tests are run with the race detector.

As we don’t actually care if that method is executed before the end of the test we can simply transition from expecting it to be called exactly once to a 0 or 1 times assertion.
2022-05-27 13:25:08 -04:00
Chris S. Kim b2c4e8b2fe
Add build tag for oss (#13279) 2022-05-27 11:39:58 -04:00
Mathew Estafanous 428e32706e
Replace CLI command registry with a new pattern. (#12729) 2022-05-27 11:33:27 -04:00
Dan Upton 2427e38839
Enable servers to configure arbitrary proxies from the catalog (#13244)
OSS port of enterprise PR 1822

Includes the necessary changes to the `proxycfg` and `xds` packages to enable
Consul servers to configure arbitrary proxies using catalog data.

Broadly, `proxycfg.Manager` now has public methods for registering,
deregistering, and listing registered proxies — the existing local agent
state-sync behavior has been moved into a separate component that makes use of
these methods.

When an xDS session is started for a proxy service in the catalog, a goroutine
will be spawned to watch the service in the server's state store and
re-register it with the `proxycfg.Manager` whenever it is updated (and clean
it up when the client goes away).
2022-05-27 12:38:52 +01:00
alex fd7a403e11
monitor leadership in peering service (#13257)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2022-05-26 17:55:16 -07:00
Evan Culver bffb6d8ab8
Add latest changelog entries (#13276) 2022-05-26 16:14:02 -07:00
Riddhi Shah b6a4271c02
Termporarily disable validation of merge central config response (#13266)
Temporarily disabling the validation of merge central config response since
it is breaking OSS to ENT merging.
A follow up PR will patch the fixes.
2022-05-26 13:49:40 -07:00
Chris S. Kim 6d3bea7129
Add support for streaming CA roots to peers (#13260)
Sender watches for changes to CA roots and sends
them through the replication stream. Receiver saves
CA roots to tablePeeringTrustBundle
2022-05-26 15:24:09 -04:00
Jasmine W c052c17d20 Merge pull request #13239 from hashicorp/ui/bugfix/permissions-header
ui: Typography update for view-only Intentions
2022-05-26 14:47:49 -04:00
cskh e61e405fb1
Enable manual triggering of load test (#13068) 2022-05-26 14:18:14 -04:00
Riddhi Shah c78ee7d48f
Remove tests failing on ent (#13255)
Will follow up with the fixed version of these tests that passes in ent.
2022-05-26 10:17:59 -07:00
Michele Degges 407cd332ff
[CI-only] Support UBI images (#13232)
Co-authored-by: David Yu <dyu@hashicorp.com>
2022-05-26 09:49:47 -07:00
John Cowen 09c5bac102
Export top-level HCP Enabled go-template variable for UI (#13165)
* Update ui template data to export HCPEnabled at the top level
2022-05-26 17:23:56 +01:00
Jasmine W a2c20518c0 updates
readded %reset-typo and defined .consul-intention-view h2
2022-05-26 11:23:00 -04:00
DanStough 2e2c71d2f2 fix: multiple grpc/http2 services for ingress listeners 2022-05-26 10:43:58 -04:00