Commit Graph

3227 Commits

Author SHA1 Message Date
freddygv b21224a4c8 PR comments 2021-04-08 11:16:03 -06:00
Daniel Nephin 34f1facebb
Merge pull request #9950 from hashicorp/dnephin/state-use-txn-everywhere
state: use Txn interface everywhere
2021-04-08 12:02:03 -04:00
Daniel Nephin c40e1a2ac6
Merge pull request #9880 from hashicorp/dnephin/catalog-events-test-pattern
state: use runCase pattern for large test
2021-04-08 11:54:41 -04:00
Paul Banks 1406671290
cache: Fix bug where connection errors can cause early cache expiry (#9979)
Fixes a cache bug where TTL is not updated while a value isn't changing or cache entry is returning fetch errors.
2021-04-08 11:11:15 +01:00
Paul Banks ee04d452be
cache: fix bug where TTLs were ignored leading to leaked memory in client agents (#9978)
* Fix bug in cache where TTLs are effectively ignored

This mostly affects streaming since streaming will immediately return from Fetch calls when the state is Closed on eviction which causes the race condition every time.

However this also affects all other cache types if the fetch call happens to return between the eviction and then next time around the Get loop by any client.

There is a separate bug that allows cache items to be evicted even when there are active clients which is the trigger here.

* Add changelog entry

* Update .changelog/9978.txt
2021-04-08 11:08:56 +01:00
Paul Banks 8e00e327b0
Merge pull request #9977 from hashicorp/grpc-tuning
streaming: Grpc tuning
2021-04-08 11:05:38 +01:00
freddygv ab752c1c86 Avoid sending zero-value upstream defaults from api 2021-04-07 15:03:42 -06:00
freddygv a6388c7e2f Revert "Avoid accumulating synthetic upstreams"
This reverts commit 86672df4fa.
2021-04-07 14:30:30 -06:00
freddygv 02f6768cd2 Remove kube-dns resolution since clusterip will be a tagged addr 2021-04-07 14:15:21 -06:00
hashicorp-ci dedf2861be auto-updated agent/uiserver/bindata_assetfs.go from commit a0d12ff16 2021-04-07 16:48:59 +00:00
freddygv 86672df4fa Avoid accumulating synthetic upstreams
Synthetic upstreams from service-defaults config are stored locally in
the Upstreams list. Since these come from service-defaults they should
be cleaned up locally when no longer present in the service config
response.
2021-04-07 09:32:48 -06:00
freddygv 49a4a78fd5 Ensure mesh gateway mode override is set for upstreams for intentions 2021-04-07 09:32:48 -06:00
freddygv 5140c3e51f Finish resolving upstream defaults in proxycfg 2021-04-07 09:32:48 -06:00
freddygv 986bcccbea Pass down upstream defaults to client proxies
This is needed in case the client proxy is in TransparentProxy mode.
Typically they won't have explicit configuration for every upstream, so
this ensures the settings can be applied to all of them when generating
xDS config.
2021-04-07 09:32:47 -06:00
freddygv 77ead5cca9 Prevent wildcard destinations for proxies and upstreams 2021-04-07 09:32:47 -06:00
freddygv 24ee8a0488 Prevent requests without UpstreamIDs from being flagged as legacy.
New clients in transparent proxy mode can send requests for service
config resolution without any upstream args because they do not have
explicitly defined upstreams.

Old clients on the other hand will never send requests without the
Upstreams args unless they don't have upstreams, in which case we do not
send back upstream config.
2021-04-07 09:32:47 -06:00
freddygv 2b49cc39ed Fixup doc phrasing 2021-04-07 09:32:47 -06:00
freddygv 458eb41be1 Prevent synthetic upstreams without addresses from failing duplicate ip/port validation 2021-04-07 09:32:47 -06:00
Paul Banks 5529cb7347 Tune streaming backoff on errors to retry a bit faster when TCP connections drop 2021-04-07 14:13:30 +01:00
Paul Banks 44718456b5 Set gRPC keepalives to mirror Yamux keepalive behaviour 2021-04-07 14:09:22 +01:00
R.B. Boyer d4c401b350
missed build tag on this file (#9974) 2021-04-06 13:24:11 -05:00
R.B. Boyer 499fee73b3
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973)
This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 13:19:59 -05:00
Daniel Nephin f0ba6f858a
Merge pull request #9958 from hashicorp/dnephin/state-improve-indexer-tests
state: support additional test cases in indexer tests
2021-04-06 11:55:24 -04:00
Yong Wen Chua 409768d6e5
Merge branch 'master' of github.com:hashicorp/consul into tg-rewrite 2021-04-06 17:05:26 +08:00
R.B. Boyer e494313e7b
api: ensure v1/health/ingress/:service endpoint works properly when streaming is enabled (#9967)
The streaming cache type for service health has no way to handle v1/health/ingress/:service queries as there is no equivalent topic that would return the appropriate data.

Ensure that attempts to use this endpoint will use the old cache-type for now so that they return appropriate data when streaming is enabled.
2021-04-05 13:23:00 -05:00
Daniel Nephin 6e69829edb state: support additional test cases in indexer tests
And add a few additional cases.
2021-03-31 14:39:33 -04:00
Kyle Havlovitz a2869b280b Backport enterprise changes to prevent merge conflicts
Co-Authored-By: Kyle Havlovitz <kylehav@gmail.com>
2021-03-31 14:05:26 -04:00
Daniel Nephin 26440d9e1f
Merge pull request #9949 from hashicorp/dnephin/state-index-checks
state: convert remaining checks table indexers to functional pattern
2021-03-31 11:53:21 -04:00
Daniel Nephin 909348e546
Merge pull request #9948 from hashicorp/dnephin/state-index-service
state: convert remaining services table indexers to functions
2021-03-31 11:49:21 -04:00
Daniel Nephin 1e32dbca29
Merge pull request #9947 from hashicorp/dnephin/state-ent-index-3
state: move indexer functions out of oss files
2021-03-31 11:45:26 -04:00
hashicorp-ci 352061c72e auto-updated agent/uiserver/bindata_assetfs.go from commit ee5c3e3aa 2021-03-31 15:00:21 +00:00
Daniel Nephin 1f64b3a7de state: use tableIndex constant 2021-03-29 18:52:20 -04:00
Daniel Nephin 9514698b10 state: use ReadTxn and WriteTxn interface
Instead of *txn, so that we can replace the txn implementation with others, and so
that the function is easily documented as a read or write function.
2021-03-29 18:52:16 -04:00
Daniel Nephin 80827e8615
Merge pull request #9932 from hashicorp/dnephin/use-ent-meta-default
Set default enterprise meta in test case
2021-03-29 18:44:39 -04:00
Daniel Nephin d0e5cd66f0 state: convert checks.service index to new pattern 2021-03-29 16:38:53 -04:00
Daniel Nephin 3092c627fe state: convert checks.status indexer
As part of this change the indexer will now be case insensitive by using
the lower case value. This should be safe because previously we always
had lower case strings.

This change was made out of convenience. All the other indexers use
lowercase, so we can re-use the indexFromQuery function by using
lowercase here as well.
2021-03-29 16:38:50 -04:00
Daniel Nephin 628eed3748 state: add tests for checks indexers 2021-03-29 16:38:47 -04:00
Daniel Nephin ce631d0bba state: use constants for table checks 2021-03-29 16:38:43 -04:00
Daniel Nephin cf2646e0d1 state: pass Query in from caller
To reduce the number of arguments
2021-03-29 15:42:30 -04:00
Daniel Nephin 9eea19da59 state: convert services.kind to functional indexer pattern 2021-03-29 15:42:30 -04:00
Daniel Nephin b6553af222 state: add tests for services.kind indexer 2021-03-29 15:42:27 -04:00
Daniel Nephin 0c61abcc31 state: convert services table service and connect indexer
To the new functional indexer pattern
2021-03-29 15:42:24 -04:00
Daniel Nephin 395ebce510 state: add tests for services table service and connect indexers 2021-03-29 15:42:22 -04:00
Daniel Nephin 2d2c3e1190 state: use constant for tableServices 2021-03-29 15:42:18 -04:00
Daniel Nephin 341265ec69 state: remove duplication of Query indexer 2021-03-29 14:35:11 -04:00
Daniel Nephin 08ee12ab34 state: remove duplication in acl tables schema 2021-03-29 14:21:27 -04:00
Daniel Nephin 72960388a3 state: reduce duplication in catalog table schema 2021-03-29 14:21:23 -04:00
Daniel Nephin 7de186f291 state: share more indexer functions for config_entries 2021-03-29 14:21:20 -04:00
Daniel Nephin 024dcbef03 state: remove old schema test
This test has been replaced by TestNewDBSchema_Indexers
2021-03-29 14:21:13 -04:00
Daniel Nephin 8591feb58a state: use addNamespaceIndex again 2021-03-29 14:21:02 -04:00
hashicorp-ci 02b7eb0949 auto-updated agent/uiserver/bindata_assetfs.go from commit 4d13e31ae 2021-03-26 15:51:59 +00:00
Daniel Nephin d62ed94415 Set default enterprise meta in test case 2021-03-25 17:40:22 -04:00
Lars Lehtonen 4bad87c293 agent: use testAgent_RegisterService_TranslateKeys()
When this test was refactored it looks like there was a copy+paste error
and the test case was made to call the wrong function.
2021-03-25 16:55:13 -04:00
Lars Lehtonen 681bd8f57b agent: remove unused makeTelemetryDefaults() 2021-03-25 16:02:42 -04:00
Daniel Nephin 8d25f9ab3d
Merge pull request #9923 from hashicorp/dnephin/fix-ui-config
http: fix a bug that would cause runtimeConfig to be cached
2021-03-25 12:26:09 -04:00
Daniel Nephin ac210cdc48
Merge pull request #9911 from hashicorp/dnephin/state-index-acl-roles
state: convert ACLRoles policies index to new functional indexer pattern
2021-03-24 18:28:19 -04:00
Daniel Nephin 2e917e3f9c
Merge pull request #9916 from hashicorp/dnephin/state-index-checks-id
state: convert checks.ID index to the functional indexer pattern
2021-03-24 18:23:52 -04:00
Daniel Nephin d50037cae2 http: add a test for transform changing value 2021-03-24 15:38:11 -04:00
Daniel Nephin c98805f505 http: fix a bug that would cause runtimeConfig to be cached
This bug would result in the UI not having the correct settings in
Consul enterprise, which could produce many warnings in the logs.

This bug occured because the index page, which includes a map of configuration
was rendered when the HTTPHandler is first created. This PR changes the
UIServer to instead render the index page when the page is requested.

The rendering does not appear to be all that expensive, so rendering it
when requested should not cause much extra latency.
2021-03-24 14:48:18 -04:00
hashicorp-ci 0414a872ec auto-updated agent/uiserver/bindata_assetfs.go from commit 232921b60 2021-03-23 13:26:56 +00:00
Daniel Nephin 8743e925d5 state: add tests for checks.ID indexer 2021-03-22 18:06:43 -04:00
Daniel Nephin 30281a5332 state: use tx.First instead of tx.FirstWatch
Where appropriate. After removing the helper function a bunch of  these calls can
be changed to tx.First.
2021-03-22 18:06:33 -04:00
Daniel Nephin 1cdcfb8260 state: convert checks.ID index to new pattern 2021-03-22 18:06:08 -04:00
Hans Hasselberg 53e9c134af
introduce certopts (#9606)
* introduce cert opts

* it should be using the same signer

* lint and omit serial
2021-03-22 10:16:41 +01:00
Daniel Nephin 6324f37241 state: use uuid for acl-roles.policies index
Previously we were encoding the UUID as a string, but the index it references uses a UUID
so this index can also use an encoded UUID to save a bit of memory.
2021-03-19 19:45:37 -04:00
Daniel Nephin 43df402e51 state: convert acl-roles.policies index to new pattern 2021-03-19 19:45:37 -04:00
Daniel Nephin 00b6f0b41a state: convert acl-roles.name index to the functional indexer pattern 2021-03-19 19:45:37 -04:00
Daniel Nephin d7f5094702 state: add indexer tests for acl-roles table 2021-03-19 19:45:37 -04:00
Daniel Nephin a058c31ead state: use constants for acl-roles table and indexes 2021-03-19 19:45:37 -04:00
Daniel Nephin eb6769ccc6 state: convert acl-policies table to new pattern 2021-03-19 15:24:00 -04:00
Daniel Nephin 340462dd72 state: use constants and add tests for acl-policies table 2021-03-19 15:19:57 -04:00
Daniel Nephin 0c14f3818d state: add indexer test for services.ID index 2021-03-19 14:13:14 -04:00
Daniel Nephin dbd3cef1ed state: handle wildcard for services.ID index
When listing services, use the id_prefix directly if wildcards are allowed.

Error if a wildcard is used for a query that does not index the wildcard
2021-03-19 14:12:19 -04:00
Daniel Nephin 627c469f08 state: fix prefix index with the new pattern
Prefix queries are generally being used to match part of a partial
index. We can support these indexes by using a function that accept
different types for each subset of the index.

What I found interesting is that in the generic StringFieldIndexer the
implementation for PrefixFromArgs would remove the trailing null, but
at least in these 2 cases we actually want a null terminated string.
We simply want fewer components in the string.
2021-03-19 14:12:17 -04:00
Daniel Nephin d90845f26d state: move services.ID to new pattern 2021-03-19 14:11:59 -04:00
hashicorp-ci f3f3513d83 auto-updated agent/uiserver/bindata_assetfs.go from commit a7a56ca39 2021-03-19 15:19:17 +00:00
Daniel Nephin 4d1d19ed46 state: add tests for gateway-service table indexers 2021-03-18 12:09:42 -04:00
Daniel Nephin 11b4de719c state: use constants and remove wrapping
for GatewayServices table
2021-03-18 12:08:59 -04:00
Daniel Nephin d879fe581d state: Move UpstreamDownstream to state package 2021-03-18 12:08:59 -04:00
Daniel Nephin 65f5b99247 state: add tests for mesh-topology table indexers 2021-03-18 12:08:57 -04:00
Daniel Nephin c749c6c927 state: use constants for mesh-topology table operations 2021-03-18 12:08:03 -04:00
hashicorp-ci 43f6544c21 auto-updated agent/uiserver/bindata_assetfs.go from commit 980299d51 2021-03-18 15:23:26 +00:00
hashicorp-ci 69f6fc9f99 auto-updated agent/uiserver/bindata_assetfs.go from commit 8dc590cf1 2021-03-18 14:41:20 +00:00
Freddy 1c13aa23f1
Merge pull request #9900 from hashicorp/ent-fixes
Fixup enterprise tests from tproxy changes
2021-03-18 08:33:30 -06:00
Freddy 0bab999fe4
Merge pull request #9899 from hashicorp/wildcard-ixn-oss
Add methods to check intention has wildcard src or dst
2021-03-18 08:33:07 -06:00
freddygv 098b9af901 Fixup enterprise tests from tproxy changes 2021-03-17 23:05:00 -06:00
freddygv 9713e3ba38 Add methods to check intention has wildcard src or dst 2021-03-17 22:15:48 -06:00
freddygv eb1e0a1751 Cancel watch on all errors 2021-03-17 21:44:14 -06:00
freddygv 52bf00de8b Split up normalizing from defaulting values for upstream cfg 2021-03-17 21:37:55 -06:00
freddygv ad6c726453 Uncomment listener tests 2021-03-17 21:37:12 -06:00
freddygv f4f45af6d0 Merge master and fix upstream config protocol defaulting 2021-03-17 21:13:40 -06:00
freddygv 9bff39ba07 Temporarily silence spurious wakeup. Addressing false positive in beta. 2021-03-17 17:25:29 -06:00
freddygv 0defd17106 Merge remote-tracking branch 'origin/master' into intention-topology-endpoint 2021-03-17 17:14:38 -06:00
Freddy 8207b832df
Add TransparentProxy option to proxy definitions 2021-03-17 17:01:45 -06:00
Freddy c664938bae
Add per-upstream configuration to service-defaults 2021-03-17 16:59:51 -06:00
freddygv 7938dd82eb Add changelog and cleanup todo for beta 2021-03-17 16:45:13 -06:00
freddygv 9f0696528b Rename hasChains for clarity 2021-03-17 16:42:29 -06:00
freddygv 0da8702f34 PR comments 2021-03-17 16:18:56 -06:00
freddygv bf96d536d9 Upstreams loop is only for prepared queries and they are not CentrallyConfigured 2021-03-17 15:32:52 -06:00
freddygv 8a062e1546 Handle prepared queries in Upstreams loop and escape hatches in disco chain loop 2021-03-17 15:17:43 -06:00
freddygv ce964f8ea5 Update xds for transparent proxy 2021-03-17 13:40:49 -06:00
freddygv a54d6a9010 Update proxycfg for transparent proxy 2021-03-17 13:40:39 -06:00
freddygv 37f684664d Do not include consul as upstream or downstream 2021-03-17 13:40:04 -06:00
Daniel Nephin 69ce10602f state: add tests for config-entry indexers 2021-03-17 14:41:46 -04:00
Daniel Nephin a414649543 state: convert config-entries kind index to new pattern 2021-03-17 14:40:57 -04:00
Daniel Nephin aadf187094 state: remove config-entries namespace index
Use a prefix of the ID index instead.
2021-03-17 14:40:57 -04:00
Daniel Nephin d70bbf671a state: remove unnecessary method receiver 2021-03-17 14:40:57 -04:00
Daniel Nephin 650ac62098 state: convert config-entries table to new indexer pattern
Using functional indexes to isolate enterprise differentiation and
remove reflection.
2021-03-17 14:40:57 -04:00
Daniel Nephin 9f03e23e44
Merge pull request #9881 from hashicorp/dnephin/state-index-service-check-nodes
state: convert services.node and checks.node indexes
2021-03-17 14:12:02 -04:00
Daniel Nephin bd6332ae25
Merge pull request #9863 from hashicorp/dnephin/config-entry-kind-name
state: move ConfigEntryKindName
2021-03-17 14:09:39 -04:00
hashicorp-ci 583743424f auto-updated agent/uiserver/bindata_assetfs.go from commit 9e715842d 2021-03-17 16:03:18 +00:00
hashicorp-ci bac1afbb89 auto-updated agent/uiserver/bindata_assetfs.go from commit f9e8b26af 2021-03-17 14:45:58 +00:00
hashicorp-ci 6872c33881 auto-updated agent/uiserver/bindata_assetfs.go from commit aca797658 2021-03-17 11:27:44 +00:00
hashicorp-ci f4a96768d1 auto-updated agent/uiserver/bindata_assetfs.go from commit 41471719e 2021-03-17 10:50:59 +00:00
freddygv 3f2489c31d Refactor makePublicListener
By accepting a name the function can be used for other inbound listeners,
like the one for TransparentProxy.
2021-03-16 19:22:26 -06:00
Christopher Broglie f0307c73e5 Add support for configuring TLS ServerName for health checks
Some TLS servers require SNI, but the Golang HTTP client doesn't
include it in the ClientHello when connecting to an IP address. This
change adds a new TLSServerName field to health check definitions to
optionally set it. This fixes #9473.
2021-03-16 18:16:44 -04:00
freddygv 7892964a0c Add cache-type for Internal.IntentionUpstreams 2021-03-16 11:06:47 -06:00
Daniel Nephin 34eb6c01ff state: convert services.node and checks.node indexes
Using NodeIdentity to share the indexes with both.
2021-03-16 13:00:31 -04:00
freddygv 942334b208 Prefix match type vars to match use 2021-03-16 09:49:24 -06:00
freddygv 4cb9fdc27f Pass txn into service list queries 2021-03-16 09:33:08 -06:00
freddygv 86ff9065c1 Pass txn into intention match queries 2021-03-16 08:03:52 -06:00
freddygv 31e757de2a Replace CertURI.Authorize() calls.
AuthorizeIntentionTarget is a generalized version of the old function,
and can be evaluated against sources or destinations.
2021-03-15 18:06:04 -06:00
freddygv f5ed751c91 Fixup typo, comments, and regression 2021-03-15 17:50:47 -06:00
freddygv 4bdbcff9c0 Fixup upstream test 2021-03-15 17:20:30 -06:00
freddygv 3492f9e0d6 Finish cleanup from ServiceConfigRequest changes 2021-03-15 16:38:01 -06:00
freddygv 770c5552d6 Update service manager to pass MeshGateway with config req 2021-03-15 16:08:03 -06:00
freddygv 6090cfcf68 PR comments 2021-03-15 16:02:03 -06:00
Daniel Nephin 4d456922a9 state: use runCase pattern for large test
The TestServiceHealthEventsFromChanges function was over 1400 lines.
Attempting to debug test failures in test functions this large is
difficult. It requires scrolling to the line which defines the testcase
because the failure message only includes the line number of the
assertion, not the line number of the test case.

This is an excellent example of where test tables stop working well, and
start being a problem. To mitigate this problem, the runCase pattern can
be used. When one of these tests fails, a failure message will print the
line number of both the test case and the assertion. This allows a
developer to quickly jump to both of the relevant lines, signficanting
reducing the time it takes to debug test failures.

For example, one such failure could look like this:

    catalog_events_test.go:1610: case: service reg, new node
    catalog_events_test.go:1605: assertion failed: values are not equal
2021-03-15 17:53:16 -04:00
freddygv 7df846aa24 Pass MeshGateway config in service config request
ResolveServiceConfig is called by service manager before the proxy
registration is in the catalog. Therefore we should pass proxy
registration flags in the request rather than trying to fetch
them from the state store (where they may not exist yet).
2021-03-15 14:32:13 -06:00
freddygv 8b46d8dcbb Restore old Envoy prefix on escape hatches
This is done because after removing ID and NodeName from
ServiceConfigRequest we will no longer know whether a request coming in
is for a Consul client earlier than v1.10.
2021-03-15 14:12:57 -06:00
freddygv 93c3c1780d Only lowercase the protocol when normalizing 2021-03-15 14:12:15 -06:00
freddygv 41b2ba1e58 Add omitempty across the board for UpstreamConfig 2021-03-15 13:23:18 -06:00
freddygv 08759e46ed Add RPC endpoint for intention upstreams 2021-03-15 08:50:35 -06:00
freddygv 08737fa606 Add state store function for intention upstreams 2021-03-15 08:50:35 -06:00
freddygv 3722ce2fff Refactor IntentionDecision
This enables it to be called for many upstreams or downstreams of a
service while only querying intentions once.

Additionally, decisions are now optionally denied due to L7 permissions
being present. This enables the function to be used to filter for
potential upstreams/downstreams of a service.
2021-03-15 08:50:35 -06:00
Daniel Nephin f40b76af2d proxycfg: use rpcclient/health.Client instead of passing around cache name
This should allow us to swap out the implementation with something other
than `agent/cache` without making further code changes.
2021-03-12 11:46:04 -05:00
Daniel Nephin 566741a143 catalog_events: set the right key for connect snapshots 2021-03-12 11:35:43 -05:00
Daniel Nephin 906834ce8e proxycfg: Use streaming in connect state 2021-03-12 11:35:42 -05:00
Daniel Nephin 1a764553c0 rpcclient: use streaming for connect health 2021-03-12 11:35:42 -05:00
freddygv d80e4b27b1 Update content hash due to new field 2021-03-11 19:59:19 -07:00
freddygv 682f357185 Fixup more tests 2021-03-11 16:26:55 -07:00
freddygv 756ab4c546 Fixup protobufs and tests 2021-03-11 14:58:59 -07:00
Kyle Havlovitz 1e87c7183a
Merge pull request #9672 from hashicorp/ca-force-skip-xc
connect/ca: Allow ForceWithoutCrossSigning for all providers
2021-03-11 11:49:15 -08:00
freddygv df1f3995f8 Update service manager to store centrally configured upstreams 2021-03-11 11:37:21 -07:00
freddygv 6fd30d0384 Add TransparentProxy opt to proxy definition 2021-03-11 11:37:21 -07:00
freddygv 306ef7d252 Restore old escape hatch alias 2021-03-11 11:36:35 -07:00
freddygv e3dc2a49df Turn Limits and PassiveHealthChecks into pointers 2021-03-11 11:04:40 -07:00
hashicorp-ci f3556f6bba auto-updated agent/uiserver/bindata_assetfs.go from commit fa6687b7f 2021-03-11 09:34:21 +00:00
freddygv acec711a6a Update server-side config resolution and client-side merging 2021-03-10 21:05:11 -07:00
freddygv 1710ec87d2 finish moving UpstreamConfig and related fields to structs pkg 2021-03-10 21:04:13 -07:00