Mark Anderson
28b4b3a85d
Add x-forwarded-client-cert headers
...
Description
Add x-forwarded-client-cert information on trusted incoming connections.
Envoy provides support for forwarding and annotating the
x-forwarded-client-cert header via the forward_client_cert_details and
set_current_client_cert_details filter fields. It would be helpful for
consul to support this directly in its config. The escape hatches are
a bit cumbersome for this purpose.
This has been implemented on incoming connections to envoy. Outgoing
(from the local service through the sidecar) will not have a
certificate, and so are left alone.
A service on an incoming connection will now get headers something like this:
```
X-Forwarded-Client-Cert:[By=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting;Hash=61ad5cbdfcb50f5a3ec0ca60923d61613c149a9d4495010a64175c05a0268ab2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard]
```
Closes #12852
2022-05-04 08:50:58 -07:00
claire labry
8ebb515bfc
Merge pull request #12917 from hashicorp/add-release-config-key
...
Add config key to the promote-staging event
2022-05-03 17:26:46 -04:00
Amier Chery
03ac931b52
Merge pull request #12631 from driesgroblerw/patch-1
...
Updated the link to acl-policies
2022-05-03 14:59:05 -04:00
DanStough
8d655ded4c
chore(ci): fix backport-assistant for stable website
2022-05-03 14:36:46 -04:00
Kyle Havlovitz
0696ed24c8
Merge pull request #12885 from hashicorp/acl-err-cache
...
Store and return RPC error in ACL cache entries
2022-05-03 10:44:22 -07:00
Kyle Havlovitz
76d62a14f5
Return ACLRemoteError from cache and test it correctly
2022-05-03 10:05:26 -07:00
DanStough
e899e06c29
chore(ci): fix backport assistant
2022-05-03 12:41:12 -04:00
R.B. Boyer
bd87505bf2
ci: upgrade bats and the circle machine executors to get integration tests to function again ( #12918 )
...
Bonus change: send less context when building the test-sds-server to
speed up the setup.
2022-05-03 11:21:32 -05:00
Claire Labry
561221a343
Add config key to the promote-staging event
2022-05-03 11:58:14 -04:00
FFMMM
3b3f001580
[sync oss] api: add peering api module ( #12911 )
2022-05-02 11:49:05 -07:00
Blake Covarrubias
54119f3225
docs: Add example Envoy escape hatch configs ( #12764 )
...
Add example escape hatch configurations for all supported override
types.
2022-05-02 11:25:59 -07:00
DanStough
b2a005342b
chore(ci): add initial support for backport assistant
2022-05-02 11:14:32 -04:00
Jared Kirschner
cf12f8af20
Merge pull request #12762 from hashicorp/jkirschner-hashicorp-patch-1
...
docs: use correct previous name of recovery token
2022-04-29 18:35:56 -04:00
Chris S. Kim
9791bad136
peering: Make Upstream peer-aware ( #12900 )
...
Adds DestinationPeer field to Upstream.
Adds Peer field to UpstreamID and its string conversion functions.
2022-04-29 18:12:51 -04:00
Jared Kirschner
5be6f3402d
Merge pull request #12902 from hashicorp/jkirschner-hashicorp-patch-2
...
docs: fix typo
2022-04-29 17:59:26 -04:00
Jared Kirschner
c1aacc2728
docs: fix typo
2022-04-29 17:57:21 -04:00
Jared Kirschner
0028d927e3
Merge pull request #12893 from hashicorp/docs/improve-consul-server-resilience
...
docs: add guidance on improving Consul resilience
2022-04-29 15:42:09 -04:00
Chris S. Kim
0d66301ea7
Cleanup peering files that used error types that were removed ( #12892 )
2022-04-29 14:02:26 -04:00
Jared Kirschner
de51780eb8
docs: add guidance on improving Consul resilience
...
Discuss available strategies for improving server-level and infrastructure-level
fault tolerance in Consul.
2022-04-29 10:58:03 -07:00
Jeff Apple
e286dc2a50
Merge pull request #12891 from hashicorp/docs-api-gateway-0.2.1
...
Docs: update for API Gateway v0.2.1
2022-04-29 10:50:04 -07:00
Mathew Estafanous
474385d153
Unify various status errors into one HTTP error type. ( #12594 )
...
Replaces specific error types for HTTP Status codes with
a generic HTTPError type.
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
2022-04-29 13:42:49 -04:00
Jeff-Apple
e8a1a1eb68
Docs: update for API Gateway v0.2.1
2022-04-29 09:52:00 -07:00
Jared Kirschner
d04fe6ca2c
Merge pull request #11810 from hashicorp/update-enterprise-packaging-in-feature-docs
...
Update enterprise packaging in feature docs
2022-04-28 19:38:59 -04:00
Jared Kirschner
964afedd13
docs: improve ent overview headings
2022-04-28 16:27:34 -07:00
Jared Kirschner
1ca903d28d
docs: explicitly fill all ent feature matrix cells
2022-04-28 12:41:37 -07:00
Chris S. Kim
2626963db9
Add a Github action to remind people about backport automation ( #12884 )
2022-04-28 14:52:41 -04:00
Kyle Havlovitz
0d8b187ea1
Store and return rpc error in acl cache entries
2022-04-28 09:08:55 -07:00
Jeff Apple
62311368c6
Merge pull request #12874 from hashicorp/japple-api-gw-fix-install-doc
...
Docs: updated versions on install page and other minor fixes.
2022-04-27 17:24:51 -07:00
Jeff-Apple
144a27da3d
Docs: updated versions on install page and other minor fixes.
2022-04-27 16:52:52 -07:00
Mike Morris
80417f02dc
website(consul-api-gateway): fixup stray div tag and step 8 link rendering ( #12873 )
2022-04-27 19:36:01 -04:00
Karl Cardenas
3bf17020d9
Merge pull request #12872 from hashicorp/markdown-fix
...
docs: fixes markdown leakage
2022-04-27 14:20:19 -07:00
Karl Cardenas
dbaed47da2
docs: fixes markdown leakage
2022-04-27 14:15:39 -07:00
Jared Kirschner
33ccefcc4e
docs: update HCP Consul feature matrix
2022-04-27 12:44:00 -07:00
Nathan Coleman
6a4ca9c5a7
Merge pull request #12871 from hashicorp/apigw-crd-version
...
Update version pin for consul-api-gateway install docs
2022-04-27 14:23:05 -05:00
Nathan Coleman
8208c2daf9
Update version pin for consul-api-gateway CRD install
2022-04-27 15:07:02 -04:00
Jeff Apple
359d62a49d
Merge pull request #12863 from hashicorp/api-gateway-v0.2-docs
...
Update product docs for release of Consul API Gateway v0.2
2022-04-27 12:01:23 -07:00
Nathan Coleman
1e84407681
Update minimum Consul version in Tech Specs
2022-04-27 14:55:55 -04:00
Jeff-Apple
24682ccc8a
correction to the API Gateway 0.2 release notes.
2022-04-27 11:53:27 -07:00
Nathan Coleman
0104383203
Instruct user to update apiGateway.image in values.yaml
2022-04-27 14:47:15 -04:00
Jeff-Apple
fb1dcc6eb1
Adding release notes for API Gateway v0.2
2022-04-27 11:44:39 -07:00
Nathan Coleman
d039e0088f
Hide clipboard for codeblocks that shouldn't be copied
2022-04-27 14:37:51 -04:00
trujillo-adam
ac04a1251f
hid copy fn for codeblocks that don't need it
2022-04-27 11:34:44 -07:00
Mike Morris
195ec096bb
website(consul-api-gateway): add ReferencePolicy to overview docs ( #12861 )
...
* website(consul-api-gateway): add ReferencePolicy to overview docs
* website(consul-api-gateway): bump required Consul Helm chart version
For allowing Consul API Gateway controller to read ReferencePolicy
resources and UX improvement re-using connectInject.consulNamespaces
config for Consul API Gateway config.
* added referencepolicy documentation to route section
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
* Update consul-api-gateway-install.mdx
* Update consul-api-gateway-install.mdx
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
* Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
* Update website/content/docs/api-gateway/index.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* Update website/content/docs/api-gateway/index.mdx
* Update website/content/docs/api-gateway/index.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathandanielcoleman@gmail.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-04-27 14:25:42 -04:00
Nathan Coleman
0474b35c62
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
...
Co-authored-by: Karl Cardenas <kcardenas@hashicorp.com>
2022-04-27 14:24:28 -04:00
Nathan Coleman
ba0080a80e
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
...
Co-authored-by: Karl Cardenas <kcardenas@hashicorp.com>
2022-04-27 14:23:57 -04:00
Nathan Coleman
21b7b18197
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
...
Co-authored-by: Karl Cardenas <kcardenas@hashicorp.com>
2022-04-27 14:23:48 -04:00
Nathan Coleman
d2234fc6f7
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
...
Co-authored-by: Karl Cardenas <kcardenas@hashicorp.com>
2022-04-27 14:14:36 -04:00
Nathan Coleman
45be1d370f
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
...
Co-authored-by: Karl Cardenas <kcardenas@hashicorp.com>
2022-04-27 14:14:27 -04:00
Nathan Coleman
1c17b2c9c3
Update consul-api-gateway pin in installation instructions
2022-04-27 14:12:19 -04:00
Nathan Coleman
d3a23229bb
Remove Consul pin from installation instructions
...
The consul-k8s chart has the correct version defaulted, and having it pinned here is another thing we have to include in all upgrade instructions
2022-04-27 14:11:51 -04:00