Commit Graph

17504 Commits

Author SHA1 Message Date
Nathan Coleman 29c83c0eb4
Apply suggestions from code review
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2022-06-21 15:37:26 -04:00
Nathan Coleman 2eeabeba71
Apply suggestions from code review
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2022-06-21 14:59:40 -04:00
Nathan Coleman d5eed9dff3
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx 2022-06-21 14:08:42 -04:00
Nathan Coleman be5ff8095f
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2022-06-21 14:08:18 -04:00
Nathan Coleman afb9949934 Use new release version in examples 2022-06-21 14:07:23 -04:00
Nathan Coleman ac205ff255 Fix whitespace inconsistencies 2022-06-21 14:07:07 -04:00
Nathan Coleman 2b5b6a1159 Update version of consul Helm chart 2022-06-21 14:06:53 -04:00
Jeff Apple 2044394c87
make "changelog" plural in the API GW 0.3 release notes. 2022-06-21 10:07:14 -07:00
Nathan Coleman 39e4d21801
Update website/content/docs/release-notes/consul-api-gateway/v0_3_x.mdx
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
2022-06-21 12:20:24 -04:00
Nathan Coleman ed012f1a81 Link reference to Kubernetes Gateway API site 2022-06-21 11:37:19 -04:00
sarahalsmiller 5dd00a63d5
Update upgrade-specific-versions.mdx 2022-06-21 10:05:38 -05:00
sarahalsmiller c1e3119b8c
Update website/content/docs/api-gateway/upgrade-specific-versions.mdx
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2022-06-21 09:55:10 -05:00
Nathan Coleman af030ba8ed
Update website/content/docs/release-notes/consul-api-gateway/v0_3_x.mdx 2022-06-21 10:42:52 -04:00
Jeff-Apple 0b80402ebb API GW 0.3 Release Notes and updated Tech Specs 2022-06-20 17:00:11 -07:00
Nathan Coleman 1fde46b756 Fix broken link 2022-06-20 16:33:49 -04:00
Nathan Coleman 837bc486c2 Address surprise format of reference-grant 2022-06-20 16:30:58 -04:00
Nathan Coleman 3242f5769c ReferenceGrant -> ReferencePolicy 2022-06-20 15:25:15 -04:00
sarahalsmiller 3c6cbb51b5
Update upgrade-specific-versions.mdx 2022-06-16 15:36:27 -05:00
Nathan Coleman f42f0fbe5f Add note about expected status for invalid CertificateRef 2022-06-15 15:46:46 -04:00
Nathan Coleman 5e9e1fb70f Indent points specific to xRoute backend references 2022-06-14 17:27:02 -04:00
Nathan Coleman 975a5e4b1f Add docs for ReferencePolicy as it applies to Gateways 2022-06-14 15:11:28 -04:00
Sarah Alsmiller a9c25eb417 light restructureing/fixed some copypasta 2022-06-13 16:16:45 -05:00
Sarah Alsmiller ba7115a1df updated referencepolicy to referencegrant, added v0.3.0 upgrade instructions 2022-06-13 16:05:21 -05:00
Nathan Coleman ce3d49237d
Merge pull request #13333 from hashicorp/docs/capig-instances-config
docs: Consul API Gateway scaling config
2022-06-13 11:45:03 -04:00
Mike Morris e971ea2e69
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-06-07 16:24:35 -04:00
Mike Morris a9137aba36
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-06-07 16:17:45 -04:00
Dhia Ayachi 5ec3274ae5
Egress gtw/connect destination intentions (#13341)
* update gateway-services table with endpoints

* fix failing test

* remove unneeded config in test

* rename "endpoint" to "destination"

* more endpoint renaming to destination in tests

* update isDestination based on service-defaults config entry creation

* use a 3 state kind to be able to set the kind to unknown (when neither a service or a destination exist)

* set unknown state to empty to avoid modifying alot of tests

* fix logic to set the kind correctly on CRUD

* fix failing tests

* add missing tests and fix service delete

* fix failing test

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

* fix a bug with kind and add relevant test

* fix compile error

* fix failing tests

* add kind to clone

* fix failing tests

* fix failing tests in catalog endpoint

* fix service dump test

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

* remove duplicate tests

* first draft of destinations intention in connect proxy

* remove ServiceDestinationList

* fix failing tests

* fix agent/consul failing tests

* change to filter intentions in the state store instead of adding a field.

* fix failing tests

* fix comment

* fix comments

* store service kind destination and add relevant tests

* changes based on review

* filter on destinations when querying source match

* Apply suggestions from code review

Co-authored-by: alex <8968914+acpana@users.noreply.github.com>

* fix style

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

* rename destinationType to targetType.

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
Co-authored-by: alex <8968914+acpana@users.noreply.github.com>
Co-authored-by: github-team-consul-core <github-team-consul-core@hashicorp.com>
2022-06-07 15:03:59 -04:00
Evan Culver 596432fe38
ci: Add package verifications to build workflow (#13294)
Co-authored-by: cskh <hui.kang@hashicorp.com>
2022-06-06 14:42:11 -07:00
R.B. Boyer 321e236891
test: retry the compat tests as often as other tests (#13369)
The upgrade compatibility tests need frequent retrying to pass because they are slightly flaky. To alleviate manual work borrow similar gotestsum logic from the main go tests CI job to rerun them automatically here.
2022-06-06 16:06:55 -05:00
R.B. Boyer fbee9eda08
test: break dep on main consul module (#13373)
The main consul module is not a great library and complicates some oss/ent module issues.

This undoes #13371
2022-06-06 16:06:39 -05:00
R.B. Boyer ab758b7b32
peering: allow mesh gateways to proxy L4 peered traffic (#13339)
Mesh gateways will now enable tcp connections with SNI names including peering information so that those connections may be proxied.

Note: this does not change the callers to use these mesh gateways.
2022-06-06 14:20:41 -05:00
Fulvio d457d8b6ce
UDP check for service stanza #12221 (#12722)
* UDP check for service stanza #12221

* add pass status on timeout condition

* delete useless files

* Update check_test.go

improve comment in test

* fix test

* fix requested changes and update TestRuntimeConfig_Sanitize.golden

* add freeport to TestCheckUDPCritical

* improve comment for CheckUDP struct

* fix requested changes

* fix requested changes

* fix requested changes

* add UDP to proto

* add UDP to proto and add a changelog

* add requested test on agent_endpoint_test.go

* add test for given endpoints

* fix failing tests

* add documentation for udp healthcheck

* regenerate proto using buf

* Update website/content/api-docs/agent/check.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/api-docs/agent/check.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/discovery/checks.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/ecs/configuration-reference.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/ecs/configuration-reference.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* add debug echo

* add debug circle-ci

* add debug circle-ci bash

* use echo instead of status_stage

* remove debug and status from devtools script and use echo instead

* Update website/content/api-docs/agent/check.mdx

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

* fix test

* replace status_stage with status

* replace functions with echo

Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2022-06-06 15:13:19 -04:00
R.B. Boyer 979b9312ca
test: use a go mod replace trick for the compat test dependency on the main repo (#13371) 2022-06-06 14:12:49 -05:00
Evan Culver 7e750968bc
Add latest changelog entries (#13363) 2022-06-06 11:52:13 -07:00
alex bbbc50815a
peering: send leader addr (#13342)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-06-06 10:00:38 -07:00
Riddhi Shah 7a039b46a2
[OSS] consul connect envoy command changes for agentless (#13361)
Changes the sourcing of the envoy bootstrap configuration
to not use agent APIs and instead use the catalog(server) API.
This is done by passing a node-name flag to the command,
(which can only be used with proxy-id).

Also fixes a bug where the golden envoy bootstrap config files
used for tests did not use the expected destination service name
in certain places for connect proxy kind.
2022-06-06 09:23:08 -07:00
modrake a56293c8a3
add codeowners to protect release dirs (#13261)
* add codeowners to protect release dirs
2022-06-06 08:57:15 -07:00
Dan Upton b168424398
xds: remove HTTPCheckFetcher dependency (#13366)
This is the OSS portion of enterprise PR 1994

Rather than directly interrogating the agent-local state for HTTP
checks using the `HTTPCheckFetcher` interface, we now rely on the
config snapshot containing the checks.

This reduces the number of changes required to support server xDS
sessions.

It's not clear why the fetching approach was introduced in
931d167ebb.
2022-06-06 15:15:33 +01:00
R.B. Boyer 019aeaa57d
peering: update how cross-peer upstreams and represented in proxycfg and rendered in xds (#13362)
This removes unnecessary, vestigal remnants of discovery chains.
2022-06-03 16:42:50 -05:00
cskh 74158a8aa2
Add isLeader metric to track if a server is a leader (#13304)
CTIA-21: sdd is_leader metric to track if a server is a leader

Co-authored-by: alex <8968914+acpana@users.noreply.github.com>
2022-06-03 13:07:37 -04:00
Freddy 32f125cc0f
Merge pull request #13340 from hashicorp/peering/public-listener 2022-06-02 15:15:29 -06:00
alex dc72659296
chore: remove broken link from pr template (#13343) 2022-06-02 09:51:22 -07:00
Kyle Schochenmaier ce44f6f604
update multicluster docs (#13334) 2022-06-02 11:46:35 -05:00
Chris S. Kim 73af9e9737
Fix KVSGet method to handle QueryOptions properly (#13344) 2022-06-02 12:26:18 -04:00
Freddy a09c776645 Update public listener with SPIFFE Validator
Envoy's SPIFFE certificate validation extension allows for us to
validate against different root certificates depending on the trust
domain of the dialing proxy.

If there are any trust bundles from peers in the config snapshot then we
use the SPIFFE validator as the validation context, rather than the
usual TrustedCA.

The injected validation config includes the local root certificates as
well.
2022-06-01 17:06:33 -06:00
freddygv 647c57a416 Add agent cache-type for TrustBundleListByService
There are a handful of changes in this commit:
* When querying trust bundles for a service we need to be able to
  specify the namespace of the service.
* The endpoint needs to track the index because the cache watches use
  it.
* Extracted bulk of the endpoint's logic to a state store function
  so that index tracking could be tested more easily.
* Removed check for service existence, deferring that sort of work to ACL authz
* Added the cache type
2022-06-01 17:05:10 -06:00
freddygv 8b58fa8afe Update assumptions around exported-service config
Given that the exported-services config entry can use wildcards, the
precedence for wildcards is handled as with intentions. The most exact
match is the match that applies for any given service. We do not take
the union of all that apply.

Another update that was made was to reflect that only one
exported-services config entry applies to any given service in a
partition. This is a pre-existing constraint that gets enforced by
the Normalize() method on that config entry type.
2022-06-01 17:03:51 -06:00
Freddy 74ca6406ea
Configure upstream TLS context with peer root certs (#13321)
For mTLS to work between two proxies in peered clusters with different root CAs,
proxies need to configure their outbound listener to use different root certificates
for validation.

Up until peering was introduced proxies would only ever use one set of root certificates
to validate all mesh traffic, both inbound and outbound. Now an upstream proxy
may have a leaf certificate signed by a CA that's different from the dialing proxy's.

This PR makes changes to proxycfg and xds so that the upstream TLS validation
uses different root certificates depending on which cluster is being dialed.
2022-06-01 15:53:52 -06:00
Freddy 143dc75e0d
[OSS] Pull split ns/partition var out of testing file (#13337)
The api module previously had defaultPartition and defaultNamespace vars
for when we need default/empty split usage between ent/oss respectively.

This commit moves those two variables out of test code so that they can
be used for the service exports config entry's `GetNamespace()` method.

Previously `GetNamespace()` would return "default" in both OSS and enterprise,
which can trip up automation that passes the result of this method as the
namespace to write a config entry.

The split vars are kept private to prevent external usage, and prefixed with
`split` for more clarity about their behavior.
2022-06-01 14:42:33 -06:00
R.B. Boyer 1b69366a39
build: ensure tools match go toolchain version (#13338) 2022-06-01 15:24:45 -05:00