20147 Commits

Author SHA1 Message Date
Chris Thain
366bd6f89f
ext-authz Envoy extension: support localhost as a valid target URI. (#17821) 2023-06-21 13:42:42 -07:00
Chris S. Kim
a4653de8da
CA provider doc updates and Vault provider minor update (#17831)
Update CA provider docs

Clarify that providers can differ between
primary and secondary datacenters

Provide a comparison chart for consul vs
vault CA providers

Loosen Vault CA provider validation for RootPKIPath

Update Vault CA provider documentation
2023-06-21 19:34:42 +00:00
George Bolo
82441a27fa
fixes #17732 - AccessorID in request body should be optional when updating ACL token (#17739)
* AccessorID in request body should be optional when updating ACL token

* add a test case

* fix test case

* add changelog entry for PR #17739
2023-06-21 13:31:40 -05:00
Michael Zalimeni
d0797c4a0d
Fixup consul-container/test/debugging.md (#17815)
Add missing `-t` flag and fix minor typo.
2023-06-21 17:52:00 +00:00
Eric Haberkorn
a3ba559149
Make locality aware routing xDS changes (#17826) 2023-06-21 12:39:53 -04:00
Michael Zalimeni
500dcb1f21
Set GOPRIVATE for all hashicorp repos in CI (#17817)
Consistently set GOPRIVATE to include all hashicorp repos, s.t. private
modules are successfully pulled in enterprise CI.
2023-06-21 11:26:27 -04:00
trujillo-adam
f17b7f32fc
Change URLs for redirects from RC to default latest (#17822) 2023-06-20 13:17:46 -07:00
Ronald
ee95bc7266
Add jwt-authn metrics to jwt-provider docs (#17816)
* [NET-3095] add jwt-authn metrics docs
2023-06-20 19:46:16 +00:00
Steven Zamborsky
2a94ffa571
Fix formatting for webhook-certs Consul tutorial (#17810)
* Fix formatting for webhook-certs Consul tutorial
* Make a small grammar change to also pick up whitespace changes necessary for formatting

---------

Co-authored-by: David Yu <dyu@hashicorp.com>
2023-06-20 11:33:10 -07:00
Michael Zalimeni
e4c9793ee2
Clarify limitations of Prop Override extension (#17801)
Explicitly document the limitations of the extension, particularly what
kind of fields it is capable of modifying.
2023-06-20 11:26:28 -04:00
John Murret
6d39328771
Add documentation for remote debugging of integration tests. (#17800)
* Add documentation for remote debugging of integration tests.

* add link from main docs page.

* changes related to PR feedback
2023-06-20 15:14:15 +00:00
Paul Glass
d2363eb711
Test permissive mTLS filter chain not configured with tproxy disabled (#17747) 2023-06-20 09:49:50 -05:00
Michael Zalimeni
18b1555a6d
Improve Prop Override docs examples (#17799)
- Provide more realistics examples for setting properties not already
  supported natively by Consul
- Remove superfluous commas from HCL, correct target service name, and
  fix service defaults vs. proxy defaults in examples
- Align existing integration test to updated docs
2023-06-20 10:00:01 -04:00
Ashesh Vidyut
00c85757f7
Fix Docs for Trails Leader By (#17763)
* init

* fix tests

* added -detailed in docs

* added change log

* fix doc

* checking for entry in map

* fix tests

* removed detailed flag

* removed detailed flag

* revert unwanted changes

* removed unwanted changes

* updated change log

* pr review comment changes

* pr comment changes single API instead of two

* fix change log

* fix tests

* fix tests

* fix test operator raft endpoint test

* Update .changelog/17582.txt

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* nits

* updated docs

* explanation added

* fix doc

* fix docs

---------

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
2023-06-17 07:42:35 +05:30
Matt Keeler
37636eab71
Catalog V2 Container Based Integration Test (#17674)
* Implement the Catalog V2 controller integration container tests

This now allows the container tests to import things from the root module. However for now we want to be very restrictive about which packages we allow importing.

* Add an upgrade test for the new catalog

Currently this should be dormant and not executed. However its put in place to detect breaking changes in the future and show an example of how to do an upgrade test with integration tests structured like catalog v2.

* Make testutil.Retry capable of performing cleanup operations

These cleanup operations are executed after each retry attempt.

* Move TestContext to taking an interface instead of a concrete testing.T

This allows this to be used on a retry.R or generally anything that meets the interface.

* Move to using TestContext instead of background contexts

Also this forces all test methods to implement the Cleanup method now instead of that being an optional interface.


Co-authored-by: Daniel Upton <daniel@floppy.co>
2023-06-16 16:29:50 -04:00
chappie
5352ccf8ed
HCP Add node id/name to config (#17750) 2023-06-16 18:44:13 +00:00
Matt Keeler
653a886689
Implement a Catalog Controllers Lifecycle Integration Test (#17435)
* Implement a Catalog Controllers Lifecycle Integration Test

* Prevent triggering the race detector.

This allows defining some variables for protobuf constants and using those in comparisons. Without that, something internal in the fmt package ended up looking at the protobuf message size cache and triggering the race detector.
2023-06-16 12:58:53 -04:00
Ronald
5f95f5f6d8
Stop referenced jwt providers from being deleted (#17755)
* Stop referenced jwt providers from being deleted
2023-06-16 10:31:53 -04:00
Michael Zalimeni
265c003033
Add Patch index to Prop Override validation errors (#17777)
When a patch is found invalid, include its index for easier debugging
when multiple patches are provided.
2023-06-16 09:37:47 -04:00
Mark Campbell-Vincent
730c599adc
Update license get explanation (#17782)
This PR is to clarify what happens if the license get command is run on a follower if the leader hasn't been updated with a newer license.
2023-06-15 21:25:07 +00:00
Jeff Boruszak
414a61da28
Fixes (#17765) 2023-06-15 11:24:40 -07:00
Michael Zalimeni
f9aa7aebb3
Property Override validation improvements (#17759)
* Reject inbound Prop Override patch with Services

Services filtering is only supported for outbound TrafficDirection patches.

* Improve Prop Override unexpected type validation

- Guard against additional invalid parent and target types
- Add specific error handling for Any fields (unsupported)
2023-06-15 13:51:47 -04:00
Derek Menteer
04edace1de
Fix issue with streaming service health watches. (#17775)
Fix issue with streaming service health watches.

This commit fixes an issue where the health streams were unaware of service
export changes. Whenever an exported-services config entry is modified, it is
effectively an ACL change.

The bug would be triggered by the following situation:

- no services are exported
- an upstream watch to service X is spawned
- the streaming backend filters out data for service X (due to lack of exports)
- service X is finally exported

In the situation above, the streaming backend does not trigger a refresh of its
data.  This means that any events that were supposed to have been received prior
to the export are NOT backfilled, and the watches never see service X spawning.

We currently have decided to not trigger a stream refresh in this situation due
to the potential for a thundering herd effect (touching exports would cause a
re-fetch of all watches for that partition, potentially).  Therefore, a local
blocking-query approach was added by this commit for agentless.

It's also worth noting that the streaming subscription is currently bypassed
most of the time with agentful, because proxycfg has a `req.Source.Node != ""`
which prevents the `streamingEnabled` check from passing.  This means that while
agents should technically have this same issue, they don't experience it with
mesh health watches.

Note that this is a temporary fix that solves the issue for proxycfg, but not
service-discovery use cases.
2023-06-15 12:46:58 -05:00
John Murret
ad0a277e09
docs - remove use of consul leave during upgrade instructions (#17758) 2023-06-15 11:06:23 -06:00
Derek Menteer
8c74a1d33e
Add transparent proxy enhancements changelog (#17757) 2023-06-15 11:48:39 -05:00
trujillo-adam
7dec75f8a6
added redirects and updated links (#17764) 2023-06-15 16:43:02 +00:00
Luke Kysow
0e9a0121a5
Update index.mdx (#17749) 2023-06-15 08:59:29 -07:00
Ashesh Vidyut
fdde92c8c2
Updated docs added explanation. (#17751)
* init

* fix tests

* added -detailed in docs

* added change log

* fix doc

* checking for entry in map

* fix tests

* removed detailed flag

* removed detailed flag

* revert unwanted changes

* removed unwanted changes

* updated change log

* pr review comment changes

* pr comment changes single API instead of two

* fix change log

* fix tests

* fix tests

* fix test operator raft endpoint test

* Update .changelog/17582.txt

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* nits

* updated docs

* explanation added

---------

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
2023-06-15 09:41:04 -05:00
Eric Haberkorn
0994ccf162
validate localities on agent configs and registration endpoints (#17712) 2023-06-15 10:01:04 -04:00
David Yu
37bd0e1b40
docs - update Envoy and Dataplane compat matrix (#17752)
* Update envoy.mdx

added more detail around default versus other compatible versions
2023-06-15 06:33:48 +00:00
Jeff Boruszak
a6333471d4
docs: Failover overview minor fix (#17743)
* Incorrect symbol

* Clarification

* slight edit for clarity
2023-06-14 13:46:22 -07:00
chappie
7ab287c1d5
Add truncation to body (#17723) 2023-06-14 11:17:13 -07:00
dependabot[bot]
abb05deeed
Bump atlassian/gajira-transition from 3.0.0 to 3.0.1 (#17741)
Bumps [atlassian/gajira-transition](https://github.com/atlassian/gajira-transition) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/atlassian/gajira-transition/releases)
- [Commits](4749176faf...38fc9cd61b)

---
updated-dependencies:
- dependency-name: atlassian/gajira-transition
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-14 17:39:48 +00:00
Chris Thain
9289e680d6
OSS merge: Update error handling login when applying extensions (#17740) 2023-06-14 10:04:40 -07:00
Ashesh Vidyut
fa40654885
[NET-3865] [Supportability] Additional Information in the output of 'consul operator raft list-peers' (#17582)
* init

* fix tests

* added -detailed in docs

* added change log

* fix doc

* checking for entry in map

* fix tests

* removed detailed flag

* removed detailed flag

* revert unwanted changes

* removed unwanted changes

* updated change log

* pr review comment changes

* pr comment changes single API instead of two

* fix change log

* fix tests

* fix tests

* fix test operator raft endpoint test

* Update .changelog/17582.txt

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* nits

* updated docs

---------

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
2023-06-14 15:12:50 +00:00
Paul Glass
6a90c2343b
NET-1825: New ACL token creation docs (#16465)
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2023-06-14 09:17:30 -05:00
David Yu
212e0902fb
Bump Alpine to 3.18 (#17719)
* Update Dockerfile

* Create 17719.txt
2023-06-14 01:02:05 +00:00
Tobias Birkefeld
8d9f2eb410
fix: typo in link to section (#17527)
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-06-13 17:41:34 -07:00
David Yu
9acbe76ee9
Remove extraneous version info for Config entries (#17716)
* Update terminating-gateway.mdx
* Update exported-services.mdx
* Update mesh.mdx
2023-06-13 22:50:28 +00:00
David Yu
28647ef086
Update compatibility.mdx (#17713) 2023-06-13 21:51:26 +00:00
trujillo-adam
ab909b4dae
add enterprise notes for IP-based rate limits (#17711)
* add enterprise notes for IP-based rate limits

* Apply suggestions from code review

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>

* added bolded 'Enterprise' in list items.

---------

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
2023-06-13 21:28:54 +00:00
Dan Stough
d497623266
docs: missing changelog for _5517 (#17706) 2023-06-13 15:11:33 -04:00
Curt Bushko
0c15748c5a
[core]: Pin github action workflows (#17695) 2023-06-13 13:00:55 -04:00
R.B. Boyer
72f991d8d3
agent: remove agent cache dependency from service mesh leaf certificate management (#17075)
* agent: remove agent cache dependency from service mesh leaf certificate management

This extracts the leaf cert management from within the agent cache.

This code was produced by the following process:

1. All tests in agent/cache, agent/cache-types, agent/auto-config,
   agent/consul/servercert were run at each stage.

    - The tests in agent matching .*Leaf were run at each stage.

    - The tests in agent/leafcert were run at each stage after they
      existed.

2. The former leaf cert Fetch implementation was extracted into a new
   package behind a "fake RPC" endpoint to make it look almost like all
   other cache type internals.

3. The old cache type was shimmed to use the fake RPC endpoint and
   generally cleaned up.

4. I selectively duplicated all of Get/Notify/NotifyCallback/Prepopulate
   from the agent/cache.Cache implementation over into the new package.
   This was renamed as leafcert.Manager.

    - Code that was irrelevant to the leaf cert type was deleted
      (inlining blocking=true, refresh=false)

5. Everything that used the leaf cert cache type (including proxycfg
   stuff) was shifted to use the leafcert.Manager instead.

6. agent/cache-types tests were moved and gently replumbed to execute
   as-is against a leafcert.Manager.

7. Inspired by some of the locking changes from derek's branch I split
   the fat lock into N+1 locks.

8. The waiter chan struct{} was eventually replaced with a
   singleflight.Group around cache updates, which was likely the biggest
   net structural change.

9. The awkward two layers or logic produced as a byproduct of marrying
   the agent cache management code with the leaf cert type code was
   slowly coalesced and flattened to remove confusion.

10. The .*Leaf tests from the agent package were copied and made to work
    directly against a leafcert.Manager to increase direct coverage.

I have done a best effort attempt to port the previous leaf-cert cache
type's tests over in spirit, as well as to take the e2e-ish tests in the
agent package with Leaf in the test name and copy those into the
agent/leafcert package to get more direct coverage, rather than coverage
tangled up in the agent logic.

There is no net-new test coverage, just coverage that was pushed around
from elsewhere.
2023-06-13 10:54:45 -05:00
Eric Haberkorn
0a1efe73f3
Refactor disco chain prioritize by locality structs (#17696)
This includes prioritize by localities on disco chain targets rather than
resolvers, allowing different targets within the same partition to have
different policies.
2023-06-13 11:03:30 -04:00
Dan Stough
bba5cd8455
fix: stop peering delete routine on leader loss (#17483) 2023-06-13 10:20:56 -04:00
Chris Thain
ddce431bd7
docs: Update default values for Envoy extension proxy types (#17676) 2023-06-13 07:04:01 -07:00
Chris Thain
a8f1350835
ENT merge of ext-authz extension updates (#17684) 2023-06-13 06:57:11 -07:00
Ashesh Vidyut
d54d5fb85c
[NET-4107][Supportability] Log Level set to TRACE and duration set to 5m for consul-debug (#17596)
* changed duration to 5 mins and log level to trace

* documentation update

* change log
2023-06-13 11:07:46 +05:30
Tu Nguyen
4b843ae1b7
Fix FIPS copy (#17691)
* fix release notes links

* fix typos on fips docs
2023-06-13 03:35:47 +00:00