Commit Graph

20763 Commits

Author SHA1 Message Date
Ronald 20b86ce0c8
[Docs] Add note to jwt docs to specify the need for ACLs (#18942) 2023-09-22 13:19:57 -04:00
Iryna Shustava d88888ee8b
catalog,mesh,auth: Bump versions to v2beta1 (#18930) 2023-09-22 10:51:15 -06:00
R.B. Boyer de231bbbdd
catalog: fix for new method argument (#18978) 2023-09-22 10:42:16 -05:00
R.B. Boyer ec6189fd2f
catalog: add ACL checks for FailoverPolicy resources (#18919)
FailoverPolicy resources are name-aligned with the Service they control.
They also contain a list of possible failover destinations that are References
 to other Services.

The ACLs should be:

- list: (default)
- read: service:<resource_name>:read
- write: service:<resource_name>:write + service:<destination_name>:read (for any destination)
2023-09-22 09:59:14 -05:00
R.B. Boyer ef6f2494c7
resource: allow for the ACLs.Read hook to request the entire data payload to perform the authz check (#18925)
The ACLs.Read hook for a resource only allows for the identity of a 
resource to be passed in for use in authz consideration. For some 
resources we wish to allow for the current stored value to dictate how 
to enforce the ACLs (such as reading a list of applicable services from 
the payload and allowing service:read on any of them to control reading the enclosing resource).

This change update the interface to usually accept a *pbresource.ID, 
but if the hook decides it needs more data it returns a sentinel error 
and the resource service knows to defer the authz check until after
 fetching the data from storage.
2023-09-22 09:53:55 -05:00
Ashesh Vidyut 5b3ab2eaed
Fix docs for log file name changes (#18913)
* fix docs

* Update website/content/docs/agent/config/cli-flags.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Update website/content/docs/agent/config/cli-flags.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Update website/content/docs/agent/config/cli-flags.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-09-22 19:22:35 +05:30
Derek Menteer eb7e20307c
[NET-5589] Add jitter to xds v2 leaf cert watches (#18940)
Add jitter to xds v2 leaf cert watches.
2023-09-22 08:00:10 -05:00
Semir Patel d2be7577b9
tenancy: split up tenancy `types.go` into CE version (#18966) 2023-09-22 07:33:15 -05:00
Nitya Dhanushkodi 0a11499588
net-5689 fix disabling panic threshold logic (#18958) 2023-09-21 15:52:30 -07:00
Blake Covarrubias 5d0edec01f
docs: Replace unicode quotes with ASCII quotes (#18950)
Replaces unicode quotation marks with ASCII quotation marks.

For code examples, this fixes HCL decoding errors that would otherwise
be raised when attempting to read the file.
2023-09-21 15:17:14 -07:00
Blake Covarrubias 4e1e18fe66
docs: Change heading to filename in CodeBlockConfig (#18951)
Change various CodeBlockConfig objects to use the `filename` attribute
instead of `heading` when the code block references a named file.
2023-09-21 15:16:29 -07:00
Matt Keeler 53fcc5d9a5
Add protoc generator to emit resource type variables (#18957)
The annotations include a little more data than is strictly necessary because we will also have a protoc generator for openapi output.
2023-09-21 17:18:47 -04:00
Chris S. Kim 565e79344f
Dump response body on fail (#18962) 2023-09-21 21:10:53 +00:00
Anita Akaeze f5985fedce
do not trigger integration tests (#18948) 2023-09-21 19:10:34 +00:00
Blake Covarrubias cc40e084bb
docs: Fix invalid JSON in code examples (#18932)
This commit fixes invalid JSON in various code examples.
2023-09-21 11:35:16 -07:00
Ronald 276c60a947
skip flaky test (#18949) 2023-09-21 14:25:12 -04:00
Eric Haberkorn f87ae3636c
Fix V2 Wildcard RBAC Regular Expressions (#18941)
fix wildcard rbac regular expressions
2023-09-21 13:53:49 -04:00
Curt Bushko bc142cd152
NET-4884 - Terminating gateway tests for namespaces & partitions (#18820)
* Add gateway test to CE
2023-09-21 10:25:27 -04:00
Derek Menteer d4ed3047f8
[NET-5589] Optimize leaf watch diff on xds controller. (#18921)
Optimize leaf watch diff on xds controller.
2023-09-21 08:11:20 -05:00
Ronald f463ebd569
Fix create dns token docs (#18927) 2023-09-21 08:33:24 -04:00
Anita Akaeze 1f941e48c1
Fix for loop in filter_changed_files_go_test script (#18931)
* iterate through array

* remove comment
2023-09-20 16:10:38 -07:00
John Murret 700d1bb37c
NET-5131 - support multiple ported upstreams tests (#18923)
* add multiple upstream ports to golden file test for destination builder

* NET-5131 - add unit tests for multiple ported upstreams

* fix merge conflicts
2023-09-20 16:14:08 -06:00
John Landa 9eaa8eb026
dns token (#17936)
* dns token

fix whitespace for docs and comments

fix test cases

fix test cases

remove tabs in help text

Add changelog

Peering dns test

Peering dns test

Partial implementation of Peered DNS test

Swap to new topology lib

expose dns port for integration tests on client

remove partial test implementation

remove extra port exposure

remove changelog from the ent pr

Add dns token to set-agent-token switch

Add enterprise golden file

Use builtin/dns template in tests

Update ent dns policy

Update ent dns template test

remove local gen certs

fix templated policy specs

* add changelog

* go mod tidy
2023-09-20 15:50:06 -06:00
Anita Akaeze 0236c48369
Update base ref property name (#18851)
* Update base ref property name

* Test skip ci (#18924)

test_push_merge

* cleanup test push code
2023-09-20 14:33:30 -07:00
Dhia Ayachi 341dc28ff9
Add namespace proto and registration (#18848)
* add namespace proto and registration

* fix proto generation

* add missing copywrite headers

* fix proto linter errors

* fix exports and Type export

* add mutate hook and more validation

* add more validation rules and tests

* Apply suggestions from code review

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* fix owner error and add test

* remove ACL for now

* add tests around space suffix prefix.

* only fait when ns and ap are default, add test for it

---------

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
2023-09-20 15:20:20 -04:00
John Maguire 9e3794ee48
Fix changelog order (#18918)
* Fix changelog order

* fix ordering or entries
2023-09-20 13:42:17 -04:00
R.B. Boyer d574473fd1
mesh: make FailoverPolicy work in xdsv2 and ProxyStateTemplate (#18900)
Ensure that configuring a FailoverPolicy for a service that is reachable via a xRoute or a direct upstream causes an envoy aggregate cluster to be created for the original cluster name, but with separate clusters for each one of the possible destinations.
2023-09-20 11:59:01 -05:00
Ronald c8299522b5
[NET-5332] Add nomad server templated policy (#18888)
* [NET-5332] Add nomad server templated policy

* slksfd
2023-09-20 12:10:55 -04:00
John Maguire 6533e70141
Added changelog entries for 1.14.10, 1.15.6, 1.16.2 (#18917) 2023-09-20 11:37:46 -04:00
Nitya Dhanushkodi 3a2e62053a
v2: various fixes to make K8s tproxy multiport acceptance tests and manual explicit upstreams (single port) tests pass (#18874)
Adding coauthors who mobbed/paired at various points throughout last week.
Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com>
2023-09-20 00:02:01 +00:00
Nick Ethier 1a3081ab32
agent/config: prevent startup if resource-apis experiment and cloud are enabled (#18876) 2023-09-19 19:50:45 -04:00
Blake Covarrubias 5d349cf6f3
docs: Add complete auth method payloads (#18849)
This commit modifies the example payloads for various auth methods to
remove 'other fields' and instead use complete example payloads.
2023-09-19 23:34:54 +00:00
R.B. Boyer 07d916e84f
resource: ensure resource.AuthorizerContext properly strips the local… (#18908)
resource: ensure resource.AuthorizerContext properly strips the local peer name
2023-09-19 17:14:15 -05:00
Blake Covarrubias 019c62e1ba
xds: Use downstream protocol when connecting to local app (#18573)
Configure Envoy to use the same HTTP protocol version used by the
downstream caller when forwarding requests to a local application that
is configured with the protocol set to either `http2` or `grpc`.

This allows upstream applications that support both HTTP/1.1 and
HTTP/2 on a single port to receive requests using either protocol. This
is beneficial when the application primarily communicates using HTTP/2,
but also needs to support HTTP/1.1, such as to respond to Kubernetes
HTTP readiness/liveness probes.

Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>
2023-09-19 14:32:28 -07:00
Tu Nguyen db9ac4dc55
Add note about service upstream env var dot broken (#18895)
* add note about service upstream env var dot broken

* Apply suggestions from code review

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-09-19 12:06:01 -07:00
Chris Thain a071899684
Add otel-access-logging Envoy extension integration test (#18898) 2023-09-19 19:04:47 +00:00
Blake Covarrubias a62c75f43c
docs: Remove YAML service registration examples (#18877)
Remove YAML service registration examples and replace them with JSON.
This is because YAML is not a supported configuration format for the
Consul's agent configuration, nor is it supported by the HTTP API.

This commit replaces the YAML examples with JSON and adds additional
JSON examples where they were missing.
2023-09-19 18:41:16 +00:00
Ronald 70e738ce20
Add operator audit endpoint changes (#18899) 2023-09-19 13:05:06 -04:00
Jeff Boruszak 203a36821e
docs: Apigee extension backport (#18847)
* commit

* link text edits
2023-09-19 09:23:52 -07:00
Blake Covarrubias a2e50a63ad
docs: Fix Kubernetes CRD example configs (#18878)
Fixes configuration examples for several Consul Kubernetes CRDs. The
CRDs were missing required fields such as `apiVersion`, `metadata`,
and `spec`.

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2023-09-19 15:50:03 +00:00
Blake Covarrubias 5843efe16a
Fix code block examples on dns-static-lookups.mdx (#18880)
HCL and JSON configuration examples were being displayed in the same
code block. This commit separates the configurations to properly
display them as independent configuration examples.
2023-09-19 08:39:57 -07:00
Blake Covarrubias f3bf3295f6
docs: Fix HCL, JSON, and YAML syntax errors (#18879)
This commit fixes syntax errors in HCL, JSON, and YAML example
configurations. In some cases, it replaces the code example with the
proper format for the code block.

Also fixes HCL formatting and misc opportunistic updates to codeblock.

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2023-09-19 08:39:26 -07:00
Eric Haberkorn 170417ac97
Honor Default Traffic Permissions in V2 (#18886)
wire up v2 default traffic permissions
2023-09-19 10:42:32 -04:00
cskh 9b497f8c78
CI: lint test-integ (#18875)
* CI: lint test-integ

* fix lint error
2023-09-19 10:05:51 -04:00
Ashesh Vidyut 6fd33ba30d
NET-4519 Collecting journald logs in "consul debug" bundle (#18797)
* debug since

* fix docs

* chagelog added

* fix go mod

* debug test fix

* fix test

* tabs test fix

* Update .changelog/18797.txt

Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

---------

Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
2023-09-19 08:46:50 +05:30
Iryna Shustava 212793a4ee
mesh: only build tproxy outbound listener once per destination (#18836)
Previously, when using implicit upstreams, we'd build outbound listener per destination instead of one for all destinations. This will result in port conflicts when trying to send this config to envoy.

This PR also makes sure that leaf and root references are always added (before we would only add it if there are inbound non-mesh ports).

Also, black-hole traffic when there are no inbound ports other than mesh
2023-09-18 18:26:13 -06:00
Chris S. Kim 91e6c3a82f
Remove flaky test assertions (#18870) 2023-09-18 15:56:23 -07:00
Semir Patel 62796a1454
resource: mutate and validate before acls on write (#18868) 2023-09-18 17:04:29 -05:00
R.B. Boyer dabbc9627b
mesh: normalize/default/validate tenancy components of mesh internal References (#18827)
HTTPRoute, GRPCRoute, TCPRoute, and Upstreams resources contain inner
Reference fields. We want to ensure that components of those reference Tenancy
fields left unspecified are defaulted using the tenancy of the enclosing resource.

As the underlying helper being used to do the normalization calls the function
modified in #18822, it also means that the PeerName field will be set to "local" for
now automatically to avoid "local" != "" issues downstream.
2023-09-18 17:02:13 -05:00
R.B. Boyer 696aa1bbd2
mesh: update xds controller to synthesize empty endpoints when no endpoints ref is found (#18835) 2023-09-18 16:19:54 -05:00