* remove v2 tenancy, catalog, and mesh
- Inline the v2tenancy experiment to false
- Inline the resource-apis experiment to false
- Inline the hcp-v2-resource-apis experiment to false
- Remove ACL policy templates and rule language changes related to
workload identities (a v2-only concept) (e.g. identity and
identity_prefix)
- Update the gRPC endpoint used by consul-dataplane to no longer respond
specially for v2
- Remove stray v2 references scattered throughout the DNS v1.5 newer
implementation.
* changelog
* go mod tidy on consul containers
* lint fixes from ENT
---------
Co-authored-by: John Murret <john.murret@hashicorp.com>
k8s.gcr.io has been migrated to registry.k8s.io for several years now,
and the old registry is being shut down, causing image pull failures.
Update to target the new registry when pulling the pause image used in
Envoy integration tests.
* build: consolidate Envoy version management
Simplify Envoy version management by consolidating all runtime, build,
and CI sources of Envoy versions into a single plaintext file.
The goal of this change is to avoid common mistakes missing an update of
some Envoy versions (both in general and due to release branch
inconsistency), and enable automated Envoy version updates in the
future.
* ci: add missing ref argument for get-go-version
Supports nightly tests.
* bump go version
* changelog
* Update .changelog/21507.txt
* Update go.mod
Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
* go mod tidy
---------
Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
security: upgrade vault/api to remove go-jose.v2
This dependency has an open vulnerability (GO-2024-2631), and is no
longer needed by the latest `vault/api`. This is a follow-up to the
upgrade of `go-jose/v3` in this repository to make all our dependencies
consolidate on v3.
Also remove the recently added security scan triage block for
GO-2024-2631, which was added due to incorrect reports that
`go-jose/v3@3.0.3` was impacted; in reality, is was this indirect
client dependency (not impacted by CVE) that the scanner was flagging. A
bug report has been filed to address the incorrect reporting.
As of Docker Engine 26.0.0 (https://github.com/moby/moby/pull/47062),
IPv6 is enabled by default where supported. This causes issues for our
tests attempting to resolve requests to other containers over
localhost, since on Linux IPv6 will be preferred over IPv4 when
available when applying the default behavior defined in RFC3484.
As a workaround, force IPv4 with a flag passed to `docker run`.
* update go-control-plane envoy dependency to 0.12.0
* add changelog
* go mod tidy
* fix linting issues
* add agent/grpc-internal to the list of SA1019 ignores
* Revert "refactor the resource client (#20343)"
This reverts commit 3c5cb04b0f.
* Revert "clean up http client (#20342)"
This reverts commit 2b89025eab.
* remove deprecated peer
* fix the typo
* remove forwarding test as it tests grpc, should add it back
The docker image used in CICD was referencing `registry.k8s.io/pause:3.3`,
which appears to no longer function correctly. This commit swaps over to a
Hashicorp mirrored image that shouldn't have rate limits or disappearing
images.
Add missing import
Add explicit enum case for deny action
Remove extra comments
Add build tags to ent and ce tests
Add copyright headers for the ce files
Fix case statements for ce validator
Remove ce tests with Deny traffic permissions
Fix more integration tests
Split more ce and ent tests, add back ent deny tests for traffic permissions controller
temp rename before rebase
Readd ent deny tests for traffic permissions controller
Add case insensitive param on service route match
This commit adds in a new feature that allows service routers to specify that
paths and path prefixes should ignore upper / lower casing when matching URLs.
Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
* Implement In-Process gRPC for use by controller caching/indexing
This replaces the pipe base listener implementation we were previously using. The new style CAN avoid cloning resources which our controller caching/indexing is taking advantage of to not duplicate resource objects in memory.
To maintain safety for controllers and for them to be able to modify data they get back from the cache and the resource service, the client they are presented in their runtime will be wrapped with an autogenerated client which clones request and response messages as they pass through the client.
Another sizable change in this PR is to consolidate how server specific gRPC services get registered and managed. Before this was in a bunch of different methods and it was difficult to track down how gRPC services were registered. Now its all in one place.
* Fix race in tests
* Ensure the resource service is registered to the multiplexed handler for forwarding from client agents
* Expose peer streaming on the internal handler
* updating usage of http2_protocol_options and access_log_path
* add changelog
* update template for AdminAccessLogConfig
* remove mucking with AdminAccessLogConfig
* Add a make target to run lint-consul-retry on all the modules
* Cleanup sdk/testutil/retry
* Fix a bunch of retry.Run* usage to not use the outer testing.T
* Fix some more recent retry lint issues and pin to v1.4.0 of lint-consul-retry
* Fix codegen copywrite lint issues
* Don’t perform cleanup after each retry attempt by default.
* Use the common testutil.TestingTB interface in test-integ/tenancy
* Fix retry tests
* Update otel access logging extension test to perform requests within the retry block
* Upgrade hcp-sdk-go to latest version v0.73
Changes:
- go get github.com/hashicorp/hcp-sdk-go
- go mod tidy
* From upgrade: regenerate protobufs for upgrade from 1.30 to 1.31
Ran: `make proto`
Slack: https://hashicorp.slack.com/archives/C0253EQ5B40/p1701105418579429
* From upgrade: fix mock interface implementation
After upgrading, there is the following compile error:
cannot use &mockHCPCfg{} (value of type *mockHCPCfg) as "github.com/hashicorp/hcp-sdk-go/config".HCPConfig value in return statement: *mockHCPCfg does not implement "github.com/hashicorp/hcp-sdk-go/config".HCPConfig (missing method Logout)
Solution: update the mock to have the missing Logout method
* From upgrade: Lint: remove usage of deprecated req.ServerState.TLS
Due to upgrade, linting is erroring due to usage of a newly deprecated field
22:47:56 [consul]: make lint
--> Running golangci-lint (.)
agent/hcp/testing.go:157:24: SA1019: req.ServerState.TLS is deprecated: use server_tls.internal_rpc instead. (staticcheck)
time.Until(time.Time(req.ServerState.TLS.CertExpiry)).Hours()/24,
^
* From upgrade: adjust oidc error message
From the upgrade, this test started failing:
=== FAIL: internal/go-sso/oidcauth TestOIDC_ClaimsFromAuthCode/failed_code_exchange (re-run 2) (0.01s)
oidc_test.go:393: unexpected error: Provider login failed: Error exchanging oidc code: oauth2: "invalid_grant" "unexpected auth code"
Prior to the upgrade, the error returned was:
```
Provider login failed: Error exchanging oidc code: oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"unexpected auth code\"}\n
```
Now the error returned is as below and does not contain "cannot fetch token"
```
Provider login failed: Error exchanging oidc code: oauth2: "invalid_grant" "unexpected auth code"
```
* Update AgentPushServerState structs with new fields
HCP-side changes for the new fields are in:
https://github.com/hashicorp/cloud-global-network-manager-service/pull/1195/files
* Minor refactor for hcpServerStatus to abstract tlsInfo into struct
This will make it easier to set the same tls-info information to both
- status.TLS (deprecated field)
- status.ServerTLSMetadata (new field to use instead)
* Update hcpServerStatus to parse out information for new fields
Changes:
- Improve error message and handling (encountered some issues and was confused)
- Set new field TLSInfo.CertIssuer
- Collect certificate authority metadata and set on TLSInfo.CertificateAuthorities
- Set TLSInfo on both server.TLS and server.ServerTLSMetadata.InternalRPC
* Update serverStatusToHCP to convert new fields to GNM rpc
* Add changelog
* Feedback: connect.ParseCert, caCerts
* Feedback: refactor and unit test server status
* Feedback: test to use expected struct
* Feedback: certificate with intermediate
* Feedback: catch no leaf, remove expectedErr
* Feedback: update todos with jira ticket
* Feedback: mock tlsConfigurator
* add build tags/import k8s specific proto packages
* fix generated import paths
* fix gomod linting issue
* mod tidy every go mod file
* revert protobuff version, take care of in different pr
* cleaned up new lines
* added newline to end of file
As the V2 architecture hinges on eventual consistency and controllers reconciling the existing state in response to writes, there are potential issues we could run into regarding ordering and timing of operations. We want to be able to guarantee that given a set of resources the system will always eventually get to the desired correct state. The order of resource writes and delays in performing those writes should not alter the final outcome of reaching the desired state.
To that end, this commit introduces arbitrary randomized delays before performing resources writes into the `resourcetest.Client`. Its `PublishResources` method was already randomizing the order of resource writes. By default, no delay is added to normal writes and deletes but tests can opt-in via either passing hard coded options when creating the `resourcetest.Client` or using the `resourcetest.ConfigureTestCLIFlags` function to allow processing of CLI parameters.
In addition to allowing configurability of the request delay min and max, the client also has a configurable random number generator seed. When Using the CLI parameter helpers, a test log will be written noting the currently used settings. If the test fails then you can reproduce the same delays and order randomizations by providing the seed during the previous test failure.
This should align between CE ef35525 and ENT 7f95226dbe40151c8f17dd4464784b60cf358dc1 in:
- testing/integration/consul-container
- test-integ
- testing/deployer
R.B. Boyer
John Murret
Michael Zalimeni
sarahalsmiller
Dan Stough
Deniz Onur Duzgun
Chris S. Kim
wangxinyi7
Nathan Coleman
skpratt
wangxinyi7
Derek Menteer
John Landa
Lord-Y
Nick Cellino
cskh
Matt Keeler
Manoj Srinivasamurthy
aahel
lornasong
Semir Patel