Commit Graph

17763 Commits

Author SHA1 Message Date
Jeff Boruszak 42b049726f
Merge pull request #13693 from hashicorp/docs-cluster-peering-updates
docs: Cluster Peering docs fixes
2022-07-11 12:34:07 -05:00
Nathan Coleman 4da7e04a4d
Merge pull request #13681 from hashicorp/docs/install-capigw-version-env-var
docs(consul-api-gateway): use VERSION env var in install steps
2022-07-11 10:32:19 -05:00
Nathan Coleman 6938ce4b39
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx 2022-07-11 11:26:04 -04:00
cskh cf6b6dddaf
feat(cli): enable to delete config entry from an input file (#13677)
* feat(cli): enable to delete config entry from an input file

- A new flag to config delete to delete a config entry in a
  valid config file, e.g., config delete -filename
  intention-allow.hcl
- Updated flag validation; -filename and -kind can't be set
  at the same time
- Move decode config entry method from config_write.go to
  helpers.go for reusing ParseConfigEntry()
- add changelog

Co-authored-by: Dan Upton <daniel@floppy.co>
2022-07-11 10:13:40 -04:00
Kyle Havlovitz e68487f254
Merge pull request #13678 from hashicorp/envoy-prometheus-tls-fix
Fix syntax for envoy bootstrap prometheus secret config
2022-07-08 15:58:19 -07:00
R.B. Boyer af04851637
peering: move peer replication to the external gRPC port (#13698)
Peer replication is intended to be between separate Consul installs and
effectively should be considered "external". This PR moves the peer
stream replication bidirectional RPC endpoint to the external gRPC
server and ensures that things continue to function.
2022-07-08 12:01:13 -05:00
Mike Morris 8f74cb52f3
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-07-07 17:38:30 -04:00
Mike Morris 66fdf29d42
Update website/content/docs/api-gateway/consul-api-gateway-install.mdx
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-07-07 17:37:12 -04:00
boruszak 9ba349de8c Clarification around "peering_token.json" and adding Partition names 2022-07-07 16:10:21 -05:00
Chris Thain 3766870719
Docs: Fix path to consul-ecs Terraform modules (#13689) 2022-07-07 13:30:19 -07:00
R.B. Boyer ea58f235f5
server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data (#13687)
Currently servers exchange information about their WAN serf port
and RPC port with serf tags, so that they all learn of each other's
addressing information. We intend to make larger use of the new
public-facing gRPC port exposed on all of the servers, so this PR
addresses that by passing around the gRPC port via serf tags and
then ensuring the generated consul service in the catalog has
metadata about that new port as well for ease of non-serf-based lookup.
2022-07-07 13:55:41 -05:00
John Cowen 70274865a0
ui: Peer Deletion (#13665)
* ui: Peer Deletion (#13665)
* ui: Add sorting peer listing by State (#13684)
* ui: Add filtering peer listing by State (#13685)
2022-07-07 18:23:26 +01:00
John Cowen 2dc949f17d
ui: CopyableCode component (#13686)
* ui: CopyableCode component plus switch into existing implementations
2022-07-07 17:42:47 +01:00
boruszak 759f5a2bf5 "<service-name" fix - added brackets 2022-07-07 10:08:53 -05:00
Mike Morris ccb2ee48e0 docs(consul-api-gateway): use VERSION env var in install steps 2022-07-06 17:22:05 -04:00
Usha Kodali f332fa8f86
Consul on ECS compatibility matrix docs update (#13060) 2022-07-06 12:34:14 -07:00
Kyle Havlovitz 407e858389 Fix syntax for bootstrap sds secret config 2022-07-06 09:53:40 -07:00
Freddy 3542138e4d
Parse peer name for virtual IP DNS queries (#13602)
This commit updates the DNS query locality parsing so that the virtual
IP for an imported service can be queried.

Note that:
- Support for parsing a peer in other service discovery queries was not
  added.
- Querying another datacenter for a virtual IP is not supported. This
  was technically allowed in 1.11 but is being rolled back for 1.13
  because it is not a use-case we intended to support. Virtual IPs in
  different datacenters are going to collide because they are allocated
  sequentially.
2022-07-06 10:30:04 -06:00
R.B. Boyer 2a945facec
test: update mockery use to put mocks into test files (#13656)
--testonly doesn't do anything anymore so switch to --filename instead
2022-07-05 16:57:15 -05:00
Jared Kirschner 4371bc0171
Merge pull request #13654 from hashicorp/docs/correct-1.10.x-upgrade-path
docs: improve large version change upgrade path
2022-07-05 14:33:28 -04:00
John Cowen 892032acae
ui: Slight update to peering mocks to more properly match actual (#13664) 2022-07-04 18:49:41 +01:00
John Cowen aaad7692ce
ui: Fixup peering imported/exported service counts (#13662)
* ui: Fix up peer states and counts in the listing
2022-07-04 18:49:21 +01:00
Chris S. Kim f07132dacc
Revise possible states for a peering. (#13661)
These changes are primarily for Consul's UI, where we want to be more
specific about the state a peering is in.

- The "initial" state was renamed to pending, and no longer applies to
  peerings being established from a peering token.

- Upon request to establish a peering from a peering token, peerings
  will be set as "establishing". This will help distinguish between the
  two roles: the cluster that generates the peering token and the
  cluster that establishes the peering.

- When marked for deletion, peering state will be set to "deleting".
  This way the UI determines the deletion via the state rather than the
  "DeletedAt" field.

Co-authored-by: freddygv <freddy@hashicorp.com>
2022-07-04 10:47:58 -04:00
John Cowen 27e50ae925
ui: Add peer searching and sorting (#13634)
* ui: Add peer searching and sorting

Initial name search and sort only, more to come here

* Remove old peerings::search component

* Use @model peers

* ui: Peer listing with dc/ns/partition/name based unique IDs and polling deletion (#13648)

* ui: Add peer repo with listing datasource

* ui: Use data-loader component to use the data-source

* ui: Remove ember-data REST things and Route.model hook

* 10 second not 1 second poll

* Fill out Datacenter and Partition

* route > routeName

* Faker randomised mocks for peering endpoint

* ui: Adds initial peer detail page plus address tab (#13651)
2022-07-04 11:31:58 +01:00
John Cowen ea33bc249c
ui: Gradual deprecation of old StateChart interface (#13604) 2022-07-04 11:22:14 +01:00
Daniel Upton 07e4e6bd7d Changelog entry 2022-07-04 10:48:36 +01:00
Daniel Upton 45886848b4 proxycfg: server-local intention upstreams data source
This is the OSS portion of enterprise PR 2157.

It builds on the local blocking query work in #13438 to implement the
proxycfg.IntentionUpstreams interface using server-local data.

Also moves the ACL filtering logic from agent/consul into the acl/filter
package so that it can be reused here.
2022-07-04 10:48:36 +01:00
Daniel Upton 37ccbd2826 proxycfg: server-local intentions data source
This is the OSS portion of enterprise PR 2141.

This commit provides a server-local implementation of the `proxycfg.Intentions`
interface that sources data from streaming events.

It adds events for the `service-intentions` config entry type, and then consumes
event streams (via materialized views) for the service's explicit intentions and
any applicable wildcard intentions, merging them into a single list of intentions.

An alternative approach I considered was to consume _all_ intention events (via
`SubjectWildcard`) and filter out the irrelevant ones. This would admittedly
remove some complexity in the `agent/proxycfg-glue` package but at the expense
of considerable overhead from waking potentially many thousands of connect
proxies every time any intention is updated.
2022-07-04 10:48:36 +01:00
Daniel Upton 653b8c4f9d proxycfg: server-local config entry data sources
This is the OSS portion of enterprise PR 2056.

This commit provides server-local implementations of the proxycfg.ConfigEntry
and proxycfg.ConfigEntryList interfaces, that source data from streaming events.

It makes use of the LocalMaterializer type introduced for peering replication,
adding the necessary support for authorization.

It also adds support for "wildcard" subscriptions (within a topic) to the event
publisher, as this is needed to fetch service-resolvers for all services when
configuring mesh gateways.

Currently, events will be emitted for just the ingress-gateway, service-resolver,
and mesh config entry types, as these are the only entries required by proxycfg
— the events will be emitted on topics named IngressGateway, ServiceResolver,
and MeshConfig topics respectively.

Though these events will only be consumed "locally" for now, they can also be
consumed via the gRPC endpoint (confirmed using grpcurl) so using them from
client agents should be a case of swapping the LocalMaterializer for an
RPCMaterializer.
2022-07-04 10:48:36 +01:00
Jared Kirschner 41990d52e0 docs: improve large version change upgrade path 2022-07-01 05:47:24 -07:00
Michael Klein 65b0faf96b
ui: allow searching services by admin-partition (#13650) 2022-06-30 17:24:52 +01:00
Michael Klein ef21100435
ui: peering chores (#13636)
* Update empty state topology downstreams to included peer info

* Add filter for filtering for service without ExternalSources
2022-06-30 15:47:04 +01:00
alex cd9ca4290a
peering: add imported/exported counts to peering (#13644)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
2022-06-29 14:07:30 -07:00
Chris S. Kim b186731a2e
Fix ENT drift in files (#13647) 2022-06-29 16:53:22 -04:00
Matt Keeler 5105835cb2
Allow the /v1/internal/acl/authorize endpoint to authorize the “peering” resource (#13646)
Currently this just checks for operator read. In the near future it will check for peering specific rules once those are implemented.
2022-06-29 16:38:17 -04:00
Chris S. Kim d8b7940e40
Add internal endpoint to fetch peered upstream candidates from VirtualIP table (#13642)
For initial cluster peering TProxy support we consider all imported services of a partition to be potential upstreams.

We leverage the VirtualIP table because it stores plain service names (e.g. "api", not "api-sidecar-proxy").
2022-06-29 16:34:58 -04:00
Eric Haberkorn 653cb42944
Fix spelling mistake in serverless patcher (#13607)
passhthrough -> passthrough
2022-06-29 15:21:21 -04:00
David Yu 8552d875ae
docs: add controller to cluster peering docs (#13639)
* docs: add controller to cluster peering docs
2022-06-29 11:08:37 -07:00
John Cowen d66f5a6364
ui: Fix up peer ENT tests (#13633)
* ui: Add missing @nspaces

* Reorder peerings to be before any optionals

* Merge params instead of overwriting

* Reorder int tests
2022-06-29 19:07:39 +01:00
alex 07bc22e405
no 1.9 style metrics (#13532)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-06-29 09:46:37 -07:00
alex beb8b03e8a
peering: reconcile/ hint active state for list (#13619)
Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-06-29 09:43:50 -07:00
R.B. Boyer 31b95c747b
xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629)
When the protocol is http-like, and an intention has a peered source
then the normal RBAC mTLS SAN field check is replaces with a joint combo
of:

    mTLS SAN field must be the service's local mesh gateway leaf cert
      AND
    the first XFCC header (from the MGW) must have a URI field that matches the original intention source

Also:

- Update the regex program limit to be much higher than the teeny
  defaults, since the RBAC regex constructions are more complicated now.

- Fix a few stray panics in xds generation.
2022-06-29 10:29:54 -05:00
Tu Nguyen 214495f2a2
Fix typo in cluster peering docs (#13574)
* Fix typo in cluster peering docs
* Remove highlight, update curly quotes
2022-06-28 15:54:57 -07:00
R.B. Boyer de0f9ac519
xds: have mesh gateways forward peered SpiffeIDs using the XFCC header (#13625) 2022-06-28 15:32:42 -05:00
R.B. Boyer 1a9c86ea8f
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624)
A mesh gateway will now configure the filter chains for L7 exported
services using the correct discovery chain information.
2022-06-28 14:52:25 -05:00
R.B. Boyer 7133ee38f6
test: for upgrade compatibility tests retain assigned container ip addresses on upgrade (#13615)
Use a synthetic pod construct to hold onto the IP address in the
interim.
2022-06-28 09:50:13 -05:00
Dan Upton ebf74d08fd
test: run Envoy integration tests against both servers and clients (#13610) 2022-06-28 13:15:45 +01:00
Michele Degges 977c6e58de
Turn off sec-scanner check (#13614) 2022-06-27 15:52:51 -07:00
Evan Culver d4fdddf8d4
Fix verifications by using updated arm package names (#13601)
Co-authored-by: alex <8968914+acpana@users.noreply.github.com>
2022-06-27 14:00:27 -07:00
R.B. Boyer 0fa828db76
peering: replicate all SpiffeID values necessary for the importing side to do SAN validation (#13612)
When traversing an exported peered service, the discovery chain
evaluation at the other side may re-route the request to a variety of
endpoints. Furthermore we intend to terminate mTLS at the mesh gateway
for arriving peered traffic that is http-like (L7), so the caller needs
to know the mesh gateway's SpiffeID in that case as well.

The following new SpiffeID values will be shipped back in the peerstream
replication:

- tcp: all possible SpiffeIDs resulting from the service-resolver
        component of the exported discovery chain

- http-like: the SpiffeID of the mesh gateway
2022-06-27 14:37:18 -05:00