* Introduce a new type `ComputedProxyConfiguration` and add a controller for it. This is needed for two reasons. The first one is that external integrations like kubernetes may need to read the fully computed and sorted proxy configuration per workload. The second reasons is that it makes sidecar-proxy controller logic quite a bit simpler as it no longer needs to do this.
* Generalize workload selection mapper and fix a bug where it would delete IDs from the tree if only one is left after a removal is done.
* update main apigw overview
* moved the tech specs to main gw folder
* merged tech specs into single topic
* restructure nav part 1
* fix typo in nav json file
* moved k8s install up one level
* restructure nav part 2
* moved and created all listeners and routes content
* moved errors ref and upgrades
* fix error in upgrade-k8s link
* moved conf refs to appropriate spots
* updated conf overview
* fixed some links and bad formatting
* fixed link
* added JWT on VMs usage page
* added JWT conf to APIGW conf entry
* added JWTs to HTTP route conf entry
* added new gatwaypolicy k8s conf reference
* added metadesc for gatewaypolicy conf ref
* added http route auth filter k8s conf ref
* added http route auth filter k8s conf ref to nav
* updates to k8s route conf ref to include extensionRef
* added JWTs usage page for k8s
* fixed link in gwpolicy conf ref
* added openshift installation info to installation pages
* fixed bad link on tech specs
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
* fixed VerityClaims param
* best guess at verifyclaims params
* tweaks to gateway policy dconf ref
* Docs/ce 475 retries timeouts for apigw (#19086)
* added timeout and retry conf ref for k8s
* added retry and TO filters to HTTP routes conf ref for VMs
* Apply suggestions from code review
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
* fix copy/paste error in http route conf entry
---------
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
* update links across site and add redirects
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
* Applied feedback from review
* Apply suggestions from code review
* Apply suggestions from code review
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
* Update CRD configuration for responseHeaderModifiers
* Update Config Entry for http-route
* Add ResponseFilter example to service
* Update website/redirects.js
errant curly brace breaking the preview
* fix links and bad MD
* fixed md formatting issues
* fix formatting errors
* fix formatting errors
* Update website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx
* Apply suggestions from code review
* fixed typo
* Fix headers in http-route
* Apply suggestions from code review
Co-authored-by: John Maguire <john.maguire@hashicorp.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
---------
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: John Maguire <john.maguire@hashicorp.com>
* updated nav; renamed L7 traffic folder
* Added locality-aware routing to traffic mgmt overview
* Added route to local upstreams topic
* Updated agent configuration reference
* Added locality param to services conf ref
* Added locality param to conf entries
* mentioned traffic management in proxies overview
* added locality-aware to failover overview
* added docs for service rate limiting
* updated service defaults conf entry
* Apply suggestions from code review
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
* updated links and added redirects
---------
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
This PR fixes an issue where upstreams did not correctly inherit the proper
namespace / partition from the parent service when attempting to fetch the
upstream protocol due to inconsistent normalization.
Some of the merge-service-configuration logic would normalize to default, while
some of the proxycfg logic would normalize to match the parent service. Due to
this mismatch in logic, an incorrect service-defaults configuration entry would
be fetched and have its protocol applied to the upstream.
* Add InboundPeerTrustBundle maps to Terminating Gateway
* Add notify and cancelation of watch for inbound peer trust bundles
* Pass peer trust bundles to the RBAC creation function
* Regenerate Golden Files
* add changelog, also adds another spot that needed peeredTrustBundles
* Add basic test for terminating gateway with peer trust bundle
* Add intention to cluster peered golden test
* rerun codegen
* update changelog
* really update the changelog
---------
Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>
* updated architecture topic
* fixed type in arch diagram filenames
* fixed path to img file
* updated index page - still need to add links
* moved arch and tech specs to reference folder
* moved other ref topics to ref folder
* set up the Deploy folder and TF install topics
* merged secure conf into TF deploy instructions
* moved bind addr and route conf to their own topics
* moved arch and tech specs back to main folder
* update migrate-existing-tasks content
* merged manual deploy content; added serv conf ref
* fixed links
* added procedure for upgrading to dataplanes
* fixed linked reported by checker
* added updates to dataplanes overview page
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
* Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
* updated links and added redirects
* removed old architecture content
---------
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
Fix issues with empty sources
* Validate that each permission on traffic permissions resources has at least one source.
* Don't construct RBAC policies when there aren't any principals. This resulted in Envoy rejecting xDS updates with a validation error.
```
error=
| rpc error: code = Internal desc = Error adding/updating listener(s) public_listener: Proto constraint validation failed (RBACValidationError.Rules: embedded message failed validation | caused by RBACValidationError.Policies[consul-intentions-layer4-1]: embedded message failed validation | caused by PolicyValidationError.Principals: value must contain at least 1 item(s)): rules {
```
* Explicit container test
* remove static resources
* fix passing serviceBindPorts
* WIP
* fix explicit upstream test
* use my image in CI until dataplane is fixed.
* gofmt
* fixing reference to v2beta1 in test-containers
* WIP
* remove bad references
* add missing license headers
* allow access internal/resource/resourcetest
* fix check-allowed-imports to append array items
* use preview image for dataplane
* revert some inadverntent comment updates in peering_topology
* add building local consul-dataplane image to compatibility-tests CI
* fix substitution in CI
* change upstreams to destinations based on incoming change
* fixing use of upstreams in resource update
* remove commented out lines and enable envoy concurrency on dataplane.
* changes to addess PR feedback
* small fixes
---------
Co-authored-by: Eric <eric@haberkorn.co>
When using the no-auth acl resolver (the case for most controllers and the get-envoy-boostrap-params endpoint), ResolveTokenAndDefaultMeta
method only returns an acl resolver. However, the resource service relies on the ent meta to be filled in to do the tenancy defaulting and
inheriting it from the token when one is present.
So this change makes sure that the ent meta defaulting always happens in the ACL resolver.