Commit Graph

1327 Commits

Author SHA1 Message Date
Nitya Dhanushkodi ed738a6f98
fix: use Envoy's default for validate_clusters to fix breaking routes when some backend clusters don't exist (#21587) 2024-08-19 22:39:28 -07:00
John Maguire 1fa428552b
[NET-10719] Fix cluster generation for jwt clusters for external jwt providers (#21604)
* Fix cluster generation for jwt clusters for external jwt providers

* add changelog
2024-08-14 15:41:02 -04:00
sarahalsmiller 929d602dbb
ui: Upgrade d3 packages to update color dependency (#21588)
* upgrade d3 packages to update color dependency

* yarn package bump

* deps moved into devdeps

---------

Co-authored-by: Phil Renaud <phil@riotindustries.com>
2024-08-12 09:52:16 -04:00
John Maguire c0faddbe1f
[NET-10246] use correct enterprise meta for service name for LinkedService (#21382)
* use correct enterprise meta for service name for LinkedService

* add changelog
2024-07-10 10:55:53 -04:00
Nathan Coleman 8d2370da76
[NET-10290] Update ENVOY_VERSIONS (#21524)
* [NET-10290] Update ENVOY_VERSIONS

* Add changelog entry

* Link to CVE for more info in changelog entry

Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>

---------

Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
2024-07-08 18:59:51 -04:00
Phil Renaud dce6241869
[ui] File-specified deps for consul-ui (#21378)
* Namespaced and file-specified deps

* Pinning to a specific version of tailwind and setting config for js packages to come from npmjs

* Pin glob instead of reverting tailwind or any other (grand)parent dependency

* ember-cli-build fixed path resolution for now-namespaced submodules

* Dropping the namespace prefix and relying on relative pathing
2024-07-08 16:36:29 -04:00
Dan Stough a251f8ad80
fix(dns): spam ttl logs for prepared queries (#21381) 2024-07-08 10:34:00 -04:00
Dan Stough 763cd0bffb
fix(txn): validate verbs (#21519)
* fix(txn): validate verbs

* changelog
2024-07-05 14:51:20 -04:00
sarahalsmiller f3649e16a7
NET-10288-Bump-go-to-resolve-CVE-2024-24791 (#21507)
* bump go version

* changelog

* Update .changelog/21507.txt

* Update go.mod

Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>

* go mod tidy

---------

Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com>
2024-07-03 12:47:20 -05:00
sarahalsmiller 6f31bfebbe
Update retryable-http-client to resolve CVE-2024-6104 (#21384)
* update retryable-http-client

* changelog
2024-07-02 10:12:13 -05:00
Dan Stough a4a3aec567
fix(dns): bug with standard lookup tags not working; SRV questions returning duplicate hostnames (#21361) 2024-06-25 13:42:25 -04:00
sarahalsmiller c18c911ac8
[Security] Close cross scripting vulnerability (#21342)
* close vulnerability

* add changelog
2024-06-17 13:54:37 -04:00
Deniz Onur Duzgun 7a19d2e7a4
security: fix AliasCheck panic (#21339)
* security: fix AliasCheck panic

* add changelog
2024-06-14 11:03:10 -04:00
sarahalsmiller 2cdc387bd3
Bump Envoy Versions (#21277)
* update envoy versions

* add changelog

* update nightly integrations
2024-06-10 15:29:26 +00:00
Dhia Ayachi 2631ec843a
update go version to 1.22.4 (#21265)
* update go version to 1.22.4

* add changelog
2024-06-06 10:46:05 -04:00
Deniz Onur Duzgun 68a7648d14
security: resolve incorrect type conversions (#21251)
* security: resolve incorrect type conversions

* add changelog

* fix more incorrect type conversions
2024-06-04 21:55:53 +00:00
John Murret 11bcf521ae
dns v2 - both empty string and default should be allowed for namespace and partition in CE (#21230)
* dns v2 - both empty string and default should be allowed for namespace and partition in Ce

* add changelog

* use default partition constant

* use constants in validation.

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2024-05-28 16:20:59 -06:00
Dan Stough cf1c030043
feat: update supported envoy to 1.29 (#21142) 2024-05-24 13:26:07 -04:00
Dhia Ayachi 1f4caaedf2
upgrade deep-copy version, upgrade go to 1.22.3 (#21113)
* upgrade deep-copy version, upgrade go to 1.22.3

* add changelog
2024-05-16 13:40:15 -04:00
Michael Zalimeni f56405e745
security: Upgrade Go to 1.21.10 (#21074)
This resolves CVE-2024-24787 and CVE-2024-24788.
2024-05-09 11:11:01 -04:00
Michael Zalimeni 86b0818c1f
[NET-8601] security: upgrade vault/api to remove go-jose.v2 (#20910)
security: upgrade vault/api to remove go-jose.v2

This dependency has an open vulnerability (GO-2024-2631), and is no
longer needed by the latest `vault/api`. This is a follow-up to the
upgrade of `go-jose/v3` in this repository to make all our dependencies
consolidate on v3.

Also remove the recently added security scan triage block for
GO-2024-2631, which was added due to incorrect reports that
`go-jose/v3@3.0.3` was impacted; in reality, is was this indirect
client dependency (not impacted by CVE) that the scanner was flagging. A
bug report has been filed to address the incorrect reporting.
2024-05-04 00:18:51 +00:00
Deniz Onur Duzgun 3a6f2fba18
security: bump envoy version and k8s.io/apimachinery (#21017)
* security: bump envoy version

* add changelog
2024-05-02 13:36:02 -04:00
Dan Stough 03ab7367a6
feat(dataplane): allow token and tenancy information for proxied DNS (#20899)
* feat(dataplane): allow token and tenancy information for proxied DNS

* changelog
2024-04-22 14:30:43 -04:00
sarahalsmiller 08761f16c8
Net 6820 customize mesh gateway limits (#20945)
* add upstream limits to mesh gateway cluster generation

* changelog

* go mod tidy

* readd changelog data

* undo reversion from rebase

* run codegen

* Update .changelog/20945.txt

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* address notes

* gofmt

* clean up

* gofmt

* Update agent/proxycfg/mesh_gateway.go

* gofmt

* nil check

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
2024-04-16 10:59:41 -05:00
Nathan Coleman 5e9f02d4be
[NET-8091] Add file-system-certificate config entry for API gateway (#20873)
* Define file-system-certificate config entry

* Collect file-system-certificate(s) referenced by api-gateway onto snapshot

* Add file-system-certificate to config entry kind allow lists

* Remove inapplicable validation

This validation makes sense for inline certificates since Consul server is holding the certificate; however, for file system certificates, Consul server never actually sees the certificate.

* Support file-system-certificate as source for listener TLS certificate

* Add more required mappings for the new config entry type

* Construct proper TLS context based on certificate kind

* Add support or SDS in xdscommon

* Remove unused param

* Adds back verification of certs for inline-certificates

* Undo tangential changes to TLS config consumption

* Remove stray curly braces

* Undo some more tangential changes

* Improve function name for generating API gateway secrets

* Add changelog entry

* Update .changelog/20873.txt

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

* Add some nil-checking, remove outdated TODO

* Update test assertions to include file-system-certificate

* Add documentation for file-system-certificate config entry

Add new doc to nav

* Fix grammar mistake

* Rename watchmaps, remove outdated TODO

---------

Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2024-04-15 16:45:05 -04:00
Michael Zalimeni a8d08e759f
fix: consume ignored entries in CE downgrade via Ent snapshot (#20977)
This operation would previously fail due to unconsumed bytes in the
decoder buffer when reading the Ent snapshot (the first byte of the
record would be misinterpreted as a type indicator, and the remaining
bytes would fail to be deserialized or read as invalid data).

Ensure restore succeeds by decoding the ignored record as an
interface{}, which will consume the record bytes without requiring a
concrete target struct, then moving on to the next record.
2024-04-11 21:08:44 +00:00
Eric Haberkorn e231f0ee9b
Add an agent config option to diable per tenancy usage metrics. (#20976) 2024-04-11 15:20:09 -04:00
John Murret d261a987f1
update go-control-plane envoy dependency to 0.12.0 (#20973)
* update go-control-plane envoy dependency to 0.12.0

* add changelog

* go mod tidy

* fix linting issues

* add agent/grpc-internal to the list of SA1019 ignores
2024-04-10 01:23:04 +00:00
Deniz Onur Duzgun 3152ac3702
security: bump go, x/net and envoy versions (#20956)
* Bump go version

* Bump x/net

* Bump envoy version

* Add changelog

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2024-04-08 19:18:40 +00:00
Nathan Coleman 9af713ff17
[NET-5772] Make tcp external service registered on terminating gw reachable from peered cluster (#19881)
* Include SNI + root PEMs from peered cluster on terminating gw filter chain

This allows an external service registered on a terminating gateway to be exported to and reachable from a peered cluster

* Abstract existing logic into re-usable function

* Regenerate golden files w/ new listener logic

* Add changelog entry

* Use peering bundles that are stable across test runs
2024-04-03 12:38:09 -04:00
John Murret 39112c7a98
GH-20889 - put conditionals are hcp initialization for consul server (#20926)
* put conditionals are hcp initialization for consul server

* put more things behind configuration flags

* add changelog

* TestServer_hcpManager

* fix TestAgent_scadaProvider
2024-03-28 14:47:11 -06:00
David Yu 4259b7b33c
Update Dockerfile: bump alpine (#20897)
* Update Dockerfile: bump alpine

* Create 20897

* Rename 20897 to 20897.txt
2024-03-27 14:43:14 -07:00
Dan Stough 6026ada0c9
[CE] feat(v2dns): enable v2 dns as default (#20715)
* feat(v2dns): enable v2 dns as default

* changelog
2024-03-25 16:09:01 -04:00
Iryna Shustava d747b51dab
Handle ACL errors consistently when blocking query timeout is reached. (#20876)
Currently, when a client starts a blocking query and an ACL token expires within
that time, Consul will return ACL not found error with a 403 status code. However,
sometimes if an ACL token is invalidated at the same time as the query's deadline is reached,
Consul will instead return an empty response with a 200 status code.

This is because of the events being executed.
1. Client issues a blocking query request with timeout `t`.
2. ACL is deleted.
3. Server detects a change in ACLs and force closes the gRPC stream.
4. Client resubscribes with the same token and resets its state (view).
5. Client sees "ACL not found" error.

If ACL is deleted before step 4, the client is unaware that the stream was closed due to
an ACL error and will return an empty view (from the reset state) with the 200 status code.

To fix this problem, we introduce another state to the subsciption to indicate when a change
to ACLs has occured. If the server sees that there was an error due to ACL change, it will
re-authenticate the request and return an error if the token is no longer valid.

Fixes #20790
2024-03-22 14:59:54 -06:00
Derek Menteer ac83ac1343
Fix streaming RPCs for agentless. (#20868)
* Fix streaming RPCs for agentless.

This PR fixes an issue where cross-dc RPCs were unable to utilize
the streaming backend due to having the node name set. The result
of this was the agent-cache being utilized, which would cause high
cpu utilization and memory consumption due to the fact that it
keeps queries alive for 72 hours before purging inactive entries.

This resource consumption is compounded by the fact that each pod
in consul-k8s gets a unique token. Since the agent-cache uses the
token as a component of the key, the same query is duplicated for
each pod that is deployed.

* Add changelog.
2024-03-15 14:44:51 -05:00
Derek Menteer 0ac8ae6c3b
Fix xDS deadlock due to syncLoop termination. (#20867)
* Fix xDS deadlock due to syncLoop termination.

This fixes an issue where agentless xDS streams can deadlock permanently until
a server is restarted. When this issue occurs, no new proxies are able to
successfully connect to the server.

Effectively, the trigger for this deadlock stems from the following return
statement:
https://github.com/hashicorp/consul/blob/v1.18.0/agent/proxycfg-sources/catalog/config_source.go#L199-L202

When this happens, the entire `syncLoop()` terminates and stops consuming from
the following channel:
https://github.com/hashicorp/consul/blob/v1.18.0/agent/proxycfg-sources/catalog/config_source.go#L182-L192

Which results in the `ConfigSource.cleanup()` function never receiving a
response and holding a mutex indefinitely:
https://github.com/hashicorp/consul/blob/v1.18.0/agent/proxycfg-sources/catalog/config_source.go#L241-L247

Because this mutex is shared, it effectively deadlocks the server's ability to
process new xDS streams.

----

The fix to this issue involves removing the `chan chan struct{}` used like an
RPC-over-channels pattern and replacing it with two distinct channels:

+ `stopSyncLoopCh` - indicates that the `syncLoop()` should terminate soon.  +
`syncLoopDoneCh` - indicates that the `syncLoop()` has terminated.

Splitting these two concepts out and deferring a `close(syncLoopDoneCh)` in the
`syncLoop()` function ensures that the deadlock above should no longer occur.

We also now evict xDS connections of all proxies for the corresponding
`syncLoop()` whenever it encounters an irrecoverable error. This is done by
hoisting the new `syncLoopDoneCh` upwards so that it's visible to the xDS delta
processing. Prior to this fix, the behavior was to simply orphan them so they
would never receive catalog-registration or service-defaults updates.

* Add changelog.
2024-03-15 13:57:11 -05:00
Derek Menteer eabff257d7
Various bug-fixes and improvements (#20866)
* Shuffle the list of servers returned by `pbserverdiscovery.WatchServers`.

This randomizes the list of servers to help reduce the chance of clients
all connecting to the same server simultaneously. Consul-dataplane is one
such client that does not randomize its own list of servers.

* Fix potential goroutine leak in xDS recv loop.

This commit ensures that the goroutine which receives xDS messages from
proxies will not block forever if the stream's context is cancelled but
the `processDelta()` function never consumes the message (due to being
terminated).

* Add changelog.
2024-03-15 13:10:48 -05:00
Matt Keeler 8fcafb139c
Add `consul snapshot decode` command (#20824)
Add snapshot decoding command
2024-03-14 12:59:06 -04:00
Deniz Onur Duzgun e9029ccd7a
[NET-8368] security: bump Go version to 1.21.8 (#20812)
* [NET-8368] Bump Go version
2024-03-14 09:46:15 -04:00
Chris Hut bfbc0ee4fd
Revert link existing but better 🪦 (#20830)
* Revert "feat: add alert to link to hcp modal to ask a user refresh a page; up… (#20682)"

This reverts commit dd833d9a36.

* Revert "chor: change cluster name param to have datacenter.name as default value (#20644)"

This reverts commit 8425cd0f90.

* Revert "chor: adds informative error message when acls disabled and read-only… (#20600)"

This reverts commit 9d712ccfc7.

* Revert "Cc 7147 link to hcp modal (#20474)"

This reverts commit 8c05e57ac1.

* Revert "Add nav bar item to show HCP link status and encourage folks to link (#20370)"

This reverts commit 22e6ce0df1.

* Revert "Cc 7145 hcp link status api (#20330)"

This reverts commit 049ca102c4.

* Revert "💜 Cc 7187/purple banner for linking existing clusters (#20275)"

This reverts commit 5119667cd1.
2024-03-13 13:59:00 -07:00
sarahalsmiller 262f435800
NET-6821 Disable Terminating Gateway Auto Host Header Rewrite (#20802)
* disable terminating gateway auto host rewrite

* add changelog

* clean up unneeded additional snapshot fields

* add new field to docs

* squash

* fix test
2024-03-12 15:37:20 -05:00
Michael Zalimeni d4761c0ccd
security: upgrade google.golang.org/protobuf to 1.33.0 (#20801)
Resolves CVE-2024-24786.
2024-03-06 23:04:42 +00:00
Matt Keeler abe14f11e6
Remove redundant usage metrics (#20674)
* Remove redundant usage metrics

* Add the changelog

* Update website/content/docs/upgrading/upgrade-specific.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Update website/content/docs/upgrading/upgrade-specific.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Update website/content/docs/upgrading/upgrade-specific.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Update website/content/docs/upgrading/upgrade-specific.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Update website/content/docs/upgrading/upgrade-specific.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2024-03-05 14:09:47 -05:00
Matt Keeler 5c936fba33
Enable callers to control whether per-tenant usage metrics are included in calls to store.ServiceUsage (#20672)
* Enable callers to control whether per-tenant usage metrics are included in calls to store.ServiceUsage

* Add changelog
2024-03-01 13:44:55 -05:00
Chris Hut a58f346f55
Hardcode links to CCM to be false (#20732)
Hardcode links to CCM to be false - due to CCM deprecation

Remove changelog item for breaking Ui change
 - since CCM linking no longer exists
2024-02-26 12:34:01 -08:00
sarahalsmiller 670ee90a77
Use correct enterprise meta on wildcard service update (#20721)
* use correct enterprise meta on wildcard service update

* changelog

* rename changelog file
2024-02-26 12:03:08 -06:00
Matt Keeler 16a0800777
Update API and API Docs regarding disabling gossip for a partition. (#20669) 2024-02-26 12:14:39 -05:00
John Murret 26eed12f04
NET-7813 - DNS : SERVFAIL when resolving PTR records (#20679)
* NET-7813 - DNS : SERVFAIL when resolving PTR records

* Update agent/dns.go

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* PR feedback

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2024-02-21 17:44:04 +00:00
Dan Stough 14efb28086
fix(v2dns): add node ttl to workloads, comment cleanup, and changelog (#20643)
* fix(v2dns): add node ttl to workloads, plus comment cleanup

* docs(v2dns): changelog
2024-02-14 17:38:11 -05:00
Derek Menteer 9f7626d501
Ensure all topics are refreshed on FSM restore and add supervisor loop to v1 controller subscriptions (#20642)
Ensure all topics are refreshed on FSM restore and add supervisor loop to v1 controller subscriptions

This PR fixes two issues:

1. Not all streams were force closed whenever a snapshot restore happened. This means that anything consuming data from the stream (controllers, queries, etc) were unaware that the data they have is potentially stale / invalid. This first part ensures that all topics are purged.

2. The v1 controllers did not properly handle stream errors (which are likely to appear much more often due to 1 above) and so it introduces a supervisor thread to restart the watches when these errors occur.
2024-02-14 14:17:55 -06:00