Commit Graph

10218 Commits

Author SHA1 Message Date
R.B. Boyer 6393edba53
connect: reconcile how upstream configuration works with discovery chains (#6225)
* connect: reconcile how upstream configuration works with discovery chains

The following upstream config fields for connect sidecars sanely
integrate into discovery chain resolution:

- Destination Namespace/Datacenter: Compilation occurs locally but using
different default values for namespaces and datacenters. The xDS
clusters that are created are named as they normally would be.

- Mesh Gateway Mode (single upstream): If set this value overrides any
value computed for any resolver for the entire discovery chain. The xDS
clusters that are created may be named differently (see below).

- Mesh Gateway Mode (whole sidecar): If set this value overrides any
value computed for any resolver for the entire discovery chain. If this
is specifically overridden for a single upstream this value is ignored
in that case. The xDS clusters that are created may be named differently
(see below).

- Protocol (in opaque config): If set this value overrides the value
computed when evaluating the entire discovery chain. If the normal chain
would be TCP or if this override is set to TCP then the result is that
we explicitly disable L7 Routing and Splitting. The xDS clusters that
are created may be named differently (see below).

- Connect Timeout (in opaque config): If set this value overrides the
value for any resolver in the entire discovery chain. The xDS clusters
that are created may be named differently (see below).

If any of the above overrides affect the actual result of compiling the
discovery chain (i.e. "tcp" becomes "grpc" instead of being a no-op
override to "tcp") then the relevant parameters are hashed and provided
to the xDS layer as a prefix for use in naming the Clusters. This is to
ensure that if one Upstream discovery chain has no overrides and
tangentially needs a cluster named "api.default.XXX", and another
Upstream does have overrides for "api.default.XXX" that they won't
cross-pollinate against the operator's wishes.

Fixes #6159
2019-08-01 22:03:34 -05:00
R.B. Boyer 5e32bbdf4d update changelog 2019-08-01 13:27:14 -05:00
R.B. Boyer 8564b6bb38
connect: validate upstreams and prevent duplicates (#6224)
* connect: validate upstreams and prevent duplicates

* Actually run Upstream.Validate() instead of ignoring it as dead code.

* Prevent two upstreams from declaring the same bind address and port.
  It wouldn't work anyway.

* Prevent two upstreams from being declared that use the same
  type+name+namespace+datacenter. Due to how the Upstream.Identity()
  function worked this ended up mostly being enforced in xDS at use-time,
  but it should be enforced more clearly at register-time.
2019-08-01 13:26:02 -05:00
Paul Banks e87cef2bb8 Revert "connect: support AWS PCA as a CA provider" (#6251)
This reverts commit 3497b7c00d.
2019-07-31 09:08:10 -04:00
Todd Radel 3497b7c00d
connect: support AWS PCA as a CA provider (#6189)
Port AWS PCA provider from consul-ent
2019-07-30 22:57:51 -04:00
Todd Radel 2552f4a11a
connect: Support RSA keys in addition to ECDSA (#6055)
Support RSA keys in addition to ECDSA
2019-07-30 17:47:39 -04:00
Freddy 919316f188
Update CHANGELOG.md 2019-07-30 11:03:16 -06:00
freddygv 1a14b94441 Update default gossip encryption key size to 32 bytes 2019-07-30 09:45:41 -06:00
Matt Keeler 5bb8d60786
Update CHANGELOG.md 2019-07-30 09:58:38 -04:00
Matt Keeler 1fdda51839
Fix envoy canBind (#6238)
* Fix envoy cli canBind function

The string form of an Addr was including the CIDR causing the str equals to not match.

* Remove debug prints
2019-07-30 09:56:56 -04:00
hashicorp-ci 847b90288a Merge Consul OSS branch 'master' at commit a1725e6b52 2019-07-30 02:00:29 +00:00
Matt Keeler a1725e6b52 Fix flaky tests (#6229) 2019-07-29 15:07:25 -04:00
Matt Keeler 5288dec952
Update CHANGELOG.md 2019-07-29 11:19:39 -04:00
Matt Keeler 64bc7a6c47
Update CHANGELOG.md 2019-07-29 11:17:58 -04:00
Matt Keeler fcc18c1675
Fix prepared query upstream endpoint generation (#6236)
Use the correct SNI value for prepared query upstreams
2019-07-29 11:15:55 -04:00
hashicorp-ci 5ff04a303e
Release v1.6.0-beta3 2019-07-26 23:15:20 +00:00
hashicorp-ci 1527616c8c
update bindata_assetfs.go 2019-07-26 23:15:20 +00:00
Alvin Huang b2944bdbe1 Merge remote-tracking branch 'origin/master' into release/1-6 2019-07-26 16:22:53 -04:00
Matt Keeler 0481187152
Update CHANGELOG.md 2019-07-26 15:59:20 -04:00
Matt Keeler 35e67b1d1a
Fix CA Replication when ACLs are enabled (#6201)
Secondary CA initialization steps are:

• Wait until the primary will be capable of signing intermediate certs. We use serf metadata to check the versions of servers in the primary which avoids needing a token like the previous implementation that used RPCs. We require at least one alive server in the primary and the all alive servers meet the version requirement.
• Initialize the secondary CA by getting the primary to sign an intermediate

When a primary dc is configured, if no existing CA is initialized and for whatever reason we cannot initialize a secondary CA the secondary DC will remain without a CA. As soon as it can it will initialize the secondary CA by pulling the primaries roots and getting the primary to sign an intermediate.

This also fixes a segfault that can happen during leadership revocation. There was a spot in the secondaryCARootsWatch that was getting the CA Provider and executing methods on it without nil checking. Under normal circumstances it wont be nil but during leadership revocation it gets nil'ed out. Therefore there is a period of time between closing the stop chan and when the go routine is actually stopped where it could read a nil provider and cause a segfault.
2019-07-26 15:57:57 -04:00
Matt Keeler 59454c7edc
Set --max-obj-name-len 256 when execing Envoy (#6202)
* Pass -max-obj-name-len 256 to envoy

* Update test expectations.

* Add a note about requireing the max-obj-name-len option to be set
2019-07-26 15:43:15 -04:00
Todd Radel dbae899796
Merge pull request #6210 from hashicorp/docs/fix-ambassador-link
Fix links to ambassador website
2019-07-26 14:29:03 -04:00
R.B. Boyer 3ca566a152
Merge pull request #6223 from hashicorp/master-merge-b3541c4f3
Master merge b3541c4f3
2019-07-26 11:44:01 -05:00
R.B. Boyer c6c4a2251a Merge Consul OSS branch master at commit b3541c4f34 2019-07-26 10:34:24 -05:00
Jack Pearkes b3541c4f34 Putting source back into Dev Mode 2019-07-25 17:58:56 -07:00
hashicorp-ci a42ded477c
Release v1.5.3 2019-07-25 23:41:17 +00:00
hashicorp-ci 0c9c5bfa98
update bindata_assetfs.go 2019-07-25 23:41:16 +00:00
Jack Pearkes 43996ce05f
Update CHANGELOG.md 2019-07-25 14:20:11 -07:00
Mike Morris 34984e4764
docs: add TCP half-close broken pipe to common errors (#6203) 2019-07-25 16:01:33 -04:00
Jack Pearkes 4e0a16ab2d
config: correct limit to limits in config example (#6219)
This isn't yet documented on the website, but wanted to update this to add the missing s.
2019-07-25 12:38:57 -07:00
Matt Keeler 69629870fe
Update CHANGELOG.md 2019-07-25 14:27:22 -04:00
Matt Keeler 8b54307be2
Allow forwarding of some status RPCs (#6198)
* Allow forwarding of some status RPCs

* Update docs

* add comments about not using the regular forward
2019-07-25 14:26:22 -04:00
Alvin Huang 54ef3d5a40
check vendor folder (#6006)
* check vendor in circleci

* make vendor checking step more descriptive

* reorganize check-vendor and gofmt jobs
2019-07-25 11:17:07 -04:00
Alvin Huang 3c889b4e65
remove sdk and api packages (#6214) 2019-07-25 10:00:20 -04:00
Alvin Huang 3558f9cf6d
add dev docker image upload (#5879)
* add dev docker image upload

* remove the go cache since that isn't needed

* add comment and image labels

* get password from stdin
2019-07-25 09:19:09 -04:00
Jeff Mitchell 1ea7a34756 Make the chunking test multidimensional (#6212)
This ensures that it's not just a single operation we restores
successfully, but many. It's the same foundation, just with multiple
going on at once.
2019-07-25 11:40:09 +01:00
Freddy 89158c7a76
auto-encrypt: Fix port resolution and fallback to default port (#6205)
Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value:
"missing port in address" vs "address $HOST: missing port in address"

Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available.
2019-07-24 16:49:37 -07:00
Matt Keeler eab413d5d5
Update CHANGELOG.md 2019-07-24 17:08:08 -04:00
Jeff Mitchell 94c73d0c92 Chunking support (#6172)
* Initial chunk support

This uses the go-raft-middleware library to allow for chunked commits to the KV
2019-07-24 17:06:39 -04:00
Matt Keeler 3053342198
Envoy Mesh Gateway integration tests (#6187)
* Allow setting the mesh gateway mode for an upstream in config files

* Add envoy integration test for mesh gateways

This necessitated many supporting changes in most of the other test cases.

Add remote mode mesh gateways integration test
2019-07-24 17:01:42 -04:00
Todd Radel 569b37133a Fix links to ambassador website 2019-07-24 13:23:49 -04:00
Freddy 199f6cc41d
Make new config when retrying testServer creation (#6204) 2019-07-24 08:41:00 -06:00
R.B. Boyer e5e3f483c5 update changelog 2019-07-23 20:57:53 -05:00
R.B. Boyer ad9e7b6ae9
connect: allow L7 routers to match on http methods (#6164)
Fixes #6158
2019-07-23 20:56:39 -05:00
R.B. Boyer 85cf2706e6
connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. (#6163)
This is a breaking change, but only in the context of the beta series.
2019-07-23 20:55:26 -05:00
R.B. Boyer 880d149c19 update changelog 2019-07-23 20:51:58 -05:00
R.B. Boyer 1dbd92e091
connect: validate and test more of the L7 config entries (#6156) 2019-07-23 20:50:23 -05:00
R.B. Boyer 483effd496 update changelog 2019-07-23 20:21:30 -05:00
R.B. Boyer e039dfd7f8
connect: rework how the service resolver subset OnlyPassing flag works (#6173)
The main change is that we no longer filter service instances by health,
preferring instead to render all results down into EDS endpoints in
envoy and merely label the endpoints as HEALTHY or UNHEALTHY.

When OnlyPassing is set to true we will force consul checks in a
'warning' state to render as UNHEALTHY in envoy.

Fixes #6171
2019-07-23 20:20:24 -05:00
R.B. Boyer aca2c5de3f
tests: adding new envoy integration tests for L7 service-resolvers (#6129)
Additionally:

- wait for bootstrap config entries to be applied

- run the verify container in the host's PID namespace so we can kill
envoys without mounting the docker socket

* assert that we actually send HEALTHY and UNHEALTHY endpoints down in EDS during failover
2019-07-23 20:08:36 -05:00