802 Commits

Author SHA1 Message Date
freddygv
7bd51ff536 Replace TransparentProxy bool with ProxyMode
This PR replaces the original boolean used to configure transparent
proxy mode. It was replaced with a string mode that can be set to:

- "": Empty string is the default for when the setting should be
defaulted from other configuration like config entries.
- "direct": Direct mode is how applications originally opted into the
mesh. Proxy listeners need to be dialed directly.
- "transparent": Transparent mode enables configuring Envoy as a
transparent proxy. Traffic must be captured and redirected to the
inbound and outbound listeners.

This PR also adds a struct for transparent proxy specific configuration.
Initially this is not stored as a pointer. Will revisit that decision
before GA.
2021-04-12 09:35:14 -06:00
freddygv
98ba582797 Fixup mesh gateway docs 2021-04-11 15:48:04 -06:00
Freddy
a02245b75a
Merge pull request from hashicorp/centralized-upstream-fixups 2021-04-08 12:26:56 -06:00
freddygv
d6db67ef86 Fixup test 2021-04-08 11:53:07 -06:00
Daniel Nephin
5d21d4d77f
Merge pull request from hashicorp/dnephin/update-memberlist
Update memberlist to v0.2.3
2021-04-08 12:17:29 -04:00
freddygv
ab752c1c86 Avoid sending zero-value upstream defaults from api 2021-04-07 15:03:42 -06:00
R.B. Boyer
499fee73b3
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled ()
This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 13:19:59 -05:00
Daniel Nephin
46279547ec Update memberlist to v0.2.3
To pickup data race fixes
2021-03-24 18:20:19 -04:00
Seth Hoenig
cd1cd4febd api: enable query options on agent endpoints
This PR adds support for setting QueryOptions on a few agent API
endpoints. Nomad needs to be able to set the Namespace field on
these endpoints to:
 - query for services / checks in a namespace
 - deregister services / checks in a namespace
 - update TTL status on checks in a namespace
2021-03-19 13:08:26 -05:00
Freddy
8207b832df
Add TransparentProxy option to proxy definitions 2021-03-17 17:01:45 -06:00
Freddy
c664938bae
Add per-upstream configuration to service-defaults 2021-03-17 16:59:51 -06:00
Christopher Broglie
f0307c73e5 Add support for configuring TLS ServerName for health checks
Some TLS servers require SNI, but the Golang HTTP client doesn't
include it in the ClientHello when connecting to an IP address. This
change adds a new TLSServerName field to health check definitions to
optionally set it. This fixes .
2021-03-16 18:16:44 -04:00
freddygv
6090cfcf68 PR comments 2021-03-15 16:02:03 -06:00
freddygv
8b46d8dcbb Restore old Envoy prefix on escape hatches
This is done because after removing ID and NodeName from
ServiceConfigRequest we will no longer know whether a request coming in
is for a Consul client earlier than v1.10.
2021-03-15 14:12:57 -06:00
freddygv
41b2ba1e58 Add omitempty across the board for UpstreamConfig 2021-03-15 13:23:18 -06:00
Matt Keeler
30903db442
AutopilotServerHealth now handles the 429 status code ()
AutopilotServerHealthy now handles the 429 status code

Previously we would error out and not parse the response. Now either a 200 or 429 status code are considered expected statuses and will result in the method returning the reply allowing API consumers to not only see if the system is healthy or not but which server is unhealthy.
2021-03-12 09:40:49 -05:00
freddygv
23ffa3d3f3 And another test fix 2021-03-11 18:39:53 -07:00
Kyle Havlovitz
1e87c7183a
Merge pull request from hashicorp/ca-force-skip-xc
connect/ca: Allow ForceWithoutCrossSigning for all providers
2021-03-11 11:49:15 -08:00
freddygv
6fd30d0384 Add TransparentProxy opt to proxy definition 2021-03-11 11:37:21 -07:00
freddygv
e3dc2a49df Turn Limits and PassiveHealthChecks into pointers 2021-03-11 11:04:40 -07:00
freddygv
87cde19b4c Create new types for service-defaults upstream cfg 2021-03-08 22:10:27 -07:00
Mark Anderson
b9d22f48cd
Add fields to the /acl/auth-methods endpoint. ()
* A GET of the /acl/auth-method/:name endpoint returns the fields
MaxTokenTTL and TokenLocality, while a LIST (/acl/auth-methods) does
not.

The list command returns a filtered subset of the full set. This is
somewhat deliberate, so that secrets aren't shown, but the TTL and
Locality fields aren't (IMO) security critical, and it is useful for
the front end to be able to show them.

For consistency these changes mirror the 'omit empty' and string
representation choices made for the GET call.

This includes changes to the gRPC and API code in the client.

The new output looks similar to this
curl 'http://localhost:8500/v1/acl/auth-methods' | jq '.'

  {
    "MaxTokenTTL": "8m20s",
    "Name": "minikube-ttl-local2",
    "Type": "kubernetes",
    "Description": "minikube auth method",
    "TokenLocality": "local",
    "CreateIndex": 530,
    "ModifyIndex": 530,
    "Namespace": "default"
  }
]

Signed-off-by: Mark Anderson <manderson@hashicorp.com>

* Add changelog

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-02-17 08:16:57 -08:00
Kyle Havlovitz
7dac583863 connect/ca: Allow ForceWithoutCrossSigning for all providers
This allows setting ForceWithoutCrossSigning when reconfiguring the CA
for any provider, in order to forcibly move to a new root in cases where
the old provider isn't reachable or able to cross-sign for whatever
reason.
2021-01-29 13:38:11 -08:00
Conor Mongey
7a368bd2b6
Move header methods from config to client 2021-01-20 01:30:54 +00:00
Conor Mongey
eb65e59741
Only override headers if they're set 2021-01-20 01:12:19 +00:00
Conor Mongey
f647569b84
Prefer http.Header over map[string]string to allow for multi-valued headers 2021-01-20 01:12:19 +00:00
Conor Mongey
cdc8cd7b0e
Allow setting arbitrary headers in API client 2021-01-20 01:12:19 +00:00
Daniel Nephin
5a7f4c0dea
Merge pull request from hashicorp/dnephin/add-query-options-to-ServiceRegister
api: Add a context to ServiceRegisterOpts
2021-01-06 18:52:49 -05:00
Mike Morris
ab927d5480 Merge pull request from hashicorp/release/1.9.0
merge: release/1.9.0 back into 1.9.x
2020-11-24 17:36:47 -05:00
R.B. Boyer
7c7a3e5165
command: when generating envoy bootstrap configs use the datacenter returned from the agent services endpoint ()
Fixes 
2020-11-19 15:27:31 -06:00
Matt Keeler
66fd23d67f
Refactor to call non-voting servers read replicas ()
Co-authored-by: Kit Patella <kit@jepsen.io>
2020-11-17 10:53:57 -05:00
Freddy
fe728855ed
Add DC and NS support for Envoy metrics ()
This PR updates the tags that we generate for Envoy stats.

Several of these come with breaking changes, since we can't keep two stats prefixes for a filter.
2020-11-16 16:37:19 -07:00
Matt Keeler
7f87adbcf4
Remove this constant as it is soon to be changing and we want to prevent backwards compat issues () 2020-11-13 17:09:51 -05:00
R.B. Boyer
61eac21f1a
agent: return the default ACL policy to callers as a header ()
Header is: X-Consul-Default-ACL-Policy=<allow|deny>

This is of particular utility when fetching matching intentions, as the
fallthrough for a request that doesn't match any intentions is to
enforce using the default acl policy.
2020-11-12 10:38:32 -06:00
Matt Keeler
7ef9b04f90
Add a CLI command for retrieving the autopilot configuration. () 2020-11-11 13:19:02 -05:00
Matt Keeler
c048e86bb2
Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
R.B. Boyer
8baf158ea8
Revert "Add namespace support for metrics (OSS) ()" ()
This reverts commit 06b3b017d326853dbb53bc0ec08ce371265c5ce9.
2020-11-06 10:24:32 -06:00
Freddy
06b3b017d3
Add namespace support for metrics (OSS) () 2020-11-05 18:24:29 -07:00
R.B. Boyer
e113dc0fe2
upstream some differences from enterprise () 2020-10-09 09:42:53 -05:00
Matt Keeler
38f5ddce2a
Add per-agent reconnect timeouts ()
This allows for client agent to be run in a more stateless manner where they may be abruptly terminated and not expected to come back. If advertising a per-agent reconnect timeout using the advertise_reconnect_timeout configuration when that agent leaves, other agents will wait only that amount of time for the agent to come back before reaping it.

This has the advantageous side effect of causing servers to deregister the node/services/checks for that agent sooner than if the global reconnect_timeout was used.
2020-10-08 15:02:19 -04:00
R.B. Boyer
0c9177f6a5
api: unflake some intention-related api tests () 2020-10-07 13:32:53 -05:00
R.B. Boyer
1b413b0444
connect: support defining intentions using layer 7 criteria ()
Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
2020-10-06 17:09:13 -05:00
R.B. Boyer
a2a8e9c783
connect: intentions are now managed as a new config entry kind "service-intentions" ()
- Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older
copies of consul will not see new config entries it doesn't understand
replicate down.

- Add shim conversion code so that the old API/CLI method of interacting
with intentions will continue to work so long as none of these are
edited via config entry endpoints. Almost all of the read-only APIs will
continue to function indefinitely.

- Add new APIs that operate on individual intentions without IDs so that
the UI doesn't need to implement CAS operations.

- Add a new serf feature flag indicating support for
intentions-as-config-entries.

- The old line-item intentions way of interacting with the state store
will transparently flip between the legacy memdb table and the config
entry representations so that readers will never see a hiccup during
migration where the results are incomplete. It uses a piece of system
metadata to control the flip.

- The primary datacenter will begin migrating intentions into config
entries on startup once all servers in the datacenter are on a version
of Consul with the intentions-as-config-entries feature flag. When it is
complete the old state store representations will be cleared. We also
record a piece of system metadata indicating this has occurred. We use
this metadata to skip ALL of this code the next time the leader starts
up.

- The secondary datacenters continue to run the old intentions
replicator until all servers in the secondary DC and primary DC support
intentions-as-config-entries (via serf flag). Once this condition it met
the old intentions replicator ceases.

- The secondary datacenters replicate the new config entries as they are
migrated in the primary. When they detect that the primary has zeroed
it's old state store table it waits until all config entries up to that
point are replicated and then zeroes its own copy of the old state store
table. We also record a piece of system metadata indicating this has
occurred. We use this metadata to skip ALL of this code the next time
the leader starts up.
2020-10-06 13:24:05 -05:00
R.B. Boyer
d2eb27e0a3
api: support GetMeta() and GetNamespace() on all config entry kinds ()
Fixes 

Since I was updating the interface, i also added the missing `GetNamespace()`.

Depending upon how you look at it, this is a breaking change since it adds methods to the exported interface `api.ConfigEntry`. Given that you cannot define your own config entry kinds, and all of the machinery of the `api.Client` acts like a factory to construct the canned ones from the rest of the module, this feels like it's not a problematic change as it would only break someone who had reimplemented the `ConfigEntry` interface themselves for no apparent utility?
2020-09-29 09:11:57 -05:00
freddygv
7b9d1b41d5 Resolve conflicts against master 2020-09-11 18:41:58 -06:00
freddygv
768dbaa68d Add session flag to cookie config 2020-09-11 18:34:03 -06:00
freddygv
eab90ea9fa Revert EnvoyConfig nesting 2020-09-11 09:21:43 -06:00
Seth Hoenig
9fab3fe990
api: create fresh http client for unix sockets ()
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
2020-09-06 12:27:39 -04:00
Freddy
c9c9e4face
Make LockDelay configurable in api locks () 2020-09-04 13:38:26 -06:00
Daniel Nephin
d083d4717b api: Add a context to ServiceRegisterOpts
So that operations can timeout instead of hanging forever
2020-09-03 12:25:06 -04:00