Commit Graph

464 Commits

Author SHA1 Message Date
sarahalsmiller 6f31bfebbe
Update retryable-http-client to resolve CVE-2024-6104 (#21384)
* update retryable-http-client

* changelog
2024-07-02 10:12:13 -05:00
sarahalsmiller 2cdc387bd3
Bump Envoy Versions (#21277)
* update envoy versions

* add changelog

* update nightly integrations
2024-06-10 15:29:26 +00:00
Michael Zalimeni 9e23fa7840
[NET-9445] chore: update submodule versions (#21263)
chore: update submodule versions

- Update submodule versions that were released
- Add missing replace directive to troubleshoot submodule
2024-06-05 13:31:43 -04:00
Dan Stough cf1c030043
feat: update supported envoy to 1.29 (#21142) 2024-05-24 13:26:07 -04:00
R.B. Boyer 502346029d
test: remove v2 integration tests (#21056)
This removes any references to v2 integration tests from:

- envoy integration tests (test/integration/connect)
- container tests (test/integration/consul-container)
- deployer tests (test-integ)
2024-05-07 10:24:50 -05:00
Michael Zalimeni 86b0818c1f
[NET-8601] security: upgrade vault/api to remove go-jose.v2 (#20910)
security: upgrade vault/api to remove go-jose.v2

This dependency has an open vulnerability (GO-2024-2631), and is no
longer needed by the latest `vault/api`. This is a follow-up to the
upgrade of `go-jose/v3` in this repository to make all our dependencies
consolidate on v3.

Also remove the recently added security scan triage block for
GO-2024-2631, which was added due to incorrect reports that
`go-jose/v3@3.0.3` was impacted; in reality, is was this indirect
client dependency (not impacted by CVE) that the scanner was flagging. A
bug report has been filed to address the incorrect reporting.
2024-05-04 00:18:51 +00:00
Deniz Onur Duzgun 8209b3ff86
security: fine-tune release scanner and bump coredns (#21038)
* security: bump coredns

* add changelog

* Revert "security: bump coredns"

This reverts commit dcca09d83e89b6d5a4f03106e86d72a2b791001d.

* security: bump coredns

* fine-tune security scanner on release

* dismiss changelog
2024-05-03 15:09:40 -04:00
Michael Zalimeni 5eea0b6c76
test: force IPv4 on Docker 26+ to fix Envoy int tests (#20986)
As of Docker Engine 26.0.0 (https://github.com/moby/moby/pull/47062),
IPv6 is enabled by default where supported. This causes issues for our
tests attempting to resolve requests to other containers over
localhost, since on Linux IPv6 will be preferred over IPv4 when
available when applying the default behavior defined in RFC3484.

As a workaround, force IPv4 with a flag passed to `docker run`.
2024-04-17 19:49:33 +00:00
John Murret d261a987f1
update go-control-plane envoy dependency to 0.12.0 (#20973)
* update go-control-plane envoy dependency to 0.12.0

* add changelog

* go mod tidy

* fix linting issues

* add agent/grpc-internal to the list of SA1019 ignores
2024-04-10 01:23:04 +00:00
Deniz Onur Duzgun 3152ac3702
security: bump go, x/net and envoy versions (#20956)
* Bump go version

* Bump x/net

* Bump envoy version

* Add changelog

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2024-04-08 19:18:40 +00:00
Chris S. Kim f3f2175edd
Update go-jose library (#20888) 2024-03-22 10:54:58 -04:00
Michael Zalimeni d4761c0ccd
security: upgrade google.golang.org/protobuf to 1.33.0 (#20801)
Resolves CVE-2024-24786.
2024-03-06 23:04:42 +00:00
wangxinyi7 b1bd6ab91a
revert grpc to http (#20716)
* Revert "refactor the resource client (#20343)"

This reverts commit 3c5cb04b0f.

* Revert "clean up http client (#20342)"

This reverts commit 2b89025eab.

* remove deprecated peer

* fix the typo

* remove forwarding test as it tests grpc, should add it back
2024-02-23 12:27:49 -08:00
Nathan Coleman 2456fe5148
[NET-7657] Remove proto definitions for GatewayClass + GatewayClassConfig (#20523) 2024-02-07 16:53:39 -05:00
skpratt 57bad0df85
add traffic permissions excludes and tests (#20453)
* add traffic permissions tests

* review fixes

* Update internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go

Co-authored-by: John Landa <jonathanlanda@gmail.com>

---------

Co-authored-by: John Landa <jonathanlanda@gmail.com>
2024-02-07 20:21:44 +00:00
wangxinyi7 ab8f23478a
add more integration tests (#20479)
* add more integration tests
2024-02-06 11:00:59 -08:00
Derek Menteer 266f6548f9
Debug failing CICD tests (#20455)
Fix CICD test flakes by locking container socket.
2024-02-02 15:05:10 -06:00
wangxinyi7 fb2b696c0e
missing prefix / (#20447)
* missing prefix / and fix typos
2024-02-02 12:48:45 -08:00
Derek Menteer ba5cac434a
Use mirrored image for CICD tests. (#20378) 2024-01-29 10:22:34 -06:00
Derek Menteer e586a4490d
Fix CICD docker image rate limits. (#20304)
The docker image used in CICD was referencing `registry.k8s.io/pause:3.3`,
which appears to no longer function correctly. This commit swaps over to a
Hashicorp mirrored image that shouldn't have rate limits or disappearing
images.
2024-01-26 14:38:02 -06:00
John Landa 65920dccf4
move deny action to enterprise only for traffic permissions (#20313)
Add missing import

Add explicit enum case for deny action

Remove extra comments

Add build tags to ent and ce tests

Add copyright headers for the ce files

Fix case statements for ce validator

Remove ce tests with Deny traffic permissions

Fix more integration tests

Split more ce and ent tests, add back ent deny tests for traffic permissions controller

temp rename before rebase

Readd ent deny tests for traffic permissions controller
2024-01-24 13:01:22 -07:00
Lord-Y 758ddf84e9
Case sensitive route match (#19647)
Add case insensitive param on service route match

This commit adds in a new feature that allows service routers to specify that
paths and path prefixes should ignore upper / lower casing when matching URLs.

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
2024-01-22 09:23:24 -06:00
Nick Cellino fe678e9da1
Sync cluster attributes from GNM to Link resource (#20158)
* Add 'GetCluster' function to HCP client

* Sync cluster data inside Link controller

* Add access mode to HCP Link

* Sync AccessLevel property

* Fix imports and remove outdated comments

* Switch accessMode to access level

* Add comment around HCPClientFn

* Fix spacing in link.proto

* Add helper for writing status. Fix reconciliation loop
2024-01-19 10:02:55 -05:00
cskh cba3b25196
integ test: import missing changes from ent (#20187) 2024-01-12 13:27:36 -05:00
Matt Keeler 326c0ecfbe
In-Memory gRPC (#19942)
* Implement In-Process gRPC for use by controller caching/indexing

This replaces the pipe base listener implementation we were previously using. The new style CAN avoid cloning resources which our controller caching/indexing is taking advantage of to not duplicate resource objects in memory.

To maintain safety for controllers and for them to be able to modify data they get back from the cache and the resource service, the client they are presented in their runtime will be wrapped with an autogenerated client which clones request and response messages as they pass through the client.

Another sizable change in this PR is to consolidate how server specific gRPC services get registered and managed. Before this was in a bunch of different methods and it was difficult to track down how gRPC services were registered. Now its all in one place.

* Fix race in tests

* Ensure the resource service is registered to the multiplexed handler for forwarding from client agents

* Expose peer streaming on the internal handler
2024-01-12 11:54:07 -05:00
Manoj Srinivasamurthy fa6eb61f70
NET-6813: adding resolver default subset test in agentless upgrade test (#20046) 2024-01-10 21:25:50 +05:30
John Murret 0f3cc3d631
fix formatting issue in envoy bootstrapping. (#20036) 2023-12-21 15:18:11 -07:00
John Murret a19df32fa5
NET-6942 - Replace usage of deprecated Envoy field envoy.config.cluster.v3.Cluster.http_protocol_options. (#20010)
* NET-6942 - Replace usage of deprecated Envoy field envoy.config.cluster.v3.Cluster.http_protocol_options.

* add changelog
2023-12-21 15:41:05 -05:00
Michael Zalimeni fe10339caa
[NET-7009] security: update x/crypto to 0.17.0 (#20023)
security: update x/crypto to 0.17.0

This addresses CVE-2023-48795 (x/crypto/ssh).
2023-12-21 20:11:19 +00:00
John Murret a995505976
NET-6317 - update usage of deprecated fields: http2_protocol_options and access_log_path (#19940)
* updating usage of http2_protocol_options and access_log_path

* add changelog

* update template for AdminAccessLogConfig

* remove mucking with AdminAccessLogConfig
2023-12-14 13:08:53 -07:00
Matt Keeler 123bc95e1a
Add Common Controller Caching Infrastructure (#19767)
* Add Common Controller Caching Infrastructure
2023-12-13 10:06:39 -05:00
Matt Keeler d4fda945bb
Fix a test flake where a retry timer was being reused causing tests after the first to exit early (#19864)
Fix a test flake where a retry timer was being reused causing tests after the first to exit too early.
2023-12-08 11:31:59 -05:00
Matt Keeler efe279f802
Retry lint fixes (#19151)
* Add a make target to run lint-consul-retry on all the modules
* Cleanup sdk/testutil/retry
* Fix a bunch of retry.Run* usage to not use the outer testing.T
* Fix some more recent retry lint issues and pin to v1.4.0 of lint-consul-retry
* Fix codegen copywrite lint issues
* Don’t perform cleanup after each retry attempt by default.
* Use the common testutil.TestingTB interface in test-integ/tenancy
* Fix retry tests
* Update otel access logging extension test to perform requests within the retry block
2023-12-06 12:11:32 -05:00
aahel 649aa5655f
skip TestCatalogUpgrade for consul versions < 1.18.0 (#19811)
skip TestCatalogUpgrade for conul versions < 1.18.0
2023-12-04 18:27:36 +00:00
lornasong edf4610ed9
[Cloud][CC-6925] Updates to pushing server state (#19682)
* Upgrade hcp-sdk-go to latest version v0.73

Changes:
- go get github.com/hashicorp/hcp-sdk-go
- go mod tidy

* From upgrade: regenerate protobufs for upgrade from 1.30 to 1.31

Ran: `make proto`

Slack: https://hashicorp.slack.com/archives/C0253EQ5B40/p1701105418579429

* From upgrade: fix mock interface implementation

After upgrading, there is the following compile error:

cannot use &mockHCPCfg{} (value of type *mockHCPCfg) as "github.com/hashicorp/hcp-sdk-go/config".HCPConfig value in return statement: *mockHCPCfg does not implement "github.com/hashicorp/hcp-sdk-go/config".HCPConfig (missing method Logout)

Solution: update the mock to have the missing Logout method

* From upgrade: Lint: remove usage of deprecated req.ServerState.TLS

Due to upgrade, linting is erroring due to usage of a newly deprecated field

22:47:56 [consul]: make lint
--> Running golangci-lint (.)
agent/hcp/testing.go:157:24: SA1019: req.ServerState.TLS is deprecated: use server_tls.internal_rpc instead. (staticcheck)
                time.Until(time.Time(req.ServerState.TLS.CertExpiry)).Hours()/24,
                                     ^

* From upgrade: adjust oidc error message

From the upgrade, this test started failing:

=== FAIL: internal/go-sso/oidcauth TestOIDC_ClaimsFromAuthCode/failed_code_exchange (re-run 2) (0.01s)
    oidc_test.go:393: unexpected error: Provider login failed: Error exchanging oidc code: oauth2: "invalid_grant" "unexpected auth code"

Prior to the upgrade, the error returned was:
```
Provider login failed: Error exchanging oidc code: oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"unexpected auth code\"}\n
```

Now the error returned is as below and does not contain "cannot fetch token"
```
Provider login failed: Error exchanging oidc code: oauth2: "invalid_grant" "unexpected auth code"

```

* Update AgentPushServerState structs with new fields

HCP-side changes for the new fields are in:
https://github.com/hashicorp/cloud-global-network-manager-service/pull/1195/files

* Minor refactor for hcpServerStatus to abstract tlsInfo into struct

This will make it easier to set the same tls-info information to both
 - status.TLS (deprecated field)
 - status.ServerTLSMetadata (new field to use instead)

* Update hcpServerStatus to parse out information for new fields

Changes:
 - Improve error message and handling (encountered some issues and was confused)
 - Set new field TLSInfo.CertIssuer
 - Collect certificate authority metadata and set on TLSInfo.CertificateAuthorities
 - Set TLSInfo on both server.TLS and server.ServerTLSMetadata.InternalRPC

* Update serverStatusToHCP to convert new fields to GNM rpc

* Add changelog

* Feedback: connect.ParseCert, caCerts

* Feedback: refactor and unit test server status

* Feedback: test to use expected struct

* Feedback: certificate with intermediate

* Feedback: catch no leaf, remove expectedErr

* Feedback: update todos with jira ticket

* Feedback: mock tlsConfigurator
2023-12-04 10:25:18 -05:00
sarahalsmiller fd1d97c334
Add Kubebuilder tags to Gatewayclassconfig proto messages (#19725)
* add build tags/import k8s specific proto packages

* fix generated import paths

* fix gomod linting issue

* mod tidy every go mod file

* revert protobuff version, take care of in different pr

* cleaned up new lines

* added newline to end of file
2023-11-28 14:46:11 -06:00
cskh 04a3a3e8d0
Integ test (test/deployer): upgrade test with service mesh (#19658)
* Integ test (test/deployer): upgrade test with service mesh

* license
2023-11-15 19:32:37 -05:00
R.B. Boyer da8700f216
test: fix some multiport deployer bugs and remove a container test already handled by deployer tests (#19614) 2023-11-15 10:26:26 -06:00
cskh 4ab7adaf54
upgrade test: remove duplicate test case (#19643) 2023-11-15 10:18:25 -05:00
Matt Keeler a7774a9538
Introduce randomized timings and reproducible randomization into controller integration tests. (#19393)
As the V2 architecture hinges on eventual consistency and controllers reconciling the existing state in response to writes, there are potential issues we could run into regarding ordering and timing of operations. We want to be able to guarantee that given a set of resources the system will always eventually get to the desired correct state. The order of resource writes and delays in performing those writes should not alter the final outcome of reaching the desired state.

To that end, this commit introduces arbitrary randomized delays before performing resources writes into the `resourcetest.Client`. Its `PublishResources` method was already randomizing the order of resource writes. By default, no delay is added to normal writes and deletes but tests can opt-in via either passing hard coded options when creating the `resourcetest.Client` or using the `resourcetest.ConfigureTestCLIFlags` function to allow processing of CLI parameters.

In addition to allowing configurability of the request delay min and max, the client also has a configurable random number generator seed. When Using the CLI parameter helpers, a test log will be written noting the currently used settings. If the test fails then you can reproduce the same delays and order randomizations by providing the seed during the previous test failure.
2023-11-08 10:45:25 -05:00
Dan Stough 20f43d81bf
test: update certs for 10 year expiry (#19481) 2023-11-07 14:57:52 -05:00
cskh 38d94282ca
Ci upgrade test 1 17 (#19536)
CI: upgrade test from 1.17
2023-11-06 21:35:59 +00:00
R.B. Boyer 65592d91a8
chore: apply enterprise changes that were missed to some testing files (#19504)
This should align between CE ef35525 and ENT 7f95226dbe40151c8f17dd4464784b60cf358dc1 in:

- testing/integration/consul-container
- test-integ
- testing/deployer
2023-11-03 11:43:43 -05:00
Dan Stough fd128f4947
build: dependency updates for 1.17.0 (#19453) 2023-11-03 12:29:59 -04:00
Semir Patel ef35525cf1
resource: finalizer aware delete endpoint (2 of 5) (#19493)
resource: make delete endpoint finalizer aware
2023-11-03 10:10:58 -04:00
R.B. Boyer 4b85aa5a97
testing/deployer: support tproxy in v2 for dataplane (#19094)
This updates the testing/deployer (aka "topology test") framework to allow for a 
v2-oriented topology to opt services into enabling TransparentProxy. The restrictions 
are similar to that of #19046

The multiport Ports map that was added in #19046 was changed to allow for the 
protocol to be specified at this time, but for now the only supported protocol is TCP 
as only L4 functions currently on main.

As part of making transparent proxy work, the DNS server needed a new zonefile 
for responding to virtual.consul requests, since there is no Kubernetes DNS and 
the Consul DNS work for v2 has not happened yet. Once Consul DNS supports v2 we should switch over. For now the format of queries is:

<service>--<namespace>--<partition>.virtual.consul

Additionally:

- All transparent proxy enabled services are assigned a virtual ip in the 10.244.0/24
  range. This is something Consul will do in v2 at a later date, likely during 1.18.
- All services with exposed ports (non-mesh) are assigned a virtual port number for use
  with tproxy
- The consul-dataplane image has been made un-distroless, and gotten the necessary
  tools to execute consul connect redirect-traffic before running dataplane, thus simulating
  a kubernetes init container in plain docker.
2023-11-02 16:13:16 -05:00
Semir Patel aaac20f4a8
resource: misc finalizer apis (#19474) 2023-11-02 15:56:02 -05:00
R.B. Boyer a72f868218
testing/deployer: update deployer to use v2 catalog constructs when requested (#19046)
This updates the testing/deployer (aka "topology test") framework to conditionally 
configure and launch catalog constructs using v2 resources. This is controlled via a 
Version field on the Node construct in a topology.Config. This only functions for a 
dataplane type and has other restrictions that match the rest of v2 (no peering, no 
wanfed, no mesh gateways).

Like config entries, you can statically provide a set of initial resources to be synced 
when bringing up the cluster (beyond those that are generated for you such as 
workloads, services, etc).

If you want to author a test that can be freely converted between v1 and v2 then that 
is possible. If you switch to the multi-port definition on a topology.Service (aka 
"workload/instance") then that makes v1 ineligible.

This also adds a starter set of "on every PR" integration tests for single and multiport 
under test-integ/catalogv2
2023-11-02 14:25:48 -05:00
Derek Menteer 8f4c43727d
[NET-5916] Fix locality-aware routing config and tests (CE) (#19483)
Fix locality-aware routing config and tests
2023-11-02 14:05:06 -05:00
Semir Patel 815c52ac0d
Regen expired test certs (#19476) 2023-11-02 10:25:32 -05:00