Commit Graph

20637 Commits

Author SHA1 Message Date
John Maguire 7a323c492b
[NET-5457] Golden Files for Multiple Virtual Hosts (#19131)
* Add new golden file tests

* Update with latest deterministic code
2023-10-11 18:11:29 +00:00
trujillo-adam ca1a755f0c
fix broken link (#19140) 2023-10-11 17:14:34 +00:00
R.B. Boyer 5146810acc
cli: do not hide the resource HCL parsing error and replace it with a JSON error (#19107)
We serially attempt to decode resources in the consul resource apply command
using HCL and then falling back on JSON. This causes the HCL errors to be 
dropped completely in the case where the HCL decode failed due to a typo 
instead of it actually being JSON instead.

This PR proposes sniffing to see if the first non-whitespace character in the 
input is { and if so treat it as JSON, otherwise as HCL and not 
double-decode on error.
2023-10-11 11:37:50 -05:00
John Murret 6cbd417f29
NET-5822 - Add default outbound router in TProxy (#19087)
* NET-5822 - Add default outbound router in TProxy

* fixing connection timeout to be 5 s instead of 10 seconds
2023-10-11 10:31:45 -06:00
R.B. Boyer b9ab63c55d
server: when the v2 catalog experiment is enabled reject api and rpc requests that are for the v1 catalog (#19129)
When the v2 catalog experiment is enabled the old v1 catalog apis will be
forcibly disabled at both the API (json) layer and the RPC (msgpack) layer.
This will also disable anti-entropy as it uses the v1 api.

This includes all of /v1/catalog/*, /v1/health/*, most of /v1/agent/*,
/v1/config/*, and most of /v1/internal/*.
2023-10-11 10:44:03 -05:00
Dhia Ayachi ab1e08f1a4
fix flaking container tests (#19134) 2023-10-11 11:26:07 -04:00
Tu Nguyen 1b35c81834
Add 1.17 release notes (#19135)
add 1.17 release notes
2023-10-11 15:11:41 +00:00
Jeff Boruszak d6b61da988
docs: Multi-port and catalog changes (#19050)
* Page creation + nav listing

* Overview page

* Updated end-to-end configuration

* Nav error fix

* Edits

* Fixes

* Background/catalog explanation updates

* updates

* Updates

* Typo fix

* Additional method

* additional fixes

* Apply suggestions from code review

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Code review and other fixes

* "similar to" fix

* Apply suggestions from code review

Co-authored-by: Dan Stough <dan.stough@hashicorp.com>

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
2023-10-10 16:44:36 -07:00
Iryna Shustava c35df12c95
mesh: Add ComputedProxyConfiguration and a controller that computes it. (#19043)
* Introduce a new type `ComputedProxyConfiguration` and add a controller for it. This is needed for two reasons. The first one is that external integrations like kubernetes may need to read the fully computed and sorted proxy configuration per workload. The second reasons is that it makes sidecar-proxy controller logic quite a bit simpler as it no longer needs to do this.
* Generalize workload selection mapper and fix a bug where it would delete IDs from the tree if only one is left after a removal is done.
2023-10-10 17:34:53 -06:00
Jeff Boruszak 679b0f650f
docs: Sameness groups GA (#19103)
* New page creation

* Initial DNS edits

* IncludeLocal added

* Beta callout removal

* Create group page updates

* K8s page edits

* Failover usage intro

* sameness grop failover task

* Upstreams and DNS for VMs and K8s

* Additional failover and links

* <Tab> corrections

* HCP Consul Central edit

* Update website/content/docs/connect/cluster-peering/usage/create-sameness-groups.mdx

* Suggestions from review

* path update in links

* conflict fix

* nav fix

* Apply suggestions from code review

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-10-10 16:20:36 -07:00
trujillo-adam 78938c163a
Docs/api-gw-jwts-openshift-1-17-x (#19035)
* update main apigw overview

* moved the tech specs to main gw folder

* merged tech specs into single topic

* restructure nav part 1

* fix typo in nav json file

* moved k8s install up one level

* restructure nav part 2

* moved and created all listeners and routes content

* moved errors ref and upgrades

* fix error in upgrade-k8s link

* moved conf refs to appropriate spots

* updated conf overview

* fixed some links and bad formatting

* fixed link

* added JWT on VMs usage page

* added JWT conf to APIGW conf entry

* added JWTs to HTTP route conf entry

* added new gatwaypolicy k8s conf reference

* added metadesc for gatewaypolicy conf ref

* added http route auth filter k8s conf ref

* added http route auth filter k8s conf ref to nav

* updates to k8s route conf ref to include extensionRef

* added JWTs usage page for k8s

* fixed link in gwpolicy conf ref

* added openshift installation info to installation pages

* fixed bad link on tech specs

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* fixed VerityClaims param

* best guess at verifyclaims params

* tweaks to gateway policy dconf ref

* Docs/ce 475 retries timeouts for apigw (#19086)

* added timeout and retry conf ref for k8s

* added retry and TO filters to HTTP routes conf ref for VMs

* Apply suggestions from code review

Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* fix copy/paste error in http route conf entry

---------

Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* update links across site and add redirects

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Applied feedback from review

* Apply suggestions from code review

* Apply suggestions from code review

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* Update CRD configuration for responseHeaderModifiers

* Update Config Entry for http-route

* Add ResponseFilter example to service

* Update website/redirects.js

errant curly brace breaking the preview

* fix links and bad MD

* fixed md formatting issues

* fix formatting errors

* fix formatting errors

* Update website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx

* Apply suggestions from code review

* fixed typo

* Fix headers in http-route

* Apply suggestions from code review

Co-authored-by: John Maguire <john.maguire@hashicorp.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: John Maguire <john.maguire@hashicorp.com>
2023-10-10 13:29:55 -07:00
John Maguire 8bebfc147d
[NET-5457] Fix CE code for jwt multiple virtual hosts bug (#19123)
* Fix CE code for jwt multiple virtual hosts bug

* Fix struct definition

* fix bug with always appending route to jwt config

* Update comment to be correct

* Update comment
2023-10-10 16:25:36 -04:00
Semir Patel 830c4ea81c
v2tenancy: cluster scoped reads (#19082) 2023-10-10 13:30:23 -05:00
Dhia Ayachi 226590541c
Activate verifier when running WAL with experimental features (#19102)
* activate verifier when running WAL with experimental features

* only change verifier parameters if it's disabled (default value)
2023-10-10 14:14:20 -04:00
Chris S. Kim 92ce814693
Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
Chris Thain dcdf2fc6ba
Update Vault CA provider namespace configuration (#19095) 2023-10-10 13:53:00 +00:00
Chris S. Kim d6200faefb
Minor update to ratelimit wording (#19106) 2023-10-10 09:24:14 -04:00
Ashesh Vidyut b9314de14f
Stop windows integration tests (#19118)
stop windows integration tests
2023-10-09 17:11:10 +05:30
Ashesh Vidyut a30ccdf5dc
NET-4135 - Fix NodeMeta filtering Catalog List Services API (#18322)
* logs for debugging

* Init

* white spaces fix

* added change log

* Fix tests

* fix typo

* using queryoptionfilter to populate args.filter

* tests

* fix test

* fix tests

* fix tests

* fix tests

* fix tests

* fix variable name

* fix tests

* fix tests

* fix tests

* Update .changelog/18322.txt

Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* fix change log

* address nits

* removed unused line

* doing join only when filter has nodemeta

* fix tests

* fix tests

* Update agent/consul/catalog_endpoint.go

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* fix tests

* removed unwanted code

---------

Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2023-10-08 12:48:31 +00:00
Matt Keeler 4713317457
protohcl: allow attribute syntax for all map fields (#19108) 2023-10-06 19:07:08 -04:00
trujillo-adam a9747dc38c
Docs/ce 470 locality aware (#19071)
* updated nav; renamed L7 traffic folder

* Added locality-aware routing to traffic mgmt overview

* Added route to local upstreams topic

* Updated agent configuration reference

* Added locality param to services conf ref

* Added locality param to conf entries

* mentioned traffic management in proxies overview

* added locality-aware to failover overview

* added docs for service rate limiting

* updated service defaults conf entry

* Apply suggestions from code review

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* updated links and added redirects

---------

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-10-06 12:48:05 -07:00
Derek Menteer af3439b53d
Ensure that upstream configuration is properly normalized. (#19076)
This PR fixes an issue where upstreams did not correctly inherit the proper
namespace / partition from the parent service when attempting to fetch the
upstream protocol due to inconsistent normalization.

Some of the merge-service-configuration logic would normalize to default, while
some of the proxycfg logic would normalize to match the parent service. Due to
this mismatch in logic, an incorrect service-defaults configuration entry would
be fetched and have its protocol applied to the upstream.
2023-10-06 13:59:47 -05:00
Eric Haberkorn ad3aab1ef7
Add traffic permissions integration tests. (#19008)
Add traffic permissions integration tests.
2023-10-06 12:06:12 -04:00
Dhia Ayachi ed882e2522
Make raft-wal default when `resource-apis` is active (#19090)
Make raft-wal default when v2 catalog experiment is on
2023-10-06 10:24:21 -04:00
David Yu 677e16a830
Replace `hub` with `gh` for member roles on JIRA sync checks (#19089)
Update jira-pr.yaml

Change from `hub` to `gh` for checking member roles
2023-10-05 15:56:20 -07:00
R.B. Boyer 754ab9abf2
mesh: ensure we add the virtual port number for L7 implicit upstreams (#19085) 2023-10-05 17:07:41 -05:00
Thomas Eckert 342306c312
Allow connections through Terminating Gateways from peered clusters NET-3463 (#18959)
* Add InboundPeerTrustBundle maps to Terminating Gateway

* Add notify and cancelation of watch for inbound peer trust bundles

* Pass peer trust bundles to the RBAC creation function

* Regenerate Golden Files

* add changelog, also adds another spot that needed peeredTrustBundles

* Add basic test for terminating gateway with peer trust bundle

* Add intention to cluster peered golden test

* rerun codegen

* update changelog

* really update the changelog

---------

Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>
2023-10-05 21:54:23 +00:00
Chris S. Kim aa526db225
Retry flaky tests (#19088) 2023-10-05 21:27:28 +00:00
Chris S. Kim ad26494016
[CE] Add workload bind type and templated policy (#19077) 2023-10-05 19:45:41 +00:00
Chris S. Kim ca4ff6ba1d
Bump up compatibility test runner (#19081) 2023-10-05 13:02:12 -04:00
cskh 079c9d6927
docs: clarify the requriment for cross-partition network (#19052) 2023-10-05 15:19:15 +00:00
trujillo-adam 788c58699e
Docs/ce 477 dataplanes on ecs (#19010)
* updated architecture topic

* fixed type in arch diagram filenames

* fixed path to img file

* updated index page - still need to add links

* moved arch and tech specs to reference folder

* moved other ref topics to ref folder

* set up the Deploy folder and TF install topics

* merged secure conf into TF deploy instructions

* moved bind addr and route conf to their own topics

* moved arch and tech specs back to main folder

* update migrate-existing-tasks content

* merged manual deploy content; added serv conf ref

* fixed links

* added procedure for upgrading to dataplanes

* fixed linked reported by checker

* added updates to dataplanes overview page

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* updated links and added redirects

* removed old architecture content

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
2023-10-05 07:33:44 -07:00
Ashesh Vidyut af9a486fdc
Fixes docs of Consul Debug - Adds info about Since Flag (#19056)
fix docs
2023-10-05 11:05:18 +05:30
Valeriia Ruban 344f4638bb
chor: update rule to run frontend github tasks when changes are made … (#19053) 2023-10-04 13:15:12 -07:00
Chris S. Kim cf9e1b6158
Add upgrade warnings (#19061) 2023-10-04 16:10:19 -04:00
Eric Haberkorn 9656fd157f
Fix Explicit Destination Integration Test (#19060)
fix explicit destination integration test
2023-10-04 12:52:12 -04:00
Chris S. Kim 1a9666c49d
Remove parallel flag (#19057) 2023-10-04 08:47:47 -07:00
Chris S. Kim b43cde5d19
Add workload identity hooks (#19045) 2023-10-04 14:24:32 +00:00
Eric Haberkorn f2b7b4591a
Fix Traffic Permissions Default Deny (#19028)
Whenver a traffic permission exists for a given workload identity, turn on default deny.

Previously, this was only working at the port level.
2023-10-04 09:58:28 -04:00
John Murret d67e5c6e35
NET-5590 - authorization: check for identity:write in CA certs, xds server, and getting envoy bootstrap params (#19049)
* NET-5590 - authorization: check for identity:write in CA certs, xds server, and getting envoy bootstrap params

* gofmt file
2023-10-03 22:02:23 +00:00
Chris S. Kim 41e6f6cd8b
Reduce number of ports that consul test agents take (#19047) 2023-10-03 18:57:53 +00:00
R.B. Boyer df930a59ac
chore: fix ce/ent drift in sdk and testing/deployer submodules (#19041) 2023-10-03 10:06:50 -05:00
Poonam Jadhav 6c92dd1359
NET-5600/container-test-acl-enabled (#18887)
* feat: add container tests for resource http api with acl enabled

* refactor: clean up
2023-10-03 10:55:31 -04:00
sarahalsmiller 9addd9ed7c
[NET-5788] Fix needed for JWTAuth in Consul Enterprise (#19038)
change needed for fix in consul-enterprise
2023-10-03 09:48:50 -05:00
Chris S. Kim 2467660ab2
Remove explicit -p from CI tests (#18999) 2023-10-03 10:11:47 -04:00
cskh a62cfd997b
docs: fix the description of meshgateway.mode=local in peering doc (#19042)
docs: fix the description of meshgateway=local in peering doc
2023-10-02 19:12:15 -04:00
skpratt 21ea527089
TrafficPermissions: add ACL hooks (#19023)
* add ACL hooks

* add hooks for CTPs
2023-10-02 15:24:19 -05:00
Nitya Dhanushkodi 9a48266712
remove log (#19029) 2023-09-29 16:11:50 -07:00
Chris Thain 5e45db18b7
Include RequestTimeout in marshal/unmarshal of ServiceResolverConfigE… (#19031) 2023-09-29 10:39:46 -07:00
Eric Haberkorn 7ce6ebaeb3
Handle Traffic Permissions With Empty Sources Properly (#19024)
Fix issues with empty sources

* Validate that each permission on traffic permissions resources has at least one source.
* Don't construct RBAC policies when there aren't any principals. This resulted in Envoy rejecting xDS updates with a validation error.

```
error=
  | rpc error: code = Internal desc = Error adding/updating listener(s) public_listener: Proto constraint validation failed (RBACValidationError.Rules: embedded message failed validation | caused by RBACValidationError.Policies[consul-intentions-layer4-1]: embedded message failed validation | caused by PolicyValidationError.Principals: value must contain at least 1 item(s)): rules {
```
2023-09-28 15:11:59 -04:00