Commit Graph

20779 Commits

Author SHA1 Message Date
skpratt 202090e5d5
v2 explicit destination traffic permissions (#18823)
* workload identity boilerplate

* notes from discussion with Iryna

* WIP traffic permissions controller poc

* workload identity, traffic permissions validation, errors, types

* traffic permissions mapper framing, traffic permissions controller updates.

* more roughing out of the controller

* cleanup

* controller and mapper logic

* tests

* refactor mapper logic, add tests

* clean up tenancy and integration test stubs

* consolidate mapping

* cleanup cache leak, revert bimapper changes

* address review comments

* test fix and rebase

* use resource helper

---------

Co-authored-by: John Landa <john.landa@hashicorp.com>
2023-09-25 16:50:07 +00:00
cskh bd2fdb7f7d
grafana: fix a query metrics from ent and add consul version (#18998) 2023-09-25 12:41:13 -04:00
Tim Gross e5f5fc9301
api: add `CheckRegisterOpts` method to Agent API (#18943)
Ongoing work to support Nomad Workload Identity for authenticating with Consul
will mean that Nomad's service registration sync with Consul will want to use
Consul tokens scoped to individual workloads for registering services and
checks. The `CheckRegister` method in the API doesn't have an option to pass the
token in, which prevent us from sharing the same Consul connection for all
workloads. Add a `CheckRegisterOpts` to match the behavior of
`ServiceRegisterOpts`.
2023-09-25 08:25:02 -07:00
Tim Gross aedc03b7ae
api: add Token field to ServiceRegisterOpts (#18983)
Ongoing work to support Nomad Workload Identity for authenticating with Consul
will mean that Nomad's service registration sync with Consul will want to use
Consul tokens scoped to individual workloads for registering services and
checks. The `ServiceRegisterOpts` type in the API doesn't have an option to pass
the token in, which prevent us from sharing the same Consul connection for all
workloads. Add a `Token` field to match the behavior of `ServiceDeregisterOpts`.
2023-09-25 08:24:30 -07:00
Nitya Dhanushkodi 58d06175ab
docs: add changelog (#18994) 2023-09-25 10:46:51 -04:00
R.B. Boyer ca7533850c
mesh: update various protobuf comments for mesh types (#18993) 2023-09-22 18:41:49 -05:00
Iryna Shustava e6b724d062
catalog,mesh,auth: Move resource types to the proto-public module (#18935) 2023-09-22 15:50:56 -06:00
R.B. Boyer 9e48607893
mesh: compute more of the xRoute features into ComputedRoutes (#18980)
Convert more of the xRoutes features that were skipped in an earlier PR into ComputedRoutes and make them work:

- DestinationPolicy defaults
- more timeouts
- load balancer policy
- request/response header mutations
- urlrewrite
- GRPCRoute matches
2023-09-22 16:13:24 -05:00
Dhia Ayachi d3bb5ff21a
Add CLI support for json (#18991)
* add cli support for json format

* add tests for json parsing

* make owner and id pointers.

* add copyright header

* remove print

---------

Co-authored-by: Poonam Jadhav <poonam.jadhav@hashicorp.com>
2023-09-22 20:51:18 +00:00
R.B. Boyer 11d6b0df45
mesh: store bound reference pointers on a ComputedRoutes resource and use during reconcile (#18965)
xRoute resource types contain a slice of parentRefs to services that they 
manipulate traffic for. All xRoutes that have a parentRef to given Service 
will be merged together to generate a ComputedRoutes resource 
name-aligned with that Service.

This means that a write of an xRoute with 2 parent ref pointers will cause 
at most 2 reconciles for ComputedRoutes.

If that xRoute's list of parentRefs were ever to be reduced, or otherwise
 lose an item, that subsequent map event will only emit events for the current 
set of refs. The removed ref will not cause the generated ComputedRoutes 
related to that service to be re-reconciled to omit the influence of that xRoute.

To combat this, we will store on the ComputedRoutes resource a 
BoundResources []*pbresource.Reference field with references to all 
resources that were used to influence the generated output.

When the routes controller reconciles, it will use a bimapper to index this
 influence, and the dependency mappers for the xRoutes will look 
themselves up in that index to discover additional (former) ComputedRoutes
 that need to be notified as well.
2023-09-22 15:46:14 -05:00
Poonam Jadhav 4e77482e95
feat: remove resource api client from api module (#18984)
* feat: remove resource api client from api module

* fix: go mod clean up
2023-09-22 16:32:08 -04:00
Eric Haberkorn 4d6ff29392
Traffic Permissions Validations (#18907)
add TP validations and mutation and add CTP validations
2023-09-22 16:10:10 -04:00
R.B. Boyer 633c6c9458
mesh: add ACL checks for xRoute resources (#18926)
xRoute resources are not name-aligned with the Services they control. They
have a list of "parent ref" services that they alter traffic flow for, and they
contain a list of "backend ref" services that they direct that traffic to.

The ACLs should be:

- list: (default)
- read:
  - ALL service:<parent_ref_service>:read
- write:
  - ALL service:<parent_ref_service>:write
  - ALL service:<backend_ref_service>:read
2023-09-22 14:24:44 -05:00
R.B. Boyer 43a8dbb188
mesh: add ACL checks for DestinationPolicy resources (#18920)
DestinationPolicy resources are name-aligned with the Service they control.

The ACLs should be:

- list: (default)
- read: service:<resource_name>:read
- write: service:<resource_name>:write
2023-09-22 14:05:23 -05:00
R.B. Boyer 7688178ad2
peerstream: fix flaky test related to autopilot integration (#18979) 2023-09-22 13:12:00 -05:00
R.B. Boyer c814bb014e
remove now orphaned generated v1alpha1 pb.go files (#18982) 2023-09-22 12:56:27 -05:00
Ronald 20b86ce0c8
[Docs] Add note to jwt docs to specify the need for ACLs (#18942) 2023-09-22 13:19:57 -04:00
Iryna Shustava d88888ee8b
catalog,mesh,auth: Bump versions to v2beta1 (#18930) 2023-09-22 10:51:15 -06:00
R.B. Boyer de231bbbdd
catalog: fix for new method argument (#18978) 2023-09-22 10:42:16 -05:00
R.B. Boyer ec6189fd2f
catalog: add ACL checks for FailoverPolicy resources (#18919)
FailoverPolicy resources are name-aligned with the Service they control.
They also contain a list of possible failover destinations that are References
 to other Services.

The ACLs should be:

- list: (default)
- read: service:<resource_name>:read
- write: service:<resource_name>:write + service:<destination_name>:read (for any destination)
2023-09-22 09:59:14 -05:00
R.B. Boyer ef6f2494c7
resource: allow for the ACLs.Read hook to request the entire data payload to perform the authz check (#18925)
The ACLs.Read hook for a resource only allows for the identity of a 
resource to be passed in for use in authz consideration. For some 
resources we wish to allow for the current stored value to dictate how 
to enforce the ACLs (such as reading a list of applicable services from 
the payload and allowing service:read on any of them to control reading the enclosing resource).

This change update the interface to usually accept a *pbresource.ID, 
but if the hook decides it needs more data it returns a sentinel error 
and the resource service knows to defer the authz check until after
 fetching the data from storage.
2023-09-22 09:53:55 -05:00
Ashesh Vidyut 5b3ab2eaed
Fix docs for log file name changes (#18913)
* fix docs

* Update website/content/docs/agent/config/cli-flags.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Update website/content/docs/agent/config/cli-flags.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* Update website/content/docs/agent/config/cli-flags.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-09-22 19:22:35 +05:30
Derek Menteer eb7e20307c
[NET-5589] Add jitter to xds v2 leaf cert watches (#18940)
Add jitter to xds v2 leaf cert watches.
2023-09-22 08:00:10 -05:00
Semir Patel d2be7577b9
tenancy: split up tenancy `types.go` into CE version (#18966) 2023-09-22 07:33:15 -05:00
Nitya Dhanushkodi 0a11499588
net-5689 fix disabling panic threshold logic (#18958) 2023-09-21 15:52:30 -07:00
Blake Covarrubias 5d0edec01f
docs: Replace unicode quotes with ASCII quotes (#18950)
Replaces unicode quotation marks with ASCII quotation marks.

For code examples, this fixes HCL decoding errors that would otherwise
be raised when attempting to read the file.
2023-09-21 15:17:14 -07:00
Blake Covarrubias 4e1e18fe66
docs: Change heading to filename in CodeBlockConfig (#18951)
Change various CodeBlockConfig objects to use the `filename` attribute
instead of `heading` when the code block references a named file.
2023-09-21 15:16:29 -07:00
Matt Keeler 53fcc5d9a5
Add protoc generator to emit resource type variables (#18957)
The annotations include a little more data than is strictly necessary because we will also have a protoc generator for openapi output.
2023-09-21 17:18:47 -04:00
Chris S. Kim 565e79344f
Dump response body on fail (#18962) 2023-09-21 21:10:53 +00:00
Anita Akaeze f5985fedce
do not trigger integration tests (#18948) 2023-09-21 19:10:34 +00:00
Blake Covarrubias cc40e084bb
docs: Fix invalid JSON in code examples (#18932)
This commit fixes invalid JSON in various code examples.
2023-09-21 11:35:16 -07:00
Ronald 276c60a947
skip flaky test (#18949) 2023-09-21 14:25:12 -04:00
Eric Haberkorn f87ae3636c
Fix V2 Wildcard RBAC Regular Expressions (#18941)
fix wildcard rbac regular expressions
2023-09-21 13:53:49 -04:00
Curt Bushko bc142cd152
NET-4884 - Terminating gateway tests for namespaces & partitions (#18820)
* Add gateway test to CE
2023-09-21 10:25:27 -04:00
Derek Menteer d4ed3047f8
[NET-5589] Optimize leaf watch diff on xds controller. (#18921)
Optimize leaf watch diff on xds controller.
2023-09-21 08:11:20 -05:00
Ronald f463ebd569
Fix create dns token docs (#18927) 2023-09-21 08:33:24 -04:00
Anita Akaeze 1f941e48c1
Fix for loop in filter_changed_files_go_test script (#18931)
* iterate through array

* remove comment
2023-09-20 16:10:38 -07:00
John Murret 700d1bb37c
NET-5131 - support multiple ported upstreams tests (#18923)
* add multiple upstream ports to golden file test for destination builder

* NET-5131 - add unit tests for multiple ported upstreams

* fix merge conflicts
2023-09-20 16:14:08 -06:00
John Landa 9eaa8eb026
dns token (#17936)
* dns token

fix whitespace for docs and comments

fix test cases

fix test cases

remove tabs in help text

Add changelog

Peering dns test

Peering dns test

Partial implementation of Peered DNS test

Swap to new topology lib

expose dns port for integration tests on client

remove partial test implementation

remove extra port exposure

remove changelog from the ent pr

Add dns token to set-agent-token switch

Add enterprise golden file

Use builtin/dns template in tests

Update ent dns policy

Update ent dns template test

remove local gen certs

fix templated policy specs

* add changelog

* go mod tidy
2023-09-20 15:50:06 -06:00
Anita Akaeze 0236c48369
Update base ref property name (#18851)
* Update base ref property name

* Test skip ci (#18924)

test_push_merge

* cleanup test push code
2023-09-20 14:33:30 -07:00
Dhia Ayachi 341dc28ff9
Add namespace proto and registration (#18848)
* add namespace proto and registration

* fix proto generation

* add missing copywrite headers

* fix proto linter errors

* fix exports and Type export

* add mutate hook and more validation

* add more validation rules and tests

* Apply suggestions from code review

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* fix owner error and add test

* remove ACL for now

* add tests around space suffix prefix.

* only fait when ns and ap are default, add test for it

---------

Co-authored-by: Semir Patel <semir.patel@hashicorp.com>
2023-09-20 15:20:20 -04:00
John Maguire 9e3794ee48
Fix changelog order (#18918)
* Fix changelog order

* fix ordering or entries
2023-09-20 13:42:17 -04:00
R.B. Boyer d574473fd1
mesh: make FailoverPolicy work in xdsv2 and ProxyStateTemplate (#18900)
Ensure that configuring a FailoverPolicy for a service that is reachable via a xRoute or a direct upstream causes an envoy aggregate cluster to be created for the original cluster name, but with separate clusters for each one of the possible destinations.
2023-09-20 11:59:01 -05:00
Ronald c8299522b5
[NET-5332] Add nomad server templated policy (#18888)
* [NET-5332] Add nomad server templated policy

* slksfd
2023-09-20 12:10:55 -04:00
John Maguire 6533e70141
Added changelog entries for 1.14.10, 1.15.6, 1.16.2 (#18917) 2023-09-20 11:37:46 -04:00
Nitya Dhanushkodi 3a2e62053a
v2: various fixes to make K8s tproxy multiport acceptance tests and manual explicit upstreams (single port) tests pass (#18874)
Adding coauthors who mobbed/paired at various points throughout last week.
Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com>
2023-09-20 00:02:01 +00:00
Nick Ethier 1a3081ab32
agent/config: prevent startup if resource-apis experiment and cloud are enabled (#18876) 2023-09-19 19:50:45 -04:00
Blake Covarrubias 5d349cf6f3
docs: Add complete auth method payloads (#18849)
This commit modifies the example payloads for various auth methods to
remove 'other fields' and instead use complete example payloads.
2023-09-19 23:34:54 +00:00
R.B. Boyer 07d916e84f
resource: ensure resource.AuthorizerContext properly strips the local… (#18908)
resource: ensure resource.AuthorizerContext properly strips the local peer name
2023-09-19 17:14:15 -05:00
Blake Covarrubias 019c62e1ba
xds: Use downstream protocol when connecting to local app (#18573)
Configure Envoy to use the same HTTP protocol version used by the
downstream caller when forwarding requests to a local application that
is configured with the protocol set to either `http2` or `grpc`.

This allows upstream applications that support both HTTP/1.1 and
HTTP/2 on a single port to receive requests using either protocol. This
is beneficial when the application primarily communicates using HTTP/2,
but also needs to support HTTP/1.1, such as to respond to Kubernetes
HTTP readiness/liveness probes.

Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>
2023-09-19 14:32:28 -07:00