168 Commits

Author SHA1 Message Date
Semir Patel
0abd96c0d9
resource: resource service now checks for v2tenancy feature flag (#19400) 2023-10-27 08:55:02 -05:00
Poonam Jadhav
1806bcb38c
test: add missing tests for list endpoint (#19364) 2023-10-26 11:24:33 -04:00
Semir Patel
96606d114c
resource: default peername to local in list endpoints (#19340) 2023-10-23 16:30:47 -05:00
Dhia Ayachi
d5c9f11b59
Tenancy Bridge v2 (#19220)
* tenancy bridge v2 for v2 resources

* add missing copywrite headers
2023-10-20 14:49:54 -04:00
Semir Patel
ad177698f7
resource: enforce lowercase v2 resource names (#19218) 2023-10-16 12:55:30 -05:00
Iryna Shustava
105ebfdd00
catalog, mesh: implement missing ACL hooks (#19143)
This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.

It refactors a lot of the common testing functions so that they can be re-used between resources.

There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.
2023-10-13 23:16:26 +00:00
Dhia Ayachi
5fbf0c00d3
Add namespace read write tests (#19173) 2023-10-13 12:03:06 -04:00
Iryna Shustava
25283f0ec2
get-envoy-bootstrap-params: when v2 is enabled, use computed proxy configuration (#19175) 2023-10-12 14:01:36 -06:00
Semir Patel
830c4ea81c
v2tenancy: cluster scoped reads (#19082) 2023-10-10 13:30:23 -05:00
Chris S. Kim
92ce814693
Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
John Murret
d67e5c6e35
NET-5590 - authorization: check for identity:write in CA certs, xds server, and getting envoy bootstrap params (#19049)
* NET-5590 - authorization: check for identity:write in CA certs, xds server, and getting envoy bootstrap params

* gofmt file
2023-10-03 22:02:23 +00:00
Iryna Shustava
e6b724d062
catalog,mesh,auth: Move resource types to the proto-public module (#18935) 2023-09-22 15:50:56 -06:00
R.B. Boyer
7688178ad2
peerstream: fix flaky test related to autopilot integration (#18979) 2023-09-22 13:12:00 -05:00
Iryna Shustava
d88888ee8b
catalog,mesh,auth: Bump versions to v2beta1 (#18930) 2023-09-22 10:51:15 -06:00
R.B. Boyer
ef6f2494c7
resource: allow for the ACLs.Read hook to request the entire data payload to perform the authz check (#18925)
The ACLs.Read hook for a resource only allows for the identity of a 
resource to be passed in for use in authz consideration. For some 
resources we wish to allow for the current stored value to dictate how 
to enforce the ACLs (such as reading a list of applicable services from 
the payload and allowing service:read on any of them to control reading the enclosing resource).

This change update the interface to usually accept a *pbresource.ID, 
but if the hook decides it needs more data it returns a sentinel error 
and the resource service knows to defer the authz check until after
 fetching the data from storage.
2023-09-22 09:53:55 -05:00
Nitya Dhanushkodi
3a2e62053a
v2: various fixes to make K8s tproxy multiport acceptance tests and manual explicit upstreams (single port) tests pass (#18874)
Adding coauthors who mobbed/paired at various points throughout last week.
Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com>
2023-09-20 00:02:01 +00:00
Semir Patel
62796a1454
resource: mutate and validate before acls on write (#18868) 2023-09-18 17:04:29 -05:00
Dhia Ayachi
4435e4a420
add v2 tenancy bridge Flag and v2 Tenancy Bridge initial implementation (#18830)
* add v2 tenancy bridge and a feature flag for v2 tenancy

* move tenancy bridge v2 under resource package
2023-09-18 12:25:05 -04:00
skpratt
1fda2965e8
Allow empty data writes for resources (#18819)
* allow nil data writes for resources

* update demo to test valid type with no data
2023-09-15 14:00:23 -05:00
Semir Patel
d3dad14030
resource: default peername to "local" for now (#18822) 2023-09-15 09:34:18 -05:00
Iryna Shustava
4eb2197e82
dataplane: Allow getting bootstrap parameters when using V2 APIs (#18504)
This PR enables the GetEnvoyBootstrapParams endpoint to construct envoy bootstrap parameters from v2 catalog and mesh resources.

   * Make bootstrap request and response parameters less specific to services so that we can re-use them for workloads or service instances.
   * Remove ServiceKind from bootstrap params response. This value was unused previously and is not needed for V2.
   * Make access logs generation generic so that we can generate them using v1 or v2 resources.
2023-09-06 16:46:25 -06:00
Semir Patel
b96cff7436
resource: Require scope for resource registration (#18635) 2023-09-01 09:44:53 -05:00
Semir Patel
7b9e243297
resource: Allow nil tenancy (#18618) 2023-08-31 09:24:09 -05:00
Semir Patel
2225bf0550
resource: Make resource writestatus tenancy aware (#18577) 2023-08-24 19:18:47 +00:00
Semir Patel
067a0112e2
resource: Make resource listbyowner tenancy aware (#18566) 2023-08-24 10:49:46 -05:00
Semir Patel
53e28a4963
OSS -> CE (community edition) changes (#18517) 2023-08-22 09:46:03 -05:00
Semir Patel
6d22179625
resource: Make resource watchlist tenancy aware (#18539) 2023-08-21 15:02:23 -05:00
Semir Patel
e6c1c479b7
resource: Make resource delete tenancy aware (#18476)
resource: Make resource delete tenancy awarae
2023-08-16 11:44:10 -05:00
Semir Patel
217107f627
resource: Make resource list tenancy aware (#18475) 2023-08-15 16:57:59 -05:00
hashicorp-copywrite[bot]
5fb9df1640
[COMPLIANCE] License changes (#18443)
* Adding explicit MPL license for sub-package

This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.

* Adding explicit MPL license for sub-package

This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.

* Updating the license from MPL to Business Source License

Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl.

* add missing license headers

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

---------

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-08-11 09:12:13 -04:00
Semir Patel
bee12c6b1f
resource: Make resource write tenancy aware (#18423) 2023-08-10 09:53:38 -05:00
Semir Patel
63cc037110
resource: Make resource read tenancy aware (#18397) 2023-08-07 16:37:03 -05:00
wangxinyi7
1f28ac2664
expose grpc as http endpoint (#18221)
expose resource grpc endpoints as http endpoints
2023-08-04 11:27:48 -07:00
Semir Patel
ada767fc9f
resource: Pass resource to Write ACL hook instead of just resource Id [NET-4908] (#18192) 2023-07-20 12:06:29 -05:00
Semir Patel
003370ded0
Call resource mutate hook before validate hook (NET-4907) (#18178) 2023-07-19 13:10:57 -05:00
Dan Upton
b117eb0126
resource: enforce consistent naming of resource types (#17611)
For consistency, resource type names must follow these rules:

- `Group` must be snake case, and in most cases a single word.
- `GroupVersion` must be lowercase, start with a "v" and end with a number.
- `Kind` must be pascal case.

These were chosen because they map to our protobuf type naming
conventions.
2023-06-26 13:25:14 +01:00
R.B. Boyer
820cdf53da
fix some testing.T retry.R mixups (#17600)
Fix some linter warnings before updating the lint-consul-retry code in hashicorp/lint-consul-retry#4
2023-06-07 13:53:27 -05:00
skpratt
a35cafa728
update tests for fips (#17592) 2023-06-07 10:57:56 -05:00
skpratt
a065eef3ef
add FIPS to dataplane features (#17522) 2023-05-31 10:53:37 -05:00
Derek Menteer
e2f15cfe56
Fix namespaced peer service updates / deletes. (#17456)
* Fix namespaced peer service updates / deletes.

This change fixes a function so that namespaced services are
correctly queried when handling updates / deletes. Prior to this
change, some peered services would not correctly be un-exported.

* Add changelog.
2023-05-24 16:32:45 -05:00
R.B. Boyer
e00280e7df
prototest: fix early return condition in AssertElementsMatch (#17416) 2023-05-22 13:49:50 -05:00
Matt Keeler
93bad3ea1b
Allow resource updates to omit an owner refs UID (#17423)
This change enables workflows where you are reapplying a resource that should have an owner ref to publish modifications to the resources data without performing a read to figure out the current owner resource incarnations UID.

Basically we want workflows similar to `kubectl apply` or `consul config write` to be able to work seamlessly even for owned resources.

In these cases the users intention is to have the resource owned by the “current” incarnation of the owner resource.
2023-05-22 10:44:49 -04:00
R.B. Boyer
21c6e0e8e6
fix two typos (#17389) 2023-05-17 08:50:26 -07:00
Semir Patel
abeccb4c76
Support update resource with change in GroupVersion (#17330) 2023-05-15 09:42:01 -05:00
Dan Upton
0a38fc1a2a
resource: handle ErrWatchClosed in WatchList endpoint (#17289) 2023-05-15 12:35:10 +01:00
Eric Haberkorn
8bb16567cd
sidecar-proxy refactor (#17328) 2023-05-12 16:49:42 -04:00
Dan Upton
5030101cdb
resource: add missing validation to the List and WatchList endpoints (#17213) 2023-05-10 10:38:48 +01:00
Semir Patel
40eefaba18
Reaper controller for cascading deletes of owner resources (#17256) 2023-05-09 13:57:40 -05:00
Dan Upton
d53a1d4a27
resource: add helpers for more efficiently comparing IDs etc (#17224) 2023-05-09 19:02:24 +01:00
Derek Menteer
50ef6a697e
Fix issue with peer stream node cleanup. (#17235)
Fix issue with peer stream node cleanup.

This commit encompasses a few problems that are closely related due to their
proximity in the code.

1. The peerstream utilizes node IDs in several locations to determine which
nodes / services / checks should be cleaned up or created. While VM deployments
with agents will likely always have a node ID, agentless uses synthetic nodes
and does not populate the field. This means that for consul-k8s deployments, all
services were likely bundled together into the same synthetic node in some code
paths (but not all), resulting in strange behavior. The Node.Node field should
be used instead as a unique identifier, as it should always be populated.

2. The peerstream cleanup process for unused nodes uses an incorrect query for
node deregistration. This query is NOT namespace aware and results in the node
(and corresponding services) being deregistered prematurely whenever it has zero
default-namespace services and 1+ non-default-namespace services registered on
it. This issue is tricky to find due to the incorrect logic mentioned in #1,
combined with the fact that the affected services must be co-located on the same
node as the currently deregistering service for this to be encountered.

3. The stream tracker did not understand differences between services in
different namespaces and could therefore report incorrect numbers. It was
updated to utilize the full service name to avoid conflicts and return proper
results.
2023-05-08 13:13:25 -05:00