Prior to the introduction of this configuration, grpc keepalive messages were
sent after 2 hours of inactivity on the stream. This posed issues in various
scenarios where the server-side xds connection balancing was unaware that envoy
instances were uncleanly killed / force-closed, since the connections would
only be cleaned up after ~5 minutes of TCP timeouts occurred. Setting this
config to a 30 second interval with a 20 second timeout ensures that at most,
it should take up to 50 seconds for a dead xds connection to be closed.
* Upgrading node to node 18
* Ensure we're on latest version of yarn as well
* add comma to make frontend tests run
* Use Node 18 Alpine image in UI build dockerfile
* delete package-lock.json
---------
Co-authored-by: wenincode <tyler.wendlandt@hashicorp.com>
Co-authored-by: Ella Cai <ella.y.cai@gmail.com>
Co-authored-by: Ella Cai <ella@hashicorp.com>
To properly enforce writes on resources that have workload selectors with prefixes, we need another service authorization rule that allows us to check whether read is allowed within a given prefix. Specifically we need to only allow writes if the policy prefix allows for a wider set of names than the prefix selector on the resource. We should also not allow policies with exact names for prefix matches.
Part of [NET-3993]
Ensure LB policy set for locality-aware routing (CE)
`overprovisioningFactor` should be overridden with the expected value
(100,000) when there are multiple endpoint groups. Update code and
tests to enforce this.
This is an Enterprise feature. This commit represents the CE portions of
the change; tests are added in the corresponding `consul-enterprise`
change.
When testing adding http probes to apps, I ran into some issues which I fixed here:
- The listener should be listening on the exposed listener port, updated that.
- The listener and route names were pointing to the path of the exposed path. In my test, the path was "/" resulting in an empty string path. Also, the path may not be unique across exposed path listeners, so I decided to use the path+exposed port as the unique identifier.
The control-plane-request-limit config entry does not support
specifying parameter names in snake case format.
This commit updates the HCL and JSON examples to use the supported
camel case key format.
* Upgrade @hashicorp/design-system-tokens to 1.9.0
* Upgrade @hashicorp/design-system-components to 1.8.1
* Upgrade @hashicorp/design-system-components and ember-in-viewport
* Explicitly install ember-modifier@4.1.0
* rename copy-button
* Fix how cleanup is done in with-copyable
* Update aria-menu modifier for new structure
* Update css-prop modifier to new structure
* Convert did-upsert to regular class modifier
* Update notification modifier for new structure
* Update on-oustside modifier for new structure
* Move destroy handler registration in with-copyable
* Update style modifier for new structure
* Update validate modifier for new structure
* Guard against setting on destroyed object
* Upgrade @hashicorp/design-system-components to 2.14.1
* Remove debugger
* Guard against null in aria-menu
* Fix undefined hash in validate addon
* Upgrade ember-on-resize-modifier
* Fix copy button import, missing import and array destructuring
---------
Co-authored-by: wenincode <tyler.wendlandt@hashicorp.com>
This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.
It refactors a lot of the common testing functions so that they can be re-used between resources.
There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.
This implements the Filter field on pbcatalog.WorkloadSelector to be
a post-fetch in-memory filter using the https://github.com/hashicorp/go-bexpr
expression language to filter resources based on their envelope metadata fields.
All existing usages of WorkloadSelector should be able to make use of the filter.