Commit Graph

19826 Commits

Author SHA1 Message Date
R.B. Boyer 5af94fb2a0
connect: use -dev-no-store-token for test vaults to reduce source of flakes (#15691)
It turns out that by default the dev mode vault server will attempt to interact with the
filesystem to store the provided root token. If multiple vault instances are running
they'll all awkwardly share the filesystem and if timing results in one server stopping
while another one is starting then the starting one will error with:

    Error initializing Dev mode: rename /home/circleci/.vault-token.tmp /home/circleci/.vault-token: no such file or directory

This change uses `-dev-no-store-token` to bypass that source of flakes. Also the
stdout/stderr from the vault process is included if the test fails.

The introduction of more `t.Parallel` use in https://github.com/hashicorp/consul/pull/15669
increased the likelihood of this failure, but any of the tests with multiple vaults in use
(or running multiple package tests in parallel that all use vault) were eventually going
to flake on this.
2022-12-06 13:15:13 -06:00
R.B. Boyer 900584ca82
connect: ensure all vault connect CA tests use limited privilege tokens (#15669)
All of the current integration tests where Vault is the Connect CA now use non-root tokens for the test. This helps us detect privilege changes in the vault model so we can keep our guides up to date.

One larger change was that the RenewIntermediate function got refactored slightly so it could be used from a test, rather than the large duplicated function we were testing in a test which seemed error prone.
2022-12-06 10:06:36 -06:00
R.B. Boyer 4940a728ab
Detect Vault 1.11+ import in secondary datacenters and update default issuer (#15661)
The fix outlined and merged in #15253 fixed the issue as it occurs in the primary
DC. There is a similar issue that arises when vault is used as the Connect CA in a
secondary datacenter that is fixed by this PR.

Additionally: this PR adds support to run the existing suite of vault related integration
tests against the last 4 versions of vault (1.9, 1.10, 1.11, 1.12)
2022-12-05 15:39:21 -06:00
Curt Bushko 95bcfd207d
Update consul-k8s docs based on the consul-k8s release/1.0.x branch (#15678) 2022-12-05 13:20:14 -08:00
David Yu 98cbf341ae
docs: Update Consul K8s CRDs (#15675) 2022-12-05 13:06:02 -08:00
Jeff Boruszak d16a9dc409
docs: Agentless performance clarifications (#15671)
* Requested changes
2022-12-05 12:43:15 -08:00
Chris S. Kim c046d1a4d8
Add warn log when all ACL policies are filtered out (#15632) 2022-12-05 11:26:10 -05:00
Evan Culver 692a6fdecf
Fix broken link to Consul Dataplane index (#15660)
The `/index` appears to result in a 404.
2022-12-03 10:17:06 -08:00
Jared Kirschner 66e28f35f1
docs: clarify Vault CA provider permissions needed (#15478) 2022-12-03 09:17:33 -05:00
Jared Kirschner 5efdd8bb91
Clarify Vault CA changelog entry (#15662) 2022-12-02 20:16:49 -05:00
James Oulman 2da843818c
docs: fix agent catalog-services caching method (#15645)
* docs: fix agent catalog-services caching method
2022-12-02 18:42:49 +00:00
Dao Thanh Tung b890c40ce4
Fixing CLI ACL token processing unexpected precedence (#15274)
* Fixing CLI ACL token processing unexpected precedence

* Minor flow format and add Changelog

* Fixed failed tests and improve error logging message

* Add unit test cases and minor changes from code review

* Unset env var once the test case finishes running

* remove label FINISH
2022-12-02 12:19:52 -05:00
am-ak d73871b5a2
docs: Correct a typo in checks.mdx (#15426)
* Update checks.mdx

Correcting a typo under  `UDP + Interval`

* Update website/content/docs/discovery/checks.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-12-02 08:22:32 -08:00
skpratt 06880bd51f
update docs for exp v2 licensing changes (#15563) 2022-12-01 11:30:29 -06:00
Chris S. Kim 10349bd84b
clean up go.mod (#15638) 2022-12-01 16:24:35 +00:00
cskh 36f05bc8fb
integ-test: test consul upgrade from the snapshot of a running cluster (#15595)
* integ-test: test consul upgrade from the snapshot of a running cluster

* use Target version as default


Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
2022-12-01 10:39:09 -05:00
Dan Stough 227fd14287
chore: updates from 1.14.2 release (#15633)
* chore: updates from 1.14.2 release
2022-11-30 22:15:58 -05:00
David Yu 7a1ce08861
CHANGELOG: add alpn config for ingress and connect proxy (#15613) 2022-11-30 15:47:52 -08:00
David Yu 62e5c65e59
docs: fix typos helm install (#15625)
* fix typos helm install and small compat matrix change related to host ports not required any longer
2022-11-30 12:36:40 -08:00
Michael Wilkerson ae9a1e681e
added changelog for enterprise only change (#15621) 2022-11-30 11:39:20 -08:00
Tyler Wendlandt b8347ae8c6
ui: Add ServerExternalAddresses to peer token create form (#15555)
* ui: Add ServerExternalAddresses field to token generation

* Add test for ServerExternalAddresses on peer token create

* Add changelog entry

* Update translations

* Format hbs files

* Update translations
2022-11-30 11:42:36 -07:00
R.B. Boyer 11a277f372
peering: better represent non-passing states during peer check flattening (#15615)
During peer stream replication we flatten checks from the source cluster and build one thin overall check to hide the irrelevant details from the consuming cluster. This flattening logic did correctly flip to non-passing if there were any non-passing checks, but WHICH status it got during that was random (warn/error).

Also it didn't represent "maintenance" operations. There is an api package call AggregatedStatus which more correctly flattened check statuses.

This PR replicated the more complete logic into the peer stream package.
2022-11-30 11:29:21 -06:00
Freddy 941f6da202
Remove log line about server mgmt token init (#15610)
* Remove log line about server mgmt token init

Currently the server management token is only being bootstrapped in the
primary datacenter. That means that servers on the secondary datacenter
will never have this token available, and would log this line any time a
token is resolved.

Bootstrapping the token in secondary datacenters will be done in a
follow-up.

* Add changelog entry
2022-11-29 17:56:03 -05:00
James Oulman 7e78fb7818
Add support for configuring Envoys route idle_timeout (#14340)
* Add idleTimeout

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
2022-11-29 17:43:15 -05:00
Chris S. Kim 31d58014fd
docs: Update acl-tokens.mdx (#15607) 2022-11-29 16:20:39 -05:00
Conrad Kleinespel b168b5c353
Fix AWS IAM trusted identity entity_tags.<key> (#14727)
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-11-29 12:34:28 -08:00
David Yu 1b0e20a681
docs: typo on cluster peering k8s (#15602) 2022-11-29 11:49:54 -08:00
David Yu 54a3714543
docs: Clean up k8s cluster peering instructions (#15592) 2022-11-29 10:58:13 -08:00
Derek Menteer 95dc0c7b30
Add peering `.service` and `.node` DNS lookups. (#15596)
Add peering `.service` and `.node` DNS lookups.
2022-11-29 12:23:18 -06:00
cskh 7561303855
docs: clarify envoy proxy configuration (#15562)
- Specify using the service config entry to configure
  service's envoy proxy
- add missing fields in proxy.config
2022-11-28 20:33:54 -05:00
David Yu 25c4ed6ea0
docs: Fix language to describe clients previously ran on each node (#15580) 2022-11-28 14:50:48 -08:00
cskh 97c9432843
fix(peering): increase the gRPC limit to 8MB (#15503)
* fix(peering): increase the gRPC limit to 50MB

* changelog

* update gRPC limit to 8MB
2022-11-28 17:48:43 -05:00
Jeff Boruszak 73e2b96f9f
Load Balancer addition (#15583) 2022-11-28 16:48:01 -06:00
David Yu 62205d60cc
docs: Update Consul K8s Release Notes to mention updates to Cluster Peering (#15573) 2022-11-28 13:26:56 -08:00
Chris S. Kim c9ec9fa320
Fix Vault managed intermediate PKI bug (#15525) 2022-11-28 16:17:58 -05:00
Jeff Boruszak b856a17cbf
docs: Dataplane performance impact (#15566)
* New image + performance considerations

* Image related updates

* Update website/content/docs/connect/dataplane/index.mdx

Co-authored-by: David Yu <dyu@hashicorp.com>

Co-authored-by: David Yu <dyu@hashicorp.com>
2022-11-28 14:33:22 -06:00
Dan Stough 95204f4f93
chore(ci): update backport-assistant to use gh automerge (#14839) 2022-11-28 13:21:04 -05:00
Dan Stough f9dc083b6d
[OSS] chore(ci): add auto-approve workflow for consul bot (#15533) 2022-11-28 12:29:46 -05:00
Jared Kirschner 1a68dfc668
docs: add peering control plane diagrams (#15498) 2022-11-26 09:37:56 -05:00
Chris S. Kim cc819ad83b
[OSS] Add boilerplate for proto files implementing BlockableQuery (#15554) 2022-11-25 15:46:56 -05:00
Nitya Dhanushkodi d4ca1b5316
update docs with mesh and proxydefaults config (#15526) 2022-11-24 10:02:47 -08:00
Chris S. Kim 27c53f6c82
Use backport-compatible assertion (#15546)
* Use backport-compatible assertion

* Add workaround for broken apt-get
2022-11-24 11:44:20 -05:00
Chris S. Kim 386da5439a
Use rpcHoldTimeout to calculate blocking timeout (#15541)
Adds buffer to clients so that servers have time to respond to blocking queries.
2022-11-24 10:13:02 -05:00
Chris Thain 6b477ceff8
Snapshot agent docs updates (#15504) 2022-11-22 06:13:13 -08:00
Chris Thain b030a3ee99
Add changelog for snapshot agent updates (#15516) 2022-11-22 06:11:46 -08:00
Tu Nguyen 5ea70d7d83
fix typo in cluster peering docs (#15519) 2022-11-21 13:51:40 -08:00
Jared Kirschner d3dede5f8b
docs: add retry_max agent config option (#15487) 2022-11-21 16:16:56 -05:00
Derek Menteer 8079686bf0
Add 1.14.1 release updates. (#15514)
Add post-release changes for 1.14.1 updates.
2022-11-21 13:35:30 -06:00
Jeff Boruszak ef235c7c36
ServerExternalAddresses parameter clarification (#15506) 2022-11-21 11:51:09 -06:00
Dan Stough 44097c1154
docs: revert peering API changes (#15505) 2022-11-21 12:45:51 -05:00