Chris Piraino
0bd5618cb2
Cleanup proxycfg for TLS
...
- Use correct enterprise metadata for finding config entry
- nil out cancel functions on config snapshot copy
- Look at HostsSet when checking validity
2020-05-07 10:22:57 -05:00
Jeff Escalante
f0df674e07
add alert banner to website
2020-05-06 20:06:39 -04:00
Chris Piraino
5105bf3d67
Require individual services in ingress entry to match protocols ( #7774 )
...
We require any non-wildcard services to match the protocol defined in
the listener on write, so that we can maintain a consistent experience
through ingress gateways. This also helps guard against accidental
misconfiguration by a user.
- Update tests that require an updated protocol for ingress gateways
2020-05-06 16:09:24 -05:00
Freddy
b069887b2a
Remove timeout and call to Fatal from goroutine ( #7797 )
2020-05-06 14:33:17 -06:00
R.B. Boyer
59b03b18d0
update changelog
2020-05-06 15:32:27 -05:00
R.B. Boyer
56ea112908
test: make auth method cli crud test work in both oss and ent ( #7800 )
2020-05-06 15:16:50 -05:00
Kyle Havlovitz
b2a0251f66
Add a check for custom host to ingress TLS integration test
2020-05-06 15:12:02 -05:00
Chris Piraino
0c22eacca8
Add TLS field to ingress API structs
...
- Adds test in api and command/config/write packages
2020-05-06 15:12:02 -05:00
Chris Piraino
30792e933b
Add test for adding DNSSAN for ConnectCALeaf cache type
2020-05-06 15:12:02 -05:00
Kyle Havlovitz
d452769d92
Add TLS integration test for ingress gateway
...
- Pull Consul Root CA from API in order to verify certificate chain
- Assert on the DNSSAN as well to ensure it is correct
2020-05-06 15:12:02 -05:00
Chris Piraino
0b9ba9660d
Validate hosts input in ingress gateway config entry
...
We can only allow host names that are valid domain names because we put
these hosts into a DNSSAN. In addition, we validate that the wildcard
specifier '*' is only present as the leftmost label to allow for a
wildcard DNSSAN and associated wildcard Host routing in the ingress
gateway proxy.
2020-05-06 15:12:02 -05:00
Kyle Havlovitz
f14c54e25e
Add TLS option and DNS SAN support to ingress config
...
xds: Only set TLS context for ingress listener when requested
2020-05-06 15:12:02 -05:00
R.B. Boyer
db870ba92b
test: make auth method cli crud test helper ignore the default namespace ( #7799 )
2020-05-06 15:09:47 -05:00
Chris Piraino
01e89f03ea
Merge pull request #7678 from hashicorp/ingress/host-header-routing
...
Allow ingress gateways to route traffic based on Host header
2020-05-06 15:07:36 -05:00
Chris Piraino
905279f5d1
A proxy-default config entry only exists in the default namespace
2020-05-06 15:06:14 -05:00
Chris Piraino
d498a0afc9
Correctly set a namespace label in the required domain for xds routes
...
If an upstream is not in the default namespace, we expect DNS requests
to be served over "<service-name>.ingress.<namespace>.*"
2020-05-06 15:06:14 -05:00
Chris Piraino
114a18e890
Remove outdated comment
2020-05-06 15:06:14 -05:00
Chris Piraino
d8517bd6fd
Better document wildcard specifier interactions
2020-05-06 15:06:14 -05:00
Chris Piraino
45e635286a
Re-add comment on connect-proxy virtual hosts
2020-05-06 15:06:14 -05:00
Kyle Havlovitz
f9672f9bf1
Make sure IngressHosts isn't parsed during JSON decode
2020-05-06 15:06:14 -05:00
Chris Piraino
c44f877758
Comment why it is ok to expect upstreams slice to not be empty
2020-05-06 15:06:13 -05:00
Chris Piraino
881760f701
xds: Use only the port number as the configured route name
...
This removes duplication of protocol from the stats_prefix
2020-05-06 15:06:13 -05:00
Kyle Havlovitz
89e6b16815
Filter wildcard gateway services to match listener protocol
...
This now requires some type of protocol setting in ingress gateway tests
to ensure the services are not filtered out.
- small refactor to add a max(x, y) function
- Use internal configEntryTxn function and add MaxUint64 to lib
2020-05-06 15:06:13 -05:00
Chris Piraino
f40833d094
Allow Hosts field to be set on an ingress config entry
...
- Validate that this cannot be set on a 'tcp' listener nor on a wildcard
service.
- Add Hosts field to api and test in consul config write CLI
- xds: Configure envoy with user-provided hosts from ingress gateways
2020-05-06 15:06:13 -05:00
Chris Piraino
b73a13fc9e
Remove service_subset field from ingress config entry
...
We decided that this was not a useful MVP feature, and just added
unnecessary complexity
2020-05-06 15:06:13 -05:00
Kyle Havlovitz
711d1389aa
Support multiple listeners referencing the same service in gateway definitions
2020-05-06 15:06:13 -05:00
Kyle Havlovitz
247f9eaf13
Allow ingress gateways to route traffic based on Host header
...
This commit adds the necessary changes to allow an ingress gateway to
route traffic from a single defined port to multiple different upstream
services in the Consul mesh.
To do this, we now require all HTTP requests coming into the ingress
gateway to specify a Host header that matches "<service-name>.*" in
order to correctly route traffic to the correct service.
- Differentiate multiple listener's route names by port
- Adds a case in xds for allowing default discovery chains to create a
route configuration when on an ingress gateway. This allows default
services to easily use host header routing
- ingress-gateways have a single route config for each listener
that utilizes domain matching to route to different services.
2020-05-06 15:06:13 -05:00
R.B. Boyer
a854e4d9c5
acl: oss plumbing to support auth method namespace rules in enterprise ( #7794 )
...
This includes website docs updates.
2020-05-06 13:48:04 -05:00
Preetha
760368bf1b
Merge pull request #7792 from hashicorp/changelog-fixup
...
Remove duplicated entries in CHANGELOG.md
2020-05-06 13:31:03 -05:00
Preetha
1d5f2fe9b0
Remove duplicated entries in CHANGELOG.md
...
Remove some duplicated entries in the unreleased section of the changelog that were released in 1.7.3
2020-05-06 08:56:41 -05:00
Hans Hasselberg
1d5f12e823
Update CHANGELOG.md
2020-05-06 01:38:59 +02:00
Luke Kysow
c33a241438
Merge pull request #7724 from hashicorp/helm-repo
...
Update k8s instructions for new helm repo
2020-05-05 16:17:53 -07:00
R.B. Boyer
3242d0816d
test: make the kube auth method test helper use freeport ( #7788 )
2020-05-05 16:55:21 -05:00
Hans Hasselberg
aa121bc8d2
segments: oss changes for enterprise network area changes ( #7786 )
...
OSS code changes for network segments
2020-05-05 21:41:19 +02:00
Hans Hasselberg
096a2f2f02
network_segments: stop advertising segment tags
2020-05-05 21:32:05 +02:00
Hans Hasselberg
995a24b8e4
agent: refactor to use a single addrFn
2020-05-05 21:08:10 +02:00
Hans Hasselberg
6994c0d47f
agent: rename local/global to src/dst
2020-05-05 21:07:34 +02:00
Chris Piraino
7361e11bc5
Update CHANGELOG.md
2020-05-05 10:56:50 -05:00
Chris Piraino
69b44fb942
Construct a default destination if one does not exist for service-router ( #7783 )
2020-05-05 10:49:50 -05:00
Matt Keeler
9eafa36fa9
Update CHANGELOG.md
2020-05-05 09:56:56 -04:00
Matt Keeler
50c2297aaa
Update CHANGELOG.md
2020-05-05 09:53:46 -04:00
Mike Morris
291e6af33a
vendor: revert golang.org/x/sys bump to avoid FreeBSD regression ( #7780 )
2020-05-05 09:26:17 +02:00
Iryna Shustava
543568fd9a
docs: add Helm docs for external servers and bootstrapToken ( #7725 )
2020-05-04 18:09:59 -07:00
R.B. Boyer
04671ed1b5
update changelog
2020-05-04 17:03:59 -05:00
R.B. Boyer
22eb016153
acl: add MaxTokenTTL field to auth methods ( #7779 )
...
When set to a non zero value it will limit the ExpirationTime of all
tokens created via the auth method.
2020-05-04 17:02:57 -05:00
s-christoff
08b335d8d6
Update CHANGELOG.md
2020-05-04 16:24:40 -05:00
s-christoff
f9956c1c46
cli: Add -config flag to "acl authmethod update/create" ( #7776 )
2020-05-04 16:21:28 -05:00
R.B. Boyer
68499f0204
update changelog
2020-05-04 15:21:08 -05:00
R.B. Boyer
ca52ba7068
acl: add DisplayName field to auth methods ( #7769 )
...
Also add a few missing acl fields in the api.
2020-05-04 15:18:25 -05:00
Hans Hasselberg
b5eab19183
vendor: fix case issue ( #7777 )
2020-05-04 21:39:01 +02:00