Commit Graph

20337 Commits

Author SHA1 Message Date
John Murret 691bc9673a
add a conditional around setting LANFilter.AllSegments to make sure it is valid (#18139)
### Description

This is to correct a code problem because this assumes all segments, but
when you get to Enterprise, you can be in partition that is not the
default partition, in which case specifying all segments does not
validate and fails. This is to correct the setting of this filter with
`AllSegments` to `true` to only occur when in the the `default`
partition.

### Testing & Reproduction steps

<!--

* In the case of bugs, describe how to replicate
* If any manual tests were done, document the steps and the conditions
to replicate
* Call out any important/ relevant unit tests, e2e tests or integration
tests you have added or are adding

-->

### Links

<!--

Include any links here that might be helpful for people reviewing your
PR (Tickets, GH issues, API docs, external benchmarks, tools docs, etc).
If there are none, feel free to delete this section.

Please be mindful not to leak any customer or confidential information.
HashiCorp employees may want to use our internal URL shortener to
obfuscate links.

-->

### PR Checklist

* [ ] updated test coverage
* [ ] external facing docs updated
* [ ] appropriate backport labels added
* [ ] not a security concern
2023-07-14 14:53:44 -06:00
John Murret 5af73901a2
[NET-4897] net/http host header is now verified and request.host that contains socked now error (#18129)
### Description

This is related to https://github.com/hashicorp/consul/pull/18124 where
we pinned the go versions in CI to 1.20.5 and 1.19.10.

go 1.20.6 and 1.19.11 now validate request host headers for validity,
including the hostname cannot be prefixed with slashes.

For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname. Prior versions go Go would
clean the host header, and strip slashes in the process, but go1.20.6
and go1.19.11 no longer do, and reject the host header. Around the
community we are seeing that others are intercepting the req.host and if
it starts with a slash or ends with .sock, they changing the host to
localhost or another dummy value.

[client: define a "dummy" hostname to use for local connections by
thaJeztah · Pull Request #45942 ·
moby/moby](https://github.com/moby/moby/pull/45942)

### Testing & Reproduction steps

Check CI tests.

### Links
* [ ] updated test coverage
* [ ] external facing docs updated
* [ ] appropriate backport labels added
* [ ] not a security concern
2023-07-14 14:53:27 -06:00
Chris S. Kim 747a4c73c1
Fix bug with Vault CA provider (#18112)
Updating RootPKIPath but not IntermediatePKIPath would not update 
leaf signing certs with the new root. Unsure if this happens in practice 
but manual testing showed it is a bug that would break mesh and agent 
connections once the old root is pruned.
2023-07-14 15:58:33 -04:00
Poonam Jadhav 5208ea90e4
NET-4657/add resource service client (#18053)
### Description

<!-- Please describe why you're making this change, in plain English.
-->
Dan had already started on this
[task](https://github.com/hashicorp/consul/pull/17849) which is needed
to start building the HTTP APIs. This just needed some cleanup to get it
ready for review.

Overview:

- Rename `internalResourceServiceClient` to
`insecureResourceServiceClient` for name consistency
- Configure a `secureResourceServiceClient` with auth enabled

### PR Checklist

* [ ] ~updated test coverage~
* [ ] ~external facing docs updated~
* [x] appropriate backport labels added
* [ ] ~not a security concern~
2023-07-14 14:09:02 -04:00
cskh ad6364af9e
Docs: fix unmatched bracket for health checks page (#18134) 2023-07-14 09:44:21 -04:00
Ronald 2229206bbe
Add docs for jwt cluster configuration (#18004)
### Description

<!-- Please describe why you're making this change, in plain English.
-->

- Add jwt-provider docs for jwks cluster configuration. The
configuration was added here:
https://github.com/hashicorp/consul/pull/17978
2023-07-14 11:10:42 +00:00
Jeff Apple 68863b42f8
Add ingress gateway deprecation notices to docs (#18102)
### Description

This adds notices, that ingress gateway is deprecated, to several places
in the product docs where ingress gateway is the topic.

### Testing & Reproduction steps

Tested with a local copy of the website.

### Links

Deprecation of ingress gateway was announced in the Release Notes for
Consul 1.16 and Consul-K8s 1.2. See:

[https://developer.hashicorp.com/consul/docs/release-notes/consul/v1_16_x#what-s-deprecated](https://developer.hashicorp.com/consul/docs/release-notes/consul/v1_16_x#what-s-deprecated
)

[https://developer.hashicorp.com/consul/docs/release-notes/consul-k8s/v1_2_x#what-s-deprecated](https://developer.hashicorp.com/consul/docs/release-notes/consul-k8s/v1_2_x#what-s-deprecated)

### PR Checklist

* [N/A] updated test coverage
* [X] external facing docs updated
* [X] appropriate backport labels added
* [X] not a security concern

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-07-13 15:17:32 -07:00
John Murret a2c6953d0d
[NET-4895] ci - api tests and consul container tests error because of dependency bugs with go 1.20.6. Pin go to 1.20.5. (#18124)
### Description
The following jobs started failing when go 1.20.6 was released:
- `go-test-api-1-19`
- `go-test-api-1-20`
- `compatibility-integration-tests`
- `upgrade-integration-tests`

`compatibility-integration-tests` and `compatibility-integration-tests`
to this testcontainers issue:
https://github.com/testcontainers/testcontainers-go/issues/1359. This
issue calls for testcontainers to release a new version when one of
their dependencies is fixed. When that is done, we will unpin the go
versions in `compatibility-integration-tests` and
`compatibility-integration-tests`.

### Testing & Reproduction steps

See these jobs broken in CI and then see them work with this PR.

---------

Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
2023-07-13 19:26:35 +00:00
Iryna Shustava c328ba85bd
Split pbmesh.UpstreamsConfiguration as a resource out of pbmesh.Upstreams (#17991)
Configuration that previously was inlined into the Upstreams resource
applies to both explicit and implicit upstreams and so it makes sense to
split it out into its own resource.

It also has other minor changes:
- Renames `proxy.proto` proxy_configuration.proto`
- Changes the type of `Upstream.destination_ref` from `pbresource.ID` to
`pbresource.Reference`
- Adds comments to fields that didn't have them
2023-07-13 13:06:56 -06:00
nv-hashi efe981637b
:ermahgerd "Sevice Mesh" -> "Service Mesh" (#18116)
Just a typo in the docs.
2023-07-12 18:46:16 -07:00
Dan Bond 3b3aa1f260
[NET-4103] ci: build s390x (#18067)
* ci: build s390x

* ci: test s390x

* ci: dev build s390x

* no GOOS

* ent only

* build: publish s390x

* fix syntax error

* fix syntax error again

* fix syntax error again x2

* test branch

* Move s390x conditionals to step level

* remove test branch

---------

Co-authored-by: emilymianeil <eneil@hashicorp.com>
2023-07-12 16:10:34 -07:00
Eddie Rowe d1f5d9b905
api gw 1.16 updates (#18081)
* api gw 1.16 updates

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* update CodeBlockConfig filename

* Apply suggestions from code review

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

* remove non-standard intentions page

* Update website/content/docs/api-gateway/configuration/index.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

---------

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-07-12 21:43:22 +00:00
Vijay 2f20c77e4d
Displays Consul version of each nodes in UI nodes section (#17754)
* update UINodes and UINodeInfo response with consul-version info added as NodeMeta, fetched from serf members

* update test cases TestUINodes, TestUINodeInfo

* added nil check for map

* add consul-version in local agent node metadata

* get consul version from serf member and add this as node meta in catalog register request

* updated ui mock response to include consul versions as node meta

* updated ui trans and added version as query param to node list route

* updates in ui templates to display consul version with filter and sorts

* updates in ui - model class, serializers,comparators,predicates for consul version feature

* added change log for Consul Version Feature

* updated to get version from consul service, if for some reason not available from serf

* updated changelog text

* updated dependent testcases

* multiselection version filter

* Update agent/consul/state/catalog.go

comments updated

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

---------

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2023-07-12 13:34:39 -06:00
John Murret f51a9d29ae
docs - update upgrade index page to not recommend consul leave. (#18100) 2023-07-12 16:56:38 +00:00
Luke Kysow ebfed566b2
Docs for dataplane upgrade on k8s (#18051)
* Docs for dataplane upgrade on k8s

---------

Co-authored-by: David Yu <dyu@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-07-12 16:54:35 +00:00
Tom Davies f472164f05
Pass configured role name to Vault for AWS auth in Connect CA (#17885) 2023-07-12 08:24:12 -07:00
Curt Bushko 51d8eb8e07
Docs: Update proxy lifecycle annotations and consul-dataplane flags (#18075)
* Update proxy lifecycle annotations and consul-dataplane flags
2023-07-11 23:11:38 -04:00
Nick Irvine 3dc6f8fc06
ci: use gotestsum v1.10.1 [NET-4042] (#18088) 2023-07-11 17:13:54 -07:00
Curt Bushko bd5af7fe7d
Update helm docs on main (#18085) 2023-07-11 19:59:44 -04:00
david3a 0e58c89978
Update service-mesh-compare.mdx (#17279)
grammar change
2023-07-11 23:05:13 +00:00
David Yu bfb921229d
docs updates - cluster peering and virtual services (#18069)
* Update route-to-virtual-services.mdx
* Update establish-peering.mdx
2023-07-11 22:37:53 +00:00
Joshua Timmons a30ba335b6
Fix a couple typos in Agent Telemetry Metrics docs (#18080)
* Fix metrics docs

* Add changelog

Signed-off-by: josh <josh.timmons@hashicorp.com>

---------

Signed-off-by: josh <josh.timmons@hashicorp.com>
2023-07-11 20:13:30 +00:00
Dan Stough da79997f3d
test: fix FIPS inline cert test message (#18076) 2023-07-11 11:28:27 -04:00
Krastin Krastev 7decc305b9
ui: fix typos for peer service imports (#17999) 2023-07-11 16:09:32 +03:00
Dan Stough 1b08626358
[OSS] Fix initial_fetch_timeout to wait for all xDS resources (#18024)
* fix(connect): set initial_fetch_time to wait indefinitely

* changelog

* PR feedback 1
2023-07-10 17:08:06 -04:00
Fulvio f4b08040fd
Add verify server hostname to tls default (#17155) 2023-07-10 10:34:41 -05:00
David Yu b0a2e33e0a
address feedback (#18045) 2023-07-07 10:03:28 -07:00
David Yu b9a6a744d5
docs - add jobs use case for service mesh k8s (#18037)
* docs - add jobs use case for service mesh k8s
* add code blocks
2023-07-07 09:22:03 -07:00
David Yu 85f2ae024c
docs - add service sync annotations and k8s service weight annotation (#18032)
* Docs for https://github.com/hashicorp/consul-k8s/pull/2293
* remove versions for enterprise features since they are old

---------

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2023-07-06 19:46:48 +00:00
trujillo-adam 820cdbb226
removed sameness conf entry from failover nav (#18033) 2023-07-06 17:37:38 +00:00
trujillo-adam f7d399f7fc
fix stand-in text for name field (#18030) 2023-07-06 09:31:45 -07:00
Ronald ada3938115
Add first integration test for jwt auth with intention (#18005) 2023-07-06 07:27:30 -04:00
J.C. Jones 7689a5ef2d
Document that DNS lookups can target cluster peers (#17990)
Static DNS lookups, in addition to explicitly targeting a datacenter,
can target a cluster peer. This was added in 95dc0c7b30 but didn't make the documentation.

The driving function for the change is `parseLocality` here: 0b1299c28d/agent/dns_oss.go (L25)

The biggest change in this is to adjust the standard lookup syntax to tie
`.<datacenter>` to `.dc` as required-together, and to append in the similar `.<cluster-peer>.peer` optional argument, both to A record and SRV record lookups.

Co-authored-by: David Yu <dyu@hashicorp.com>
2023-07-05 15:03:42 -07:00
trujillo-adam 548829a72b
updated typo in tab heading (#18022)
* updated typo in tab heading

* updated tab group typo, too
2023-07-05 20:27:49 +00:00
Jeff Boruszak 7ef807df48
docs: Sameness "beta" warning (#18017)
* Warning updates

* .x
2023-07-05 19:56:25 +00:00
Michael Hofer 2c2e62852d
Fix removed service-to-service peering links (#17221)
* docs: fix removed service-to-service peering links

* docs: extend peering-via-mesh-gateways intro (thanks @trujillo-adam)

---------

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-07-05 12:22:21 -07:00
Ranjandas 7f3446ecec
Fixes Traffic rate limitting docs (#17997) 2023-07-05 10:49:19 -07:00
Dan Stough b94095d92e
[OSS] Improve Gateway Test Coverage of Catalog Health (#18011)
* fix(cli): remove failing check from 'connect envoy' registration for api gateway

* test(integration): add tests to check catalog statsus of gateways on startup

* remove extra sleep comment

* Update test/integration/consul-container/libs/assert/service.go

* changelog
2023-07-05 11:30:48 -04:00
Poonam Jadhav 8af4ad178c
feat: include nodes count in operator usage endpoint and cli command (#17939)
* feat: update operator usage api endpoint to include nodes count

* feat: update operator usange cli command to includes nodes count
2023-07-05 11:23:29 -04:00
Derek Menteer 0094dbf312
Fix incorrect protocol for transparent proxy upstreams. (#17894)
This PR fixes a bug that was introduced in:
https://github.com/hashicorp/consul/pull/16021

A user setting a protocol in proxy-defaults would cause tproxy implicit
upstreams to not honor the upstream service's protocol set in its
`ServiceDefaults.Protocol` field, and would instead always use the
proxy-defaults value.

Due to the fact that upstreams configured with "tcp" can successfully contact
upstream "http" services, this issue was not recognized until recently (a
proxy-defaults with "tcp" and a listening service with "http" would make
successful requests, but not the opposite).

As a temporary work-around, users experiencing this issue can explicitly set
the protocol on the `ServiceDefaults.UpstreamConfig.Overrides`, which should
take precedence.

The fix in this PR removes the proxy-defaults protocol from the wildcard
upstream that tproxy uses to configure implicit upstreams. When the protocol
was included, it would always overwrite the value during discovery chain
compilation, which was not correct. The discovery chain compiler also consumes
proxy defaults to determine the protocol, so simply excluding it from the
wildcard upstream config map resolves the issue.
2023-07-05 09:32:10 -05:00
Chris Thain 4f0bdd35e6
Integration test for ext-authz Envoy extension (#17980) 2023-07-04 08:09:17 -07:00
Ronald 80394278b8
Expose JWKS cluster config through JWTProviderConfigEntry (#17978)
* Expose JWKS cluster config through JWTProviderConfigEntry

* fix typos, rename trustedCa to trustedCA
2023-07-04 09:12:06 -04:00
Evan Phoenix dc6ea1b644
Fix typo (#17198)
servcies => services
2023-07-01 01:55:28 +00:00
Nathan Coleman df85dd83a7
Add changelog entry for 1.16.0 (#17987) 2023-06-30 20:29:47 +00:00
Jeff Boruszak f096fc53ca
docs: samenessGroup YAML examples (#17984)
* configuration entry syntax

* Example config
2023-06-30 20:26:08 +00:00
Chris Thain 0b1299c28d
Remove duplicate and unused newDecodeConfigEntry func (#17979) 2023-06-30 09:39:54 -07:00
wangxinyi7 9ce89c497a
update doc (#17910)
* update doc

* update link
2023-06-30 08:13:24 -07:00
Chris S. Kim 50a9d1b696
Remove POC code (#17974) 2023-06-30 14:05:13 +00:00
Tu Nguyen 5b7f360e77
Fix formatting codeblocks on APIgw docs (#17970)
* fix formatting codeblocks

* remove unnecessary indents
2023-06-30 06:17:38 +00:00
Ashesh Vidyut 2af6bc434a
feature - [NET - 4005] - [Supportability] Reloadable Configuration - enable_debug (#17565)
* # This is a combination of 9 commits.
# This is the 1st commit message:

init without tests

# This is the commit message #2:

change log

# This is the commit message #3:

fix tests

# This is the commit message #4:

fix tests

# This is the commit message #5:

added tests

# This is the commit message #6:

change log breaking change

# This is the commit message #7:

removed breaking change

# This is the commit message #8:

fix test

# This is the commit message #9:

keeping the test behaviour same

* # This is a combination of 12 commits.
# This is the 1st commit message:

init without tests

# This is the commit message #2:

change log

# This is the commit message #3:

fix tests

# This is the commit message #4:

fix tests

# This is the commit message #5:

added tests

# This is the commit message #6:

change log breaking change

# This is the commit message #7:

removed breaking change

# This is the commit message #8:

fix test

# This is the commit message #9:

keeping the test behaviour same

# This is the commit message #10:

made enable debug atomic bool

# This is the commit message #11:

fix lint

# This is the commit message #12:

fix test true enable debug

* parent 10f500e895d92cc3691ade7b74a33db755d22039
author absolutelightning <ashesh.vidyut@hashicorp.com> 1687352587 +0530
committer absolutelightning <ashesh.vidyut@hashicorp.com> 1687352592 +0530

init without tests

change log

fix tests

fix tests

added tests

change log breaking change

removed breaking change

fix test

keeping the test behaviour same

made enable debug atomic bool

fix lint

fix test true enable debug

using enable debug in agent as atomic bool

test fixes

fix tests

fix tests

added update on correct locaiton

fix tests

fix reloadable config enable debug

fix tests

fix init and acl 403

* revert commit
2023-06-30 08:30:29 +05:30