Commit Graph

19995 Commits

Author SHA1 Message Date
Semir Patel 3b83c7ee9a
Enforce ACLs on resource `Write` and `Delete` endpoints (#16956) 2023-04-12 16:22:44 -05:00
Dan Bond 5ea2ad856a
circleci: remove frontend jobs (#16906)
* circleci: remove frontend jobs

Signed-off-by: Dan Bond <danbond@protonmail.com>

* remove frontend-cache

Signed-off-by: Dan Bond <danbond@protonmail.com>

---------

Signed-off-by: Dan Bond <danbond@protonmail.com>
2023-04-12 14:07:18 -07:00
Eric Haberkorn 6bab6696cc
add sameness to exported services structs in the api package (#16984) 2023-04-12 16:49:28 -04:00
Dhia Ayachi b85a149eaf
Memdb Txn Commit race condition fix (#16871)
* Add a test to reproduce the race condition

* Fix race condition by publishing the event after the commit and adding a lock to prevent out of order events.

* split publish to generate the list of events before committing the transaction.

* add changelog

* remove extra func

* Apply suggestions from code review

Co-authored-by: Dan Upton <daniel@floppy.co>

* add comment to explain test

---------

Co-authored-by: Dan Upton <daniel@floppy.co>
2023-04-12 13:18:01 -04:00
Dan Bond 1384b34b33
ci: split frontend ember jobs (#16973)
Signed-off-by: Dan Bond <danbond@protonmail.com>
2023-04-12 04:48:09 +00:00
Nathan Coleman fdcbf67df9
Added backport labels to PR template checklist (#16966) 2023-04-11 19:18:11 +00:00
Poonam Jadhav 8255cc97f5
feat: add reporting config with reload (#16890) 2023-04-11 15:04:02 -04:00
John Murret 37569837a2
ci: remove build-distros from CircleCI (#16941) 2023-04-11 18:52:35 +00:00
Luke Kysow d3d7847ca1
Remove global.name requirement for APs (#16964)
This is not a requirement when using APs because each AP has its own
auth method so it's okay if the names overlap.
2023-04-11 11:41:33 -07:00
Dan Upton d595e6ade9
resource: `WriteStatus` endpoint (#16886) 2023-04-11 19:23:14 +01:00
Derek Menteer 2ef812f68b
Update docs for service-defaults overrides. (#16960)
Update docs for service-defaults overrides.

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2023-04-11 11:40:55 -05:00
Thomas Eckert 380d74ca95
Fix the indentation of the copyAnnotations example (#16873) 2023-04-11 15:34:52 +00:00
Derek Menteer 1bcaeabfc3
Remove deprecated service-defaults upstream behavior. (#16957)
Prior to this change, peer services would be targeted by service-default
overrides as long as the new `peer` field was not found in the config entry.
This commit removes that deprecated backwards-compatibility behavior. Now
it is necessary to specify the `peer` field in order for upstream overrides
to apply to a peer upstream.
2023-04-11 10:20:33 -05:00
Semir Patel 317240fca7
Resource validation hook for `Write` endpoint (#16950) 2023-04-11 06:55:32 -05:00
Semir Patel 686f49346c
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 06:10:14 -05:00
John Murret 2f524ae472
ci: build-artifacts - fix platform missing in manifest error (#16940)
* ci: build-artifacts - fix platform missing in manifest error

* remove platform key
2023-04-10 16:42:42 -06:00
John Murret be4a436a42
ci: remove go-tests workflow from CircleCI (#16855)
* remove go-tests workflow from CircleCI

* add yaml anchor back
2023-04-10 14:47:32 -06:00
John Murret f6b07a147d
ci: remove verify-ci from circleci (#16860) 2023-04-10 12:35:07 -06:00
John Maguire 92be8bd762
APIGW: Routes with duplicate parents should be invalid (#16926)
* ensure route parents are unique when creating an http route

* Ensure tcp route parents are unique

* Added unit tests
2023-04-10 13:20:32 -04:00
John Murret c165a29c9a
ci: add GOTAGS to build-distros (#16934) 2023-04-10 11:16:44 -06:00
Andrea Scarpino a1404d6dcf
docs: fix typo in LocalRequestTimeoutMs (#16917) 2023-04-10 09:56:49 -07:00
cskh 82915d225f
Test: add noCleanup to TestServer stop (#16919) 2023-04-07 20:47:54 -04:00
Jared Kirschner e5be4b4550
docs: improve upgrade path guidance (#16925) 2023-04-07 20:47:15 +00:00
John Eikenberry eccd2f9871
highlight the agent.tls cert metric with CA ones
Include server agent certificate with list of cert metrics that need monitoring.
2023-04-07 20:41:14 +00:00
John Eikenberry 97173725b7
log warning about certificate expiring sooner and with more details
The old setting of 24 hours was not enough time to deal with an expiring certificate. This change ups it to 28 days OR 40% of the full cert duration, whichever is shorter. It also adds details to the log message to indicate which certificate it is logging about and a suggested action.
2023-04-07 20:38:07 +00:00
John Murret d9c02c5761
increase ENT runner size for xl to match OSS. have build-distros use xl to match CircleCI (#16920) 2023-04-07 11:10:47 -06:00
John Murret 430df05e61
ci: Add success jobs. make go-test-enterprise conditional. build-distros and go-tests trigger on push to main and release branches (#16905)
* Add go-tests-success job and make go-test-enterprise conditional

* fixing lint-32bit reference

* fixing reference to -go-test-troubleshoot

* add all jobs that fan out.

* fixing success job to need set up

* add echo to success job

* adding success jobs to build-artifacts, build-distros, and frontend.

* changing the name of the job in verify ci to be consistent with other workflows

* enable go-tests, build-distros, and verify-ci to run on merge to main and release branches because they currently do not with just the pull_request trigger
2023-04-06 16:29:32 -06:00
Eddie Rowe 5bdf795f2b
Fix API GW broken link (#16885)
* Fix API GW broken link

* Update website/content/docs/api-gateway/upgrades.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2023-04-06 22:29:09 +00:00
Chris Thain 175bb1a303
Wasm Envoy HTTP extension (#16877) 2023-04-06 14:12:07 -07:00
Semir Patel 1794484298
Resource `Delete` endpoint (#16756) 2023-04-06 08:58:54 -05:00
Dan Upton 4fa2537b3b
Resource `Write` endpoint (#16786) 2023-04-06 10:40:04 +01:00
John Murret ad3a68a040
temporarily disable macos-arm64 tests job in go-tests (#16898) 2023-04-05 17:10:31 -06:00
John Murret 3f74827593
always test oss and conditionally test enterprise (#16827) 2023-04-05 16:49:48 -06:00
Dan Bond bdff71500f
ci: fixes missing deps in frontend gha workflows (#16872)
Signed-off-by: Dan Bond <danbond@protonmail.com>
2023-04-05 15:42:36 -07:00
Eddie Rowe 25f9da48d7
Omit false positives from 404 checker (#16881)
* Remove false positives from 404 checker

* fix remaining 404s
2023-04-05 17:58:29 +00:00
John Murret dcb9da2eb2
add arm64 testing (#16876) 2023-04-05 09:58:00 -06:00
Dan Upton 671d5825ca
Raft storage backend (#16619) 2023-04-04 17:30:06 +01:00
John Murret afc8f978a2
ci: increase deep-copy and lint-enum jobs to use large runner as they hang in ENT (#16866)
* docs: add envoy to the proxycfg diagram (#16834)

* docs: add envoy to the proxycfg diagram

* increase deep-copy job to use large runner. disable lint-enums on ENT

* set lint-enums to a large

* remove redundant installation of deep-copy

---------

Co-authored-by: cskh <hui.kang@hashicorp.com>
2023-04-04 09:15:45 -06:00
cskh a319953576
docs: add envoy to the proxycfg diagram (#16834)
* docs: add envoy to the proxycfg diagram
2023-04-04 09:42:42 -04:00
Dao Thanh Tung 0582f137c5
Fix broken doc in consul-k8s upgrade (#16852)
Signed-off-by: dttung2905 <ttdao.2015@accountancy.smu.edu.sg>
Co-authored-by: David Yu <dyu@hashicorp.com>
2023-04-03 21:21:51 +00:00
John Eikenberry 40854125a5
CA mesh CA expiration to its own section
This is part of an effort to raise awareness that you need to monitor
your mesh CA if coming from an external source as you'll need to manage
the rotation.
2023-04-03 20:02:08 +00:00
Freddy f6de5ff635
Allow dialer to re-establish terminated peering (#16776)
Currently, if an acceptor peer deletes a peering the dialer's peering
will eventually get to a "terminated" state. If the two clusters need to
be re-peered the acceptor will re-generate the token but the dialer will
encounter this error on the call to establish:

"failed to get addresses to dial peer: failed to refresh peer server
addresses, will continue to use initial addresses: there is no active
peering for "<<<ID>>>""

This is because in `exchangeSecret().GetDialAddresses()` we will get an
error if fetching addresses for an inactive peering. The peering shows
up as inactive at this point because of the existing terminated state.

Rather than checking whether a peering is active we can instead check
whether it was deleted. This way users do not need to delete terminated
peerings in the dialing cluster before re-establishing them.
2023-04-03 12:07:45 -06:00
Hariram Sankaran 71c32b4607
Fix typo on cli-flags.mdx (#16843)
Change "segements" to segments
2023-04-03 10:28:18 -07:00
Michael Zalimeni f54e310d4e
Update changelog with patch releases (#16856)
* Update changelog with patch releases

* Backport missed 1.0.4 patch release to changelog
2023-04-03 13:05:36 -04:00
Chris S. Kim a5397b1f23
Connect CA Primary Provider refactor (#16749)
* Rename Intermediate cert references to LeafSigningCert

Within the Consul CA subsystem, the term "Intermediate"
is confusing because the meaning changes depending on
provider and datacenter (primary vs secondary). For
example, when using the Consul CA the "ActiveIntermediate"
may return the root certificate in a primary datacenter.

At a high level, we are interested in knowing which
CA is responsible for signing leaf certs, regardless of
its position in a certificate chain. This rename makes
the intent clearer.

* Move provider state check earlier

* Remove calls to GenerateLeafSigningCert

GenerateLeafSigningCert (formerly known
as GenerateIntermediate) is vestigial in
non-Vault providers, as it simply returns
the root certificate in primary
datacenters.

By folding Vault's intermediate cert logic
into `GenerateRoot` we can encapsulate
the intermediate cert handling within
`newCARoot`.

* Move GenerateLeafSigningCert out of PrimaryProvider

Now that the Vault Provider calls
GenerateLeafSigningCert within
GenerateRoot, we can remove the method
from all other providers that never
used it in a meaningful way.

* Add test for IntermediatePEM

* Rename GenerateRoot to GenerateCAChain

"Root" was being overloaded in the Consul CA
context, as different providers and configs
resulted in a single root certificate or
a chain originating from an external trusted
CA. Since the Vault provider also generates
intermediates, it seems more accurate to
call this a CAChain.
2023-04-03 11:40:33 -04:00
malizz fc64a702f4
add region field (#16825)
* add region field

* fix syntax error in test file

* go fmt

* go fmt

* remove test
2023-03-31 12:05:47 -07:00
Dan Bond 3e6f8b7e95
[NET-3029] Migrate dev-* jobs to GHA (#16792)
* ci: add build-artifacts workflow

Signed-off-by: Dan Bond <danbond@protonmail.com>

* makefile for gha dev-docker

Signed-off-by: Dan Bond <danbond@protonmail.com>

* use docker actions instead of make

Signed-off-by: Dan Bond <danbond@protonmail.com>

* Add context

Signed-off-by: Dan Bond <danbond@protonmail.com>

* testing push

Signed-off-by: Dan Bond <danbond@protonmail.com>

* set short sha

Signed-off-by: Dan Bond <danbond@protonmail.com>

* upload to s3

Signed-off-by: Dan Bond <danbond@protonmail.com>

* rm s3 upload

Signed-off-by: Dan Bond <danbond@protonmail.com>

* use runner setup job

Signed-off-by: Dan Bond <danbond@protonmail.com>

* on push

Signed-off-by: Dan Bond <danbond@protonmail.com>

* testing

Signed-off-by: Dan Bond <danbond@protonmail.com>

* on pr

Signed-off-by: Dan Bond <danbond@protonmail.com>

* revert testing

Signed-off-by: Dan Bond <danbond@protonmail.com>

* OSS/ENT logic

Signed-off-by: Dan Bond <danbond@protonmail.com>

* add comments

Signed-off-by: Dan Bond <danbond@protonmail.com>

* Update .github/workflows/build-artifacts.yml

Co-authored-by: John Murret <john.murret@hashicorp.com>

---------

Signed-off-by: Dan Bond <danbond@protonmail.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
2023-03-31 19:02:40 +00:00
Eric Haberkorn a6d69adcf5
Add default resolvers to disco chains based on the default sameness group (#16837) 2023-03-31 14:35:56 -04:00
Derek Menteer 8d40cf9858
Add sameness-group to exported-services config entries (#16836)
This PR adds the sameness-group field to exported-service
config entries, which allows for services to be exported
to multiple destination partitions / peers easily.
2023-03-31 12:36:44 -05:00
Ronald bf64a33caa
Remove UI brand-loader copyright headers as they do not render appropriately (#16835) 2023-03-31 11:29:19 -04:00