Commit Graph

14320 Commits

Author SHA1 Message Date
Mark Anderson ff7fca756b Add simple test for downstream sockets
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-05-04 12:41:43 -07:00
Mark Anderson 8040f91a43 Add support for downstreams
Enhance config by adding SocketPath and LocalSocketPath config values

Supports syntax of the form:
```
services {
  name = "sock_forwarder"
  id = "sock_forwarder.1"
  socket_path = "/tmp/downstream_3.sock"
  connect {
    sidecar_service {
      proxy {
	local_service_socket_path = "/tmp/downstream.sock"
      }
    }
  }
}
```

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-05-04 12:41:43 -07:00
Mark Anderson 6be9cebad0 Add tests for xds/listeners
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-05-04 12:41:43 -07:00
Mark Anderson 583ae65d5b Convert mode to string representation
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-05-04 12:41:43 -07:00
Mark Anderson 06f0f79218 Continue working through proxy and agent
Rework/listeners, rename makeListener

Refactor, tests pass

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-05-04 12:41:43 -07:00
Mark Anderson 8b1217417a First changes for unix domain sockets upstreams
Start making structure changes to support unix domain socket address for upstreams

	upstreams = [
	  {
	    destination_name = "echo-service"
	    local_bind_socket_path = "/tmp/upstream.sock"
	    config {
	      passive_health_check {
		interval = "10s"
		max_failures = 42
	      }
	    }
	  }

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-05-04 12:41:43 -07:00
Daniel Nephin 981fb5322a
Merge pull request #10161 from hashicorp/dnephin/update-deps
Update a couple dependencies
2021-05-04 14:30:37 -04:00
Daniel Nephin ae2b3c1bdd Add changelog 2021-05-04 14:09:14 -04:00
Daniel Nephin 6713afdff3 lint: fix warning by removing reference to deprecated interface 2021-05-04 14:09:14 -04:00
Daniel Nephin 9a7fb48dcb Update a couple dependencies
To pickup bug fixes
2021-05-04 14:09:10 -04:00
Daniel Nephin f2489e098f
Merge pull request #10167 from hashicorp/dnephin/ci-cherry-pick-on-release-branch
ci: allow cherry-picking a manual backport to other release branches
2021-05-04 13:49:17 -04:00
hc-github-team-consul-core 8f9d5c8eef auto-updated agent/uiserver/bindata_assetfs.go from commit 07e11f32e 2021-05-04 16:56:40 +00:00
John Cowen 07e11f32ee
ui: Remove extra nspace value from service upstreams (#10152)
* ui: Remove extra nspace value from service upstreams
2021-05-04 17:42:13 +01:00
hc-github-team-consul-core fade7e6583 auto-updated agent/uiserver/bindata_assetfs.go from commit fc7fe23b4 2021-05-04 16:36:21 +00:00
John Cowen fc7fe23b4d
ui: Fix text search for upstream instances (#10151)
* ui: Fix text search for upstream instances

* Clean up predicates for other model types

* Add some docs around DataCollection and searching

* Enable UI Engineering Docs for our preview sites

* Use debug CSS in dev and staging
2021-05-04 17:25:57 +01:00
John Cowen 4533a5e959
ui: Adds CRD popover 'informed action' for intentions managed by CRDs (#10100)
* ui: Adds CRD popover 'informed action' for intentions add via CRDs
2021-05-04 17:21:54 +01:00
Freddy ed1082510d
Fixup discovery chain handling in transparent mode (#10168)
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

Previously we would associate the address of a discovery chain target
with the discovery chain's filter chain. This was broken for a few reasons:

- If the upstream is a virtual service, the client proxy has no way of
dialing it because virtual services are not targets of their discovery
chains. The targets are distinct services. This is addressed by watching
the endpoints of all upstream services, not just their discovery chain
targets.

- If multiple discovery chains resolve to the same target, that would
lead to multiple filter chains attempting to match on the target's
virtual IP. This is addressed by only matching on the upstream's virtual
IP.

NOTE: this implementation requires an intention to the redirecting
virtual service and not just to the final destination. This is how
we can know that the virtual service is an upstream to watch.

A later PR will look into traversing discovery chains when computing
upstreams so that intentions are only required to the discovery chain
targets.
2021-05-04 08:45:19 -06:00
Paul Banks 3ad754ca7b
Make Raft trailing logs and snapshot timing reloadable (#10129)
* WIP reloadable raft config

* Pre-define new raft gauges

* Update go-metrics to change gauge reset behaviour

* Update raft to pull in new metric and reloadable config

* Add snapshot persistance timing and installSnapshot to our 'protected' list as they can be infrequent but are important

* Update telemetry docs

* Update config and telemetry docs

* Add note to oldestLogAge on when it is visible

* Add changelog entry

* Update website/content/docs/agent/options.mdx

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
2021-05-04 15:36:53 +01:00
Luke Kysow 8d6cbe7281
Give descriptive error if auth method not found (#10163)
* Give descriptive error if auth method not found

Previously during a `consul login -method=blah`, if the auth method was not found, the
error returned would be "ACL not found". This is potentially confusing
because there may be many different ACLs involved in a login: the ACL of
the Consul client, perhaps the binding rule or the auth method.

Now the error will be "auth method blah not found", which is much easier
to debug.
2021-05-03 13:39:13 -07:00
Freddy 2ca3f481f8
Only consider virtual IPs for transparent proxies (#10162)
Initially we were loading every potential upstream address into Envoy
and then routing traffic to the logical upstream service. The downside
of this behavior is that traffic meant to go to a specific instance
would be load balanced across ALL instances.

Traffic to specific instance IPs should be forwarded to the original
destination and if it's a destination in the mesh then we should ensure
the appropriate certificates are used.

This PR makes transparent proxying a Kubernetes-only feature for now
since support for other environments requires generating virtual IPs,
and Consul does not do that at the moment.
2021-05-03 14:15:22 -06:00
Daniel Nephin c8f53a1d52 ci: allow cherry-picking a manual backport to other release branches
If an automatic backport fails to more than one release branch we need
to crate a PR to backport it. So far we've had to create a backport PR
for each target release branch.

With this change, we may be able to create only a single PR, and then
run the backport automation to cherry-pick it into other release
branches.

The idea is that if a change introduced in version n-1 caused a
conflict, and there are no other changes, then the backport automation
should be able to use the same commit for version n-2 and n-3.
2021-05-03 16:09:10 -04:00
Kendall Strautman 1cbea66717
[Assembly]: Website Branding Refresh (#9884)
* style: update gray brand colors

* style: update brand colors

* chore: upgrades base platform deps

* style: updates learn callouts label color

* style: icons to flat consul primary color

* style: errand link styles

* refactor(home): use react-learn-callout

* chore; adds ts config, upgrades components

* chore: upgrade deps

chore: upgrade to latest component styles

chore: upgrades nextjs-scripts

* chore: fix-router

* update deps, add new downloads page

* chore: upgrade to stable deps

chore: use npm 7

* style: home callouts body copy to gray-2

* chore: upgrade hashi-stack-menu

* style: home feature icons update

* chore: upgrade deps body copy colors

* chore: upgrades alert banner

* feat: updates favicon

* style(downloads): adds pre-release and release candidate styles

* fix(home): adds right padding to quote

* content(home): swap assets

* content(uses-cases): updates assets

* chore: removes use cases icon override

* content(use-cases): swap out svgs for pngs

* content: copies asset

* trying again with this asset

* try putting asset in public

* content(use-cases): updates mercedes case study aseset

* chore: upgrades product download page prerelease

* chore: updates product download page to stable

* chore: updates favicon path

Co-authored-by: Jeff Escalante <jescalan@users.noreply.github.com>
2021-05-03 12:01:36 -07:00
hc-github-team-consul-core a37c1e8466 auto-updated agent/uiserver/bindata_assetfs.go from commit 211bc824a 2021-05-03 15:24:01 +00:00
Hector Simpson 211bc824a9
Update brand assets (#10081)
* Update header logo and inline icon

* Update full logos + layout on loading screen

* Update favicon assets and strategy
- Switches to serve an ico file alongside an SVG file
- Introduces an apple-touch-icon

* Removes unused favicon/meta assets

* Changelog item for ui

* Create component for logo

* Simplify logo component, set brand color

* Fix docs loading state CSS issue
2021-05-03 16:19:09 +01:00
Frederic Hemberger 9a5a0ba209 docs(discovery/service): Clarify multiple service definitions
Be more explicit that the definition of multiple services only works in config files,
not using the HTTP API.

Ref: https://discuss.hashicorp.com/t/register-multiple-services-via-put-request/
2021-04-30 16:46:02 -07:00
Daniel Nephin 00d3283e93
Merge pull request #10149 from hashicorp/dnephin/config-use-streaming-backend-defualt-true
config: default UseStreamingBackend to true
2021-04-30 16:29:11 -04:00
R.B. Boyer 0f8cdfaeff
dev: adding a make target to regenerate envoy golden files (#10158) 2021-04-30 11:27:12 -05:00
Daniel Nephin a07a58a873 config-entry: use custom MarshalJSON for mesh type
So that the Kind field is added to the JSON object.
2021-04-29 17:49:43 -04:00
Daniel Nephin 62efaaab21 config-entry: remove Kind and Name field from Mesh config entry
No config entry needs a Kind field. It is only used to determine the Go type to
target. As we introduce new config entries (like this one) we can remove the kind field
and have the GetKind method return the single supported value.

In this case (similar to proxy-defaults) the Name field is also unnecessary. We always
use the same value. So we can omit the name field entirely.
2021-04-29 17:11:21 -04:00
R.B. Boyer abc1dc0fe9
connect: update supported envoy versions to 1.18.2, 1.17.2, 1.16.3, and 1.15.4 (#10101)
The only thing that needed fixing up pertained to this section of the 1.18.x release notes:

> grpc_stats: the default value for stats_for_all_methods is switched from true to false, in order to avoid possible memory exhaustion due to an untrusted downstream sending a large number of unique method names. The previous default value was deprecated in version 1.14.0. This only changes the behavior when the value is not set. The previous behavior can be used by setting the value to true. This behavior change by be overridden by setting runtime feature envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default.

For now to maintain status-quo I'm explicitly setting `stats_for_all_methods=true` in all versions to avoid relying upon the default.

Additionally the naming of the emitted metrics for these gRPC requests changed slightly so the integration test assertions for `case-grpc` needed adjusting.
2021-04-29 15:22:03 -05:00
R.B. Boyer 85a718da63
xds: ensure that all envoyproxy/go-control-plane protobuf symbols are linked into the final binary (#10131)
This ensures that if someone does include some extension Consul does not currently make use of, that extension is actually usable. Without linking these envoy protobufs into the main binary it can't round trip the escape hatches to send them down to envoy.

Whenenver the go-control-plane library is upgraded next we just have to re-run 'make envoy-library'.
2021-04-29 14:58:26 -05:00
R.B. Boyer 71d45a3460
Support Incremental xDS mode (#9855)
This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged.

Union of all commit messages follows to give an overarching summary:

xds: exclusively support incremental xDS when using xDS v3

Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail.
Work around a strange older envoy behavior involving empty CDS responses over incremental xDS.
xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support

Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead.
Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client.
xds: pull out checkStreamACLs method in advance of a later commit

xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings

In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty.

This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10.

xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time
2021-04-29 13:54:05 -05:00
Tara Tufano e345ef6086
make h2ping changelog entry conform with changelog template (#10111)
LGTM!
2021-04-29 14:48:16 -04:00
Luigi Tagliamonte 5220699696
Improve doc: add note about address validation (#10123)
* Update website/content/docs/discovery/services.mdx with address field behavior.

Co-authored-by: Jono Sosulska <42216911+jsosulska@users.noreply.github.com>

Co-authored-by: Jono Sosulska <42216911+jsosulska@users.noreply.github.com>
2021-04-29 13:37:50 -04:00
Iryna Shustava 8dffb89131
Implement traffic redirection exclusion based on proxy config and user-provided values (#10134)
* Use proxy outbound port from TransparentProxyConfig if provided
* If -proxy-id is provided to the redirect-traffic command, exclude any listener ports
  from inbound traffic redirection. This includes envoy_prometheus_bind_addr,
  envoy_stats_bind_addr, and the ListenerPort from the Expose configuration.
* Allow users to provide additional inbound and outbound ports, outbound CIDRs
  and additional user IDs to be excluded from traffic redirection.
  This affects both the traffic-redirect command and the iptables SDK package.
2021-04-29 09:21:15 -07:00
Daniel Nephin 5a87b8aaab Add changelog 2021-04-29 12:08:03 -04:00
hc-github-team-consul-core cbabf82587 auto-updated agent/uiserver/bindata_assetfs.go from commit 5d89ba031 2021-04-29 09:46:32 +00:00
John Cowen 5d89ba0313
ui: Add a max height and scroll to the intention perm header lists (#10128) 2021-04-29 10:41:26 +01:00
Freddy 701b49f772
Rename cluster config files to mesh as well (#10148) 2021-04-28 18:15:26 -06:00
Daniel Nephin bb472111fd config: default UseStreamingBackend to true 2021-04-28 18:58:02 -04:00
Freddy 078c40425f
Rename "cluster" config entry to "mesh" (#10127)
This config entry is being renamed primarily because in k8s the name
cluster could be confusing given that the config entry applies across
federated datacenters.

Additionally, this config entry will only apply to Consul as a service
mesh, so the more generic "cluster" name is not needed.
2021-04-28 16:13:29 -06:00
Daniel Nephin e19aef45cb
Merge pull request #10146 from hashicorp/dnephin/connect-proxy-test-deadlock
connect/proxy: fix a few problems with tests
2021-04-28 17:53:43 -04:00
Daniel Nephin 9b344b3300
Merge pull request #10112 from hashicorp/dnephin/remove-streaming-from-cache
streaming: replace agent/cache with submatview.Store
2021-04-28 17:31:42 -04:00
Daniel Nephin d18a03b07f connect/proxy: fix a number of problems with Listener
We noticed that TestUpstreamListener would deadlock sometimes when run
with the race detector. While debugging this issue I found and fixed the
following problems.

1. the net.Listener was not being closed properly when Listener.Stop was
   called. This caused the Listener.Serve goroutine to run forever.
   Fixed by storing a reference to net.Listener and closing it properly
   when Listener.Stop is called.
2. call connWG.Add in the correct place. WaitGroup.Add must be called
   before starting a goroutine, not from inside the goroutine.
3. Set metrics config EnableRuntimeMetrics to `false` so that we don't
   start a background goroutine in each test for no reason. There is no
   way to shutdown this goroutine, and it was an added distraction while
   debugging these timeouts.
5. two tests were calling require.NoError from a goroutine.
   require.NoError calls t.FailNow, which MUST be called from the main
   test goroutine. Instead use t.Errorf, which can be called from other
   goroutines and will still fail the test.
6. `assertCurrentGaugeValue` wass breaking out of a for loop, which
   would cause the `RWMutex.RUnlock` to be missed. Fixed by calling
   unlock before `break`.

The core issue of a deadlock  was fixed by https://github.com/armon/go-metrics/pull/124.
2021-04-28 17:21:35 -04:00
Jamie Finnigan 8fc62cb87f
remove Codecov from CI runs (#10145) 2021-04-28 13:23:31 -07:00
Kenia f9a4b6d050
ui: Add TProxy Mode notice banner to service instance Upstreams tab (#10136) 2021-04-28 14:06:18 -04:00
Daniel Nephin 146e1d3878 connect/proxy: remove t.Parallel from tests
These tests run in under 10ms, t.Parallel provides no value and makes debuging failures
more difficult.
2021-04-28 13:46:53 -04:00
Daniel Nephin 3a27fce2ad submatview: fix godoc and comment typos
Co-authored-by: Paul Banks <banks@banksco.de>
2021-04-28 12:27:38 -04:00
Kenia 0c9555ec0e
ui: Update not-defined intention popover and banner (#10133) 2021-04-28 10:31:14 -04:00
Kenia 7caa47da56
ui: Update conditional for topology empty state (#10124) 2021-04-28 09:23:02 -04:00