Commit Graph

20751 Commits

Author SHA1 Message Date
Anita Akaeze 27f649c4ba
remove branch name causing conflicts (#19319) 2023-10-20 19:50:56 +00:00
Dhia Ayachi d5c9f11b59
Tenancy Bridge v2 (#19220)
* tenancy bridge v2 for v2 resources

* add missing copywrite headers
2023-10-20 14:49:54 -04:00
Anita Akaeze b962d91056
skip envoy version check in ci (#19315) 2023-10-20 18:09:31 +00:00
aahel 1280f45485
added ent to ce downgrade changes (#19311)
* added ent to ce downgrade changes

* added changelog

* added busl headers
2023-10-20 22:34:25 +05:30
Chris Thain b1871fd08c
Backout Envoy 1.28.0 (#19306) 2023-10-20 17:03:54 +00:00
Chris S. Kim 9d00b13140
Vault CA bugfixes (#19285)
* Re-add retry logic to Vault token renewal

* Fix goroutine leak

* Add test for detecting goroutine leak

* Add changelog

* Rename tests

* Add comment
2023-10-20 15:03:27 +00:00
Anita Akaeze 6ffcf28df0
enable verify envoy script (#19303) 2023-10-19 16:47:57 -07:00
Nitya Dhanushkodi def66ddf0e
mesh: provide missing domain to route configurations in ProxyStateTemplate (#19298)
* add empty domains

* update unit tests
2023-10-19 17:14:16 -04:00
Chris Thain 681aef31e9
Update supported Envoy versions (#19276) 2023-10-19 21:08:20 +00:00
Anita Akaeze ef27bc2fd6
NET-6239: Temporarily disable verify envoy check (#19299)
* skip verify envoy version

* cleanup
2023-10-19 13:24:17 -07:00
Iryna Shustava dfea3a0efe
acls,catalog,mesh: properly authorize workload selectors on writes (#19260)
To properly enforce writes on resources that have workload selectors with prefixes, we need another service authorization rule that allows us to check whether read is allowed within a given prefix. Specifically we need to only allow writes if the policy prefix allows for a wider set of names than the prefix selector on the resource. We should also not allow policies with exact names for prefix matches.

Part of [NET-3993]
2023-10-19 11:09:41 -06:00
trujillo-adam e5a49bf56f
reformatted the JSON schema server conf ref (#19288) 2023-10-19 08:24:17 -07:00
Poonam Jadhav 2bd38d8806
fix: allow snake case keys for ip based rate limit config entry (#19277)
* fix: allow snake case keys for ip based rate limit config entry

* chore: add changelog
2023-10-19 10:54:00 -04:00
Michael Zalimeni 5e517c5980
[NET-6221] Ensure LB policy set for locality-aware routing (CE) (#19283)
Ensure LB policy set for locality-aware routing (CE)

`overprovisioningFactor` should be overridden with the expected value
(100,000) when there are multiple endpoint groups. Update code and
tests to enforce this.

This is an Enterprise feature. This commit represents the CE portions of
the change; tests are added in the corresponding `consul-enterprise`
change.
2023-10-19 10:13:27 -04:00
cskh d52ee6a222
fix nightly integration test: envoy version and n-2 version (#19286) 2023-10-18 21:18:57 +00:00
Dan Stough a94c013c8d
build(docker): always publish full and minor version tags for dev images (#19278) 2023-10-18 19:39:52 +00:00
Eric Haberkorn f45be222bb
Prevent circular dependencies between v2 resources and generate a mermaid diagram with their dependencies (#19230) 2023-10-18 10:55:32 -04:00
David Yu 16f0a24ff5
docs: Fix multi-port install (#19262)
* Update configure.mdx

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2023-10-17 16:59:31 -07:00
Jeff Boruszak c4d6d4d307
docs: Multiport HCP constraint update (#19261)
* Add sentence

* link text adjustment
2023-10-17 16:35:17 -07:00
Nitya Dhanushkodi 51b58cd910
fix expose paths (#19257)
When testing adding http probes to apps, I ran into some issues which I fixed here:
- The listener should be listening on the exposed listener port, updated that.
- The listener and route names were pointing to the path of the exposed path. In my test, the path was "/" resulting in an empty string path. Also, the path may not be unique across exposed path listeners, so I decided to use the path+exposed port as the unique identifier.
2023-10-17 14:47:21 -07:00
Dan Stough 9b719e6dec
test: add 1.17 nightly integrations test (#19253) 2023-10-17 16:45:40 -04:00
Blake Covarrubias 9976e08505
docs: Fix example control-plane-request-limit HCL and JSON (#19105)
The control-plane-request-limit config entry does not support
specifying parameter names in snake case format.

This commit updates the HCL and JSON examples to use the supported
camel case key format.
2023-10-17 19:50:12 +00:00
Sophie Gairo 61bd08c8b9
Net 4893- Ensure we're testing all the latest versions of Vault/Nomad (#19119)
* NET-5592 - update Nomad integration testing

* NET-4893: Ensure we're testing all the latest versions of Vault/Nomad
2023-10-17 12:55:16 -05:00
John Maguire b78465b491
[NET-5810] CE changes for multiple virtual hosts (#19246)
CE changes for multiple virtual hosts
2023-10-17 15:08:04 +00:00
Chris Hut a6c990c6fe
Cc 5545: Upgrade HDS packages and modifiers (#19226)
* Upgrade @hashicorp/design-system-tokens to 1.9.0

* Upgrade @hashicorp/design-system-components to 1.8.1

* Upgrade @hashicorp/design-system-components and ember-in-viewport

* Explicitly install ember-modifier@4.1.0

* rename copy-button

* Fix how cleanup is done in with-copyable

* Update aria-menu modifier for new structure

* Update css-prop modifier to new structure

* Convert did-upsert to regular class modifier

* Update notification modifier for new structure

* Update on-oustside modifier for new structure

* Move destroy handler registration in with-copyable

* Update style modifier for new structure

* Update validate modifier for new structure

* Guard against setting on destroyed object

* Upgrade @hashicorp/design-system-components to 2.14.1

* Remove debugger

* Guard against null in aria-menu

* Fix undefined hash in validate addon

* Upgrade ember-on-resize-modifier

* Fix copy button import, missing import and array destructuring

---------

Co-authored-by: wenincode <tyler.wendlandt@hashicorp.com>
2023-10-17 07:27:42 -06:00
John Murret 9f4f99c626
NET-6097 - sidecar proxy controller - give name to first failover policy target (#19239) 2023-10-17 01:45:54 +00:00
Michael Zalimeni 8eb074e7c1
[NET-5944] security: Update Go version to 1.20.10 and `x/net` to 0.17.0 (#19225)
* Bump golang.org/x/net to 0.17.0

This resolves [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).

* Update Go version to 1.20.10

This resolves [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
(`net/http`).
2023-10-16 17:49:04 -04:00
Semir Patel 4c5a46e5e1
v2tenancy: rename v1alpha1 -> v2beta1 (#19227) 2023-10-16 21:43:47 +00:00
David Yu b81c8627db
Add reason why port 53 is not used by default (#19222)
* Update dns-configuration.mdx

* Update website/content/docs/services/discovery/dns-configuration.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2023-10-16 14:21:58 -07:00
Jeff Boruszak dcd593004e
docs: Multi-port corrections (#19224)
* typo fixes and instruction corrections

* typo

* link path correction
2023-10-16 13:52:30 -07:00
R.B. Boyer 6741392a4f
catalog: add FailoverPolicy ACL hook tenancy test (#19179) 2023-10-16 14:05:39 -05:00
R.B. Boyer df8ea430c6
mesh: add DestinationPolicy ACL hook tenancy tests (#19178)
Enhance the DestinationPolicy ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.
2023-10-16 13:44:24 -05:00
Semir Patel ad177698f7
resource: enforce lowercase v2 resource names (#19218) 2023-10-16 12:55:30 -05:00
R.B. Boyer 6c7d0759e4
mesh: add xRoute ACL hook tenancy tests (#19177)
Enhance the xRoute ACL hook tests to cover tenanted situations.
These tests will only execute in enterprise.
2023-10-16 12:18:56 -05:00
modrake 3716b69792
Relplat 897 copywrite bot workarounds (#19200)
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
2023-10-16 08:53:31 -07:00
John Murret a7fbd00865
NET-5073 - ProxyConfiguration: implement various connection options (#19187)
* NET-5073 - ProxyConfiguration: implement various connection options

* PR feedback - LocalConnection and InboundConnection do not affect exposed routes. configure L7 route destinations. fix connection proto sequence numbers.

* add timeout to L7 Route Destinations
2023-10-14 13:54:08 +00:00
Iryna Shustava 105ebfdd00
catalog, mesh: implement missing ACL hooks (#19143)
This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions.

It refactors a lot of the common testing functions so that they can be re-used between resources.

There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing.
2023-10-13 23:16:26 +00:00
Iryna Shustava 2ea33e9b86
mesh: add more validations to Destinations resource (#19202) 2023-10-13 16:52:20 -06:00
Iryna Shustava e94d6ceca6
mesh: add validation hook to proxy configuration (#19186) 2023-10-13 15:21:39 -06:00
Michael Zalimeni 9b0f4b7fc5
chore: update version and nightly CI for 1.17 (#19208)
Update version file to 1.18-dev, and replace 1.13 nightly test with
1.17.
2023-10-13 21:12:36 +00:00
Ashwin Venkatesh 3d1a606c3b
Clone proto into deepcopy correctly (#19204) 2023-10-13 16:41:22 -04:00
R.B. Boyer 20d1fb8c78
server: run the api checks against the path without params (#19205) 2023-10-13 15:32:06 -05:00
R.B. Boyer 99f7a1219e
catalog: add metadata filtering to refine workload selectors (#19198)
This implements the Filter field on pbcatalog.WorkloadSelector to be
a post-fetch in-memory filter using the https://github.com/hashicorp/go-bexpr
expression language to filter resources based on their envelope metadata fields.

All existing usages of WorkloadSelector should be able to make use of the filter.
2023-10-13 13:37:42 -05:00
R.B. Boyer f0e4897736
mesh: ensure that xRoutes have ParentRefs that have matching Tenancy to the enclosing resource (#19176)
We don't want an xRoute controlling traffic for a Service in another tenancy.
2023-10-13 11:31:56 -05:00
Dhia Ayachi 5fbf0c00d3
Add namespace read write tests (#19173) 2023-10-13 12:03:06 -04:00
Thomas Eckert 76c60fdfac
Golden File Tests for TermGW w/ Cluster Peering (#19096)
Add intention to create golden file for terminating gateway peered trust bundle
2023-10-13 11:56:58 -04:00
Ashwin Venkatesh c2a0d4f9ca
Create DeepCopy() and Json Marshal/Unmarshal for proto-public (#19015)
* Override Marshal/UnmarshalJSON for proto-public types
* Generate Deepcopy() for proto-public types for Kubernetes CRDs.
2023-10-13 14:55:58 +00:00
Poonam Jadhav a50a9e984a
Net-5771/apply command stdin input (#19084)
* feat: apply command now accepts input from stdin

* feat: accept first positional non-flag file path arg

* fix: detect hcl format
2023-10-13 09:24:16 -04:00
Nitya Dhanushkodi 95d9b2c7e4
[NET-4931] xdsv2, sidecarproxycontroller, l4 trafficpermissions: support L7 (#19185)
* xdsv2: support l7 by adding xfcc policy/headers, tweaking routes, and make a bunch of listeners l7 tests pass

* sidecarproxycontroller: add l7 local app support 

* trafficpermissions: make l4 traffic permissions work on l7 workloads

* rename route name field for consistency with l4 cluster name field

* resolve conflicts and rebase

* fix: ensure route name is used in l7 destination route name as well. previously it was only in the route names themselves, now the route name and l7 destination route name line up
2023-10-12 23:45:45 +00:00
Iryna Shustava e3cb4ec35e
mesh: properly handle missing workload protocols (#19172)
Sometimes workloads could come with unspecified protocols such as when running on Kubernetes. Currently, if this is the case, we will just default to tcp protocol.

However, to make sidecar-proxy controller work with l7 protocols we should instead inherit the protocol from service. This change adds tracking for services that a workload is part of and attempts to inherit the protocol whenever services a workload is part of doesn't have conflicting protocols.
2023-10-12 15:41:03 -06:00