Commit Graph

51 Commits

Author SHA1 Message Date
Michael Zalimeni 86b0818c1f
[NET-8601] security: upgrade vault/api to remove go-jose.v2 (#20910)
security: upgrade vault/api to remove go-jose.v2

This dependency has an open vulnerability (GO-2024-2631), and is no
longer needed by the latest `vault/api`. This is a follow-up to the
upgrade of `go-jose/v3` in this repository to make all our dependencies
consolidate on v3.

Also remove the recently added security scan triage block for
GO-2024-2631, which was added due to incorrect reports that
`go-jose/v3@3.0.3` was impacted; in reality, is was this indirect
client dependency (not impacted by CVE) that the scanner was flagging. A
bug report has been filed to address the incorrect reporting.
2024-05-04 00:18:51 +00:00
R.B. Boyer 8bea6cd82a
deployer: ensure the proxy/dns/pause containers do not continually get replaced due to a change in a docker default (#21043) 2024-05-03 15:21:43 -05:00
Deniz Onur Duzgun 3152ac3702
security: bump go, x/net and envoy versions (#20956)
* Bump go version

* Bump x/net

* Bump envoy version

* Add changelog

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2024-04-08 19:18:40 +00:00
Michael Zalimeni d4761c0ccd
security: upgrade google.golang.org/protobuf to 1.33.0 (#20801)
Resolves CVE-2024-24786.
2024-03-06 23:04:42 +00:00
mallikabandaru 1522678da8
replicated the changes made in ent repo for consistency (#20781)
* replicated the changes made in ent repo for consistency

* incorporated review comments
2024-03-06 09:29:54 +00:00
R.B. Boyer 235747d473
deployer: add a bunch of test coverage and fix a few panics (#20694)
This adds a bunch of coverage of the topology.Compile method. It is not complete, but it is a start.

- A few panics and miscellany were fixed.
- The testing/deployer tests are now also run in CI.
2024-02-22 13:31:50 -06:00
Eric Haberkorn b26282568f
Move sameness groups to v2beta1 version (#20531) 2024-02-08 11:05:06 -05:00
Nathan Coleman 2456fe5148
[NET-7657] Remove proto definitions for GatewayClass + GatewayClassConfig (#20523) 2024-02-07 16:53:39 -05:00
Eric Haberkorn d0243b618d
Change the multicluster group to v2 (#20430) 2024-02-01 12:08:26 -05:00
Sooraj Sreekumar eb6a59dd11
NET-6653 Enabling container logs when initConsulServers fails and ret… (#20396)
NET-6653 Enabling container logs when initConsulServers fails and return an error (container logs during launch() failure)
On branch NET-6653
	modified:   testing/deployer/sprawl/boot.go
2024-01-30 22:07:42 +05:30
Matt Keeler 34a32d4ce5
Remove V2 PeerName field from pbresource.Tenancy (#19865)
The peer name will eventually show up elsewhere in the resource. For now though this rips it out of where we don’t want it to be.
2024-01-29 15:08:31 -05:00
Nitya Dhanushkodi 92aab7ea31
[NET-5586][rebased] v2: Support virtual port references in config (#20371)
[OG Author: michael.zalimeni@hashicorp.com, rebase needed a separate PR]

* v2: support virtual port in Service port references

In addition to Service target port references, allow users to specify a
port by stringified virtual port value. This is useful in environments
such as Kubernetes where typical configuration is written in terms of
Service virtual ports rather than workload (pod) target port names.

Retaining the option of referencing target ports by name supports VMs,
Nomad, and other use cases where virtual ports are not used by default.

To support both uses cases at once, we will strictly interpret port
references based on whether the value is numeric. See updated
`ServicePort` docs for more details.

* v2: update service ref docs for virtual port support

Update proto and generated .go files with docs reflecting virtual port
reference support.

* v2: add virtual port references to L7 topo test

Add coverage for mixed virtual and target port references to existing
test.

* update failover policy controller tests to work with computed failover policy and assert error conditions against FailoverPolicy and ComputedFailoverPolicy resources

* accumulate services; don't overwrite them in enterprise

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2024-01-29 10:43:41 -08:00
Derek Menteer ba5cac434a
Use mirrored image for CICD tests. (#20378) 2024-01-29 10:22:34 -06:00
Derek Menteer e586a4490d
Fix CICD docker image rate limits. (#20304)
The docker image used in CICD was referencing `registry.k8s.io/pause:3.3`,
which appears to no longer function correctly. This commit swaps over to a
Hashicorp mirrored image that shouldn't have rate limits or disappearing
images.
2024-01-26 14:38:02 -06:00
cskh 528147e5ad
upgrade test: run validation func at every node during upgrade (#20293)
* upgrade test: run validation func at every node during upgrade

* add 3 servers in each cluster
2024-01-22 18:35:06 -05:00
cskh 539659508a
upgrade test: call validation func during upgrade (#20258) 2024-01-18 17:04:06 -05:00
cskh 748458a07b
upgrade test (LTS): utility functions to support ent users (#20186)
* upgrade test (LTS): utility functions to support ent users

* go mod tidy

* add comment
2024-01-12 18:35:44 -05:00
Matt Keeler 326c0ecfbe
In-Memory gRPC (#19942)
* Implement In-Process gRPC for use by controller caching/indexing

This replaces the pipe base listener implementation we were previously using. The new style CAN avoid cloning resources which our controller caching/indexing is taking advantage of to not duplicate resource objects in memory.

To maintain safety for controllers and for them to be able to modify data they get back from the cache and the resource service, the client they are presented in their runtime will be wrapped with an autogenerated client which clones request and response messages as they pass through the client.

Another sizable change in this PR is to consolidate how server specific gRPC services get registered and managed. Before this was in a bunch of different methods and it was difficult to track down how gRPC services were registered. Now its all in one place.

* Fix race in tests

* Ensure the resource service is registered to the multiplexed handler for forwarding from client agents

* Expose peer streaming on the internal handler
2024-01-12 11:54:07 -05:00
cskh 8e2d4e3aaf
upgrade test(LTS): import remaining agent config from usage profile (#19999)
* upgrade test(LTS): import remaining agent config from usage profile
2024-01-03 12:52:49 -05:00
Michael Zalimeni fe10339caa
[NET-7009] security: update x/crypto to 0.17.0 (#20023)
security: update x/crypto to 0.17.0

This addresses CVE-2023-48795 (x/crypto/ssh).
2023-12-21 20:11:19 +00:00
cskh 33a90edfab
Upgrade test(LTS): use network area to federate cluster (#19934)
- Join areas
- wait for members alive and validate cross area service discovery
2023-12-13 20:15:55 -05:00
cskh 0ca070b301
upgrade test(LTS): add segments to version 1.10 (#19861) 2023-12-08 12:22:16 -05:00
cskh 04d4412afd
NET-6643: upgrade test from 1.10 to 1.15 (lts) of a single cluster (#19847)
* NET-6643: upgrade test from 1.10 to 1.15 (lts) of a single cluster

* license header
2023-12-06 19:45:37 +00:00
aahel 7936e55807
added node health resource (#19803) 2023-12-02 11:14:03 +05:30
Semir Patel 2d1f308138
resource: add v2tenancy feature flag to deployer tests (#19774) 2023-11-30 11:41:30 -06:00
sarahalsmiller fd1d97c334
Add Kubebuilder tags to Gatewayclassconfig proto messages (#19725)
* add build tags/import k8s specific proto packages

* fix generated import paths

* fix gomod linting issue

* mod tidy every go mod file

* revert protobuff version, take care of in different pr

* cleaned up new lines

* added newline to end of file
2023-11-28 14:46:11 -06:00
cskh 04a3a3e8d0
Integ test (test/deployer): upgrade test with service mesh (#19658)
* Integ test (test/deployer): upgrade test with service mesh

* license
2023-11-15 19:32:37 -05:00
R.B. Boyer da8700f216
test: fix some multiport deployer bugs and remove a container test already handled by deployer tests (#19614) 2023-11-15 10:26:26 -06:00
R.B. Boyer b2979f6edf
testing/deployer: rename various terms to better align with v2 and avoid confusion (#19600)
Conceptually renaming the following topology terms to avoid confusion with v2 and to better align with it:

- ServiceID -> ID
- Service -> Workload
- Upstream -> Destination
2023-11-10 13:22:06 -06:00
R.B. Boyer a7f3069a94
test: add a v2 container integration test of xRoute splits (#19570)
This adds a deployer-based integration test verifying that a 90/10 traffic
split works for: HTTPRoute, GRPCRoute, and TCPRoute.
2023-11-08 17:20:00 -06:00
cskh 8d6545ec43
test/deployer: add the method of deregistering services (#19525) 2023-11-07 17:29:13 -05:00
R.B. Boyer d203c0abe3
test: update deployer default images (#19554) 2023-11-07 13:15:40 -06:00
R.B. Boyer a66cb58e71
test: fix some of the peering topology tests to safely run without tenancy in CE (#19540) 2023-11-07 10:11:42 -06:00
R.B. Boyer 6f4e037621
testing: disable v2 linkage to nodes in integration tests (#19509) 2023-11-03 21:00:48 +00:00
R.B. Boyer 65592d91a8
chore: apply enterprise changes that were missed to some testing files (#19504)
This should align between CE ef35525 and ENT 7f95226dbe40151c8f17dd4464784b60cf358dc1 in:

- testing/integration/consul-container
- test-integ
- testing/deployer
2023-11-03 11:43:43 -05:00
Dan Stough fd128f4947
build: dependency updates for 1.17.0 (#19453) 2023-11-03 12:29:59 -04:00
R.B. Boyer 4b85aa5a97
testing/deployer: support tproxy in v2 for dataplane (#19094)
This updates the testing/deployer (aka "topology test") framework to allow for a 
v2-oriented topology to opt services into enabling TransparentProxy. The restrictions 
are similar to that of #19046

The multiport Ports map that was added in #19046 was changed to allow for the 
protocol to be specified at this time, but for now the only supported protocol is TCP 
as only L4 functions currently on main.

As part of making transparent proxy work, the DNS server needed a new zonefile 
for responding to virtual.consul requests, since there is no Kubernetes DNS and 
the Consul DNS work for v2 has not happened yet. Once Consul DNS supports v2 we should switch over. For now the format of queries is:

<service>--<namespace>--<partition>.virtual.consul

Additionally:

- All transparent proxy enabled services are assigned a virtual ip in the 10.244.0/24
  range. This is something Consul will do in v2 at a later date, likely during 1.18.
- All services with exposed ports (non-mesh) are assigned a virtual port number for use
  with tproxy
- The consul-dataplane image has been made un-distroless, and gotten the necessary
  tools to execute consul connect redirect-traffic before running dataplane, thus simulating
  a kubernetes init container in plain docker.
2023-11-02 16:13:16 -05:00
R.B. Boyer a72f868218
testing/deployer: update deployer to use v2 catalog constructs when requested (#19046)
This updates the testing/deployer (aka "topology test") framework to conditionally 
configure and launch catalog constructs using v2 resources. This is controlled via a 
Version field on the Node construct in a topology.Config. This only functions for a 
dataplane type and has other restrictions that match the rest of v2 (no peering, no 
wanfed, no mesh gateways).

Like config entries, you can statically provide a set of initial resources to be synced 
when bringing up the cluster (beyond those that are generated for you such as 
workloads, services, etc).

If you want to author a test that can be freely converted between v1 and v2 then that 
is possible. If you switch to the multi-port definition on a topology.Service (aka 
"workload/instance") then that makes v1 ineligible.

This also adds a starter set of "on every PR" integration tests for single and multiport 
under test-integ/catalogv2
2023-11-02 14:25:48 -05:00
cskh 4b26ed8eba
integ test: snapshot mesh frozen bug test (#19435)
* integ test: snapshot mesh frozen bug test
2023-10-30 18:20:23 -04:00
cskh 3b806d41c0
test deployer: fix a bug when deploying cluster with various ent images (#19381) 2023-10-26 13:12:20 -04:00
Michael Zalimeni 8eb074e7c1
[NET-5944] security: Update Go version to 1.20.10 and `x/net` to 0.17.0 (#19225)
* Bump golang.org/x/net to 0.17.0

This resolves [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).

* Update Go version to 1.20.10

This resolves [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
/ [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
(`net/http`).
2023-10-16 17:49:04 -04:00
R.B. Boyer df930a59ac
chore: fix ce/ent drift in sdk and testing/deployer submodules (#19041) 2023-10-03 10:06:50 -05:00
John Landa 9eaa8eb026
dns token (#17936)
* dns token

fix whitespace for docs and comments

fix test cases

fix test cases

remove tabs in help text

Add changelog

Peering dns test

Peering dns test

Partial implementation of Peered DNS test

Swap to new topology lib

expose dns port for integration tests on client

remove partial test implementation

remove extra port exposure

remove changelog from the ent pr

Add dns token to set-agent-token switch

Add enterprise golden file

Use builtin/dns template in tests

Update ent dns policy

Update ent dns template test

remove local gen certs

fix templated policy specs

* add changelog

* go mod tidy
2023-09-20 15:50:06 -06:00
Nick Irvine 3569d702d5
ENT port: test-integ/peering: peer through mesh gateway [NET-4609] (#18605)
Co-authored-by: Matt Keeler <mjkeeler7@gmail.com>
2023-09-08 12:04:56 -04:00
Nick Irvine 373c7dc144
switch all client nodes in dc2 to dataplane [NET-4299] (#18608) 2023-09-06 23:46:34 +00:00
Semir Patel 53e28a4963
OSS -> CE (community edition) changes (#18517) 2023-08-22 09:46:03 -05:00
hashicorp-copywrite[bot] 5fb9df1640
[COMPLIANCE] License changes (#18443)
* Adding explicit MPL license for sub-package

This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.

* Adding explicit MPL license for sub-package

This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.

* Updating the license from MPL to Business Source License

Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl.

* add missing license headers

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

* Update copyright file headers to BUSL-1.1

---------

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-08-11 09:12:13 -04:00
Dan Stough 948ce8bc23
build: updates for 1.16.1 release (#18415)
* build: updates for 1.16.1 release

* build: fix missing replace directive for envoyextensions

* build: go mod tidy testing/deployer
2023-08-09 17:12:34 -04:00
Michael Zalimeni 905e371607
[NET-5146] security: Update Go version to 1.20.7 and `x/net` to 0.13.0 (#18358)
* Update Go version to 1.20.7

This resolves [CVE-2023-29409]
(https://nvd.nist.gov/vuln/detail/CVE-2023-29409)(`crypto/tls`).

* Bump golang.org/x/net to 0.13.0

Addresses [CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978)
for security scans (non-impacting).
2023-08-02 13:10:29 -04:00
Michael Zalimeni 72999bb735
Update submodules to latest following 1.16.0 (#18197)
Align all our internal use of submodules on the latest versions.
2023-07-19 18:57:34 -04:00