This refactors and relocates the following packages to live under internal/gossip instead of either in the toplevel lib or agent/consul:
- librtt : related to serf coordinates
- libserf : random serf stuff
security: upgrade vault/api to remove go-jose.v2
This dependency has an open vulnerability (GO-2024-2631), and is no
longer needed by the latest `vault/api`. This is a follow-up to the
upgrade of `go-jose/v3` in this repository to make all our dependencies
consolidate on v3.
Also remove the recently added security scan triage block for
GO-2024-2631, which was added due to incorrect reports that
`go-jose/v3@3.0.3` was impacted; in reality, is was this indirect
client dependency (not impacted by CVE) that the scanner was flagging. A
bug report has been filed to address the incorrect reporting.
* DNS cache page
* Add page to nav
* Replace old link text
* Page edits
* fix content check error
* formatting fixes
* Heading adjustment
* nav
* It was an H1 error all along
* Initial rebrand for HCP Terraform
* Apply suggestions from code review
Co-authored-by: Rose M Koron <32436232+rkoron007@users.noreply.github.com>
* path fix and redirect
* reintroduce nav from #20873 and #20994
---------
Co-authored-by: Rose M Koron <32436232+rkoron007@users.noreply.github.com>
Co-authored-by: Krastin Krastev <krastin@hashicorp.com>
As of Docker Engine 26.0.0 (https://github.com/moby/moby/pull/47062),
IPv6 is enabled by default where supported. This causes issues for our
tests attempting to resolve requests to other containers over
localhost, since on Linux IPv6 will be preferred over IPv4 when
available when applying the default behavior defined in RFC3484.
As a workaround, force IPv4 with a flag passed to `docker run`.
* Define file-system-certificate config entry
* Collect file-system-certificate(s) referenced by api-gateway onto snapshot
* Add file-system-certificate to config entry kind allow lists
* Remove inapplicable validation
This validation makes sense for inline certificates since Consul server is holding the certificate; however, for file system certificates, Consul server never actually sees the certificate.
* Support file-system-certificate as source for listener TLS certificate
* Add more required mappings for the new config entry type
* Construct proper TLS context based on certificate kind
* Add support or SDS in xdscommon
* Remove unused param
* Adds back verification of certs for inline-certificates
* Undo tangential changes to TLS config consumption
* Remove stray curly braces
* Undo some more tangential changes
* Improve function name for generating API gateway secrets
* Add changelog entry
* Update .changelog/20873.txt
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
* Add some nil-checking, remove outdated TODO
* Update test assertions to include file-system-certificate
* Add documentation for file-system-certificate config entry
Add new doc to nav
* Fix grammar mistake
* Rename watchmaps, remove outdated TODO
---------
Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
This operation would previously fail due to unconsumed bytes in the
decoder buffer when reading the Ent snapshot (the first byte of the
record would be misinterpreted as a type indicator, and the remaining
bytes would fail to be deserialized or read as invalid data).
Ensure restore succeeds by decoding the ignored record as an
interface{}, which will consume the record bytes without requiring a
concrete target struct, then moving on to the next record.
* update go-control-plane envoy dependency to 0.12.0
* add changelog
* go mod tidy
* fix linting issues
* add agent/grpc-internal to the list of SA1019 ignores
* Include SNI + root PEMs from peered cluster on terminating gw filter chain
This allows an external service registered on a terminating gateway to be exported to and reachable from a peered cluster
* Abstract existing logic into re-usable function
* Regenerate golden files w/ new listener logic
* Add changelog entry
* Use peering bundles that are stable across test runs
Update python SDKs
The original python-consul is unmaintained with no activity for 6 years.
The python-consul2 fork has had no activity for 3 years, whether it's commits or responding to PRs and issues.
* put conditionals are hcp initialization for consul server
* put more things behind configuration flags
* add changelog
* TestServer_hcpManager
* fix TestAgent_scadaProvider
* Adds docs to upgrade-specific page to include the removal of the deprecated API Gateway stanza for 1.19
* Apply suggestions from code review
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
* Remove legacy api-gateway from helm docs
* change .Values.apiGateway to .apiGateway
---------
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
Currently, when a client starts a blocking query and an ACL token expires within
that time, Consul will return ACL not found error with a 403 status code. However,
sometimes if an ACL token is invalidated at the same time as the query's deadline is reached,
Consul will instead return an empty response with a 200 status code.
This is because of the events being executed.
1. Client issues a blocking query request with timeout `t`.
2. ACL is deleted.
3. Server detects a change in ACLs and force closes the gRPC stream.
4. Client resubscribes with the same token and resets its state (view).
5. Client sees "ACL not found" error.
If ACL is deleted before step 4, the client is unaware that the stream was closed due to
an ACL error and will return an empty view (from the reset state) with the 200 status code.
To fix this problem, we introduce another state to the subsciption to indicate when a change
to ACLs has occured. If the server sees that there was an error due to ACL change, it will
re-authenticate the request and return an error if the token is no longer valid.
Fixes#20790
* Fix streaming RPCs for agentless.
This PR fixes an issue where cross-dc RPCs were unable to utilize
the streaming backend due to having the node name set. The result
of this was the agent-cache being utilized, which would cause high
cpu utilization and memory consumption due to the fact that it
keeps queries alive for 72 hours before purging inactive entries.
This resource consumption is compounded by the fact that each pod
in consul-k8s gets a unique token. Since the agent-cache uses the
token as a component of the key, the same query is duplicated for
each pod that is deployed.
* Add changelog.
R.B. Boyer
Nathan Coleman
Michael Zalimeni
wangxinyi7
Deniz Onur Duzgun
Dan Stough
natemollica-dev
Jeff Boruszak
Ranjandas
sarahalsmiller
Di Sheng
Eric Haberkorn
John Murret
Freddy
Jared Kirschner
Manu Nicolas
George Ma
David Yu
Melisa Griffin
Iryna Shustava
Chris S. Kim
Derek Menteer