78b170ad50
* Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager. The leaf cert logic in the controller: * Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too). * Gets the leaf cert from the leaf cert cache * Stores the leaf cert in the ProxyState that's pushed to xds * For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource. The wrapper allows mapping events to resources (as opposed to mapping resources to resources) The controller tests: Unit: Ensure that we resolve leaf cert references Lifecycle: Ensure that when the CA is updated, the leaf cert is as well Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id. * Pulls out some leaf cert test helpers into a helpers file so it can be used in the xds controller tests. * Wires up leaf cert manager dependency * Support getting token from proxytracker * Add workload identity spiffe id type to the authorize and sign functions --------- Co-authored-by: John Murret <john.murret@hashicorp.com> |
||
|---|---|---|
| .changelog | ||
| .github | ||
| .release | ||
| acl | ||
| agent | ||
| api | ||
| bench | ||
| build-support | ||
| command | ||
| connect | ||
| contributing | ||
| docs | ||
| envoyextensions | ||
| grafana | ||
| internal | ||
| ipaddr | ||
| lib | ||
| logging | ||
| proto | ||
| proto-public | ||
| sdk | ||
| sentinel | ||
| service_os | ||
| snapshot | ||
| test | ||
| test-integ | ||
| testing/deployer | ||
| testrpc | ||
| tlsutil | ||
| tools/internal-grpc-proxy | ||
| troubleshoot | ||
| types | ||
| ui | ||
| version | ||
| website | ||
| .copywrite.hcl | ||
| .dockerignore | ||
| .gitignore | ||
| .golangci.yml | ||
| CHANGELOG.md | ||
| Dockerfile | ||
| Dockerfile-windows | ||
| LICENSE | ||
| Makefile | ||
| NOTICE.md | ||
| README.md | ||
| buf.work.yaml | ||
| fixup_acl_move.sh | ||
| go.mod | ||
| go.sum | ||
| main.go | ||
README.md
Consul
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
- Website: https://www.consul.io
- Tutorials: HashiCorp Learn
- Forum: Discuss
Consul provides several key features:
-
Multi-Datacenter - Consul is built to be datacenter aware, and can support any number of regions without complex configuration.
-
Service Mesh - Consul Service Mesh enables secure service-to-service communication with automatic TLS encryption and identity-based authorization. Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections with Transparent Proxy.
-
Service Discovery - Consul makes it simple for services to register themselves and to discover other services via a DNS or HTTP interface. External services such as SaaS providers can be registered as well.
-
Health Checking - Health Checking enables Consul to quickly alert operators about any issues in a cluster. The integration with service discovery prevents routing traffic to unhealthy hosts and enables service level circuit breakers.
-
Dynamic App Configuration - An HTTP API that allows users to store indexed objects within Consul, for storing configuration parameters and application metadata.
Consul runs on Linux, macOS, FreeBSD, Solaris, and Windows and includes an optional browser based UI. A commercial version called Consul Enterprise is also available.
Please note: We take Consul's security and our users' trust very seriously. If you believe you have found a security issue in Consul, please responsibly disclose by contacting us at security@hashicorp.com.
Quick Start
A few quick start guides are available on the Consul website:
- Standalone binary install: https://learn.hashicorp.com/collections/consul/get-started-vms
- Minikube install: https://learn.hashicorp.com/tutorials/consul/kubernetes-minikube
- Kind install: https://learn.hashicorp.com/tutorials/consul/kubernetes-kind
- Kubernetes install: https://learn.hashicorp.com/tutorials/consul/kubernetes-deployment-guide
- Deploy HCP Consul: https://learn.hashicorp.com/tutorials/consul/hcp-gs-deploy
Documentation
Full, comprehensive documentation is available on the Consul website: https://consul.io/docs
Contributing
Thank you for your interest in contributing! Please refer to CONTRIBUTING.md for guidance. For contributions specifically to the browser based UI, please refer to the UI's README.md for guidance.