-
Notifications
You must be signed in to change notification settings - Fork 317
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Backport of NET-4806: Fix ACL tokens for pods don't have pod name set into release/1.0.x #2818
Conversation
…roller Add SNI skip for client node configuration
…`null` to increase service registration times (#2008) * Update values.yaml
Clients are not required for ingress/terminating gateways.
Website has linting that errors when links have the developer.hashicorp.com prefix.
…shicorp/consul-k8s into bug/gateway-controller-incomplete-acl
[COMPLIANCE] add copyright headers to files
…lete-acl Update ACLs, add namespace.write permission
* Implement validation of TLS options * Use constants for annotation keys * Add changelog entry * Implement TLS options translation * Update changelog entry * Add unit test coverage for TLS option validation * Code review feedback
* JWT auth basic acceptance test * Update to run only in enterprise mode, update comment to be correct * Remove usage of `testing.t` in retry block * Fixed last `t` in retry block in tests * Update acceptance/tests/api-gateway/api_gateway_test.go Co-authored-by: Nathan Coleman <[email protected]> * Update acceptance/tests/api-gateway/api_gateway_test.go Co-authored-by: Nathan Coleman <[email protected]> * Updating filenames for gw jwt cases and adding message about why this test is skipped --------- Co-authored-by: Nathan Coleman <[email protected]>
Apply K8s node locality to services and sidecars Locality-aware routing is based on proxy locality rather than the proxied service. Ensure we propagate locality to both when registering services.
* Set privileged to false unless on OpenShift without CNI
* added fixtures * removed fixtures - intentions only gets added now if acls are enabled - payment-service-resolver is only for locality aware which isn't in scope for this PR * updated sameness tests to include peering - refactored with some helper functions for members (now TestClusters) - made names more uniform, tend more towards the cluster-01-a/cluster-02-a/etc. nomenclature * added 4 clusters to cni make target * disable proxy lifecycle
* add additional tproxy static-client - this doesn't specify an upstream so that tproxy will be able to handle routing * add tproxy coverage - add control-flow to handle using the virtual host name when tproxy is enabled
Add `PrioritizeByLocality` to `ProxyDefaults` CRD In addition to service resolver, add this field to the CRD for proxy defaults for parity with Consul config options.
* squash, add support for retry loops and timeouts to api-gateway NET-4889, NET-4890 * Update .changelog/2735.txt Co-authored-by: Andrew Stucki <[email protected]> * clean up extra files * delete custom struct, just use client.Object * delete * revert kustomization * lint cleanups * fix merge reversion, last bit of cleanup --------- Co-authored-by: Andrew Stucki <[email protected]>
…2786) * Fix Kustomization for cases * Fix patches in config * Update `Contributing`
Test locality propagation to services from k8s Verify that we propagate locality (region and zone) from standard k8s annotations to services registered by consul-k8s. This will later be expanded to exercise multi-cluster locality-based failover.
point mod to main to fix build errors
This commit fixes an issue where the peering tests would flake due to the fact that we were concurrently modifying a global map. It also adds in retry logic so that the consul servers have sufficient time to initialize before attempting to generate peering tokens.
Prior to this commit, tokens descriptions would have a missing pod name and would have the form: {pod: "default/"} This poses issues for the endpoints controller, which will try to parse the metadata and use it to clean up the token. Without the pod name, consul-k8s will continually leak tokens.
be6c40e
to
4713bbf
Compare
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes 14 out of 15 committers have signed the CLA.
Paul Glass seems not to be a GitHub user. Have you signed the CLA already but the status is still pending? Recheck it. |
Closing this PR due to a race condition in the automatic backport pulling in too many changes. |
Backport
This PR is auto-generated from #2808 to be assessed for backporting due to the inclusion of the label backport/1.0.x.
The below text is copied from the body of the original PR.
Prior to this PR, tokens descriptions would have a missing pod name and would have the form:
{pod: "default/"}
This poses issues for the endpoints controller, which will try to parse the metadata and use it to clean up the token. Without the pod name, consul-k8s will continually leak tokens.
Changes proposed in this PR:
How I've tested this PR:
Ran a cluster locally and manually inspected the token description field includes the pod name. Added a new step to an acceptance test.
How I expect reviewers to test this PR:
👀
Checklist:
Overview of commits