Backport of NET-4806: Fix ACL tokens for pods don't have pod name set into release/1.0.x #2818
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…roller Add SNI skip for client node configuration
…`null` to increase service registration times (#2008) * Update values.yaml
Clients are not required for ingress/terminating gateways.
Website has linting that errors when links have the developer.hashicorp.com prefix.
…shicorp/consul-k8s into bug/gateway-controller-incomplete-acl
[COMPLIANCE] add copyright headers to files
…lete-acl Update ACLs, add namespace.write permission
* Implement validation of TLS options * Use constants for annotation keys * Add changelog entry * Implement TLS options translation * Update changelog entry * Add unit test coverage for TLS option validation * Code review feedback
* JWT auth basic acceptance test * Update to run only in enterprise mode, update comment to be correct * Remove usage of `testing.t` in retry block * Fixed last `t` in retry block in tests * Update acceptance/tests/api-gateway/api_gateway_test.go Co-authored-by: Nathan Coleman <[email protected]> * Update acceptance/tests/api-gateway/api_gateway_test.go Co-authored-by: Nathan Coleman <[email protected]> * Updating filenames for gw jwt cases and adding message about why this test is skipped --------- Co-authored-by: Nathan Coleman <[email protected]>
Apply K8s node locality to services and sidecars Locality-aware routing is based on proxy locality rather than the proxied service. Ensure we propagate locality to both when registering services.
* Set privileged to false unless on OpenShift without CNI
* added fixtures * removed fixtures - intentions only gets added now if acls are enabled - payment-service-resolver is only for locality aware which isn't in scope for this PR * updated sameness tests to include peering - refactored with some helper functions for members (now TestClusters) - made names more uniform, tend more towards the cluster-01-a/cluster-02-a/etc. nomenclature * added 4 clusters to cni make target * disable proxy lifecycle
* add additional tproxy static-client - this doesn't specify an upstream so that tproxy will be able to handle routing * add tproxy coverage - add control-flow to handle using the virtual host name when tproxy is enabled
Add `PrioritizeByLocality` to `ProxyDefaults` CRD In addition to service resolver, add this field to the CRD for proxy defaults for parity with Consul config options.
* squash, add support for retry loops and timeouts to api-gateway NET-4889, NET-4890 * Update .changelog/2735.txt Co-authored-by: Andrew Stucki <[email protected]> * clean up extra files * delete custom struct, just use client.Object * delete * revert kustomization * lint cleanups * fix merge reversion, last bit of cleanup --------- Co-authored-by: Andrew Stucki <[email protected]>
…2786) * Fix Kustomization for cases * Fix patches in config * Update `Contributing`
Test locality propagation to services from k8s Verify that we propagate locality (region and zone) from standard k8s annotations to services registered by consul-k8s. This will later be expanded to exercise multi-cluster locality-based failover.
point mod to main to fix build errors
This commit fixes an issue where the peering tests would flake due to the fact that we were concurrently modifying a global map. It also adds in retry logic so that the consul servers have sufficient time to initialize before attempting to generate peering tokens.
Prior to this commit, tokens descriptions would have a missing
pod name and would have the form: {pod: "default/"}
This poses issues for the endpoints controller, which will try to
parse the metadata and use it to clean up the token. Without the
pod name, consul-k8s will continually leak tokens.
hc-github-team-consul-core
force-pushed
the
backport/derekm/NET-4806/acl-token-missing-pod/willingly-concrete-ladybird
branch
from
be6c40e
to
4713bbf
Compare
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes 14 out of 15 committers have signed the CLA.
Paul Glass seems not to be a GitHub user. Have you signed the CLA already but the status is still pending? Recheck it. |
|
Closing this PR due to a race condition in the automatic backport pulling in too many changes. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #2808 to be assessed for backporting due to the inclusion of the label backport/1.0.x.
The below text is copied from the body of the original PR.
Prior to this PR, tokens descriptions would have a missing pod name and would have the form:
{pod: "default/"}This poses issues for the endpoints controller, which will try to parse the metadata and use it to clean up the token. Without the pod name, consul-k8s will continually leak tokens.
Changes proposed in this PR:
How I've tested this PR:
Ran a cluster locally and manually inspected the token description field includes the pod name. Added a new step to an acceptance test.
How I expect reviewers to test this PR:
👀
Checklist:
Overview of commits