Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: add tls config to unix socket when https is used #16301

Merged
merged 2 commits into from
Feb 21, 2023

Conversation

huikang
Copy link
Collaborator

@huikang huikang commented Feb 17, 2023

Description

Add tls config to unix socket when https is used

Testing & Reproduction steps

Manually tested with the following agent config

"addresses": {
        "grpc_tls" : "unix://consul/consul_grpc.sock",
        "http" : "unix://consul/consul_http.sock",
        "https" : "unix://consul/consul_https.sock"
    },
export CONSUL_HTTP_ADDR=unix://consul/consul_https.sock
CONSUL_HTTP_SSL=true consul connect 

Links

fix #16252

PR Checklist

  • updated test coverage
  • external facing docs updated
  • not a security concern

Copy link
Member

@mkeeler mkeeler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To not be surprising this fix is necessary (although in this case TLS isn't really providing any extra security).

Should we have a test somewhere that starts a unix https listener and attempts to connect via TLS to ensure its working?

@huikang
Copy link
Collaborator Author

huikang commented Feb 17, 2023

To not be surprising this fix is necessary (although in this case TLS isn't really providing any extra security).

Should we have a test somewhere that starts a unix https listener and attempts to connect via TLS to ensure its working?

Thanks for the prompt response.

Agreed that we need some form of test on this agent configuration. The closet example I can find is

consul/agent/agent_test.go

Lines 3905 to 3908 in 2460ac9

// Should still succeed with only HTTPS addresses
newConf.HTTPSAddrs = newConf.HTTPAddrs
newConf.HTTPAddrs = make([]net.Addr, 0)
newConf.Watches = []map[string]interface{}{

Or do you have any recommendation on which example I shall follow? Thanks.

@mkeeler
Copy link
Member

mkeeler commented Feb 17, 2023

@huikang You could probably copy/paste + modify this test:

func TestHTTPServer_UnixSocket(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
t.Parallel()
if runtime.GOOS == "windows" {
t.SkipNow()
}
tempDir := testutil.TempDir(t, "consul")
socket := filepath.Join(tempDir, "test.sock")
// Only testing mode, since uid/gid might not be settable
// from test environment.
a := NewTestAgent(t, `
addresses {
http = "unix://`+socket+`"
}
unix_sockets {
mode = "0777"
}
`)
defer a.Shutdown()
// Ensure the socket was created
if _, err := os.Stat(socket); err != nil {
t.Fatalf("err: %s", err)
}
// Ensure the mode was set properly
fi, err := os.Stat(socket)
if err != nil {
t.Fatalf("err: %s", err)
}
if fi.Mode().String() != "Srwxrwxrwx" {
t.Fatalf("bad permissions: %s", fi.Mode())
}
// Ensure we can get a response from the socket.
trans := cleanhttp.DefaultTransport()
trans.DialContext = func(_ context.Context, _, _ string) (net.Conn, error) {
return net.Dial("unix", socket)
}
client := &http.Client{
Transport: trans,
}
// This URL doesn't look like it makes sense, but the scheme (http://) and
// the host (127.0.0.1) are required by the HTTP client library. In reality
// this will just use the custom dialer and talk to the socket.
resp, err := client.Get("http://127.0.0.1/v1/agent/self")
if err != nil {
t.Fatalf("err: %s", err)
}
defer resp.Body.Close()
if body, err := io.ReadAll(resp.Body); err != nil || len(body) == 0 {
t.Fatalf("bad: %s %v", body, err)
}
}

@@ -151,9 +241,13 @@ func TestSetupHTTPServer_HTTP2(t *testing.T) {
a := StartTestAgent(t, TestAgent{
UseHTTPS: true,
HCL: `
key_file = "../test/client_certs/server.key"
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

deprecated

@huikang huikang added backport/1.14 backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15. labels Feb 17, 2023
@huikang
Copy link
Collaborator Author

huikang commented Feb 17, 2023

@mkeeler , the unit test is added. Please take a look whenever you have a chance. Thanks.

@huikang huikang merged commit 8e5942f into main Feb 21, 2023
@huikang huikang deleted the gh-16525-fix-http-unix-socket branch February 21, 2023 13:28
hc-github-team-consul-core added a commit that referenced this pull request Mar 10, 2023
…ock into release/1.14.x (#16605)

* docs: Migrate link formats (#15976)

* Adding check-legacy-links-format workflow

* Adding test-link-rewrites workflow

* Updating docs-content-check-legacy-links-format hash

* Migrating links to new format

Co-authored-by: Kendall Strautman <[email protected]>

* Post upgrade test validation: envoy endpoint and register service (#16067)

* Run config entry controller routines on leader (#16054)

* feat: panic handler in rpc rate limit interceptor (#16022)

* feat: handle panic in rpc rate limit interceptor

* test: additional test cases to rpc rate limiting interceptor

* refactor: remove unused listener

* flaky test: use retry long to wait for config entry upgrade (#16068)

* flaky test: use retry long to wait for config entry upgrade

* increase wait for rbac policy

* Update service-resolver.mdx (#16073)

* Update service-resolver.mdx

Fixing links in the Documentation for service-resolver filter options.

* Update website/content/docs/connect/config-entries/service-resolver.mdx

Co-authored-by: trujillo-adam <[email protected]>

Co-authored-by: trujillo-adam <[email protected]>

* docs: update Nomad 1.14 upgrade note to detail additonal info. (#16071)

Co-authored-by: James Rasell <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>

* docs: CLI page descriptions for automated checker (#16056)

* ACL

* ACL

* Catalog

* consul config

* consul connect

* top-level updates

* consul intention

* consul kv

* consul namespace

* consul peering

* consul peering delete

* consul services

* consul snapshot

* consul tls

* consul acl auth-method

* acl binding-rule

* acl policy

* acl role

* acl token

* fix

* standardization

* Update website/content/commands/snapshot/save.mdx

Co-authored-by: Bryce Kalow <[email protected]>

* consul debug
consul keyring

Co-authored-by: Bryce Kalow <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>

* docs: Consul at scale guide (#15890)

* Initial page and nav data

* Formatting

* Fixes

* Page description

* DNS lookup fixes

* admin partition link

* Control Plane Resiliency rephrase

* Dataplanes/xDS callout

* word choice correction

* Consul as Vault backend clarifications

* Link to blog post on testing

* Update website/content/docs/architecture/scale.mdx

Co-authored-by: Jared Kirschner <[email protected]>

* Update website/content/docs/architecture/scale.mdx

* Apply suggestions from code review

Co-authored-by: Tu Nguyen <[email protected]>

* Update website/content/docs/architecture/scale.mdx

* Update website/content/docs/architecture/scale.mdx

Co-authored-by: Tu Nguyen <[email protected]>
Co-authored-by: Jared Kirschner <[email protected]>

* Add trigger for doing reconciliation based on watch sets (#16052)

* Add trigger for doing reconciliation based on watch sets

* update doc string

* Fix my grammar fail

* Fixes (#16086)

* Mw/lambda envoy extension parse region (#4107) (#16069)

* updated builtin extension to parse region directly from ARN
- added a unit test
- added some comments/light refactoring

* updated golden files with proper ARNs
- ARNs need to be right format now that they are being processed

* updated tests and integration tests
- removed 'region' from all EnvoyExtension arguments
- added properly formatted ARN which includes the same region found in the removed "Region" field: 'us-east-1'

* Match route and listener protocols when binding (#16057)

* Add GatewayMeta for matching routes to listeners based on protocols
* Add GetGatewayMeta
* Apply suggestions from code review
Co-authored-by: Nathan Coleman <[email protected]>
* Make GatewayMeta private
* Bound -> BoundGateway
* Document gatewayMeta more
* Simplify conditional
* Parallelize tests and simplify bind conditional
* gofmt
* :droplet: getGatewayMeta
---------
Co-authored-by: Nathan Coleman <[email protected]>

* Remove legacy acl tokens (#15947)

* remove legacy tokens

* Update test comment

Co-authored-by: Paul Glass <[email protected]>

* fix imports

* update docs for additional CLI changes

* add test case for anonymous token

* set deprecated api fields to json ignore and fix patch errors

* update changelog to breaking-change

* fix import

* update api docs to remove legacy reference

* fix docs nav data

---------

Co-authored-by: Paul Glass <[email protected]>

* integ test: remove hardcoded upstream local bind port and max number of envoy sidecar (#16092)

* Upgrade test: peering control plane traffic through mesh gateway (#16091)

* Add a server-only method for updating ConfigEntry Statuses (#16053)

* Add a server-only method for updating ConfigEntry Statuses

* Address PR feedback

* Regen proto

* troubleshoot: service to service validation (#16096)

* Add Tproxy support to Envoy Extensions (this is needed for service to service validation)

* Add validation for Envoy configuration for an upstream service

* Use both /config_dump and /cluster to validate Envoy configuration
This is because of a bug in Envoy where the EndpointsConfigDump does not
include a cluster_name, making it impossible to match an endpoint to
verify it exists.

This removes endpoints support for builtin extensions since only the
validate plugin was using it, and it is no longer used. It also removes
test cases for endpoint validation. Endpoints validation now only occurs
in the top level test from config_dump and clusters json files.

Co-authored-by: Eric <[email protected]>

* Changelog for Consul 1.14.4, 1.13.6, and 1.12.9 (#16098)

* add missing field to oss struct (#16094)

* Upgrade test: retain sidecar containers during upgrade. (#16100)

* Update docs for tls commands (#16077)

* Add extension validation on config save and refactor extensions. (#16110)

* feat: apply retry policy to read only grpc endpoints (#16085)

* improvement: prevent filter being added twice from any enovy extension (#16112)

* improvement: prevent filter being added twice from any enovy extension

* break if error != nil

* update test

* Add Envoy extension metrics. (#16114)

* Add a flag for enabling debug logs to the `connect envoy` command (#15988)

* Add a flag for enabling debug logs to the `connect envoy` command

* Update website/content/commands/connect/envoy.mdx

Co-authored-by: Jeff Boruszak <[email protected]>

* Add changelog note

* Add debug log note to envoy proxy doc page

* Update website/content/docs/connect/proxies/envoy.mdx

Co-authored-by: Kendall Strautman <[email protected]>

* Wording tweak in envoy bootstrap section

---------

Co-authored-by: Jeff Boruszak <[email protected]>
Co-authored-by: Kendall Strautman <[email protected]>

* APIGateway HTTPRoute scaffolding (#15859)

* Stub Config Entries for Consul Native API Gateway (#15644)

* Add empty InlineCertificate struct and protobuf

* apigateway stubs

* new files

* Stub HTTPRoute in api pkg

* checkpoint

* Stub HTTPRoute in structs pkg

* Simplify api.APIGatewayConfigEntry to be consistent w/ other entries

* Update makeConfigEntry switch, add docstring for HTTPRouteConfigEntry

* Add TCPRoute to MakeConfigEntry, return unique Kind

* proto generated files

* Stub BoundAPIGatewayConfigEntry in agent

Since this type is only written by a controller and read by xDS, it doesn't need to be defined in the `api` pkg

* Add RaftIndex to APIGatewayConfigEntry stub

* Add new config entry kinds to validation allow-list

* Add RaftIndex to other added config entry stubs

* fix panic

* Update usage metrics assertions to include new cfg entries

* Regenerate proto w/ Go 1.19

* Run buf formatter on config_entry.proto

* Add Meta and acl.EnterpriseMeta to all new ConfigEntry types

* Remove optional interface method Warnings() for now

Will restore later if we wind up needing it

* Remove unnecessary Services field from added config entry types

* Implement GetMeta(), GetEnterpriseMeta() for added config entry types

* Add meta field to proto, name consistently w/ existing config entries

* Format config_entry.proto

* Add initial implementation of CanRead + CanWrite for new config entry types

* Add unit tests for decoding of new config entry types

* Add unit tests for parsing of new config entry types

* Add unit tests for API Gateway config entry ACLs

* Return typed PermissionDeniedError on BoundAPIGateway CanWrite

* Add unit tests for added config entry ACLs

* Add BoundAPIGateway type to AllConfigEntryKinds

* Return proper kind from BoundAPIGateway

* Add docstrings for new config entry types

* Add missing config entry kinds to proto def

* Update usagemetrics_oss_test.go

* Use utility func for returning PermissionDeniedError

* Add BoundAPIGateway to proto def

Co-authored-by: Sarah Alsmiller <[email protected]>
Co-authored-by: Nathan Coleman <[email protected]>

* Add APIGateway validation

* Fix comment

* Add additional validations

* Add cert ref validation

* Add protobuf definitions

* Tabs to spaces

* Fix up field types

* Add API structs

* Move struct fields around a bit

* EventPublisher subscriptions for Consul Native API Gateway (#15757)

* Create new event topics in subscribe proto
* Add tests for PBSubscribe func
* Make configs singular, add all configs to PBToStreamSubscribeRequest
* Add snapshot methods
* Add config_entry_events tests
* Add config entry kind to topic for new configs
* Add unit tests for snapshot methods
* Start adding integration test
* Test using the new controller code
* Update agent/consul/state/config_entry_events.go
Co-authored-by: Nathan Coleman <[email protected]>
* Check value of error
Co-authored-by: Nathan Coleman <[email protected]>

* Add controller stubs for API Gateway (#15837)

* update initial stub implementation

* move files, clean up mutex references

* Remove embed, use idiomatic names for constructors

* Remove stray file introduced in merge

Co-authored-by: Nathan Coleman <[email protected]>

* Initial server-side and proto defs

* drop trailing whitespace

* Add APIGateway validation (#15847)

* Add APIGateway validation

* Fix comment

* Add additional validations

* Add cert ref validation

* Add protobuf definitions

* Tabs to spaces

* Fix up field types

* Add API structs

* Move struct fields around a bit

* APIGateway InlineCertificate validation (#15856)

* Add APIGateway validation

* Add additional validations

* Add protobuf definitions

* Tabs to spaces

* Add API structs

* Move struct fields around a bit

* Add validation for InlineCertificate

* Fix ACL test

* APIGateway BoundAPIGateway validation (#15858)

* Add APIGateway validation

* Fix comment

* Add additional validations

* Add cert ref validation

* Add protobuf definitions

* Tabs to spaces

* Fix up field types

* Add API structs

* Move struct fields around a bit

* Add validation for BoundAPIGateway

* drop trailing whitespace

* APIGateway TCPRoute validation (#15855)

* Add APIGateway validation

* Fix comment

* Add additional validations

* Add cert ref validation

* Add protobuf definitions

* Tabs to spaces

* Fix up field types

* Add API structs

* Move struct fields around a bit

* Add TCPRoute normalization and validation

* Address PR feedback

* Add forgotten Status

* Add some more field docs in api package

* Fix test

* Fix bad merge

* Remove duplicate helpers

* Fix up proto defs

* Fix up stray changes

* remove extra newline

---------

Co-authored-by: Thomas Eckert <[email protected]>
Co-authored-by: Sarah Alsmiller <[email protected]>
Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: sarahalsmiller <[email protected]>

* NO_JIRA: Add function to get container status before making api call (#16116)

* Add unit test and update golden files. (#16115)

* add troubleshoot cli (#16070)

* add troubleshoot cli

* fix lint issue

* fix merge conflict

* fix lint issue

* Ent merge move envoy extension proto (#16126)

* Mw/lambda envoy extension parse region (#4107)

* updated builtin extension to parse region directly from ARN
- added a unit test
- added some comments/light refactoring

* updated golden files with proper ARNs
- ARNs need to be right format now that they are being processed

* updated tests and integration tests
- removed 'region' from all EnvoyExtension arguments
- added properly formatted ARN which includes the same region found in the removed "Region" field: 'us-east-1'

* regenerated proto files

* update troubleshoot CLI (#16129)

* Docs: change connect to SM for mTLS page  (#16082)

* Update connect-internals.mdx

Removed most references for 'Connect' given the terminology has long been deprecated in official use.

* Apply suggestions from code review

Co-authored-by: Blake Covarrubias <[email protected]>

* Update connect-internals.mdx

Updates based on Blakes recommendations

* Update connect-internals.mdx

---------

Co-authored-by: Blake Covarrubias <[email protected]>
Co-authored-by: Kendall Strautman <[email protected]>

* validate certs and get stats (#16139)

* refactor: move service to service validation to troubleshoot package (#16132)

This is to reduce the dependency on xds from within the troubleshoot package.

* rate: add prometheus definitions, docs, and clearer names (#15945)

* Use agent token for service/check deregistration during anti-entropy (#16097)

Use only the agent token for deregistration during anti-entropy

The previous behavior had the agent attempt to use the "service" token
(i.e. from the `token` field in a service definition file), and if that
was not set then it would use the agent token.

The previous behavior was problematic because, if the service token had
been deleted, the deregistration request would fail. The agent would
retry the deregistration during each anti-entropy sync, and the
situation would never resolve.

The new behavior is to only/always use the agent token for service and
check deregistration during anti-entropy. This approach is:

* Simpler: No fallback logic to try different tokens
* Faster (slightly): No time spent attempting the service token
* Correct: The agent token is able to deregister services on that
  agent's node, because:
  * node:write permissions allow deregistration of services/checks on
    that node.
  * The agent token must have node:write permission, or else the agent
    is not be able to (de)register itself into the catalog

Co-authored-by: Vesa Hagström <[email protected]>

* add assertions (#16087)

* [OSS] Add Peer field to service-defaults upstream overrides (#15956)

* Add Peer field to service-defaults upstream overrides.

* add api changes, compat mode for service default overrides

* Fixes based on testing

---------

Co-authored-by: DanStough <[email protected]>

* API Gateway Controller Logic (#16058)

* Add initial API gateway controller logic

---------

Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: Andrew Stucki <[email protected]>
Co-authored-by: Thomas Eckert <[email protected]>

* docs(service-defaults): upstream overrides for peered services (#16122)


Co-authored-by: trujillo-adam <[email protected]>

* fix goroutine leak in renew testing (#16142)

fix goroutine leak in renew testing

Test overwrote the stopWatcher() function variable for the test without
keeping and calling the original value. The original value is the
function that stops the goroutine... so it needs to be called.

* docs: use proxy health checks when enabled (#16033)

* command: Fix logger not initializing properly in envoy command (#16148)

* Update helm docs based on consul-k8s release/1.0.x branch (#16157)

* docs - Docs/k8s 1.0.3 helm docs

* remove openebs entry

* Remove legacy acl policies (#15922)

* remove legacy tokens

* remove legacy acl policies

* flatten test policies to *_prefix

* address oss feedback re: phrasing and tests

* Set `codegen-tools` to be a dependency of `deep-copy` (#16124)

* Add a little message if the user runs deep-copy without it installed

* Take codegen-tools as a dependency to deep-copy

* feat: client RPC is retries on ErrRetryElsewhere error and forwardRequestToLeader method retries ErrRetryLater error (#16099)

* refactor: remove troubleshoot module dependency on consul top level module (#16162)

Ensure nothing in the troubleshoot go module depends on consul's top level module. This is so we can import troubleshoot into consul-k8s and not import all of consul.

* turns troubleshoot into a go module [authored by @curtbushko]
* gets the envoy protos into the troubleshoot module [authored by @curtbushko]
* adds a new go module `envoyextensions` which has xdscommon and extensioncommon folders that both the xds package and the troubleshoot package can import
* adds testing and linting for the new go modules
* moves the unit tests in `troubleshoot/validateupstream` that depend on proxycfg/xds into the xds package, with a comment describing why those tests cannot be in the troubleshoot package
* fixes all the imports everywhere as a result of these changes 

Co-authored-by: Curt Bushko <[email protected]>

* Document how numRetries can't be set to 0 (#16123)

* Document how numRetries can't be set to 0

Resolves https://github.com/hashicorp/consul/issues/11816 and https://github.com/hashicorp/consul/issues/8516.

* Update website/content/docs/connect/config-entries/service-router.mdx

Co-authored-by: trujillo-adam <[email protected]>

---------

Co-authored-by: trujillo-adam <[email protected]>

* docs: refine server TLS Vault PKI role config (#16166)

The generate_lease=true configuration is unnecessary and generates a note about performance implications in Vault logs. Remove this configuration so that the default value of generate_lease=false is used instead.

* Add links in release-notes for the last five patch releases (#16109)

* NET-2087: Restart proxy sidecar during cluster upgrade (#16140)

* docs(service-resolver): clarify the default time unit in service-resolver.ConnectTimeout (#16149)

* doc: clarify the default time unit in service-resolver.ConnectTimeout

* Update website/content/docs/connect/config-entries/service-resolver.mdx

Co-authored-by: trujillo-adam <[email protected]>

---------

Co-authored-by: trujillo-adam <[email protected]>

* Net 2229/rpc reduce max retries 2 (#16165)

* feat: calculate retry wait time with exponential back-off

* test: add test for getWaitTime method

* feat: enforce random jitter between min value from previous iteration and current

* extract randomStagger to simplify tests and use Milliseconds to avoid float math.

* rename variables

* add test and rename comment

---------

Co-authored-by: Poonam Jadhav <[email protected]>

* Remove empty tags 2 (#16113)

* Add support for RemoveEmptyTags in API client

* Add changelog

---------

Co-authored-by: Rémi Lapeyre <[email protected]>

* change log level (#16128)

* Rotate Circle CI SSH Key (#16178)

* revert ui changes (#16180)

* exclude inbound/outbound listeners from upstreams output (#16184)

* Add missing doc for gRPC TLS (#16161)

Signed-off-by: dttung2905 <[email protected]>

* docs: update redirected links (#16179)

* add cert tests (#16192)

* Update token language to distinguish Accessor and Secret ID usage (#16044)

* remove legacy tokens

* remove lingering legacy token references from docs

* update language and naming for token secrets and accessor IDs

* updates all tokenID references to clarify accessorID

* remove token type references and lookup tokens by accessorID index

* remove unnecessary constants

* replace additional tokenID param names

* Add warning info for deprecated -id parameter

Co-authored-by: Paul Glass <[email protected]>

* Update field comment

Co-authored-by: Paul Glass <[email protected]>

---------

Co-authored-by: Paul Glass <[email protected]>

* Upgrade test: verify the agent token is working after upgrade (#16164)

1. Upgraded agent can inherit the persisted token and join the cluster
2. Agent token prior to upgrade is still valid after upgrade
3. Enable ACL in the agent configuration

* revert method name change in xds server protocol for version compatibility (#16195)

* remove redundant vault api retry logic (#16143)

remove redundant vault api retry logic

We upgraded Vault API module version to a version that has built-in
retry logic. So this code is no longer necessary.
Also add mention of re-configuring the provider in comments.

* get upstream IPs (#16197)

* get upstream IPs

* separate test data

* fix lint issue

* fix lint issue

* Bump github.com/prometheus/client_golang from 1.4.0 to 1.14.0 (#15292)

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.4.0 to 1.14.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.4.0...v1.14.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Matt Keeler <[email protected]>

* feat: envoy extension - http local rate limit (#16196)

- http local rate limit
- Apply rate limit only to local_app
- unit test and integ test

* Adding experimental support for a more efficient LogStore implementation (#16176)

* Adding experimental support for a more efficient LogStore implementation

* Adding changelog entry

* Fix go mod tidy issues

* Add additional controller implementations (#16188)

* Add additional controller implementations

* remove additional interface

* Fix comparison checks and mark unused contexts

* Switch to time.Now().UTC()

* Add a pointer helper for shadowing loop variables

* Extract anonymous functions for readability

* clean up logging

* Add Type to the Condition proto

* Update some comments and add additional space for readability

* Address PR feedback

* Fix up dirty checks and change to pointer receiver

* Add the `operator usage instances` command and api endpoint (#16205)

This endpoint shows total services, connect service instances and
billable service instances in the local datacenter or globally. Billable
instances = total service instances - connect services - consul server instances.

* troubleshoot: output messages for the troubleshoot proxy command (#16208)

* Implement APIGateway proxycfg snapshot (#16194)

* Stub proxycfg handler for API gateway

* Add Service Kind constants/handling for API Gateway

* Begin stubbing for SDS

* Add new Secret type to xDS order of operations

* Continue stubbing of SDS

* Iterate on proxycfg handler for API gateway

* Handle BoundAPIGateway config entry subscription in proxycfg-glue

* Add API gateway to config snapshot validation

* Add API gateway to config snapshot clone, leaf, etc.

* Subscribe to bound route + cert config entries on bound-api-gateway

* Track routes + certs on API gateway config snapshot

* Generate DeepCopy() for types used in watch.Map

* Watch all active references on api-gateway, unwatch inactive

* Track loading of initial bound-api-gateway config entry

* Use proper proto package for SDS mapping

* Use ResourceReference instead of ServiceName, collect resources

* Fix typo, add + remove TODOs

* Watch discovery chains for TCPRoute

* Add TODO for updating gateway services for api-gateway

* make proto

* Regenerate deep-copy for proxycfg

* Set datacenter on upstream ID from query source

* Watch discovery chains for http-route service backends

* Add ServiceName getter to HTTP+TCP Service structs

* Clean up unwatched discovery chains on API Gateway

* Implement watch for ingress leaf certificate

* Collect upstreams on http-route + tcp-route updates

* Remove unused GatewayServices update handler

* Remove unnecessary gateway services logic for API Gateway

* Remove outdate TODO

* Use .ToIngress where appropriate, including TODO for cleaning up

* Cancel before returning error

* Remove GatewayServices subscription

* Add godoc for handlerAPIGateway functions

* Update terminology from Connect => Consul Service Mesh

Consistent with terminology changes in https://github.com/hashicorp/consul/pull/12690

* Add missing TODO

* Remove duplicate switch case

* Rerun deep-copy generator

* Use correct property on config snapshot

* Remove unnecessary leaf cert watch

* Clean up based on code review feedback

* Note handler properties that are initialized but set elsewhere

* Add TODO for moving helper func into structs pkg

* Update generated DeepCopy code

* gofmt

* Generate DeepCopy() for API gateway listener types

* Improve variable name

* Regenerate DeepCopy() code

* Fix linting issue

* Temporarily remove the secret type from resource generation

* UI: Update padding for the content wrapper (#16209)

* troubleshoot: handle tproxy dialed directly case (#16210)

* ACL error improvements: incomplete bootstrapping and non-existent token (#16105)

* add bootstrapping detail for acl errors

* error detail improvements

* update acl bootstrapping test coverage

* update namespace errors

* update test coverage

* add changelog

* update message for unbootstrapped error

* consolidate error message code and update changelog

* logout message change

* update troubleshoot CLI, update flags and upstreams output (#16211)

* update troubleshoot CLI, update flags and upstreams output

* update troubleshoot upstreams output

* Merge pull request #4216 from hashicorp/NET-2252-add-assert-fortioname (#16212)

NET-2252: integration tests: add assert.FortioName

* Clean-up Gateway Controller Binding Logic (#16214)

* Fix detecting when a route doesn't bind to a gateway because it's already bound

* Clean up status setting code

* rework binding a bit

* More cleanup

* Flatten all files

* Fix up docstrings

* Add basic smoke test to make sure an APIGateway runs (#16217)

* API Gateway to Ingress Gateway Snapshot Translation and Routes to Virtual Routers and Splitters (#16127)

* Stub proxycfg handler for API gateway

* Add Service Kind constants/handling for API Gateway

* Begin stubbing for SDS

* Add new Secret type to xDS order of operations

* Continue stubbing of SDS

* Iterate on proxycfg handler for API gateway

* Handle BoundAPIGateway config entry subscription in proxycfg-glue

* Add API gateway to config snapshot validation

* Add API gateway to config snapshot clone, leaf, etc.

* Subscribe to bound route + cert config entries on bound-api-gateway

* Track routes + certs on API gateway config snapshot

* Generate DeepCopy() for types used in watch.Map

* Watch all active references on api-gateway, unwatch inactive

* Track loading of initial bound-api-gateway config entry

* Use proper proto package for SDS mapping

* Use ResourceReference instead of ServiceName, collect resources

* Fix typo, add + remove TODOs

* Watch discovery chains for TCPRoute

* Add TODO for updating gateway services for api-gateway

* make proto

* Regenerate deep-copy for proxycfg

* Set datacenter on upstream ID from query source

* Watch discovery chains for http-route service backends

* Add ServiceName getter to HTTP+TCP Service structs

* Clean up unwatched discovery chains on API Gateway

* Implement watch for ingress leaf certificate

* Collect upstreams on http-route + tcp-route updates

* Remove unused GatewayServices update handler

* Remove unnecessary gateway services logic for API Gateway

* Remove outdate TODO

* Use .ToIngress where appropriate, including TODO for cleaning up

* Cancel before returning error

* Remove GatewayServices subscription

* Add godoc for handlerAPIGateway functions

* Update terminology from Connect => Consul Service Mesh

Consistent with terminology changes in https://github.com/hashicorp/consul/pull/12690

* Add missing TODO

* Remove duplicate switch case

* Rerun deep-copy generator

* Use correct property on config snapshot

* Remove unnecessary leaf cert watch

* Clean up based on code review feedback

* Note handler properties that are initialized but set elsewhere

* Add TODO for moving helper func into structs pkg

* Update generated DeepCopy code

* gofmt

* Begin stubbing for SDS

* Start adding tests

* Remove second BoundAPIGateway case in glue

* TO BE PICKED: fix formatting of str

* WIP

* Fix merge conflict

* Implement HTTP Route to Discovery Chain config entries

* Stub out function to create discovery chain

* Add discovery chain merging code (#16131)

* Test adding TCP and HTTP routes

* Add some tests for the synthesizer

* Run go mod tidy

* Pairing with N8

* Run deep copy

* Clean up GatewayChainSynthesizer

* Fix missing assignment of BoundAPIGateway topic

* Separate out synthesizeChains and toIngressTLS

* Fix build errors

* Ensure synthesizer skips non-matching routes by protocol

* Rebase on N8s work

* Generate DeepCopy() for API gateway listener types

* Improve variable name

* Regenerate DeepCopy() code

* Fix linting issue

* fix protobuf import

* Fix more merge conflict errors

* Fix synthesize test

* Run deep copy

* Add URLRewrite to proto

* Update agent/consul/discoverychain/gateway_tcproute.go

Co-authored-by: Nathan Coleman <[email protected]>

* Remove APIGatewayConfigEntry that was extra

* Error out if route kind is unknown

* Fix formatting errors in proto

---------

Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: Andrew Stucki <[email protected]>

* Fix typo in checks.mdx (#16187)

Typo severeal -> several

* troubleshoot basic envoy stats for an upstream (#16215)

* troubleshoot basic envoy stats for an upstream

* remove envoyID arg

* Add some fixes to allow for registering via consul connect envoy -gateway api (#16219)

* Add some fixes to allow for registering via consul connect envoy -gateway api

* Fix infinite recursion

---------

Co-authored-by: Nathan Coleman <[email protected]>

* Synthesize anonymous token pre-bootstrap when needed (#16200)

* add bootstrapping detail for acl errors

* error detail improvements

* update acl bootstrapping test coverage

* update namespace errors

* update test coverage

* consolidate error message code and update changelog

* synthesize anonymous token

* Update token language to distinguish Accessor and Secret ID usage (#16044)

* remove legacy tokens

* remove lingering legacy token references from docs

* update language and naming for token secrets and accessor IDs

* updates all tokenID references to clarify accessorID

* remove token type references and lookup tokens by accessorID index

* remove unnecessary constants

* replace additional tokenID param names

* Add warning info for deprecated -id parameter

Co-authored-by: Paul Glass <[email protected]>

* Update field comment

Co-authored-by: Paul Glass <[email protected]>

---------

Co-authored-by: Paul Glass <[email protected]>

* revert naming change

* add testing

* revert naming change

---------

Co-authored-by: Paul Glass <[email protected]>

* Simple API Gateway e2e test for tcp routes (#16222)

* Simple API Gateway e2e test for tcp routes

* Drop DNSSans since we don't front the Gateway with a leaf cert

* update the api in envoyextensions and troubleshoot modules (#16226)

* Fix peering acceptors in secondary datacenters. (#16230)

Prior to this commit, secondary datacenters could not be initialized
as peering acceptors if ACLs were enabled. This is due to the fact that
internal server-to-server API calls would fail because the management
token was not generated. This PR makes it so that both primary and
secondary datacenters generate their own management token whenever
a leader is elected in their respective clusters.

* [API Gateway] Add integration test for conflicted TCP listeners (#16225)

* troubleshoot: make output have tables and colors (#16235)

Adds tables and colors using libraries used in consul-k8s. It doesn't add the full `terminal` UI package that consul-k8s uses since there is an existing UI in Consul that I didn't want to affect too much. So instead this adds to the existing UI.

* Fix missing references to enterprise metadata (#16237)

* [API Gateway] Update simple test to leverage intentions and multiple listeners (#16228)

* [API Gateway] Add integration test for conflicted TCP listeners

* [API Gateway] Update simple test to leverage intentions and multiple listeners

* Fix broken unit test

* PR suggestions

* [UI]: update Ember to 3.27  (#16227)

* Upgrade to 3.25 via ember-cli-update

* v3.25.3...v3.26.1

* v3.26.1...v3.27.0


Co-authored-by: Michael Klein <[email protected]>

* ui: add vercel info to the ui readme (#16239)

* Bump x/time to 0.3.0 and fix related breakage linked to RPCRateLimit (#16241)

* Bump x/time to 0.3.0 and fix related breakage linked to RPCRateLimit initialization

* Apply limitVal(...) to other rate.Limit config fields

* UI: CC-4032 - Update sidebar width (#16204)

* Update chrome-width var to be 280px

* Formatting & Changelog

* upgrade test: peering with http router config entry (#16231)

* upgrade test: peering with http router config entry

* [API Gateway] Add integration test for HTTP routes (#16236)

* [API Gateway] Add integration test for conflicted TCP listeners

* [API Gateway] Update simple test to leverage intentions and multiple listeners

* Fix broken unit test

* [API Gateway] Add integration test for HTTP routes

* integ test: fix retry upstream test (#16246)

* get clusters from route if listener uses RDS (#16243)

* Update index.mdx (#16247)

* Update index.mdx

* Update website/content/docs/connect/dataplane/index.mdx

Co-authored-by: Tu Nguyen <[email protected]>

---------

Co-authored-by: Tu Nguyen <[email protected]>

* [OSS] Post Consul 1.15 updates (#16256)

* chore: update dev build to 1.16

* chore(ci): add nightly 1.15 test

* add integration tests for troubleshoot (#16223)

* draft

* expose internal admin port and add proxy test

* update tests

* move comment

* add failure case, fix lint issues

* cleanup

* handle error

* revert changes to service interface

* address review comments

* fix merge conflict

* merge the tests so cluster is created once

* fix other test

* upgrade test: fix flaky peering through mesh gateway (#16271)

* Add inline-certificate as possible payload of config-entry wrapper (#16254)

Co-authored-by: Andrew Stucki <[email protected]>

* [OSS] connect: Bump Envoy 1.22.5 to 1.22.7, 1.23.2 to 1.23.4, 1.24.0 to 1.24.2, add 1.25.1, remove 1.21.5 (#16274)

* Bump Envoy 1.22.5 to 1.22.7, 1.23.2 to 1.23.4, 1.24.0 to 1.24.2, add 1.25.1, remove 1.21.5

* Fix nil-pointer panics from proxycfg package. (#16277)

Prior to this PR, servers / agents would panic and crash if an ingress
or api gateway were configured to use a discovery chain that both:

1. Referenced a peered service
2. Had a mesh gateway mode of local

This could occur, because code for handling upstream watches was shared
between both connect-proxy and the gateways. As a short-term fix, this
PR ensures that the maps are always initialized for these gateway services.

This PR also wraps the proxycfg execution and service
registration calls with recover statements to ensure that future issues
like this do not put the server into an unrecoverable state.

* Fix infinite recursion in inline-certificate config entry (#16276)

* Fix infinite recursion on InlineCertificateConfigEntry

GetNamespace() + GetMeta() were calling themselves. This change also simplifies by removing nil-checking to match pre-existing config entries

Co-Authored-By: Andrew Stucki <[email protected]>

* Add tests for inline-certificate

* Add alias for private key field on inline-certificate

* Use valid certificate + private key for inline-certificate tests

---------

Co-authored-by: Andrew Stucki <[email protected]>

* Docs/reformat service splitters conf entry (#16264)

* for tab testing

* updates

* Update

* adding sandbox to test conf ref types

* testing tweaks to the conf ref template

* reintroduce tabbed specification

* applied feedback from MKO session

* applied feedback on format from luke and jared

* Apply suggestions from code review

Co-authored-by: Dan Upton <[email protected]>

* fixed some minor HCL formatting in complete conf

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* fixed bad link

* resolving conflicts

---------

Co-authored-by: boruszak <[email protected]>
Co-authored-by: Dan Upton <[email protected]>
Co-authored-by: Jeff Boruszak <[email protected]>

* Fix mesh gateways incorrectly matching peer locality. (#16257)

Fix mesh gateways incorrectly matching peer locality.

This fixes an issue where local mesh gateways use an
incorrect address when attempting to forward traffic to a
peered datacenter. Prior to this change it would use the
lan address instead of the wan if the locality matched. This
should never be done for peering, since we must route all
traffic through the remote mesh gateway.

* add server side rate-limiter changelog entry (#16292)

* API Gateway Envoy Golden Listener Tests (#16221)

* Simple API Gateway e2e test for tcp routes

* Drop DNSSans since we don't front the Gateway with a leaf cert

* WIP listener tests for api-gateway

* Return early if no routes

* Add back in leaf cert to testing

* Fix merge conflicts

* Re-add kind to setup

* Fix iteration over listener upstreams

* New tcp listener test

* Add tests for API Gateway with TCP and HTTP routes

* Move zero-route check back

* Drop generateIngressDNSSANs

* Check for chains not routes

---------

Co-authored-by: Andrew Stucki <[email protected]>

* troubleshoot: fixes and updated messages (#16294)

* Inline API Gateway TLS cert code (#16295)

* Include secret type when building resources from config snapshot

* First pass at generating envoy secrets from api-gateway snapshot

* Update comments for xDS update order

* Add secret type + corresponding golden files to existing tests

* Initialize test helpers for testing api-gateway resource generation

* Generate golden files for new api-gateway xDS resource test

* Support ADS for TLS certificates on api-gateway

* Configure TLS on api-gateway listeners

* Inline TLS cert code

* update tests

* Add SNI support so we can have multiple certificates

* Remove commented out section from helper

* regen deep-copy

* Add tcp tls test

---------

Co-authored-by: Nathan Coleman <[email protected]>

* ISSUE_TEMPLATE: Update issue template to include ask for HCL config files for bugs (#16307)

* Update bug_report.md

* Fix hostname alignment checks for HTTPRoutes (#16300)

* Fix hostname alignment checks for HTTPRoutes

* Fix panicky xDS test flakes (#16305)

* Add defensive guard to make some tests less flaky and panic less

* Do the actual fix

* Add stricter validation and some normalization code for API Gateway ConfigEntries (#16304)

* Add stricter validation and some normalization code for API Gateway ConfigEntries

* ISSUE TEMPLATE: update issue templates to include comments instead of inline text for instructions (#16313)

* Update bug_report.md
* Update feature_request.md
* Update ui_issues.md
* Update pull_request_template.md

* [OSS] security: update go to 1.20.1 (#16263)

* security: update go to 1.20.1

* Protobuf Refactoring for Multi-Module Cleanliness (#16302)

Protobuf Refactoring for Multi-Module Cleanliness

This commit includes the following:

Moves all packages that were within proto/ to proto/private
Rewrites imports to account for the packages being moved
Adds in buf.work.yaml to enable buf workspaces
Names the proto-public buf module so that we can override the Go package imports within proto/buf.yaml
Bumps the buf version dependency to 1.14.0 (I was trying out the version to see if it would get around an issue - it didn't but it also doesn't break things and it seemed best to keep up with the toolchain changes)

Why:

In the future we will need to consume other protobuf dependencies such as the Google HTTP annotations for openapi generation or grpc-gateway usage.
There were some recent changes to have our own ratelimiting annotations.
The two combined were not working when I was trying to use them together (attempting to rebase another branch)
Buf workspaces should be the solution to the problem
Buf workspaces means that each module will have generated Go code that embeds proto file names relative to the proto dir and not the top level repo root.
This resulted in proto file name conflicts in the Go global protobuf type registry.
The solution to that was to add in a private/ directory into the path within the proto/ directory.
That then required rewriting all the imports.

Is this safe?

AFAICT yes
The gRPC wire protocol doesn't seem to care about the proto file names (although the Go grpc code does tack on the proto file name as Metadata in the ServiceDesc)
Other than imports, there were no changes to any generated code as a result of this.

* new docs for consul and consul-k8s troubleshoot command (#16284)

* new docs for consul and consul-k8s troubleshoot command

* add changelog

* add troubleshoot command

* address comments, and update cli output to match

* revert changes to troubleshoot upstreams, changes will happen in separate pr

* Update .changelog/16284.txt

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* address comments

* update trouble proxy output

* add missing s, add required fields in usage

---------

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* Normalize all API Gateway references (#16316)

* Fix HTTPRoute and TCPRoute expectation for enterprise metadata (#16322)

* ISSUE_TEMPLATE: formatting for comments (#16325)

* Update all templates.

* fix: revert go mod compat for sdk,api to 1.19 (#16323)

* fix: add tls config to unix socket when https is used (#16301)

* fix: add tls config to unix socket when https is used

* unit test and changelog

* fix flakieness (#16338)

* chore: document and unit test sdk/testutil/retry (#16049)

* [API Gateway] Validate listener name is not empty (#16340)

* [API Gateway] Validate listener name is not empty

* Update docstrings and test

* Fix issue with peer services incorrectly appearing as connect-enabled. (#16339)

Prior to this commit, all peer services were transmitted as connect-enabled
as long as a one or more mesh-gateways were healthy. With this change, there
is now a difference between typical services and connect services transmitted
via peering.

A service will be reported as "connect-enabled" as long as any of these
conditions are met:

1. a connect-proxy sidecar is registered for the service name.
2. a connect-native instance of the service is registered.
3. a service resolver / splitter / router is registered for the service name.
4. a terminating gateway has registered the service.

* [API Gateway] Turn down controller log levels (#16348)

* [API Gateway] Fix targeting service splitters in HTTPRoutes (#16350)

* [API Gateway] Fix targeting service splitters in HTTPRoutes

* Fix test description

* [API Gateway] Various fixes for Config Entry fields (#16347)

* [API Gateway] Various fixes for Config Entry fields

* simplify logic per PR review

* upgrade test: splitter and resolver config entry in peered cluster (#16356)

* Upgrade Alpine image to 3.17 (#16358)

* Update existing docs from Consul API Gateway -> API Gateway for Kubernetes (#16360)

* Update existing docs from Consul API Gateway -> API Gateway for Kubernetes

* Update page header to reflect page title change

* Update nav title to match new page title

* initial code (#16296)

* Add changelog entry for API Gateway (Beta) (#16369)

* Placeholder commit for changelog entry

* Add changelog entry announcing support for API Gateway on VMs

* Adjust casing

* [API Gateway] Fix infinite loop in controller and binding non-accepted routes and gateways (#16377)

* Rate limiter/add ip prefix (#16342)

* add support for prefixes in the config tree

* fix to use default config when the prefix have no config

* Documentation update: Adding K8S clusters to external Consul servers (#16285)

* Remove Consul Client installation option

With Consul-K8S 1.0 and introduction of Consul-Dataplane, K8S has
the option to run without running Consul Client agents.

* remove note referring to the same documentation

* Added instructions on the use of httpsPort when servers are not running TLS enabled

* Modified titile and description

* Add docs for usage endpoint and command (#16258)

* Add docs for usage endpoint and command

* NET-2285: Assert total number of expected instances by Consul (#16371)

* set BRANCH_NAME to release-1.15.x (#16374)

* Docs/rate limiting 1.15 (#16345)

* Added rate limit section to agent overview, updated headings per style guide

* added GTRL section and overview

* added usage docs for rate limiting 1.15

* added file for initializing rate limits

* added steps for initializing rate limits

* updated descriptions for rate_limits in agent conf

* updated rate limiter-related metrics

* tweaks to agent index

* Apply suggestions from code review

Co-authored-by: Dhia Ayachi <[email protected]>
Co-authored-by: Krastin Krastev <[email protected]>

* Apply suggestions from code review

Co-authored-by: Krastin Krastev <[email protected]>

* Apply suggestions from code review

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Dhia Ayachi <[email protected]>
Co-authored-by: Krastin Krastev <[email protected]>
Co-authored-by: Jeff Boruszak <[email protected]>

* [UI] CC-4031: change from Action, a and button to hds::Button (#16251)

* Correct WAL metrics registrations (#16388)

* chore: remove stable-website (#16386)

* Refactor the disco chain -> xds logic (#16392)

* Add envoy extension docs (#16376)

* Add envoy extension docs

* Update message about envoy extensions with proxy defaults

* fix tab error

* Update website/content/docs/connect/proxies/envoy-extensions/usage/lua.mdx

* fix operator prerender issue

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>

* update envoyextension warning in proxy defaults so its inline

* Update website/content/docs/connect/proxies/envoy-extensions/index.mdx

---------

Co-authored-by: trujillo-adam <[email protected]>

* upgrade test: peering with resolver and failover (#16391)

* Troubleshoot service to service comms (#16385)

* Troubleshoot service to service comms

* adjustments

* breaking fix

* api-docs breaking fix

* Links added to CLI pages

* Update website/content/docs/troubleshoot/troubleshoot-services.mdx

Co-authored-by: Eric Haberkorn <[email protected]>

* Update website/content/docs/troubleshoot/troubleshoot-services.mdx

Co-authored-by: Tu Nguyen <[email protected]>

* Update website/content/docs/troubleshoot/troubleshoot-services.mdx

Co-authored-by: Tu Nguyen <[email protected]>

* nav re-ordering

* Edits recommended in code review

---------

Co-authored-by: Eric Haberkorn <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>

* Docs/cluster peering 1.15 updates (#16291)

* initial commit

* initial commit

* Overview updates

* Overview page improvements

* More Overview improvements

* improvements

* Small fixes/updates

* Updates

* Overview updates

* Nav data

* More nav updates

* Fix

* updates

* Updates + tip test

* Directory test

* refining

* Create restructure w/ k8s

* Single usage page

* Technical Specification

* k8s pages

* typo

* L7 traffic management

* Manage connections

* k8s page fix

* Create page tab corrections

* link to k8s

* intentions

* corrections

* Add-on intention descriptions

* adjustments

* Missing </CodeTabs>

* Diagram improvements

* Final diagram update

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>
Co-authored-by: David Yu <[email protected]>

* diagram name fix

* Fixes

* Updates to index.mdx

* Tech specs page corrections

* Tech specs page rename

* update link to tech specs

* K8s - new pages + tech specs

* k8s - manage peering connections

* k8s L7 traffic management

* Separated establish connection pages

* Directory fixes

* Usage clean up

* k8s docs edits

* Updated nav data

* CodeBlock Component fix

* filename

* CodeBlockConfig removal

* Redirects

* Update k8s filenames

* Reshuffle k8s tech specs for clarity, fmt yaml files

* Update general cluster peering docs, reorder CLI > API > UI, cross link to kubernetes

* Fix config rendering in k8s usage docs, cross link to general usage from k8s docs

* fix legacy link

* update k8s docs

* fix nested list rendering

* redirect fix

* page error

---------

Co-authored-by: trujillo-adam <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>
Co-authored-by: David Yu <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>

* Fix rendering error on new operator usage docs (#16393)

* add missing field to oss struct (#16401)

* fix(docs): correct rate limit metrics (#16400)

* Fix various flaky tests (#16396)

* Native API Gateway Docs (#16365)

* Create empty files

* Copy over content for overview

* Copy over content for usage

* Copy over content for api-gateway config

* Copy over content for http-route config

* Copy over content for tcp-route config

* Copy over content for inline-certificate config

* Add docs to the sidebar

* Clean up overview. Start cleaning up usage

* Add BETA badge to API Gateways portion of nav

* Fix header

* Fix up usage

* Fix up API Gateway config

* Update paths to be consistent w/ other gateway docs

* Fix up http-route

* Fix up inline-certificate

* rename path

* Fix up tcp-route

* Add CodeTabs

* Add headers to config pages

* Fix configuration model for http route and inline certificate

* Add version callout to API gateway overview page

* Fix values for inline certificate

* Fix values for api gateway configuration

* Fix values for TCP Route config

* Fix values for HTTP Route config

* Adds link from k8s gateway to vm gateway page

* Remove versioning warning

* Serve overview page at ../api-gateway, consistent w/ mesh-gateway

* Remove weight field from tcp-route docs

* Linking to usage instead of overview from k8s api-gateway to vm api-gateway

* Fix issues in usage page

* Fix links in usage

* Capitalize Kubernetes

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>

* remove optional callout

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>

* Apply suggestions from code review

* Update website/content/docs/connect/gateways/api-gateway/configuration/api-gateway.mdx

* Fix formatting of Hostnames

* Update website/content/docs/api-gateway/index.mdx

* Update website/content/docs/connect/gateways/api-gateway/configuration/http-route.mdx

Co-authored-by: Andrew Stucki <[email protected]>

* Add cross-linking of config entries

* Fix rendering error on new operator usage docs

* Update website/content/docs/connect/gateways/api-gateway/configuration/http-route.mdx

Co-authored-by: trujillo-adam <[email protected]>

* Update website/content/docs/connect/gateways/api-gateway/configuration/http-route.mdx

Co-authored-by: trujillo-adam <[email protected]>

* Apply suggestions from code review

* Apply suggestions from code review

* Add BETA badges to config entry links

* http route updates

* Add Enterprise keys

* Use map instead of list for meta field, use consistent formatting

* Convert spaces to tabs

* Add all Enterprise info to TCP Route

* Use pascal case for JSON api-gateway example

* Add enterprise to HCL api-gw cfg

* Use pascal case for missed JSON config fields

* Add enterprise to JSON api-gw cfg

* Add enterprise to api-gw values

* adds enterprise to http route

* Update website/content/docs/connect/gateways/api-gateway/index.mdx

Co-authored-by: danielehc <[email protected]>

* Add enterprise to api-gw spec

* Add missing namespace, partition + meta to specification

* fixes for http route

* Fix ordering of API Gatetway cfg spec items

* whitespace

* Add linking of values to tcp

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* Fix comma in wrong place

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* Move Certificates down

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* Tabs to spaces in httproute

* Use configuration entry instead of config entry

* Fix indentations on api-gateway and tcp-route

* Add whitespace between code block and prose

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>

* adds <> to http route

---------

Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: Melisa Griffin <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>
Co-authored-by: trujillo-adam <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>
Co-authored-by: Melisa Griffin <[email protected]>
Co-authored-by: Andrew Stucki <[email protected]>
Co-authored-by: danielehc <[email protected]>
Co-authored-by: Jeff Boruszak <[email protected]>

* NET-2286: Add tests to verify traffic redirects between services (#16390)

* Try DRYing up createCluster in integration tests (#16199)

* add back staging bits (#16411)

* Fix a couple inconsistencies in `operator usage instances` command (#16260)

* NO_JIRA: refactor validate function in traffic mgt tests (#16422)

* Basic gobased API gateway spinup test (#16278)

* wip, proof of concept, gateway service being registered, don't know how to hit it

* checkpoint

* Fix up API Gateway go tests (#16297)

* checkpoint, getting InvalidDiscoveryChain route protocol does not match targeted service protocol

* checkpoint

* httproute hittable

* tests working, one header test failing

* differentiate services by status code, minor cleanup

* working tests

* updated GetPort interface

* fix getport

---------

Co-authored-by: Andrew Stucki <[email protected]>

* Fix attempt for test fail panics in xDS (#16319)

* Fix attempt for test fail panics in xDS

* switch to a mutex pointer

* update changelog (#16426)

* update changelog

* fix changelog formatting

* feat: update alerts to Hds::Alert component (CC-4035) (#16412)

* fix: ui tests run is fixed (applying class attribute twice to the hbs element caused the issue (#16428)

* Refactor and move wal docs (#16387)

* Add WAL documentation. Also fix some minor metrics registration details

* Add tests to verify metrics are registered correctly

* refactor and move wal docs

* Updates to the WAL overview page

* updates to enable WAL usage topic

* updates to the monitoring WAL backend topic

* updates for revert WAL topic

* a few tweaks to overview and udpated metadescriptions

* Apply suggestions from code review

Co-authored-by: Paul Banks <[email protected]>

* make revert docs consistent with enable

* Apply suggestions from code review

Co-authored-by: Paul Banks <[email protected]>

* address feedback

* address final feedback

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Paul Banks <[email protected]>
Co-authored-by: trujillo-adam <[email protected]>
Co-authored-by: trujillo-adam <[email protected]>
Co-authored-by: Jeff Boruszak <[email protected]>

* UI: Update Consul UI colors to use HDS colors (#16111)

* update red color variables to hds

* change background red to be one step lighter

* map oranges

* map greens

* map blues

* map greys

* delete themes, colours: lemon, magenta, strawberry, and vault color aliases

* add unmapped rainbow colours

* replace white and transparent vars, remove unused semantic vars and frame placeholders

* small tweaks to improve contrast, change node health status x/check colours for non-voters to match design doc, replace semantic colour action w hds colour

* add unmapped grays, remove dark theme, manually set nav bar to use dark colours

* map consul pink colour

* map yellows

* add unmapped oranges, delete light theme

* remove readme, base variables, clean up dangling colours

* Start working on the nav disclosure menus

* Update main-nav-horizontal dropdowns

* Format template

* Update box-shadow tokens

* Replace --tone- usage with tokens

* Update nav disabled state and panel border colour

* Replace rgb usage on tile

* Fix permissions modal overlay

* More fixes

* Replace orange-500 with amber-200

* Update badge colors

* Update vertical sidebar colors

* Remove top border on consul peer list ul

---------

Co-authored-by: wenincode <[email protected]>

* Add missing link (#16437)

* docs: remove extra whitespace in frontmatter (#16436)

* Delete Vagrantfile (#16442)

* upgrade test: consolidate resolver test cases (#16443)

* UI: Fix rendering issue in search and lists (#16444)

* Upgrade ember-cli-string-helpers

* add extra lock change

* Update docs for consul-k8s 1.1.0 (#16447)

* Update ingress-gateways.mdx (#16330)

* Update ingress-gateways.mdx

Added an example of running the HELM install for the ingress gateways using values.yaml

* Apply suggestions from code review

* Update ingress-gateways.mdx

Adds closing back ticks on example command. The suggesting UI strips them out.

---------

Co-authored-by: trujillo-adam <[email protected]>

* grpc: fix data race in balancer registration (#16229)

Registering gRPC balancers is thread-unsafe because they are stored in a
global map variable that is accessed without holding a lock. Therefore,
it's expected that balancers are registered _once_ at the beginning of
your program (e.g. in a package `init` function) and certainly not after
you've started dialing connections, etc.

> NOTE: this function must only be called during initialization time
> (i.e. in an init() function), and is not thread-safe.

While this is fine for us in production, it's challenging for tests that
spin up multiple agents in-memory. We currently register a balancer per-
agent which holds agent-specific state that cannot safely be shared.

This commit introduces our own registry that _is_ thread-safe, and
implements the Builder interface such that we can call gRPC's `Register`
method once, on start-up. It uses the same pattern as our resolver
registry where we use the dial target's host (aka "authority"), which is
unique per-agent, to determine which builder to use.

* cli: ensure acl token read -self works (#16445)

Fixes a regression in #16044

The consul acl token read -self cli command should not require an -accessor-id because typically the persona invoking this would not already know the accessor id of their own token.

* docs: Add backwards compatibility for Consul 1.14.x and consul-dataplane in the Envoy compat matrix (#16462)

* Update envoy.mdx

* gateways: add e2e test for API Gateway HTTPRoute ParentRef change (#16408)

* test(gateways): add API Gateway HTTPRoute ParentRef change test

* test(gateways): add checkRouteError helper

* test(gateways): remove EOF check

in CI this seems to sometimes be 'connection reset by peer' instead

* Update test/integration/consul-container/test/gateways/http_route_test.go

* Gateway Test HTTPPathRewrite (#16418)

* add http url path rewrite

* add Mike's test back in

* update kind to use api.APIGateway

* cli: remove stray whitespace when loading the consul version from the VERSION file (#16467)

Fixes a regression from #15631 in the output of `consul version` from:

    Consul v1.16.0-dev
    +ent
    Revision 56b86acbe5+CHANGES

to

    Consul v1.16.0-dev+ent
    Revision 56b86acbe5+CHANGES

* Docs/services refactor docs day 122022 (#16103)

* converted main services page to services overview page

* set up services usage dirs

* added Define Services usage page

* converted health checks everything page to Define Health Checks usage page

* added Register Services and Nodes usage page

* converted Query with DNS to Discover Services and Nodes Overview page

* added Configure DNS Behavior usage page

* added Enable Static DNS Lookups usage page

* added the Enable Dynamic Queries DNS Queries usage page

* added the Configuration dir and overview page - may not need the overview, tho

* fixed the nav from previous commit

* added the Services Configuration Reference page

* added Health Checks Configuration Reference page

* updated service defaults configuraiton entry to new configuration ref format

* fixed some bad links found by checker

* more bad links found by checker

* another bad link found by checker

* converted main services page to services overview page

* set up services usage dirs

* added Define Services usage page

* converted health checks everything page to Define Health Checks usage page

* added Register Services and Nodes usage page

* converted Query with DNS to Discover Services and Nodes Overview page

* added Configure DNS Behavior usage page

* added Enable Static DNS Lookups usage page

* added the Enable Dynamic Queries DNS Queries usage page

* added the Configuration dir and overview page - may not need the overview, tho

* fixed the nav from previous commit

* added the Services Configuration Reference page

* added Health Checks Configuration Reference page

* updated service defaults configuraiton entry to new configuration ref format

* fixed some bad links found by checker

* more bad links found by check…
hc-github-team-consul-core added a commit that referenced this pull request Apr 7, 2023
…16927)

* ISSUE_TEMPLATE: Update issue template to include ask for HCL config files for bugs (#16307)

* Update bug_report.md

* Fix hostname alignment checks for HTTPRoutes (#16300)

* Fix hostname alignment checks for HTTPRoutes

* Fix panicky xDS test flakes (#16305)

* Add defensive guard to make some tests less flaky and panic less

* Do the actual fix

* Add stricter validation and some normalization code for API Gateway ConfigEntries (#16304)

* Add stricter validation and some normalization code for API Gateway ConfigEntries

* ISSUE TEMPLATE: update issue templates to include comments instead of inline text for instructions (#16313)

* Update bug_report.md
* Update feature_request.md
* Update ui_issues.md
* Update pull_request_template.md

* [OSS] security: update go to 1.20.1 (#16263)

* security: update go to 1.20.1

* Protobuf Refactoring for Multi-Module Cleanliness (#16302)

Protobuf Refactoring for Multi-Module Cleanliness

This commit includes the following:

Moves all packages that were within proto/ to proto/private
Rewrites imports to account for the packages being moved
Adds in buf.work.yaml to enable buf workspaces
Names the proto-public buf module so that we can override the Go package imports within proto/buf.yaml
Bumps the buf version dependency to 1.14.0 (I was trying out the version to see if it would get around an issue - it didn't but it also doesn't break things and it seemed best to keep up with the toolchain changes)

Why:

In the future we will need to consume other protobuf dependencies such as the Google HTTP annotations for openapi generation or grpc-gateway usage.
There were some recent changes to have our own ratelimiting annotations.
The two combined were not working when I was trying to use them together (attempting to rebase another branch)
Buf workspaces should be the solution to the problem
Buf workspaces means that each module will have generated Go code that embeds proto file names relative to the proto dir and not the top level repo root.
This resulted in proto file name conflicts in the Go global protobuf type registry.
The solution to that was to add in a private/ directory into the path within the proto/ directory.
That then required rewriting all the imports.

Is this safe?

AFAICT yes
The gRPC wire protocol doesn't seem to care about the proto file names (although the Go grpc code does tack on the proto file name as Metadata in the ServiceDesc)
Other than imports, there were no changes to any generated code as a result of this.

* new docs for consul and consul-k8s troubleshoot command (#16284)

* new docs for consul and consul-k8s troubleshoot command

* add changelog

* add troubleshoot command

* address comments, and update cli output to match

* revert changes to troubleshoot upstreams, changes will happen in separate pr

* Update .changelog/16284.txt

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* address comments

* update trouble proxy output

* add missing s, add required fields in usage

---------

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* Normalize all API Gateway references (#16316)

* Fix HTTPRoute and TCPRoute expectation for enterprise metadata (#16322)

* ISSUE_TEMPLATE: formatting for comments (#16325)

* Update all templates.

* fix: revert go mod compat for sdk,api to 1.19 (#16323)

* fix: add tls config to unix socket when https is used (#16301)

* fix: add tls config to unix socket when https is used

* unit test and changelog

* fix flakieness (#16338)

* chore: document and unit test sdk/testutil/retry (#16049)

* [API Gateway] Validate listener name is not empty (#16340)

* [API Gateway] Validate listener name is not empty

* Update docstrings and test

* Fix issue with peer services incorrectly appearing as connect-enabled. (#16339)

Prior to this commit, all peer services were transmitted as connect-enabled
as long as a one or more mesh-gateways were healthy. With this change, there
is now a difference between typical services and connect services transmitted
via peering.

A service will be reported as "connect-enabled" as long as any of these
conditions are met:

1. a connect-proxy sidecar is registered for the service name.
2. a connect-native instance of the service is registered.
3. a service resolver / splitter / router is registered for the service name.
4. a terminating gateway has registered the service.

* [API Gateway] Turn down controller log levels (#16348)

* [API Gateway] Fix targeting service splitters in HTTPRoutes (#16350)

* [API Gateway] Fix targeting service splitters in HTTPRoutes

* Fix test description

* [API Gateway] Various fixes for Config Entry fields (#16347)

* [API Gateway] Various fixes for Config Entry fields

* simplify logic per PR review

* upgrade test: splitter and resolver config entry in peered cluster (#16356)

* Upgrade Alpine image to 3.17 (#16358)

* Update existing docs from Consul API Gateway -> API Gateway for Kubernetes (#16360)

* Update existing docs from Consul API Gateway -> API Gateway for Kubernetes

* Update page header to reflect page title change

* Update nav title to match new page title

* initial code (#16296)

* Add changelog entry for API Gateway (Beta) (#16369)

* Placeholder commit for changelog entry

* Add changelog entry announcing support for API Gateway on VMs

* Adjust casing

* [API Gateway] Fix infinite loop in controller and binding non-accepted routes and gateways (#16377)

* Rate limiter/add ip prefix (#16342)

* add support for prefixes in the config tree

* fix to use default config when the prefix have no config

* Documentation update: Adding K8S clusters to external Consul servers (#16285)

* Remove Consul Client installation option

With Consul-K8S 1.0 and introduction of Consul-Dataplane, K8S has
the option to run without running Consul Client agents.

* remove note referring to the same documentation

* Added instructions on the use of httpsPort when servers are not running TLS enabled

* Modified titile and description

* Add docs for usage endpoint and command (#16258)

* Add docs for usage endpoint and command

* NET-2285: Assert total number of expected instances by Consul (#16371)

* set BRANCH_NAME to release-1.15.x (#16374)

* Docs/rate limiting 1.15 (#16345)

* Added rate limit section to agent overview, updated headings per style guide

* added GTRL section and overview

* added usage docs for rate limiting 1.15

* added file for initializing rate limits

* added steps for initializing rate limits

* updated descriptions for rate_limits in agent conf

* updated rate limiter-related metrics

* tweaks to agent index

* Apply suggestions from code review

Co-authored-by: Dhia Ayachi <[email protected]>
Co-authored-by: Krastin Krastev <[email protected]>

* Apply suggestions from code review

Co-authored-by: Krastin Krastev <[email protected]>

* Apply suggestions from code review

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Dhia Ayachi <[email protected]>
Co-authored-by: Krastin Krastev <[email protected]>
Co-authored-by: Jeff Boruszak <[email protected]>

* [UI] CC-4031: change from Action, a and button to hds::Button (#16251)

* Correct WAL metrics registrations (#16388)

* chore: remove stable-website (#16386)

* Refactor the disco chain -> xds logic (#16392)

* Add envoy extension docs (#16376)

* Add envoy extension docs

* Update message about envoy extensions with proxy defaults

* fix tab error

* Update website/content/docs/connect/proxies/envoy-extensions/usage/lua.mdx

* fix operator prerender issue

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>

* update envoyextension warning in proxy defaults so its inline

* Update website/content/docs/connect/proxies/envoy-extensions/index.mdx

---------

Co-authored-by: trujillo-adam <[email protected]>

* upgrade test: peering with resolver and failover (#16391)

* Troubleshoot service to service comms (#16385)

* Troubleshoot service to service comms

* adjustments

* breaking fix

* api-docs breaking fix

* Links added to CLI pages

* Update website/content/docs/troubleshoot/troubleshoot-services.mdx

Co-authored-by: Eric Haberkorn <[email protected]>

* Update website/content/docs/troubleshoot/troubleshoot-services.mdx

Co-authored-by: Tu Nguyen <[email protected]>

* Update website/content/docs/troubleshoot/troubleshoot-services.mdx

Co-authored-by: Tu Nguyen <[email protected]>

* nav re-ordering

* Edits recommended in code review

---------

Co-authored-by: Eric Haberkorn <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>

* Docs/cluster peering 1.15 updates (#16291)

* initial commit

* initial commit

* Overview updates

* Overview page improvements

* More Overview improvements

* improvements

* Small fixes/updates

* Updates

* Overview updates

* Nav data

* More nav updates

* Fix

* updates

* Updates + tip test

* Directory test

* refining

* Create restructure w/ k8s

* Single usage page

* Technical Specification

* k8s pages

* typo

* L7 traffic management

* Manage connections

* k8s page fix

* Create page tab corrections

* link to k8s

* intentions

* corrections

* Add-on intention descriptions

* adjustments

* Missing </CodeTabs>

* Diagram improvements

* Final diagram update

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>
Co-authored-by: David Yu <[email protected]>

* diagram name fix

* Fixes

* Updates to index.mdx

* Tech specs page corrections

* Tech specs page rename

* update link to tech specs

* K8s - new pages + tech specs

* k8s - manage peering connections

* k8s L7 traffic management

* Separated establish connection pages

* Directory fixes

* Usage clean up

* k8s docs edits

* Updated nav data

* CodeBlock Component fix

* filename

* CodeBlockConfig removal

* Redirects

* Update k8s filenames

* Reshuffle k8s tech specs for clarity, fmt yaml files

* Update general cluster peering docs, reorder CLI > API > UI, cross link to kubernetes

* Fix config rendering in k8s usage docs, cross link to general usage from k8s docs

* fix legacy link

* update k8s docs

* fix nested list rendering

* redirect fix

* page error

---------

Co-authored-by: trujillo-adam <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>
Co-authored-by: David Yu <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>

* Fix rendering error on new operator usage docs (#16393)

* add missing field to oss struct (#16401)

* fix(docs): correct rate limit metrics (#16400)

* Fix various flaky tests (#16396)

* Native API Gateway Docs (#16365)

* Create empty files

* Copy over content for overview

* Copy over content for usage

* Copy over content for api-gateway config

* Copy over content for http-route config

* Copy over content for tcp-route config

* Copy over content for inline-certificate config

* Add docs to the sidebar

* Clean up overview. Start cleaning up usage

* Add BETA badge to API Gateways portion of nav

* Fix header

* Fix up usage

* Fix up API Gateway config

* Update paths to be consistent w/ other gateway docs

* Fix up http-route

* Fix up inline-certificate

* rename path

* Fix up tcp-route

* Add CodeTabs

* Add headers to config pages

* Fix configuration model for http route and inline certificate

* Add version callout to API gateway overview page

* Fix values for inline certificate

* Fix values for api gateway configuration

* Fix values for TCP Route config

* Fix values for HTTP Route config

* Adds link from k8s gateway to vm gateway page

* Remove versioning warning

* Serve overview page at ../api-gateway, consistent w/ mesh-gateway

* Remove weight field from tcp-route docs

* Linking to usage instead of overview from k8s api-gateway to vm api-gateway

* Fix issues in usage page

* Fix links in usage

* Capitalize Kubernetes

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>

* remove optional callout

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>

* Apply suggestions from code review

* Update website/content/docs/connect/gateways/api-gateway/configuration/api-gateway.mdx

* Fix formatting of Hostnames

* Update website/content/docs/api-gateway/index.mdx

* Update website/content/docs/connect/gateways/api-gateway/configuration/http-route.mdx

Co-authored-by: Andrew Stucki <[email protected]>

* Add cross-linking of config entries

* Fix rendering error on new operator usage docs

* Update website/content/docs/connect/gateways/api-gateway/configuration/http-route.mdx

Co-authored-by: trujillo-adam <[email protected]>

* Update website/content/docs/connect/gateways/api-gateway/configuration/http-route.mdx

Co-authored-by: trujillo-adam <[email protected]>

* Apply suggestions from code review

* Apply suggestions from code review

* Add BETA badges to config entry links

* http route updates

* Add Enterprise keys

* Use map instead of list for meta field, use consistent formatting

* Convert spaces to tabs

* Add all Enterprise info to TCP Route

* Use pascal case for JSON api-gateway example

* Add enterprise to HCL api-gw cfg

* Use pascal case for missed JSON config fields

* Add enterprise to JSON api-gw cfg

* Add enterprise to api-gw values

* adds enterprise to http route

* Update website/content/docs/connect/gateways/api-gateway/index.mdx

Co-authored-by: danielehc <[email protected]>

* Add enterprise to api-gw spec

* Add missing namespace, partition + meta to specification

* fixes for http route

* Fix ordering of API Gatetway cfg spec items

* whitespace

* Add linking of values to tcp

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* Fix comma in wrong place

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* Move Certificates down

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* Tabs to spaces in httproute

* Use configuration entry instead of config entry

* Fix indentations on api-gateway and tcp-route

* Add whitespace between code block and prose

* Apply suggestions from code review

Co-authored-by: trujillo-adam <[email protected]>

* adds <> to http route

---------

Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: Melisa Griffin <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>
Co-authored-by: trujillo-adam <[email protected]>
Co-authored-by: Tu Nguyen <[email protected]>
Co-authored-by: Melisa Griffin <[email protected]>
Co-authored-by: Andrew Stucki <[email protected]>
Co-authored-by: danielehc <[email protected]>
Co-authored-by: Jeff Boruszak <[email protected]>

* NET-2286: Add tests to verify traffic redirects between services (#16390)

* Try DRYing up createCluster in integration tests (#16199)

* add back staging bits (#16411)

* Fix a couple inconsistencies in `operator usage instances` command (#16260)

* NO_JIRA: refactor validate function in traffic mgt tests (#16422)

* Basic gobased API gateway spinup test (#16278)

* wip, proof of concept, gateway service being registered, don't know how to hit it

* checkpoint

* Fix up API Gateway go tests (#16297)

* checkpoint, getting InvalidDiscoveryChain route protocol does not match targeted service protocol

* checkpoint

* httproute hittable

* tests working, one header test failing

* differentiate services by status code, minor cleanup

* working tests

* updated GetPort interface

* fix getport

---------

Co-authored-by: Andrew Stucki <[email protected]>

* Fix attempt for test fail panics in xDS (#16319)

* Fix attempt for test fail panics in xDS

* switch to a mutex pointer

* update changelog (#16426)

* update changelog

* fix changelog formatting

* feat: update alerts to Hds::Alert component (CC-4035) (#16412)

* fix: ui tests run is fixed (applying class attribute twice to the hbs element caused the issue (#16428)

* Refactor and move wal docs (#16387)

* Add WAL documentation. Also fix some minor metrics registration details

* Add tests to verify metrics are registered correctly

* refactor and move wal docs

* Updates to the WAL overview page

* updates to enable WAL usage topic

* updates to the monitoring WAL backend topic

* updates for revert WAL topic

* a few tweaks to overview and udpated metadescriptions

* Apply suggestions from code review

Co-authored-by: Paul Banks <[email protected]>

* make revert docs consistent with enable

* Apply suggestions from code review

Co-authored-by: Paul Banks <[email protected]>

* address feedback

* address final feedback

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Paul Banks <[email protected]>
Co-authored-by: trujillo-adam <[email protected]>
Co-authored-by: trujillo-adam <[email protected]>
Co-authored-by: Jeff Boruszak <[email protected]>

* UI: Update Consul UI colors to use HDS colors (#16111)

* update red color variables to hds

* change background red to be one step lighter

* map oranges

* map greens

* map blues

* map greys

* delete themes, colours: lemon, magenta, strawberry, and vault color aliases

* add unmapped rainbow colours

* replace white and transparent vars, remove unused semantic vars and frame placeholders

* small tweaks to improve contrast, change node health status x/check colours for non-voters to match design doc, replace semantic colour action w hds colour

* add unmapped grays, remove dark theme, manually set nav bar to use dark colours

* map consul pink colour

* map yellows

* add unmapped oranges, delete light theme

* remove readme, base variables, clean up dangling colours

* Start working on the nav disclosure menus

* Update main-nav-horizontal dropdowns

* Format template

* Update box-shadow tokens

* Replace --tone- usage with tokens

* Update nav disabled state and panel border colour

* Replace rgb usage on tile

* Fix permissions modal overlay

* More fixes

* Replace orange-500 with amber-200

* Update badge colors

* Update vertical sidebar colors

* Remove top border on consul peer list ul

---------

Co-authored-by: wenincode <[email protected]>

* Add missing link (#16437)

* docs: remove extra whitespace in frontmatter (#16436)

* Delete Vagrantfile (#16442)

* upgrade test: consolidate resolver test cases (#16443)

* UI: Fix rendering issue in search and lists (#16444)

* Upgrade ember-cli-string-helpers

* add extra lock change

* Update docs for consul-k8s 1.1.0 (#16447)

* Update ingress-gateways.mdx (#16330)

* Update ingress-gateways.mdx

Added an example of running the HELM install for the ingress gateways using values.yaml

* Apply suggestions from code review

* Update ingress-gateways.mdx

Adds closing back ticks on example command. The suggesting UI strips them out.

---------

Co-authored-by: trujillo-adam <[email protected]>

* grpc: fix data race in balancer registration (#16229)

Registering gRPC balancers is thread-unsafe because they are stored in a
global map variable that is accessed without holding a lock. Therefore,
it's expected that balancers are registered _once_ at the beginning of
your program (e.g. in a package `init` function) and certainly not after
you've started dialing connections, etc.

> NOTE: this function must only be called during initialization time
> (i.e. in an init() function), and is not thread-safe.

While this is fine for us in production, it's challenging for tests that
spin up multiple agents in-memory. We currently register a balancer per-
agent which holds agent-specific state that cannot safely be shared.

This commit introduces our own registry that _is_ thread-safe, and
implements the Builder interface such that we can call gRPC's `Register`
method once, on start-up. It uses the same pattern as our resolver
registry where we use the dial target's host (aka "authority"), which is
unique per-agent, to determine which builder to use.

* cli: ensure acl token read -self works (#16445)

Fixes a regression in #16044

The consul acl token read -self cli command should not require an -accessor-id because typically the persona invoking this would not already know the accessor id of their own token.

* docs: Add backwards compatibility for Consul 1.14.x and consul-dataplane in the Envoy compat matrix (#16462)

* Update envoy.mdx

* gateways: add e2e test for API Gateway HTTPRoute ParentRef change (#16408)

* test(gateways): add API Gateway HTTPRoute ParentRef change test

* test(gateways): add checkRouteError helper

* test(gateways): remove EOF check

in CI this seems to sometimes be 'connection reset by peer' instead

* Update test/integration/consul-container/test/gateways/http_route_test.go

* Gateway Test HTTPPathRewrite (#16418)

* add http url path rewrite

* add Mike's test back in

* update kind to use api.APIGateway

* cli: remove stray whitespace when loading the consul version from the VERSION file (#16467)

Fixes a regression from #15631 in the output of `consul version` from:

    Consul v1.16.0-dev
    +ent
    Revision 56b86acbe5+CHANGES

to

    Consul v1.16.0-dev+ent
    Revision 56b86acbe5+CHANGES

* Docs/services refactor docs day 122022 (#16103)

* converted main services page to services overview page

* set up services usage dirs

* added Define Services usage page

* converted health checks everything page to Define Health Checks usage page

* added Register Services and Nodes usage page

* converted Query with DNS to Discover Services and Nodes Overview page

* added Configure DNS Behavior usage page

* added Enable Static DNS Lookups usage page

* added the Enable Dynamic Queries DNS Queries usage page

* added the Configuration dir and overview page - may not need the overview, tho

* fixed the nav from previous commit

* added the Services Configuration Reference page

* added Health Checks Configuration Reference page

* updated service defaults configuraiton entry to new configuration ref format

* fixed some bad links found by checker

* more bad links found by checker

* another bad link found by checker

* converted main services page to services overview page

* set up services usage dirs

* added Define Services usage page

* converted health checks everything page to Define Health Checks usage page

* added Register Services and Nodes usage page

* converted Query with DNS to Discover Services and Nodes Overview page

* added Configure DNS Behavior usage page

* added Enable Static DNS Lookups usage page

* added the Enable Dynamic Queries DNS Queries usage page

* added the Configuration dir and overview page - may not need the overview, tho

* fixed the nav from previous commit

* added the Services Configuration Reference page

* added Health Checks Configuration Reference page

* updated service defaults configuraiton entry to new configuration ref format

* fixed some bad links found by checker

* more bad links found by checker

* another bad link found by checker

* fixed cross-links between new topics

* updated links to the new services pages

* fixed bad links in scale file

* tweaks to titles and phrasing

* fixed typo in checks.mdx

* started updating the conf ref to latest template

* update SD conf ref to match latest CT standard

* Apply suggestions from code review

Co-authored-by: Eddie Rowe <[email protected]>

* remove previous version of the checks page

* fixed cross-links

* Apply suggestions from code review

Co-authored-by: Eddie Rowe <[email protected]>

---------

Co-authored-by: Eddie Rowe <[email protected]>

* docs: clarify license expiration upgrade behavior (#16464)

* add provider ca auth-method support for azure

Does the required dance with the local HTTP endpoint to get the required
data for the jwt based auth setup in Azure. Keeps support for 'legacy'
mode where all login data is passed on via the auth methods parameters.
Refactored check for hardcoded /login fields.

* Changed titles for services pages to sentence style cap (#16477)

* Changed titles for services pages to sentence style cap

* missed a meta title

* docs: Consul 1.15.0 and Consul K8s 1.0 release notes (#16481)

* add new release notes
---------

Co-authored-by: Tu Nguyen <[email protected]>

* fix (cli): return error msg if acl policy not found (#16485)

* fix: return error msg if acl policy not found

* changelog

* add test

* update services nav titles (#16484)

* Improve ux to help users avoid overwriting fields of ACL tokens, roles and policies (#16288)

* Deprecate merge-policies and add options add-policy-name/add-policy-id to improve CLI token update command

* deprecate merge-roles fields

* Fix potential flakey tests and update ux to remove 'completely' + typo fixes

* NET-2292: port ingress-gateway test case "http" from BATS addendum (#16490)

* docs: Update release notes with Envoy compat issue (#16494)

* Update v1_15_x.mdx

---------

Co-authored-by: Tu Nguyen <[email protected]>

* Suppress AlreadyRegisteredError to fix test retries (#16501)

* Suppress AlreadyRegisteredError to fix test retries

* Remove duplicate sink

* Speed up test by registering services concurrently (#16509)

* add provider ca support for jwt file base auth

Adds support for a jwt token in a file. Simply reads the file and sends
the read in jwt along to the vault login.

It also supports a legacy mode with the jwt string being passed
directly. In which case the path is made optional.

* docs(architecture): remove merge conflict leftovers (#16507)

* add provider ca auth support for kubernetes

Adds support for Kubernetes jwt/token file based auth. Only needs to
read the file and save the contents as the jwt/token.

* Merge pull request #4538 from hashicorp/NET-2396 (#16516)

NET-2396: refactor test to reduce duplication

* Merge pull request #4584 from hashicorp/refactor_cluster_config (#16517)

NET-2841: PART 1 - refactor NewPeeringCluster to support custom config

* Add ServiceResolver RequestTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable (#16495)

* Leverage ServiceResolver ConnectTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable

* Regenerate golden files

* Add RequestTimeout field

* Add changelog entry

* Fix issue where terminating gateway service resolvers weren't properly cleaned up (#16498)

* Fix issue where terminating gateway service resolvers weren't properly cleaned up

* Add integration test for cleaning up resolvers

* Add changelog entry

* Use state test and drop integration test

* Add support for failover policies (#16505)

* modified unsupported envoy version error (#16518)

- When an envoy version is out of a supported range, we now return the envoy version being used as `major.minor.x` to indicate that it is the minor version at most that is incompatible
- When an envoy version is in the list of unsupported envoy versions we return back the envoy version in the error message as `major.minor.patch` as now the exact version matters.

* Remove private prefix from proto-gen-rpc-glue e2e test (#16433)

* Fix resolution of service resolvers with subsets for external upstreams (#16499)

* Fix resolution of service resolvers with subsets for external upstreams

* Add tests

* Add changelog entry

* Update view filter logic

* fixed broken links associated with cluster peering updates (#16523)

* fixed broken links associated with cluster peering updates

* additional links to fix

* typos

* fixed redirect file

* add provider ca support for approle auth-method

Adds support for the approle auth-method. Only handles using the approle
role/secret to auth and it doesn't support the agent's extra management
configuration options (wrap and delete after read) as they are not
required as part of the auth (ie. they are vault agent things).

* update connect/ca's vault AuthMethod conf section (#16346)

Updated Params field to re-frame as supporting arguments specific to the
supported vault-agent auth-auth methods with links to each methods
"#configuration" section.
Included a call out limits on parameters supported.

* proxycfg: ensure that an irrecoverable error in proxycfg closes the xds session and triggers a replacement proxycfg watcher (#16497)

Receiving an "acl not found" error from an RPC in the agent cache and the
streaming/event components will cause any request loops to cease under the
assumption that they will never work again if the token was destroyed. This
prevents log spam (#14144, #9738).

Unfortunately due to things like:

- authz requests going to stale servers that may not have witnessed the token
  creation yet

- authz requests in a secondary datacenter happening before the tokens get
  replicated to that datacenter

- authz requests from a primary TO a secondary datacenter happening before the
  tokens get replicated to that datacenter

The caller will get an "acl not found" *before* the token exists, rather than
just after. The machinery added above in the linked PRs will kick in and
prevent the request loop from looping around again once the tokens actually
exist.

For `consul-dataplane` usages, where xDS is served by the Consul servers
rather than the clients ultimately this is not a problem because in that
scenario the `agent/proxycfg` machinery is on-demand and launched by a new xDS
stream needing data for a specific service in the catalog. If the watching
goroutines are terminated it ripples down and terminates the xDS stream, which
CDP will eventually re-establish and restart everything.

For Consul client usages, the `agent/proxycfg` machinery is ahead-of-time
launched at service registration time (called "local" in some of the proxycfg
machinery) so when the xDS stream comes in the data is already ready to go. If
the watching goroutines terminate it should terminate the xDS stream, but
there's no mechanism to re-spawn the watching goroutines. If the xDS stream
reconnects it will see no `ConfigSnapshot` and will not get one again until
the client agent is restarted, or the service is re-registered with something
changed in it.

This PR fixes a few things in the machinery:

- there was an inadvertent deadlock in fetching snapshot from the proxycfg
  machinery by xDS, such that when the watching goroutine terminated the
  snapshots would never be fetched. This caused some of the xDS machinery to
  get indefinitely paused and not finish the teardown properly.

- Every 30s we now attempt to re-insert all locally registered services into
  the proxycfg machinery.

- When services are re-inserted into the proxycfg machinery we special case
  "dead" ones such that we unilaterally replace them rather that doing that
  conditionally.

* NET-2903 Normalize weight for http routes (#16512)

* NET-2903 Normalize weight for http routes

* Update website/content/docs/connect/gateways/api-gateway/configuration/http-route.mdx

Co-authored-by: trujillo-adam <[email protected]>

* Add some basic UI improvements for api-gateway services (#16508)

* Add some basic ui improvements for api-gateway services

* Add changelog entry

* Use ternary for null check

* Update gateway doc links

* rename changelog entry for new PR

* Fix test

* fixes empty link in DNS usage page (#16534)

* NET-2904 Fixes API Gateway Route Service Weight Division Error

* Improve ux around ACL token to help users avoid overwriting node/service identities (#16506)

* Deprecate merge-node-identities and merge-service-identities flags

* added tests for node identities changes

* added changelog file and docs

* Follow-up fixes to consul connect envoy command (#16530)

* Merge pull request #4573 from hashicorp/NET-2841 (#16544)

* Merge pull request #4573 from hashicorp/NET-2841

NET-2841: PART 2 refactor upgrade tests to include version 1.15

* update upgrade versions

* upgrade test: discovery chain across partition (#16543)

* Update the consul-k8s cli docs for the new `proxy log` subcommand (#16458)

* Update the consul-k8s cli docs for the new `proxy log` subcommand

* Updated consul-k8s docs from PR feedback

* Added proxy log command to release notes

* Delete test-link-rewrites.yml (#16546)

* feat: update notification to use hds toast component (#16519)

* Fix flakey tests related to ACL token updates (#16545)

* Fix flakey tests related to ACL token updates

* update all acl token update tests

* extra create_token function to its own thing

* support vault auth config for alicloud ca provider

Add support for using existing vault auto-auth configurations as the
provider configuration when using Vault's CA provider with AliCloud.

AliCloud requires 2 extra fields to enable it to use STS (it's preferred
auth setup). Our vault-plugin-auth-alicloud package contained a method
to help generate them as they require you to make an http call to
a faked endpoint proxy to get them (url and headers base64 encoded).

* Update docs to reflect functionality (#16549)

* Update docs to reflect functionality

* make consistent with other client runtimes

* upgrade test: use retry with ModifyIndex and remove ent test file (#16553)

* add agent locality and replicate it across peer streams (#16522)

* docs: Document config entry permissions (#16556)

* Broken link fixes (#16566)

* NET-2954: Improve integration tests CI execution time (#16565)

* NET-2954: Improve integration tests CI execution time

* fix ci

* remove comments and modify config file

* fix bug that can lead to peering service deletes impacting the state of local services (#16570)

* Update changelog with patch releases (#16576)

* Bump submodules from latest 1.15.1 patch release (#16578)

* Update changelog with Consul patch releases 1.13.7, 1.14.5, 1.15.1

* Bump submodules from latest patch release

* Forgot one

* website: adds content-check command and README update (#16579)

* added a backport-checker GitHub action (#16567)

* added a backport-checker GitHub action

* Update .github/workflows/backport-checker.yml

* auto-updated agent/uiserver/dist/ from commit 63204b518 (#16587)

Co-authored-by: hc-github-team-consul-core <[email protected]>

* GRPC stub for the ResourceService (#16528)

* UI: Fix htmlsafe errors throughout the app (#16574)

* Upgrade ember-intl

* Add changelog

* Add yarn lock

* Add namespace file with build tag for OSS gateway tests (#16590)

* Add namespace file with build tag for OSS tests

* Remove TODO comment

* JIRA pr check: Filter out OSS/ENT merges (#16593)

* jira pr check filter out dependabot and oss/ent merges

* allow setting locality on services and nodes (#16581)

* Add Peer Locality to Discovery Chains (#16588)

Add peer locality to discovery chains

* fixes for unsupported partitions field in CRD metadata block (#16604)

* fixes for unsupported partitions field in CRD metadata block

* Apply suggestions from code review

Co-authored-by: Luke Kysow <[email protected]>

---------

Co-authored-by: Luke Kysow <[email protected]>

* Create a weekly 404 checker for all Consul docs content (#16603)

* Consul WAN Fed with Vault Secrets Backend document updates (#16597)

* Consul WAN Fed with Vault Secrets Backend document updates

* Corrected dc1-consul.yaml and dc2-consul.yaml file highlights

* Update website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx

Co-authored-by: trujillo-adam <[email protected]>

* Update website/content/docs/k8s/deployment-configurations/vault/wan-federation.mdx

Co-authored-by: trujillo-adam <[email protected]>

---------

Co-authored-by: trujillo-adam <[email protected]>

* Allow HCP metrics collection for Envoy proxies

Co-authored-by: Ashvitha Sridharan <[email protected]>
Co-authored-by: Freddy <[email protected]>

Add a new envoy flag: "envoy_hcp_metrics_bind_socket_dir", a directory
where a unix socket will be created with the name
`<namespace>_<proxy_id>.sock` to forward Envoy metrics.

If set, this will configure:
- In bootstrap configuration a local stats_sink and static cluster.
  These will forward metrics to a loopback listener sent over xDS.

- A dynamic listener listening at the socket path that the previously
  defined static cluster is sending metrics to.

- A dynamic cluster that will forward traffic received at this listener
  to the hcp-metrics-collector service.


Reasons for having a static cluster pointing at a dynamic listener:
- We want to secure the metrics stream using TLS, but the stats sink can
  only be defined in bootstrap config. With dynamic listeners/clusters
  we can use the proxy's leaf certificate issued by the Connect CA,
  which isn't available at bootstrap time.

- We want to intelligently route to the HCP collector. Configuring its
  addreess at bootstrap time limits our flexibility routing-wise. More
  on this below.

Reasons for defining the collector as an upstream in `proxycfg`:
- The HCP collector will be deployed as a mesh service.

- Certificate management is taken care of, as mentioned above.

- Service discovery and routing logic is automatically taken care of,
  meaning that no code changes are required in the xds package.

- Custom routing rules can be added for the collector using discovery
  chain config entries. Initially the collector is expected to be
  deployed to each admin partition, but in the future could be deployed
  centrally in the default partition. These config entries could even be
  managed by HCP itself.

* Add copywrite setup file (#16602)

* Add sameness-group configuration entry. (#16608)

This commit adds a sameness-group config entry to the API and structs packages. It includes some validation logic and a new memdb index that tracks the default sameness-group for each partition. Sameness groups will simplify the effort of managing failovers / intentions / exports for peers and partitions.

Note that this change purely to introduce the configuration entry and does not include the full functionality of sameness-groups.

* Preserve CARoots when updating Vault CA configuration (#16592)

If a CA config update did not cause a root change, the codepath would return early and skip some steps which preserve its intermediate certificates and signing key ID. This commit re-orders some code and prevents updates from generating new intermediate certificates.

* Add UI copyright headers files (#16614)

* Add copyright headers to UI files

* Ensure copywrite file ignores external libs

* Docs discovery typo (#16628)

* docs(discovery): typo

* docs(discovery): EOF and trim lines

---------

Co-authored-by: trujillo-adam <[email protected]>

* Fix issue with trust bundle read ACL check. (#16630)

This commit fixes an issue where trust bundles could not be read
by services in a non-default namespace, unless they had excessive
ACL permissions given to them.

Prior to this change, `service:write` was required in the default
namespace in order to read the trust bundle. Now, `service:write`
to a service in any namespace is sufficient.

* Basic resource type registry (#16622)

* Backport ENT-4704 (#16612)

* feat: update typography to consume hds styles (#16577)

* Add known issues to Raft WAL docs. (#16600)

* Add known issues to Raft WAL docs.

* Refactor update based on review feedback

* Tune 404 checker to exclude false-positives and use intended file path (#16636)

* Update e2e tests for namespaces (#16627)

* Refactored "NewGatewayService" to handle namespaces, fixed
TestHTTPRouteFlattening test

* Fixed existing http_route tests for namespacing

* Squash aclEnterpriseMeta for ResourceRefs and HTTPServices, accept
namespace for creating connect services and regular services

* Use require instead of assert after creating namespaces in
http_route_tests

* Refactor NewConnectService and NewGatewayService functions to use cfg
objects to reduce number of method args

* Rename field on SidecarConfig in tests from `SidecarServiceName` to
`Name` to avoid stutter

* net 2731 ip config entry OSS version (#16642)

* ip config entry

* name changing

* move to ent

* ent version

* renaming

* change format

* renaming

* refactor

* add default values

* fix confusing spiffe ids in golden tests (#16643)

* First cluster grpc service should be NodePort for the second cluster to connect (#16430)

* First cluster grpc service should be NodePort

This is based on the issue opened here https://github.com/hashicorp/consul-k8s/issues/1903

If you follow the documentation https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/single-dc-multi-k8s exactly as it is, the first cluster will only create the consul UI service on NodePort but not the rest of the services (including for grpc). By default, from the helm chart, they are created as headless services by setting clusterIP None. This will cause an issue for the second cluster to discover consul server on the first cluster over gRPC as it cannot simply cannot through gRPC default port 8502 and it ends up in an error as shown in the issue https://github.com/hashicorp/consul-k8s/issues/1903

As a solution, the grpc service should be exposed using NodePort (or LoadBalancer). I added those changes required in both cluster1-values.yaml and cluster2-values.yaml, and also a description for those changes for the normal users to understand. Kindly review and I hope this PR will be accepted.

* Update website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx

Co-authored-by: trujillo-adam <[email protected]>

* Update website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx

Co-authored-by: trujillo-adam <[email protected]>

* Update website/content/docs/k8s/deployment-configurations/single-dc-multi-k8s.mdx

Co-authored-by: trujillo-adam <[email protected]>

---------

Co-authored-by: trujillo-adam <[email protected]>

* Add in query options for catalog service existing in a specific (#16652)

namespace when creating service for tests

* fix: add AccessorID property to PUT token request (#16660)

* add sameness group support to service resolver failover and redirects (#16664)

* Fix incorrect links on Envoy extensions documentation (#16666)

* [API Gateway] Fix invalid cluster causing gateway programming delay (#16661)

* Add test for http routes

* Add fix

* Fix tests

* Add changelog entry

* Refactor and fix flaky tests

* Bump tomhjp/gh-action-jira-search from 0.2.1 to 0.2.2 (#16667)

Bumps [tomhjp/gh-action-jira-search](https://github.com/tomhjp/gh-action-jira-search) from 0.2.1 to 0.2.2.
- [Release notes](https://github.com/tomhjp/gh-action-jira-search/releases)
- [Commits](https://github.com/tomhjp/gh-action-jira-search/compare/v0.2.1...v0.2.2)

---
updated-dependencies:
- dependency-name: tomhjp/gh-action-jira-search
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump atlassian/gajira-transition from 2.0.1 to 3.0.1 (#15921)

Bumps [atlassian/gajira-transition](https://github.com/atlassian/gajira-transition) from 2.0.1 to 3.0.1.
- [Release notes](https://github.com/atlassian/gajira-transition/releases)
- [Commits](https://github.com/atlassian/gajira-transition/compare/v2.0.1...v3.0.1)

---
updated-dependencies:
- dependency-name: atlassian/gajira-transition
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Yu <[email protected]>

* Snapshot restore tests (#16647)

* add snapshot restore test

* add logstore as test parameter

* Use the correct image version

* make sure we read the logs from a followers to test the follower snapshot install path.

* update to raf-wal v0.3.0

* add changelog.

* updating changelog for bug description and removed integration test.

* setting up test container builder to only set logStore for 1.15 and higher

---------

Co-authored-by: Paul Banks <[email protected]>
Co-authored-by: John Murret <[email protected]>

* add sameness groups to discovery chains (#16671)

* feat: add category annotation to RPC and gRPC methods (#16646)

* Update GH actions to create Jira issue automatically (#16656)

* Adds check to verify that the API Gateway is being created with at least one listener

* Fix route subscription when using namespaces (#16677)

* Fix route subscription when using namespaces

* Update changelog

* Fix changelog entry to reference that the bug was enterprise only

* peering: peering partition failover fixes (#16673)

add local source partition for peered upstreams

* fix jira sync actions, remove custom fields (#16686)

* Docs/update jira sync pr issue (#16688)

* fix jira sync actions, remove custom fields

* remove more additional fields, debug

* Docs: Jira sync Update issuetype to bug (#16689)

* update issuetype to bug

* fix conditional for pr edu

* build(deps): bump tomhjp/gh-action-jira-create from 0.2.0 to 0.2.1 (#16685)

Bumps [tomhjp/gh-action-jira-create](https://github.com/tomhjp/gh-action-jira-create) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/tomhjp/gh-action-jira-create/releases)
- [Commits](https://github.com/tomhjp/gh-action-jira-create/compare/v0.2.0...v0.2.1)

---
updated-dependencies:
- dependency-name: tomhjp/gh-action-jira-create
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Yu <[email protected]>

* build(deps): bump tomhjp/gh-action-jira-comment from 0.1.0 to 0.2.0 (#16684)

Bumps [tomhjp/gh-action-jira-comment](https://github.com/tomhjp/gh-action-jira-comment) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/tomhjp/gh-action-jira-comment/releases)
- [Commits](https://github.com/tomhjp/gh-action-jira-comment/compare/v0.1.0...v0.2.0)

---
updated-dependencies:
- dependency-name: tomhjp/gh-action-jira-comment
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Yu <[email protected]>

* NET-2397: Add readme.md to upgrade test subdirectory (#16610)

* NET-2397: Add readme.md to upgrade test subdirectory

* remove test code

* fix link and update  steps of adding new test cases (#16654)

* fix link and update  steps of adding new test cases

* Apply suggestions from code review

Co-authored-by: Nick Irvine <[email protected]>

---------

Co-authored-by: Nick Irvine <[email protected]>

---------

Co-authored-by: cskh <[email protected]>
Co-authored-by: Nick Irvine <[email protected]>

* chore: replace hardcoded node name with a constant (#16692)

* Fix broken links from api docs (#16695)

* Update WAL Known issues (#16676)

* UI:  update Ember to 3.28.6 (#16616)


---------

Co-authored-by: wenincode <[email protected]>

* Regen helm docs (#16701)

* Remove unused are hosts set check (#16691)

* Remove unused are hosts set check

* Remove all traces of unused 'AreHostsSet' parameter

* Remove unused Hosts attribute

* Remove commented out use of snap.APIGateway.Hosts

* [NET-3029] Migrate build-distros to GHA (#16669)

* migrate build distros to GHA

Signed-off-by: Dan Bond <[email protected]>

* build-arm

Signed-off-by: Dan Bond <[email protected]>

* don't use matrix

Signed-off-by: Dan Bond <[email protected]>

* check-go-mod

Signed-off-by: Dan Bond <[email protected]>

* add notify slack script

Signed-off-by: Dan Bond <[email protected]>

* notify slack if failure

Signed-off-by: Dan Bond <[email protected]>

* rm notify slack script

Signed-off-by: Dan Bond <[email protected]>

* fix check-go-mod job

Signed-off-by: Dan Bond <[email protected]>

---------

Signed-off-by: Dan Bond <[email protected]>

* Update envoy extension docs, service-defaults, add multi-config example for lua (#16710)

* fix build workflow (#16719)

Signed-off-by: Dan Bond <[email protected]>

* Helm docs without developer.hashicorp.com prefix (#16711)

This was causing linter errors

* add extra resiliency to snapshot restore test (#16712)

* fix: gracefully fail on invalid port number (#16721)

* Copyright headers for config files git + circleci (#16703)

* Copyright headers for config files git + circleci

* Release folder copyright headers

* fix bug where pqs that failover to a cluster peer dont un-fail over (#16729)

* add enterprise xds tests (#16738)

* delete config when nil (#16690)

* delete config when nil

* fix mock interface implementation

* fix handler test to use the right assertion

* extract DeleteConfig as a separate API.

* fix mock limiter implementation to satisfy the new interface

* fix failing tests

* add test comments

* Changelog for audit logging fix. (#16700)

* Changelog for audit logging fix.

* Use GH issues type for edu board (#16750)

* fix: remove unused tenancy category from rate limit spec (#16740)

* Remove version bump from CRT workflow (#16728)

This bumps the version to reflect the next patch release; however, we use a specific branch for each patch release and so never wind up cutting a release directly from the `release/1.15.x` (for example) where this is intended to work.

* tests instantiating clients w/o shutting down (#16755)

noticed via their port still in use messages.

* RELENG-471: Remove obsolete load-test workflow (#16737)

* Remove obsolete load-test workflow

* remove load-tests from circleci config.

---------

Co-authored-by: John Murret <[email protected]>

* add failover policy to ProxyConfigEntry in api (#16759)

* add failover policy to ProxyConfigEntry in api

* update docs

* Fix broken links in Consul docs (#16640)

* Fix broken links in Consul docs

* more broken link fixes

* more 404 fixes

* 404 fixes

* broken link fix

---------

Co-authored-by: Tu Nguyen <[email protected]>

* Change partition for peers in discovery chain targets (#16769)

This commit swaps the partition field to the local partition for
discovery chains targeting peers. Prior to this change, peer upstreams
would always use a value of default regardless of which partition they
exist in. This caused several issues in xds / proxycfg because of id
mismatches.

Some prior fixes were made to deal with one-off id mismatches that this
PR also cleans up, since they are no longer needed.

* Docs/intentions refactor docs day 2022 (#16758)

* converted intentions conf entry to ref CT format

* set up intentions nav

* add page for intentions usage

* final intentions usage page

* final intentions overview page

* fixed old relative links

* updated diagram for overview

* updated links to intentions content

* fixed typo in updated links

* rename intentions overview page file to index

* rollback link updates to intentions overview

* fixed nav

* Updated custom HTML in API and CLI pages to MD

* applied suggestions from review to index page

* moved conf examples from usage to conf ref

* missed custom HTML section

* applied additional feedback

* Apply suggestions from code review

Co-authored-by: Tu Nguyen <[email protected]>

* updated headings in usage page

* renamed files and udpated nav

* updated links to new file names

* added redirects and final tweaks

* typo

---------

Co-authored-by: Tu Nguyen <[email protected]>

* Add storage backend interface and in-memory implementation (#16538)

Introduces `storage.Backend`, which will serve as the interface between the
Resource Service and the underlying storage system (Raft today, but in the
future, who knows!).

The primary design goal of this interface is to keep its surface area small,
and push as much functionality as possible into the layers above, so that new
implementations can be added with little effort, and easily proven to be
correct. To that end, we also provide a suite of "conformance" tests that can
be run against a backend implementation to check it behaves correctly.

In this commit, we introduce an initial in-memory storage backend, which is
suitable for tests and when running Consul in development mode. This backend is
a thin wrapper around the `Store` type, which implements a resource database
using go-memdb and our internal pub/sub system. `Store` will also be used to
handle reads in our Raft backend, and in the future, used as a local cache for
external storage systems.

* Fix bug in changelog checker where bash variable is not quoted (#16681)

* Read(...) endpoint for the resource service (#16655)

* Fix Edu Jira automation (#16778)

* Fix struct tags for TCPService enterprise meta (#16781)

* Fix struct tags for TCPService enterprise meta

* Add changelog

* Expand route flattening test for multiple namespaces (#16745)

* Exand route flattening test for multiple namespaces

* Add helper for checking http route config entry exists without checking for bound
status

* Fix port and hostname check for http route flattening test

* WatchList(..) endpoint for the resource service (#16726)

* Allocate virtual ip for resolver/router/splitter config entries (#16760)

* add ip rate limiter controller OSS parts (#16790)

* Resource service List(..) endpoint (#16753)

* changes to support new PQ enterprise fields (#16793)

* add scripts for testing locally consul-ui-toolkit (#16794)

* Update normalization of route refs (#16789)

* Use merge of enterprise meta's rather than new custom method

* Add merge logic for tcp routes

* Add changelog

* Normalize certificate refs on gateways

* Fix infinite call loop

* Explicitly call enterprise meta

* copyright headers for agent folder (#16704)

* copyright headers for agent folder

* Ignore test data files

* fix proto files and remove headers in agent/uiserver folder

* ignore deep-copy files

* Copyright headers for command folder (#16705)

* copyright headers for agent folder

* Ignore test data files

* fix proto files and remove headers in agent/uiserver folder

* ignore deep-copy files

* copyright headers for agent folder

* Copyright headers for command folder

* fix merge conflicts

* Add copyright headers for acl, api and bench folders (#16706)

* copyright headers for agent folder

* Ignore test data files

* fix proto files and remove headers in agent/uiserver folder

* ignore deep-copy files

* copyright headers for agent folder

* fix merge conflicts

* copyright headers for agent folder

* Ignore test data files

* fix proto files

* ignore agent/uiserver folder for now

* copyright headers for agent folder

* Add copyright headers for acl, api and bench folders

* Github Actions Migration - move go-tests workflows to GHA (#16761)

* go-tests workflow

* add test splitting to go-tests

* fix re-reun fails report path

* fix re-reun fails report path another place

* fixing tests for32bit and race

* use script file to generate runners

* fixing run path

* add checkout

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* passing runs-on

* setting up runs-on as a parameter to check-go-mod

* making on pull_request

* Update .github/scripts/rerun_fails_report.sh

Co-authored-by: Dan Bond <[email protected]>

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* make runs-on required

* removing go-version param that is not used.

* removing go-version param that is not used.

* Modify build-distros to use medium runners (#16773)

* go-tests workflow

* add test splitting to go-tests

* fix re-reun fails report path

* fix re-reun fails report path another place

* fixing tests for32bit and race

* use script file to generate runners

* fixing run path

* add checkout

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* passing runs-on

* setting up runs-on as a parameter to check-go-mod

* trying mediums

* adding in script

* fixing runs-on to be parameter

* fixing merge conflict

* changing to on push

* removing whitespace

* go-tests workflow

* add test splitting to go-tests

* fix re-reun fails report path

* fix re-reun fails report path another place

* fixing tests for32bit and race

* use script file to generate runners

* fixing run path

* add checkout

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* passing runs-on

* setting up runs-on as a parameter to check-go-mod

* changing back to on pull_request

---------

Co-authored-by: Dan Bond <[email protected]>

* Github Actions Migration - move verify-ci workflows to GHA (#16777)

* add verify-ci workflow

* adding comment and changing to on pull request.

* changing to pull_requests

* changing to pull_request

* Apply suggestions from code review

Co-authored-by: Dan Bond <[email protected]>

* [NET-3029] Migrate frontend to GHA (#16731)

* changing set up to a small

* using consuls own custom runner pool.

---------

Co-authored-by: Dan Bond <[email protected]>

* Copyright headers for missing files/folders (#16708)

* copyright headers for agent folder

* fix: export ReadWriteRatesConfig struct as it needs to referenced from consul-k8s (#16766)

* docs: Updates to support HCP Consul cluster peering release (#16774)

* New HCP Consul documentation section + links

* Establish cluster peering usage cross-link

* unrelated fix to backport to v1.15

* nav correction + fixes

* Tech specs fixes

* specifications for headers

* Tech specs fixes + alignments

* sprawl edits

* Tip -> note

* port ENT ingress gateway upgrade tests [NET-2294] [NET-2296] (#16804)

* [COMPLIANCE] Add Copyright and License Headers (#16807)

* [COMPLIANCE] Add Copyright and License Headers

* fix headers for generated files

* ignore dist folder

---------

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Co-authored-by: Ronald Ekambi <[email protected]>
Co-authored-by: Ronald <[email protected]>

* add order by locality failover to Consul enterprise (#16791)

* ci: changes resulting from running on consul-enterprise (#16816)

* changes resulting from running on consul-enterprise

* removing comment line

* port ENT upgrade tests flattening (#16824)

* docs: raise awareness of GH-16779 (#16823)

* updating command to reflect the additional package exclusions in CircleCI (#16829)

* storage: fix resource leak in Watch (#16817)

* Remove UI brand-loader copyright headers as they do not render appropriately (#16835)

* Add sameness-group to exported-services config entries (#16836)

This PR adds the sameness-group field to exported-service
config entries, which allows for services to be exported
to multiple destination partitions / peers easily.

* Add default resolvers to disco chains based on the default sameness group (#16837)

* [NET-3029] Migrate dev-* jobs to GHA (#16792)

* ci: add build-artifacts workflow

Signed-off-by: Dan Bond <[email protected]>

* makefile for gha dev-docker

Signed-off-by: Dan Bond <[email protected]>

* use docker actions instead of make

Signed-off-by: Dan Bond <[email protected]>

* Add context

Signed-off-by: Dan Bond <[email protected]>

* testing push

Signed-off-by: Dan Bond <[email protected]>

* set short sha

Signed-off-by: Dan Bond <[email protected]>

* upload to s3

Signed-off-by: Dan Bond <[email protected]>

* rm s3 upload

Signed-off-by: Dan Bond <[email protected]>

* use runner setup job

Signed-off-by: Dan Bond <[email protected]>

* on push

Signed-off-by: Dan Bond <[email protected]>

* testing

Signed-off-by: Dan Bond <[email protected]>

* on pr

Signed-off-by: Dan Bond <[email protected]>

* revert testing

Signed-off-by: Dan Bond <[email protected]>

* OSS/ENT logic

Signed-off-by: Dan Bond <[email protected]>

* add comments

Signed-off-by: Dan Bond <[email protected]>

* Update .github/workflows/build-artifacts.yml

Co-authored-by: John Murret <[email protected]>

---------

Signed-off-by: Dan Bond <[email protected]>
Co-authored-by: John Murret <[email protected]>

* add region field (#16825)

* add region field

* fix syntax error in test file

* go fmt

* go fmt

* remove test

* Connect CA Primary Provider refactor (#16749)

* Rename Intermediate cert references to LeafSigningCert

Within the Consul CA subsystem, the term "Intermediate"
is confusing because the meaning changes depending on
provider and datacenter (primary vs secondary). For
example, when using the Consul CA the "ActiveIntermediate"
may return the root certificate in a primary datacenter.

At a high level, we are interested in knowing which
CA is responsible for signing leaf certs, regardless of
its position in a certificate chain. This rename makes
the intent clearer.

* Move provider state check earlier

* Remove calls to GenerateLeafSigningCert

GenerateLeafSigningCert (formerly known
as GenerateIntermediate) is vestigial in
non-Vault providers, as it simply returns
the root certificate in primary
datacenters.

By folding Vault's intermediate cert logic
into `GenerateRoot` we can encapsulate
the intermediate cert handling within
`newCARoot`.

* Move GenerateLeafSigningCert out of PrimaryProvidder

Now that the Vault Provider calls
GenerateLeafSigningCert w…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Consul HTTPS unix socket binds HTTP instead
3 participants