Backport of feat: Add HCP Observability ClientID and ClientSecret into release/1.2.x #2972

hc-github-team-consul-core

Backport

This PR is auto-generated from #2958 to be assessed for backporting due to the inclusion of the label backport/1.2.x.

The below text is copied from the body of the original PR.


Changes proposed in this PR:

  • When using the cloud preset, attempt to fetch the observability credentials and use them when configuring the consul-telemetry-collector

How I've tested this PR:

  • unit tests
  • manual execution

How I expect reviewers to test this PR:

Checklist:


Overview of commits

curtbushko and others added 30 commits June 7, 2023 19:51
* Add FIPS builds for linux amd64

* add version check

* fix CI labels and add local dev commands

* fix ci version tagging

* switch to ubuntu 20.04

* add CLI version tag

* add gcompat for alpine glibc cgo compatibility

* remove FIPS version check from connect-init

* address comments
- making this trigger nightly until after 1.2.0 GA
- leaving 0.49.x active until after 1.2.0 GA
* first run through, needs help

* still need to make secure pass

* left something uncommented

* it works and also cleanup

* fix acceptance tests
* [API Gateway] Add acceptance test for cluster peering

* Fix linter

* Fix random unrelated linter errors to get CI to run: revert later?

* one more linter fix to later probably revert

* more linter fixes

* Revert "more linter fixes"

This reverts commit 6210dff.

* Revert "one more linter fix to later probably revert"

This reverts commit 030c563.

* Revert "Fix random unrelated linter errors to get CI to run: revert later?"

This reverts commit fdeccab.
…ersion of kind and k8s 1.27 (#2304)

* update cloud tests to use 1.24, 1.25 and 1.26 version of kubernetes for more coverage

* updated readme for supported kubernetes versions

* added changelog
* [API Gateway] WAN Federation test and fixes

* Fix unit tests
* Fix when gateways are deleted before we get services populated into cache

* a bit of cleanup
…assConfig are obeyed (#2272)

* Add unit tests verifying that scaling parameters on GatewayClassConfig are obeyed

* Add test case for scaling w/ no min or max configured
* Rename GatewayClassController to prevent name collision

* Use gateway instead of gatewayclass in name

* Use the constant in ownership checks

* Change GatewayClass name to "consul"

* Change GatewayClass name in cases

* Change ApiGatewayClass back
* Fix SupportedKinds array to be what Conformance test expects

* Fix cert validation status condition for listeners

* Add programmed condition for listeners

* Fix unit test

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
* first pass at halting: got httproute and api-gateway done

* clean up test

* Handle all set for infinite reconcile check

* Add table tests for minimal setup

* Added some odd field names to test normalization is handled correctly

* Use funky casing http routes
* Added helm inputs for managing audit logs
* Remove unwanted changes from values
* fix: use correct flag when translating namespaces

* Use non-normalized namespace when deregistering services

* Guard against namespace queries when namespaces not enabled in cache
* added imagePullPolicy for images in values.yaml

* fix: renamed pullPolicy key according to image

* fixed default always in tmpl

* changed structure of image in yaml

* revert changes

* added global imagePullPolicy

* fixed typo

* added changelog file
This brings consul-k8s in line with consul.
Most importantly, the backport assistant was updated to automatically assign created PRs to the author of the PR that is being backported.
* update changelog based on changes made to 1.2.x

* fixed test cases
- enterprise cases were in the OSS test cases
* trigger conformance tests nightly, squash

* remove extra line

* Update nightly-api-gateway-conformance.yml
making scripts more robust and removing changing helm chart
* Fix cache and service deletion issue

* Add comments

* add in acceptance test

* Fix indentation

* Fix unit test for deleting gateway w/ consul services

* Remove redundant service deregistration code

* Exit loop early once registration is found for service

* Fix import blocking

* Set status on pods added to test

* Apply suggestions from code review

* Reduce count of test gateways to 10 from 100

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
* Adding support for weighted k8s service

* Adding changelog

* if per-app weight is 0 then pull the weight to 1

* Addressing review comments

* Addressing review comments

* Addressing review comments

* Comment update

* Comment update

* Parameterized table test

* Parameterized table test

* fixing linting issue

* fixing linting issue

---------

Co-authored-by: srahul3 <rahulsharma@hashicorp.com>
* Bumping go-discover to the latest version
cthain and others added 21 commits September 12, 2023 06:07
Update Go version to 1.20.8

This resolves several CVEs (see changelog entry).
…nsul config entry (#2904)

* Translate response header modifier(s) from HTTPRoute onto Consul config entry

* Update dependency pins to include response filter changes in consul modules

* Add changelog entry

* Account for response filters when determining whether an HTTPRoute change requires a sync

* Stop setting empty header modifier in Consul when not present in HTTPRoute

* Remove unnecessary len check

* Make comments more robust for replace directives

Also use same pin for `sdk` that we're using for `api` and `proto-public`
* feat: v2 mesh-init command

* bugfix mesh-init test

* add mesh-init args to webhook

* fix: remove v2 flags from partition-init

* update telemetry-collector with v2 flags

* Apply suggestions from code review

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* PR feedback Part II

* bugfix test

* fix: endpoints v2 selector stability

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
* feat: add node controller

* lint fix

* Apply suggestions from code review

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>

* PR feedback Part II

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>
* GKE Autopilot support
Limit v2 Service port registration to L4 TCP ports

Ignore non-TCP L4 ports in K8s services. This is expected behavior and
also prevents unintended duplication of Service port values registered
to Consul (which is not supported) when ports have multiplexed L4
traffic.
* NET-4978: New CRDs for GW JWT Auth (#2734)

* Added CRDs for gateway policy and httproute auth filter

* Added bats tests

* Correctly configured http route auth filter extension

* Small docs update for operator-sdk usage

* updated docs a bit, added gateway policy CRD

* removed extra crd, updated bats tests

* Added changelog

* Added periods for consistency

* Revert unnecessary changes

* make jwt requirement optional

* Updated jwt config to be optional to allow for other auth types

* Rename HTTPRouteAuthFilter to RouteAuthFilter

* Fix typo for omitempty

* finish httprouteauthfilters rename to routeauthfilters

* Added target reference for gateway policies

* Add period to sentence for linter

* Rename APIGatewayJWT* fields to GatewayJWT* and fixed spots of renaming
of HTTPRouteAuthFilter to RouteAuthFilter

* Gateway policy translation NET 4980 (#2835)

* squash

* reset crd-gatewaypolicies

* reset

* reset

* fix lint issues

* fix nil pointer issue

* checkpoint

* change to resourseref key

* update to pull all policies

* add nil checks

* more nil pointer checks for defensive programming

* fix lint issue

* delete comment

* add unit test, fix add function

* Update control-plane/api-gateway/common/translation.go

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Translate HTTPAuthFilter onto HTTPRoute (#2836)

* Add function

* Add RouteAuthFilterKind export

* Add ServicesForRoute function

* Start adding translateHTTPRouteAuth

* Added translation filter to existing filter processing

* Split out formatting into subfunctions

* Remove original function

* Remove ServicesForRoute

* Change httprouteauthfilter to routeauthfilter

* Reuse GatewayJWT type for Routes

* Match Sarah's style for translation functions

* Start adding filter tests

* Wrap up test for filters

* Uncomment other tests

* Use existing v1alpha1 import for group

* Remove old make* function

* Use ConvertSliceFunc

* Fix group in translation_test

* Manually un-diff CRDs

* cleanup

* cleanup

* clean up

* update index function

---------

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Added validating webhook for gateway policy (#2912)

* Added validating webhook for gateway policy

* Change denied message to provide more information to the operator

* [APIGW] Add comparison of gateway policies to diffing logic (#2939)

* Fix bug in comparison of gateway policies

* fix fmting

* Added gateway equal test

* Finished adding tests and refactored to use slices convenience
functions

* Reconcile Route Auth Filter changes (#2954)

* Group indices by resource

* Add index for HTTPRoutes referencing RouteAuthFilters

* Add watch for HTTPRoutes referencing RouteAuthFilters

* Add permissions to connect-inject clusterrole

* Compare JWT filters for equality

* Add RouteAuthFilter to resource translator

* [NET-5017] APIGW Status Conditions for Gateway for JWT/Reconcile on JWTProvider Changes (#2950)

* Added watches and status condition on gateway listeners for JWT
validation

* Only append errors if they're non-nil

* Added tests for validating jwt on listener and for adding/retrieving jwt
from resource map

* fix fmting

* Clean up from PR review

* Use two value form of map access

* Rename function

* clean up from PR review

* [NET-5017] APIGW Status Conditions for Gateway Policies (#2955)

* Adding status conditions for gw policy

* Fixed issue where status was not being propagated for policies

* Moved code to correct places

* Revert formatting

* Cleaned up error creation, added validation tests

* Added results tests, updated binding test

* Updates from PR review: clean up comments/appends, use correct
conditions for defaults

* [NET-5017] APIGW Status Conditions for RouteAuthFilter and Routes wrt JWT (#2961)

* NET-4978: New CRDs for GW JWT Auth (#2734)

* Added CRDs for gateway policy and httproute auth filter

* Added bats tests

* Correctly configured http route auth filter extension

* Small docs update for operator-sdk usage

* updated docs a bit, added gateway policy CRD

* removed extra crd, updated bats tests

* Added changelog

* Added periods for consistency

* Revert unnecessary changes

* make jwt requirement optional

* Updated jwt config to be optional to allow for other auth types

* Rename HTTPRouteAuthFilter to RouteAuthFilter

* Fix typo for omitempty

* finish httprouteauthfilters rename to routeauthfilters

* Added target reference for gateway policies

* Add period to sentence for linter

* Rename APIGatewayJWT* fields to GatewayJWT* and fixed spots of renaming
of HTTPRouteAuthFilter to RouteAuthFilter

* Gateway policy translation NET 4980 (#2835)

* squash

* reset crd-gatewaypolicies

* reset

* reset

* fix lint issues

* fix nil pointer issue

* checkpoint

* change to resourseref key

* update to pull all policies

* add nil checks

* more nil pointer checks for defensive programming

* fix lint issue

* delete comment

* add unit test, fix add function

* Update control-plane/api-gateway/common/translation.go

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Translate HTTPAuthFilter onto HTTPRoute (#2836)

* Add function

* Add RouteAuthFilterKind export

* Add ServicesForRoute function

* Start adding translateHTTPRouteAuth

* Added translation filter to existing filter processing

* Split out formatting into subfunctions

* Remove original function

* Remove ServicesForRoute

* Change httprouteauthfilter to routeauthfilter

* Reuse GatewayJWT type for Routes

* Match Sarah's style for translation functions

* Start adding filter tests

* Wrap up test for filters

* Uncomment other tests

* Use existing v1alpha1 import for group

* Remove old make* function

* Use ConvertSliceFunc

* Fix group in translation_test

* Manually un-diff CRDs

* cleanup

* cleanup

* clean up

* update index function

---------

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Added status conditions for JWT for auth filters and for routes

* Extract function

* Use more generic error for invalid filter

* Re-run ctrl-manifests with correct controller-generate version

* Clean up from pr review

* gofmt

---------

Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* Added changelog

* clean up some renames from httprouteauthfilter -> routeauthfilter

* Fix broken webhook test, added new test

---------

Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>
Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
feat: add v2 service account controller

Implement the basic requirements of a new Service Account controller
that registers Workload Identities via Consul's V2 API.

Also lightly refactor some of the shared controller data in V2.

Further tests and TODOs will be addressed in follow-up changes.
We are currently registering all services in k8s regardless of whether
they represent mesh-injected workloads. This is both creating "junk"
registrations for Consul and k8s components, but additionally can create
issues in Consul core when generating routes with TProxy enabled, since
these services will not have endpoints.

To solve for both of these issues, selectively sync k8s services to
Consul in the v2 Endpoints controller only when at least one of its pods
is injected.

Follow-up work will address edge cases where we want to maintain a
service entry even without workloads, such as when the global inject
flag is set, and when a service temporarily loses endpoints but is
already registered and part of the mesh.
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/clly/observability-credentials/violently-mature-eel branch from 6faf41f to a68fb38 Compare September 19, 2023 21:39
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/clly/observability-credentials/violently-mature-eel branch from a186375 to 1db8ad3 Compare September 19, 2023 21:39
@hashicorp-cla

hashicorp-cla commented Sep 19, 2023

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


23 out of 24 committers have signed the CLA.

  • hc-github-team-consul-core
  • nathancoleman
  • sarahalsmiller
  • rigalGit
  • Ganeshrockz
  • clly
  • zalimeni
  • jm96441n
  • david-yu
  • sophie-gairo
  • thisisnotashwin
  • curtbushko
  • wilkermichael
  • DanStough
  • kisunji
  • roncodingenthusiast
  • trevorLeonHC
  • absolutelightning
  • cthain
  • missylbytes
  • hashi-derek
  • aahel
  • pglass
  • Paul Glass

Paul Glass seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

@Achooo
Contributor

Achooo commented Feb 13, 2024

Closing, it was manually backported in: #2973

@Achooo Achooo closed this Feb 13, 2024
auto-merge was automatically disabled February 13, 2024 00:56

Pull request was closed
