Merge branch 'main' into docs/reformat-service-splitters-conf-entry

hashicorp · Feb 15, 2023 · 826930b · 826930b
2 parents 9ad4c6d + 514fb25
commit 826930b
Show file tree

Hide file tree

Showing 24 changed files with 1,394 additions and 1,211 deletions.
diff --git a/.changelog/16274.txt b/.changelog/16274.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Bump Envoy 1.22.5 to 1.22.7, 1.23.2 to 1.23.4, 1.24.0 to 1.24.2, add 1.25.1, remove 1.21.5
+```
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -23,10 +23,10 @@ references:
     BASH_ENV: .circleci/bash_env.sh
     GO_VERSION: 1.19.4
   envoy-versions: &supported_envoy_versions
-    - &default_envoy_version "1.21.5"
-    - "1.22.5"
-    - "1.23.2"
-    - "1.24.0"
+    - &default_envoy_version "1.22.7"
+    - "1.23.4"
+    - "1.24.2"
+    - "1.25.1"
   nomad-versions: &supported_nomad_versions
     - &default_nomad_version "1.3.3"
     - "1.2.10"

diff --git a/agent/proxycfg/api_gateway.go b/agent/proxycfg/api_gateway.go
@@ -73,6 +73,7 @@ func (h *handlerAPIGateway) initialize(ctx context.Context) (ConfigSnapshot, err
 	snap.APIGateway.WatchedDiscoveryChains = make(map[UpstreamID]context.CancelFunc)
 	snap.APIGateway.WatchedGateways = make(map[UpstreamID]map[string]context.CancelFunc)
 	snap.APIGateway.WatchedGatewayEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
+	snap.APIGateway.WatchedLocalGWEndpoints = watch.NewMap[string, structs.CheckServiceNodes]()
 	snap.APIGateway.WatchedUpstreams = make(map[UpstreamID]map[string]context.CancelFunc)
 	snap.APIGateway.WatchedUpstreamEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
 

diff --git a/agent/proxycfg/ingress_gateway.go b/agent/proxycfg/ingress_gateway.go
@@ -67,6 +67,7 @@ func (s *handlerIngressGateway) initialize(ctx context.Context) (ConfigSnapshot,
 	snap.IngressGateway.WatchedUpstreamEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
 	snap.IngressGateway.WatchedGateways = make(map[UpstreamID]map[string]context.CancelFunc)
 	snap.IngressGateway.WatchedGatewayEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
+	snap.IngressGateway.WatchedLocalGWEndpoints = watch.NewMap[string, structs.CheckServiceNodes]()
 	snap.IngressGateway.Listeners = make(map[IngressListenerKey]structs.IngressListener)
 	snap.IngressGateway.UpstreamPeerTrustBundles = watch.NewMap[string, *pbpeering.PeeringTrustBundle]()
 	snap.IngressGateway.PeerUpstreamEndpoints = watch.NewMap[UpstreamID, structs.CheckServiceNodes]()

diff --git a/agent/proxycfg/manager.go b/agent/proxycfg/manager.go
@@ -2,6 +2,7 @@ package proxycfg
 
 import (
 	"errors"
+	"runtime/debug"
 	"sync"
 
 	"github.com/hashicorp/go-hclog"
@@ -142,6 +143,20 @@ func (m *Manager) Register(id ProxyID, ns *structs.NodeService, source ProxySour
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
+	defer func() {
+		if r := recover(); r != nil {
+			m.Logger.Error("unexpected panic during service manager registration",
+				"node", id.NodeName,
+				"service", id.ServiceID,
+				"message", r,
+				"stacktrace", string(debug.Stack()),
+			)
+		}
+	}()
+	return m.register(id, ns, source, token, overwrite)
+}
+
+func (m *Manager) register(id ProxyID, ns *structs.NodeService, source ProxySource, token string, overwrite bool) error {
 	state, ok := m.proxies[id]
 	if ok {
 		if state.source != source && !overwrite {

diff --git a/agent/proxycfg/state.go b/agent/proxycfg/state.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net"
 	"reflect"
+	"runtime/debug"
 	"sync/atomic"
 	"time"
 
@@ -298,6 +299,21 @@ func newConfigSnapshotFromServiceInstance(s serviceInstance, config stateConfig)
 }
 
 func (s *state) run(ctx context.Context, snap *ConfigSnapshot) {
+	// Add a recover here so than any panics do not make their way up
+	// into the server / agent.
+	defer func() {
+		if r := recover(); r != nil {
+			s.logger.Error("unexpected panic while running proxycfg",
+				"node", s.serviceInstance.proxyID.NodeName,
+				"service", s.serviceInstance.proxyID.ServiceID,
+				"message", r,
+				"stacktrace", string(debug.Stack()))
+		}
+	}()
+	s.unsafeRun(ctx, snap)
+}
+
+func (s *state) unsafeRun(ctx context.Context, snap *ConfigSnapshot) {
 	// Close the channel we return from Watch when we stop so consumers can stop
 	// watching and clean up their goroutines. It's important we do this here and
 	// not in Close since this routine sends on this chan and so might panic if it

diff --git a/agent/structs/config_entry_inline_certificate.go b/agent/structs/config_entry_inline_certificate.go
@@ -29,17 +29,14 @@ type InlineCertificateConfigEntry struct {
 	RaftIndex
 }
 
-func (e *InlineCertificateConfigEntry) GetKind() string {
-	return InlineCertificate
-}
-
-func (e *InlineCertificateConfigEntry) GetName() string {
-	return e.Name
-}
-
-func (e *InlineCertificateConfigEntry) Normalize() error {
-	return nil
+func (e *InlineCertificateConfigEntry) GetKind() string            { return InlineCertificate }
+func (e *InlineCertificateConfigEntry) GetName() string            { return e.Name }
+func (e *InlineCertificateConfigEntry) Normalize() error           { return nil }
+func (e *InlineCertificateConfigEntry) GetMeta() map[string]string { return e.Meta }
+func (e *InlineCertificateConfigEntry) GetEnterpriseMeta() *acl.EnterpriseMeta {
+	return &e.EnterpriseMeta
 }
+func (e *InlineCertificateConfigEntry) GetRaftIndex() *RaftIndex { return &e.RaftIndex }
 
 func (e *InlineCertificateConfigEntry) Validate() error {
 	privateKeyBlock, _ := pem.Decode([]byte(e.PrivateKey))
@@ -78,24 +75,3 @@ func (e *InlineCertificateConfigEntry) CanWrite(authz acl.Authorizer) error {
 	e.FillAuthzContext(&authzContext)
 	return authz.ToAllowAuthorizer().MeshWriteAllowed(&authzContext)
 }
-
-func (e *InlineCertificateConfigEntry) GetMeta() map[string]string {
-	if e == nil {
-		return nil
-	}
-	return e.Meta
-}
-
-func (e *InlineCertificateConfigEntry) GetEnterpriseMeta() *acl.EnterpriseMeta {
-	if e == nil {
-		return nil
-	}
-	return &e.EnterpriseMeta
-}
-
-func (e *InlineCertificateConfigEntry) GetRaftIndex() *RaftIndex {
-	if e == nil {
-		return &RaftIndex{}
-	}
-	return &e.RaftIndex
-}
diff --git a/api/config_entry_inline_certificate.go b/api/config_entry_inline_certificate.go
@@ -12,7 +12,7 @@ type InlineCertificateConfigEntry struct {
 	// Certificate is the public certificate component of an x509 key pair encoded in raw PEM format.
 	Certificate string
 	// PrivateKey is the private key component of an x509 key pair encoded in raw PEM format.
-	PrivateKey string
+	PrivateKey string `alias:"private_key"`
 
 	Meta map[string]string `json:",omitempty"`
 
@@ -34,42 +34,10 @@ type InlineCertificateConfigEntry struct {
 	Namespace string `json:",omitempty"`
 }
 
-func (a *InlineCertificateConfigEntry) GetKind() string {
-	return InlineCertificate
-}
-
-func (a *InlineCertificateConfigEntry) GetName() string {
-	if a != nil {
-		return ""
-	}
-	return a.Name
-}
-
-func (a *InlineCertificateConfigEntry) GetPartition() string {
-	if a != nil {
-		return ""
-	}
-	return a.Partition
-}
-
-func (a *InlineCertificateConfigEntry) GetNamespace() string {
-	if a != nil {
-		return ""
-	}
-	return a.GetNamespace()
-}
-
-func (a *InlineCertificateConfigEntry) GetMeta() map[string]string {
-	if a != nil {
-		return nil
-	}
-	return a.GetMeta()
-}
-
-func (a *InlineCertificateConfigEntry) GetCreateIndex() uint64 {
-	return a.CreateIndex
-}
-
-func (a *InlineCertificateConfigEntry) GetModifyIndex() uint64 {
-	return a.ModifyIndex
-}
+func (a *InlineCertificateConfigEntry) GetKind() string            { return InlineCertificate }
+func (a *InlineCertificateConfigEntry) GetName() string            { return a.Name }
+func (a *InlineCertificateConfigEntry) GetPartition() string       { return a.Partition }
+func (a *InlineCertificateConfigEntry) GetNamespace() string       { return a.Namespace }
+func (a *InlineCertificateConfigEntry) GetMeta() map[string]string { return a.Meta }
+func (a *InlineCertificateConfigEntry) GetCreateIndex() uint64     { return a.CreateIndex }
+func (a *InlineCertificateConfigEntry) GetModifyIndex() uint64     { return a.ModifyIndex }
diff --git a/api/config_entry_inline_certificate_test.go b/api/config_entry_inline_certificate_test.go
@@ -0,0 +1,122 @@
+package api
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	// generated via openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout private.key -out certificate.crt
+	validPrivateKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAx95Opa6t4lGEpiTUogEBptqOdam2ch4BHQGhNhX/MrDwwuZQ
+httBwMfngQ/wd9NmYEPAwj0dumUoAITIq6i2jQlhqTodElkbsd5vWY8R/bxJWQSo
+NvVE12TlzECxGpJEiHt4W0r8pGffk+rvpljiUyCfnT1kGF3znOSjK1hRMTn6RKWC
+yYaBvXQiB4SGilfLgJcEpOJKtISIxmZ+S409g9X5VU88/Bmmrz4cMyxce86Kc2ug
+5/MOv0CjWDJwlrv8njneV2zvraQ61DDwQftrXOvuCbO5IBRHMOBHiHTZ4rtGuhMa
+Ir21V4vb6n8c4YzXiFvhUYcyX7rltGZzVd+WmQIDAQABAoIBACYvceUzp2MK4gYA
+GWPOP2uKbBdM0l+hHeNV0WAM+dHMfmMuL4pkT36ucqt0ySOLjw6rQyOZG5nmA6t9
+sv0g4ae2eCMlyDIeNi1Yavu4Wt6YX4cTXbQKThm83C6W2X9THKbauBbxD621bsDK
+7PhiGPN60yPue7YwFQAPqqD4YaK+s22HFIzk9gwM/rkvAUNwRv7SyHMiFe4Igc1C
+Eev7iHWzvj5Heoz6XfF+XNF9DU+TieSUAdjd56VyUb8XL4+uBTOhHwLiXvAmfaMR
+HvpcxeKnYZusS6NaOxcUHiJnsLNWrxmJj9WEGgQzuLxcLjTe4vVmELVZD8t3QUKj
+PAxu8tUCgYEA7KIWVn9dfVpokReorFym+J8FzLwSktP9RZYEMonJo00i8aii3K9s
+u/aSwRWQSCzmON1ZcxZzWhwQF9usz6kGCk//9+4hlVW90GtNK0RD+j7sp4aT2JI8
+9eLEjTG+xSXa7XWe98QncjjL9lu/yrRncSTxHs13q/XP198nn2aYuQ8CgYEA2Dnt
+sRBzv0fFEvzzFv7G/5f85mouN38TUYvxNRTjBLCXl9DeKjDkOVZ2b6qlfQnYXIru
+H+W+v+AZEb6fySXc8FRab7lkgTMrwE+aeI4rkW7asVwtclv01QJ5wMnyT84AgDD/
+Dgt/RThFaHgtU9TW5GOZveL+l9fVPn7vKFdTJdcCgYEArJ99zjHxwJ1whNAOk1av
+09UmRPm6TvRo4heTDk8oEoIWCNatoHI0z1YMLuENNSnT9Q280FFDayvnrY/qnD7A
+kktT/sjwJOG8q8trKzIMqQS4XWm2dxoPcIyyOBJfCbEY6XuRsUuePxwh5qF942EB
+yS9a2s6nC4Ix0lgPrqAIr48CgYBgS/Q6riwOXSU8nqCYdiEkBYlhCJrKpnJxF9T1
+ofa0yPzKZP/8ZEfP7VzTwHjxJehQ1qLUW9pG08P2biH1UEKEWdzo8vT6wVJT1F/k
+HtTycR8+a+Hlk2SHVRHqNUYQGpuIe8mrdJ1as4Pd0d/F/P0zO9Rlh+mAsGPM8HUM
+T0+9gwKBgHDoerX7NTskg0H0t8O+iSMevdxpEWp34ZYa9gHiftTQGyrRgERCa7Gj
+nZPAxKb2JoWyfnu3v7G5gZ8fhDFsiOxLbZv6UZJBbUIh1MjJISpXrForDrC2QNLX
+kHrHfwBFDB3KMudhQknsJzEJKCL/KmFH6o0MvsoaT9yzEl3K+ah/
+-----END RSA PRIVATE KEY-----`
+	validCertificate = `-----BEGIN CERTIFICATE-----
+MIICljCCAX4CCQCQMDsYO8FrPjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJV
+UzAeFw0yMjEyMjAxNzUwMjVaFw0yNzEyMTkxNzUwMjVaMA0xCzAJBgNVBAYTAlVT
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx95Opa6t4lGEpiTUogEB
+ptqOdam2ch4BHQGhNhX/MrDwwuZQhttBwMfngQ/wd9NmYEPAwj0dumUoAITIq6i2
+jQlhqTodElkbsd5vWY8R/bxJWQSoNvVE12TlzECxGpJEiHt4W0r8pGffk+rvplji
+UyCfnT1kGF3znOSjK1hRMTn6RKWCyYaBvXQiB4SGilfLgJcEpOJKtISIxmZ+S409
+g9X5VU88/Bmmrz4cMyxce86Kc2ug5/MOv0CjWDJwlrv8njneV2zvraQ61DDwQftr
+XOvuCbO5IBRHMOBHiHTZ4rtGuhMaIr21V4vb6n8c4YzXiFvhUYcyX7rltGZzVd+W
+mQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBfCqoUIdPf/HGSbOorPyZWbyizNtHJ
+GL7x9cAeIYxpI5Y/WcO1o5v94lvrgm3FNfJoGKbV66+JxOge731FrfMpHplhar1Z
+RahYIzNLRBTLrwadLAZkApUpZvB8qDK4knsTWFYujNsylCww2A6ajzIMFNU4GkUK
+NtyHRuD+KYRmjXtyX1yHNqfGN3vOQmwavHq2R8wHYuBSc6LAHHV9vG+j0VsgMELO
+qwxn8SmLkSKbf2+MsQVzLCXXN5u+D8Yv+4py+oKP4EQ5aFZuDEx+r/G/31rTthww
+AAJAMaoXmoYVdgXV+CPuBb2M4XCpuzLu3bcA2PXm5ipSyIgntMKwXV7r
+-----END CERTIFICATE-----`
+)
+
+func TestAPI_ConfigEntries_InlineCertificate(t *testing.T) {
+	t.Parallel()
+	c, s := makeClient(t)
+	defer s.Stop()
+
+	configEntries := c.ConfigEntries()
+
+	cert1 := &InlineCertificateConfigEntry{
+		Kind:        InlineCertificate,
+		Name:        "cert1",
+		Meta:        map[string]string{"foo": "bar"},
+		Certificate: validCertificate,
+		PrivateKey:  validPrivateKey,
+	}
+
+	// set it
+	_, wm, err := configEntries.Set(cert1, nil)
+	require.NoError(t, err)
+	assert.NotNil(t, wm)
+
+	// get it
+	entry, qm, err := configEntries.Get(InlineCertificate, "cert1", nil)
+	require.NoError(t, err)
+	require.NotNil(t, qm)
+	assert.NotEqual(t, 0, qm.RequestTime)
+
+	readCert, ok := entry.(*InlineCertificateConfigEntry)
+	require.True(t, ok)
+	assert.Equal(t, cert1.Kind, readCert.Kind)
+	assert.Equal(t, cert1.Name, readCert.Name)
+	assert.Equal(t, cert1.Meta, readCert.Meta)
+	assert.Equal(t, cert1.Meta, readCert.GetMeta())
+
+	// update it
+	cert1.Meta["bar"] = "baz"
+	written, wm, err := configEntries.CAS(cert1, readCert.ModifyIndex, nil)
+	require.NoError(t, err)
+	require.NotNil(t, wm)
+	assert.NotEqual(t, 0, wm.RequestTime)
+	assert.True(t, written)
+
+	// list it
+	entries, qm, err := configEntries.List(InlineCertificate, nil)
+	require.NoError(t, err)
+	require.NotNil(t, qm)
+	assert.NotEqual(t, 0, qm.RequestTime)
+
+	require.Len(t, entries, 1)
+	assert.Equal(t, cert1.Kind, entries[0].GetKind())
+	assert.Equal(t, cert1.Name, entries[0].GetName())
+
+	readCert, ok = entries[0].(*InlineCertificateConfigEntry)
+	require.True(t, ok)
+	assert.Equal(t, cert1.Certificate, readCert.Certificate)
+	assert.Equal(t, cert1.Meta, readCert.Meta)
+
+	// delete it
+	wm, err = configEntries.Delete(InlineCertificate, cert1.Name, nil)
+	require.NoError(t, err)
+	require.NotNil(t, wm)
+	assert.NotEqual(t, 0, wm.RequestTime)
+
+	// try to get it
+	_, _, err = configEntries.Get(InlineCertificate, cert1.Name, nil)
+	assert.Error(t, err)
+}
diff --git a/envoyextensions/xdscommon/envoy_versioning_test.go b/envoyextensions/xdscommon/envoy_versioning_test.go
@@ -121,6 +121,7 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
 		"1.18.6": {expectErr: "Envoy 1.18.6 " + errTooOld},
 		"1.19.5": {expectErr: "Envoy 1.19.5 " + errTooOld},
 		"1.20.7": {expectErr: "Envoy 1.20.7 " + errTooOld},
+		"1.21.5": {expectErr: "Envoy 1.21.5 " + errTooOld},
 	}
 
 	// Insert a bunch of valid versions.
@@ -135,10 +136,10 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
 	}
 	*/
 	for _, v := range []string{
-		"1.21.0", "1.21.1", "1.21.2", "1.21.3", "1.21.4", "1.21.5",
 		"1.22.0", "1.22.1", "1.22.2", "1.22.3", "1.22.4", "1.22.5",
-		"1.23.0", "1.23.1", "1.23.2",
-		"1.24.0",
+		"1.23.0", "1.23.1", "1.23.2", "1.23.3", "1.23.4",
+		"1.24.0", "1.24.1", "1.24.2",
+		"1.25.0", "1.25.1",
 	} {
 		cases[v] = testcase{expect: SupportedProxyFeatures{}}
 	}

diff --git a/envoyextensions/xdscommon/proxysupport.go b/envoyextensions/xdscommon/proxysupport.go
@@ -9,10 +9,10 @@ import "strings"
 //
 // see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
 var EnvoyVersions = []string{
-	"1.24.0",
-	"1.23.2",
+	"1.25.1",
+	"1.24.2",
+	"1.23.4",
 	"1.22.5",
-	"1.21.5",
 }
 
 // UnsupportedEnvoyVersions lists any unsupported Envoy versions (mainly minor versions) that fall

diff --git a/proto/pbconfigentry/config_entry.go b/proto/pbconfigentry/config_entry.go
@@ -81,6 +81,14 @@ func ConfigEntryToStructs(s *ConfigEntry) structs.ConfigEntry {
 		pbcommon.RaftIndexToStructs(s.RaftIndex, &target.RaftIndex)
 		pbcommon.EnterpriseMetaToStructs(s.EnterpriseMeta, &target.EnterpriseMeta)
 		return &target
+	case Kind_KindInlineCertificate:
+		var target structs.InlineCertificateConfigEntry
+		target.Name = s.Name
+
+		InlineCertificateToStructs(s.GetInlineCertificate(), &target)
+		pbcommon.RaftIndexToStructs(s.RaftIndex, &target.RaftIndex)
+		pbcommon.EnterpriseMetaToStructs(s.EnterpriseMeta, &target.EnterpriseMeta)
+		return &target
 	case Kind_KindServiceDefaults:
 		var target structs.ServiceConfigEntry
 		target.Name = s.Name
@@ -177,6 +185,14 @@ func ConfigEntryFromStructs(s structs.ConfigEntry) *ConfigEntry {
 		configEntry.Entry = &ConfigEntry_HTTPRoute{
 			HTTPRoute: &route,
 		}
+	case *structs.InlineCertificateConfigEntry:
+		var cert InlineCertificate
+		InlineCertificateFromStructs(v, &cert)
+
+		configEntry.Kind = Kind_KindInlineCertificate
+		configEntry.Entry = &ConfigEntry_InlineCertificate{
+			InlineCertificate: &cert,
+		}
 	default:
 		panic(fmt.Sprintf("unable to convert %T to proto", s))
 	}