From 8f84ef66bb4f77c04bdfc1c100459f227cc8e742 Mon Sep 17 00:00:00 2001 
From: Ashwin Venkatesh Date: Wed, 13 Apr 2022 21:35:07 -0400 Subject: [PATCH] Update Mesh and Ingress Gateway CRDs for 1.12 (#1168) - Rearrange spec fields in CRDs to match order in Consul structs. - Update controller-gen from 0.6.0 to 0.8.0 and update generate command accordingly. - Update to latest Consul API and SDK version - Update files that were autogenerated --- CHANGELOG.md | 1 + Makefile | 4 +- .../templates/crd-exportedservices.yaml | 4 +- .../consul/templates/crd-ingressgateways.yaml | 137 +++++++++---- charts/consul/templates/crd-meshes.yaml | 76 ++++++- .../consul/templates/crd-proxydefaults.yaml | 4 +- .../consul/templates/crd-servicedefaults.yaml | 4 +- .../templates/crd-serviceintentions.yaml | 4 +- .../templates/crd-serviceresolvers.yaml | 4 +- .../consul/templates/crd-servicerouters.yaml | 4 +- .../templates/crd-servicesplitters.yaml | 4 +- .../templates/crd-terminatinggateways.yaml | 6 +- .../api/v1alpha1/exportedservices_types.go | 2 - .../api/v1alpha1/ingressgateway_types.go | 54 +++-- .../api/v1alpha1/ingressgateway_types_test.go | 127 ++++++++++++ control-plane/api/v1alpha1/mesh_types.go | 93 +++++++++ control-plane/api/v1alpha1/mesh_types_test.go | 193 ++++++++++++++++++ .../api/v1alpha1/proxydefaults_types.go | 24 +-- .../api/v1alpha1/servicedefaults_types.go | 22 +- .../api/v1alpha1/zz_generated.deepcopy.go | 91 +++++++-- ...consul.hashicorp.com_exportedservices.yaml | 5 +- .../consul.hashicorp.com_ingressgateways.yaml | 138 +++++++++---- .../bases/consul.hashicorp.com_meshes.yaml | 77 ++++++- .../consul.hashicorp.com_proxydefaults.yaml | 5 +- .../consul.hashicorp.com_servicedefaults.yaml | 5 +- ...onsul.hashicorp.com_serviceintentions.yaml | 5 +- ...consul.hashicorp.com_serviceresolvers.yaml | 5 +- .../consul.hashicorp.com_servicerouters.yaml | 5 +- ...consul.hashicorp.com_servicesplitters.yaml | 5 +- ...sul.hashicorp.com_terminatinggateways.yaml | 7 +- control-plane/config/rbac/role.yaml | 1 - control-plane/config/webhook/manifests.yaml 
| 1 - control-plane/go.mod | 4 +- control-plane/go.sum | 8 +- 34 files changed, 935 insertions(+), 194 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90db449a61..cd4d4796eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ IMPROVEMENTS: * Helm * API Gateway: Allow controller to read ReferencePolicy in order to determine if route is allowed for backend in different namespace. [[GH-1148](https://github.com/hashicorp/consul-k8s/pull/1148)] * Allow `consul` to be a destination namespace. [[GH-1163](https://github.com/hashicorp/consul-k8s/pull/1163)] + * CRDs: Update Mesh and Ingress Gateway CRDs to support TLS config. [[GH-1168](https://github.com/hashicorp/consul-k8s/pull/1168)] ## 0.42.0 (April 04, 2022) diff --git a/Makefile b/Makefile index 93e0db1ab8..f0c52a190b 100644 --- a/Makefile +++ b/Makefile @@ -82,7 +82,7 @@ ifeq (, $(shell which controller-gen)) CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\ cd $$CONTROLLER_GEN_TMP_DIR ;\ go mod init tmp ;\ - go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.6.0 ;\ + go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.8.0 ;\ rm -rf $$CONTROLLER_GEN_TMP_DIR ;\ } CONTROLLER_GEN=$(shell go env GOPATH)/bin/controller-gen @@ -109,4 +109,4 @@ DEV_IMAGE?=consul-k8s-control-plane-dev GIT_COMMIT?=$(shell git rev-parse --short HEAD) GIT_DIRTY?=$(shell test -n "`git status --porcelain`" && echo "+CHANGES" || true) GIT_DESCRIBE?=$(shell git describe --tags --always) -CRD_OPTIONS ?= "crd:trivialVersions=true,allowDangerousTypes=true" +CRD_OPTIONS ?= "crd:allowDangerousTypes=true" diff --git a/charts/consul/templates/crd-exportedservices.yaml b/charts/consul/templates/crd-exportedservices.yaml index 9ddb7d3053..caebe485ef 100644 --- a/charts/consul/templates/crd-exportedservices.yaml +++ b/charts/consul/templates/crd-exportedservices.yaml 
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: exportedservices.consul.hashicorp.com labels: @@ -55,7 +55,7 @@ spec: metadata: type: object spec: - description: ExportedServicesSpec defines the desired state of ExportedServices + description: ExportedServicesSpec defines the desired state of ExportedServices. properties: services: description: Services is a list of services to be exported and the diff --git a/charts/consul/templates/crd-ingressgateways.yaml b/charts/consul/templates/crd-ingressgateways.yaml index 4ff360456e..f14789e83d 100644 --- a/charts/consul/templates/crd-ingressgateways.yaml +++ b/charts/consul/templates/crd-ingressgateways.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: ingressgateways.consul.hashicorp.com labels: @@ -55,7 +55,7 @@ spec: metadata: type: object spec: - description: IngressGatewaySpec defines the desired state of IngressGateway + description: IngressGatewaySpec defines the desired state of IngressGateway. properties: listeners: description: Listeners declares what ports the ingress gateway should 
@@ -64,25 +64,6 @@ spec: description: IngressListener manages the configuration for a listener on a specific port. properties: - tls: - description: TLS config for this listener. - properties: - enabled: - description: Indicates that TLS should be enabled for this - gateway service. - type: boolean - sds: - description: SDS allows configuring TLS certificate from - an SDS service. - properties: - certResource: - type: string - clusterName: - type: string - type: object - required: - - enabled - type: object port: description: Port declares the port on which the ingress gateway should listen for traffic. @@ -95,28 +76,14 @@ spec: values are: (tcp | http | http2 | grpc).' type: string services: - description: "Services declares the set of services to which - the listener forwards traffic. \n For \"tcp\" protocol listeners, - only a single service is allowed. For \"http\" listeners, - multiple services can be declared." + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. items: description: IngressService manages configuration for services that are exposed to ingress traffic. properties: - tls: - description: TLS allows specifying some TLS configuration - per listener. - properties: - sds: - description: SDS allows configuring TLS certificate - from an SDS service. - properties: - certResource: - type: string - clusterName: - type: string - type: object - type: object hosts: description: "Hosts is a list of hostnames which should be associated to this service on the defined listener. 
@@ -201,13 +168,86 @@ spec: any existing header values of the same name. type: object type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object type: object type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. 
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object type: object type: array tls: description: TLS holds the TLS configuration for this gateway. properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array enabled: description: Indicates that TLS should be enabled for this gateway service. @@ -217,10 +257,29 @@ spec: service. properties: certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. type: string clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. type: string type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string required: - enabled type: object diff --git a/charts/consul/templates/crd-meshes.yaml b/charts/consul/templates/crd-meshes.yaml index 7083951612..565799d394 100644 --- a/charts/consul/templates/crd-meshes.yaml +++ b/charts/consul/templates/crd-meshes.yaml 
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: meshes.consul.hashicorp.com labels: 
@@ -53,10 +53,80 @@ spec: metadata: type: object spec: - description: MeshSpec defines the desired state of Mesh + description: MeshSpec defines the desired state of Mesh. properties: + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. 
+ properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object transparentProxy: - description: TransparentProxyMeshConfig controls configuration specific + description: TransparentProxy controls the configuration specific to proxies in "transparent" mode. Added in v1.10.0. properties: meshDestinationsOnly: diff --git a/charts/consul/templates/crd-proxydefaults.yaml b/charts/consul/templates/crd-proxydefaults.yaml index 6e21c89480..947bdc8856 100644 --- a/charts/consul/templates/crd-proxydefaults.yaml +++ b/charts/consul/templates/crd-proxydefaults.yaml 
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: proxydefaults.consul.hashicorp.com labels: @@ -55,7 +55,7 @@ spec: metadata: type: object spec: - description: ProxyDefaultsSpec defines the desired state of ProxyDefaults + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. properties: config: description: Config is an arbitrary map of configuration values used diff --git a/charts/consul/templates/crd-servicedefaults.yaml b/charts/consul/templates/crd-servicedefaults.yaml index ab356836d2..923aaf757b 100644 --- a/charts/consul/templates/crd-servicedefaults.yaml +++ b/charts/consul/templates/crd-servicedefaults.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: servicedefaults.consul.hashicorp.com labels: @@ -55,7 +55,7 @@ spec: metadata: type: object spec: - description: ServiceDefaultsSpec defines the desired state of ServiceDefaults + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. properties: expose: description: Expose controls the default expose path configuration diff --git a/charts/consul/templates/crd-serviceintentions.yaml b/charts/consul/templates/crd-serviceintentions.yaml index ffcd44ae5c..2d1ca29285 100644 --- a/charts/consul/templates/crd-serviceintentions.yaml +++ b/charts/consul/templates/crd-serviceintentions.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: serviceintentions.consul.hashicorp.com labels: 
@@ -55,7 +55,7 @@ spec: metadata: type: object spec: - description: ServiceIntentionsSpec defines the desired state of ServiceIntentions + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. properties: destination: description: Destination is the intention destination that will have diff --git a/charts/consul/templates/crd-serviceresolvers.yaml b/charts/consul/templates/crd-serviceresolvers.yaml index 1023b9127f..c06063f318 100644 --- a/charts/consul/templates/crd-serviceresolvers.yaml +++ b/charts/consul/templates/crd-serviceresolvers.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: serviceresolvers.consul.hashicorp.com labels: @@ -55,7 +55,7 @@ spec: metadata: type: object spec: - description: ServiceResolverSpec defines the desired state of ServiceResolver + description: ServiceResolverSpec defines the desired state of ServiceResolver. properties: connectTimeout: description: ConnectTimeout is the timeout for establishing new network diff --git a/charts/consul/templates/crd-servicerouters.yaml b/charts/consul/templates/crd-servicerouters.yaml index 15b15e7f6b..3d6aa58dae 100644 --- a/charts/consul/templates/crd-servicerouters.yaml +++ b/charts/consul/templates/crd-servicerouters.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: servicerouters.consul.hashicorp.com labels: @@ -55,7 +55,7 @@ spec: metadata: type: object spec: - description: ServiceRouterSpec defines the desired state of ServiceRouter + description: ServiceRouterSpec defines the desired state of ServiceRouter. properties: routes: description: Routes are the list of routes to consider when processing 
diff --git a/charts/consul/templates/crd-servicesplitters.yaml b/charts/consul/templates/crd-servicesplitters.yaml index 05b5548ce9..532ca209be 100644 --- a/charts/consul/templates/crd-servicesplitters.yaml +++ b/charts/consul/templates/crd-servicesplitters.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: servicesplitters.consul.hashicorp.com labels: @@ -55,7 +55,7 @@ spec: metadata: type: object spec: - description: ServiceSplitterSpec defines the desired state of ServiceSplitter + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. properties: splits: description: Splits defines how much traffic to send to which set diff --git a/charts/consul/templates/crd-terminatinggateways.yaml b/charts/consul/templates/crd-terminatinggateways.yaml index 3db27d2bce..50f3d8b673 100644 --- a/charts/consul/templates/crd-terminatinggateways.yaml +++ b/charts/consul/templates/crd-terminatinggateways.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: terminatinggateways.consul.hashicorp.com labels: @@ -56,14 +56,14 @@ spec: metadata: type: object spec: - description: TerminatingGatewaySpec defines the desired state of TerminatingGateway + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. properties: services: description: Services is a list of service names represented by the terminating gateway. items: description: A LinkedService is a service represented by a terminating - gateway + gateway. properties: caFile: description: CAFile is the optional path to a CA certificate 
diff --git a/control-plane/api/v1alpha1/exportedservices_types.go b/control-plane/api/v1alpha1/exportedservices_types.go index 01c54dbe17..779a3abf95 100644 --- a/control-plane/api/v1alpha1/exportedservices_types.go +++ b/control-plane/api/v1alpha1/exportedservices_types.go @@ -59,10 +59,8 @@ type ExportedServicesSpec struct { type ExportedService struct { // Name is the name of the service to be exported. Name string `json:"name,omitempty"` - // Namespace is the namespace to export the service from. Namespace string `json:"namespace,omitempty"` - // Consumers is a list of downstream consumers of the service to be exported. Consumers []ServiceConsumer `json:"consumers,omitempty"` } diff --git a/control-plane/api/v1alpha1/ingressgateway_types.go b/control-plane/api/v1alpha1/ingressgateway_types.go index aef9917b49..7251608223 100644 --- a/control-plane/api/v1alpha1/ingressgateway_types.go +++ b/control-plane/api/v1alpha1/ingressgateway_types.go 
@@ -62,9 +62,20 @@ type IngressGatewaySpec struct { type GatewayTLSConfig struct { // Indicates that TLS should be enabled for this gateway service. Enabled bool `json:"enabled"` - // SDS allows configuring TLS certificate from an SDS service. SDS *GatewayTLSSDSConfig `json:"sds,omitempty"` + // TLSMinVersion sets the default minimum TLS version supported. + // One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + // If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, + // while older releases of Envoy default to TLS 1.0. + TLSMinVersion string `json:"tlsMinVersion,omitempty"` + // TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. + // One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + // If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections. + TLSMaxVersion string `json:"tlsMaxVersion,omitempty"` + // Define a subset of cipher suites to restrict + // Only applicable to connections negotiated via TLS 1.2 or earlier. + CipherSuites []string `json:"cipherSuites,omitempty"` } type GatewayServiceTLSConfig struct { @@ -73,7 +84,10 @@ type GatewayServiceTLSConfig struct { } type GatewayTLSSDSConfig struct { - ClusterName string `json:"clusterName,omitempty"` + // ClusterName is the SDS cluster name to connect to, to retrieve certificates. + // This cluster must be specified in the Gateway's bootstrap configuration. + ClusterName string `json:"clusterName,omitempty"` + // CertResource is the SDS resource name to request when fetching the certificate from the SDS service. CertResource string `json:"certResource,omitempty"` } 
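Review bot: The doc comment on the new `CipherSuites` field in `GatewayTLSConfig` (first hunk) breaks the convention its sibling fields follow: it does not start with the field name and its first sentence has no terminating period, so the text controller-gen copies into the CRD reads "…to restrict Only applicable…". Suggest `// CipherSuites defines a subset of cipher suites to restrict to.` followed by `// Only applicable to connections negotiated via TLS 1.2 or earlier.`, then regenerate the CRD yaml. As the TLS version fields do, it would also help to state here what happens when the list is left empty, if that behaviour is known.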
@@ -81,19 +95,15 @@ type GatewayTLSSDSConfig struct { type IngressListener struct { // Port declares the port on which the ingress gateway should listen for traffic. Port int `json:"port,omitempty"` - // Protocol declares what type of traffic this listener is expected to // receive. Depending on the protocol, a listener might support multiplexing // services over a single port, or additional discovery chain features. The // current supported values are: (tcp | http | http2 | grpc). Protocol string `json:"protocol,omitempty"` - // TLS config for this listener. TLS *GatewayTLSConfig `json:"tls,omitempty"` - // Services declares the set of services to which the listener forwards // traffic. - // // For "tcp" protocol listeners, only a single service is allowed. // For "http" listeners, multiple services can be declared. Services []IngressService `json:"services,omitempty"` @@ -111,7 +121,6 @@ type IngressService struct { // A name can be specified on multiple listeners, and will be exposed on both // of the listeners. Name string `json:"name,omitempty"` - // Hosts is a list of hostnames which should be associated to this service on // the defined listener. Only allowed on layer 7 protocols, this will be used // to route traffic to the service by matching the Host header of the HTTP 
@@ -124,18 +133,14 @@ type IngressService struct { // This cannot be specified when using the wildcard specifier, "*", or when // using a "tcp" listener. Hosts []string `json:"hosts,omitempty"` - // Namespace is the namespace where the service is located. // Namespacing is a Consul Enterprise feature. Namespace string `json:"namespace,omitempty"` - // Partition is the admin-partition where the service is located. // Partitioning is a Consul Enterprise feature. Partition string `json:"partition,omitempty"` - // TLS allows specifying some TLS configuration per listener. TLS *GatewayServiceTLSConfig `json:"tls,omitempty"` - // Allow HTTP header manipulation to be configured. RequestHeaders *HTTPHeaderModifiers `json:"requestHeaders,omitempty"` ResponseHeaders *HTTPHeaderModifiers `json:"responseHeaders,omitempty"` @@ -246,6 +251,8 @@ func (in *IngressGateway) Validate(consulMeta common.ConsulMeta) error { var errs field.ErrorList path := field.NewPath("spec") + errs = append(errs, in.Spec.TLS.validate(path.Child("tls"))...) + for i, v := range in.Spec.Listeners { errs = append(errs, v.validate(path.Child("listeners").Index(i), consulMeta)...) } 
@@ -282,11 +289,30 @@ func (in *GatewayTLSConfig) toConsul() *capi.GatewayTLSConfig { return nil } return &capi.GatewayTLSConfig{ - Enabled: in.Enabled, - SDS: in.SDS.toConsul(), + Enabled: in.Enabled, + SDS: in.SDS.toConsul(), + TLSMaxVersion: in.TLSMaxVersion, + TLSMinVersion: in.TLSMinVersion, + CipherSuites: in.CipherSuites, } } +func (in *GatewayTLSConfig) validate(path *field.Path) field.ErrorList { + if in == nil { + return nil + } + var errs field.ErrorList + versions := []string{"TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""} + + if !sliceContains(versions, in.TLSMaxVersion) { + errs = append(errs, field.Invalid(path.Child("tlsMaxVersion"), in.TLSMaxVersion, notInSliceMessage(versions))) + } + if !sliceContains(versions, in.TLSMinVersion) { + errs = append(errs, field.Invalid(path.Child("tlsMinVersion"), in.TLSMinVersion, notInSliceMessage(versions))) + } + return errs +} + func (in IngressListener) toConsul() capi.IngressListener { var services []capi.IngressService for _, s := range in.Services { @@ -348,6 +374,8 @@ func (in IngressListener) validate(path *field.Path, consulMeta common.ConsulMet fmt.Sprintf("if protocol is \"tcp\", only a single service is allowed, found %d", len(in.Services)))) } + errs = append(errs, in.TLS.validate(path.Child("tls"))...) + for i, svc := range in.Services { if svc.Name == wildcardServiceName && in.Protocol != "http" { errs = append(errs, field.Invalid(path.Child("services").Index(i).Child("name"), diff --git a/control-plane/api/v1alpha1/ingressgateway_types_test.go b/control-plane/api/v1alpha1/ingressgateway_types_test.go index 4260b39871..2585614519 100644 --- a/control-plane/api/v1alpha1/ingressgateway_types_test.go +++ b/control-plane/api/v1alpha1/ingressgateway_types_test.go 
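Review bot: `GatewayTLSConfig.validate` (first hunk) checks `TLSMinVersion` and `TLSMaxVersion` for membership in the allowed names but never enforces the ordering the field doc promises ("Must be greater than or equal to `TLSMinVersion`"), so a spec with `tlsMinVersion: TLSv1_3` and `tlsMaxVersion: TLSv1_2` passes the webhook and is rejected, if at all, only further downstream. Because `versions` is already listed oldest to newest, the check is an index comparison with `TLS_AUTO` and `""` skipped, sketched below; the same method is also reached from the listener-level call in the second hunk, and the new table cases in ingressgateway_types_test.go would then want a min-greater-than-max case. `CipherSuites` is passed through unchecked; if the Consul API exposes the supported suite list, validating against it here would surface typos earlier, and `versions` could be a package-level `var` rather than being rebuilt per call. `IngressListener.validate`, where the second hunk sits, continues outside the hunk.
```go
func (in *GatewayTLSConfig) validate(path *field.Path) field.ErrorList {
	if in == nil {
		return nil
	}
	var errs field.ErrorList
	// Ordered oldest to newest so that index order is version order.
	versions := []string{"TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""}

	// … unchanged: membership checks for tlsMaxVersion and tlsMinVersion …

	// Enforce the documented invariant TLSMaxVersion >= TLSMinVersion.
	// TLS_AUTO and "" impose no bound, so only explicit versions are compared.
	idx := func(v string) int {
		for i, s := range versions {
			if s == v {
				return i
			}
		}
		return -1
	}
	explicit := func(v string) bool { return v != "" && v != "TLS_AUTO" }
	minIdx, maxIdx := idx(in.TLSMinVersion), idx(in.TLSMaxVersion)
	if explicit(in.TLSMinVersion) && explicit(in.TLSMaxVersion) && minIdx >= 0 && maxIdx >= 0 && maxIdx < minIdx {
		errs = append(errs, field.Invalid(path.Child("tlsMaxVersion"), in.TLSMaxVersion,
			fmt.Sprintf("must be greater than or equal to tlsMinVersion %q", in.TLSMinVersion)))
	}
	return errs
}
```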
@@ -50,6 +50,9 @@ func TestIngressGateway_MatchesConsul(t *testing.T) { ClusterName: "cluster1", CertResource: "cert1", }, + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, }, Listeners: []IngressListener{ { @@ -61,6 +64,9 @@ func TestIngressGateway_MatchesConsul(t *testing.T) { ClusterName: "cluster1", CertResource: "cert1", }, + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, }, Services: []IngressService{ { @@ -134,6 +140,9 @@ func TestIngressGateway_MatchesConsul(t *testing.T) { ClusterName: "cluster1", CertResource: "cert1", }, + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, }, Listeners: []capi.IngressListener{ { @@ -145,6 +154,9 @@ func TestIngressGateway_MatchesConsul(t *testing.T) { ClusterName: "cluster1", CertResource: "cert1", }, + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, }, Services: []capi.IngressService{ { @@ -273,6 +285,9 @@ func TestIngressGateway_ToConsul(t *testing.T) { ClusterName: "cluster1", CertResource: "cert1", }, + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, }, Listeners: []IngressListener{ { @@ -284,6 +299,9 @@ func TestIngressGateway_ToConsul(t *testing.T) { ClusterName: "cluster1", CertResource: "cert1", }, + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, }, Services: []IngressService{ { 
@@ -356,6 +374,9 @@ func TestIngressGateway_ToConsul(t *testing.T) { ClusterName: "cluster1", CertResource: "cert1", }, + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, }, Listeners: []capi.IngressListener{ { @@ -367,6 +388,9 @@ func TestIngressGateway_ToConsul(t *testing.T) { ClusterName: "cluster1", CertResource: "cert1", }, + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, }, Services: []capi.IngressService{ { @@ -453,6 +477,38 @@ func TestIngressGateway_Validate(t *testing.T) { partitionEnabled bool expectedErrMsgs []string }{ + "tls.minTLSVersion invalid": { + input: &IngressGateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + }, + Spec: IngressGatewaySpec{ + TLS: GatewayTLSConfig{ + TLSMinVersion: "foo", + }, + }, + }, + namespacesEnabled: false, + expectedErrMsgs: []string{ + `spec.tls.tlsMinVersion: Invalid value: "foo": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + }, + }, + "tls.maxTLSVersion invalid": { + input: &IngressGateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + }, + Spec: IngressGatewaySpec{ + TLS: GatewayTLSConfig{ + TLSMaxVersion: "foo", + }, + }, + }, + namespacesEnabled: false, + expectedErrMsgs: []string{ + `spec.tls.tlsMaxVersion: Invalid value: "foo": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + }, + }, "listener.protocol invalid": { input: &IngressGateway{ ObjectMeta: metav1.ObjectMeta{ 
@@ -568,6 +624,46 @@ func TestIngressGateway_Validate(t *testing.T) { `spec.listeners[0].services[0].hosts: Invalid value: "[\"host1\",\"host2\"]": hosts must be empty if protocol is "tcp"`, }, }, + "listeners.tls.minTLSVersion invalid": { + input: &IngressGateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + }, + Spec: IngressGatewaySpec{ + Listeners: []IngressListener{ + { + Protocol: "tcp", + TLS: &GatewayTLSConfig{ + TLSMinVersion: "foo", + }, + }, + }, + }, + }, + expectedErrMsgs: []string{ + `spec.listeners[0].tls.tlsMinVersion: Invalid value: "foo": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + }, + }, + "listeners.tls.maxTLSVersion invalid": { + input: &IngressGateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + }, + Spec: IngressGatewaySpec{ + Listeners: []IngressListener{ + { + Protocol: "tcp", + TLS: &GatewayTLSConfig{ + TLSMaxVersion: "foo", + }, + }, + }, + }, + }, + expectedErrMsgs: []string{ + `spec.listeners[0].tls.tlsMaxVersion: Invalid value: "foo": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + }, + }, "service.namespace set when namespaces disabled": { input: &IngressGateway{ ObjectMeta: metav1.ObjectMeta{ @@ -613,6 +709,37 @@ func TestIngressGateway_Validate(t *testing.T) { }, namespacesEnabled: true, }, + "tls valid": { + input: &IngressGateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + }, + Spec: IngressGatewaySpec{ + TLS: GatewayTLSConfig{ + TLSMinVersion: "TLS_AUTO", + TLSMaxVersion: "TLS_AUTO", + }, + }, + }, + }, + "listeners.tls valid": { + input: &IngressGateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + }, + Spec: IngressGatewaySpec{ + Listeners: []IngressListener{ + { + Protocol: "tcp", + TLS: &GatewayTLSConfig{ + TLSMinVersion: "TLS_AUTO", + TLSMaxVersion: "TLS_AUTO", + }, + }, + }, + }, + }, + }, "service.partition set when partitions disabled": { input: &IngressGateway{ ObjectMeta: metav1.ObjectMeta{ 
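Review bot: The two `valid` cases added here only use `TLS_AUTO` for both fields, so no test shows how a concrete pair is treated, and the IngressGateway `Validate` implementation is not part of this diff, so I cannot confirm from here whether `TLSMinVersion: "TLSv1_3", TLSMaxVersion: "TLSv1_2"` is rejected. The generated CRD text in this same commit states that the max must be greater than or equal to the min, so a `"tls.maxTLSVersion below minTLSVersion"` case with an `expectedErrMsgs` entry is the natural addition if the rule is enforced, and a passing case documents the gap if it is not. `TestIngressGateway_Validate` starts before this hunk.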
diff --git a/control-plane/api/v1alpha1/mesh_types.go b/control-plane/api/v1alpha1/mesh_types.go
index 057ba9f071..7c55fe96d9 100644
--- a/control-plane/api/v1alpha1/mesh_types.go
+++ b/control-plane/api/v1alpha1/mesh_types.go
@@ -6,7 +6,10 @@ import (
 "github.com/hashicorp/consul-k8s/control-plane/api/common"
 capi "github.com/hashicorp/consul/api"
 corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/util/validation/field"
 )
 const (
@@ -43,7 +46,10 @@ type MeshList struct {
 // MeshSpec defines the desired state of Mesh.
 type MeshSpec struct {
+ // TransparentProxy controls the configuration specific to proxies in "transparent" mode. Added in v1.10.0.
 TransparentProxy TransparentProxyMeshConfig `json:"transparentProxy,omitempty"`
+ // TLS defines the TLS configuration for the service mesh.
+ TLS *MeshTLSConfig `json:"tls,omitempty"`
 }
 // TransparentProxyMeshConfig controls configuration specific to proxies in "transparent" mode. Added in v1.10.0.
@@ -54,6 +60,33 @@ type TransparentProxyMeshConfig struct {
 MeshDestinationsOnly bool `json:"meshDestinationsOnly,omitempty"`
 }
+type MeshTLSConfig struct {
+ // Incoming defines the TLS configuration for inbound mTLS connections targeting
+ // the public listener on Connect and TerminatingGateway proxy kinds.
+ Incoming *MeshDirectionalTLSConfig `json:"incoming,omitempty"`
+ // Outgoing defines the TLS configuration for outbound mTLS connections dialing upstreams
+ // from Connect and IngressGateway proxy kinds.
+ Outgoing *MeshDirectionalTLSConfig `json:"outgoing,omitempty"`
+}
+
+type MeshDirectionalTLSConfig struct {
+ // TLSMinVersion sets the default minimum TLS version supported.
+ // One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
+ // If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version,
+ // while older releases of Envoy default to TLS 1.0.
+ TLSMinVersion string `json:"tlsMinVersion,omitempty"`
+ // TLSMaxVersion sets the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`.
+ // One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
+ // If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections.
+ TLSMaxVersion string `json:"tlsMaxVersion,omitempty"`
+ // CipherSuites sets the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier.
+ // If unspecified, Envoy will use a default server cipher list. The list of supported cipher suites can be seen in
+ // https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 and is dependent on underlying support in Envoy.
+ // Future releases of Envoy may remove currently-supported but insecure cipher suites,
+ // and future releases of Consul may add new supported cipher suites if any are added to Envoy.
+ CipherSuites []string `json:"cipherSuites,omitempty"`
+}
+
 func (in *TransparentProxyMeshConfig) toConsul() capi.TransparentProxyMeshConfig {
 return capi.TransparentProxyMeshConfig{MeshDestinationsOnly: in.MeshDestinationsOnly}
 }
@@ -140,6 +173,7 @@ func (in *Mesh) SetLastSyncedTime(time *metav1.Time) {
 func (in *Mesh) ToConsul(datacenter string) capi.ConfigEntry {
 return &capi.MeshConfigEntry{
 TransparentProxy: in.Spec.TransparentProxy.toConsul(),
+ TLS: in.Spec.TLS.toConsul(),
 Meta: meta(datacenter),
 }
 }
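Review bot: The new `tlsMinVersion`/`tlsMaxVersion` fields on `MeshDirectionalTLSConfig` carry no kubebuilder validation marker, so the generated CRD schema types them as free-form strings and the allowed set is enforced only by the admission webhook; a value that slips past a missing or misconfigured webhook reaches Consul unchecked. Adding `// +kubebuilder:validation:Enum=TLS_AUTO;TLSv1_0;TLSv1_1;TLSv1_2;TLSv1_3` above each of the two fields makes controller-gen emit an `enum:` so the API server rejects bad values itself; the caveat is that an explicit `""` would then be refused by the API server even though the webhook's list accepts it (with `omitempty` an unset field is never sent, so only clients that deliberately write the empty string are affected). The `TLSMaxVersion` comment ends with `for incoming connections`, but this struct backs both `Incoming` and `Outgoing`, so `If unspecified, Envoy will default to TLS 1.3 as a max version.` is accurate for both and avoids the misleading copy in the generated Outgoing schema. Keeping `TLSv1_0`/`TLSv1_1` in the set mirrors the Consul API; a short note on `TLSMinVersion` that operators should prefer `TLSv1_2` or higher for a mesh-wide default would be worth having since this is the value every proxy inherits.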
@@ -154,9 +188,68 @@ func (in *Mesh) MatchesConsul(candidate capi.ConfigEntry) bool {
 }
 func (in *Mesh) Validate(_ common.ConsulMeta) error {
+ var errs field.ErrorList
+ path := field.NewPath("spec")
+
+ errs = append(errs, in.Spec.TLS.validate(path.Child("tls"))...)
+
+ if len(errs) > 0 {
+ return apierrors.NewInvalid(
+ schema.GroupKind{Group: ConsulHashicorpGroup, Kind: MeshKubeKind},
+ in.KubernetesName(), errs)
+ }
 return nil
 }
+func (in *MeshTLSConfig) toConsul() *capi.MeshTLSConfig {
+ if in == nil {
+ return nil
+ }
+ return &capi.MeshTLSConfig{
+ Incoming: in.Incoming.toConsul(),
+ Outgoing: in.Outgoing.toConsul(),
+ }
+}
+
+func (in *MeshTLSConfig) validate(path *field.Path) field.ErrorList {
+ if in == nil {
+ return nil
+ }
+
+ var errs field.ErrorList
+ errs = append(errs, in.Incoming.validate(path.Child("incoming"))...)
+ errs = append(errs, in.Outgoing.validate(path.Child("outgoing"))...)
+ return errs
+}
+
+func (in *MeshDirectionalTLSConfig) validate(path *field.Path) field.ErrorList {
+ if in == nil {
+ return nil
+ }
+
+ var errs field.ErrorList
+ versions := []string{"TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""}
+
+ if !sliceContains(versions, in.TLSMaxVersion) {
+ errs = append(errs, field.Invalid(path.Child("tlsMaxVersion"), in.TLSMaxVersion, notInSliceMessage(versions)))
+ }
+ if !sliceContains(versions, in.TLSMinVersion) {
+ errs = append(errs, field.Invalid(path.Child("tlsMinVersion"), in.TLSMinVersion, notInSliceMessage(versions)))
+ }
+ return errs
+}
+
+func (in *MeshDirectionalTLSConfig) toConsul() *capi.MeshDirectionalTLSConfig {
+ if in == nil {
+ return nil
+ }
+ return &capi.MeshDirectionalTLSConfig{
+ TLSMinVersion: in.TLSMinVersion,
+ TLSMaxVersion: in.TLSMaxVersion,
+ CipherSuites: in.CipherSuites,
+ }
+}
+
 // DefaultNamespaceFields has no behaviour here as meshes have no namespace specific fields.
 func (in *Mesh) DefaultNamespaceFields(_ common.ConsulMeta) {
 }
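Review bot: `MeshDirectionalTLSConfig.validate` only checks that each version is a member of `versions`, so the `Must be greater than or equal to TLSMinVersion` contract stated on the field is never enforced and a Mesh with `TLSMinVersion: "TLSv1_3", TLSMaxVersion: "TLSv1_2"` passes admission; Consul presumably refuses that pair when the config entry is written, but the operator then sees a controller sync failure instead of a field-path error from the webhook. The comparison below closes the gap and only fires when both ends are concrete versions, since `TLS_AUTO` and `""` defer the choice to Envoy. `CipherSuites` is passed through without any check, which is defensible because the field comment says the supported set tracks Envoy, but the reason deserves a one-line comment so it is not mistaken for an oversight. The message from `notInSliceMessage(versions)` also advertises `""` as an accepted value because the unset sentinel lives in the slice; building the message from the slice without the empty entry would read better. `sliceContains` and `notInSliceMessage` are defined outside this hunk.
```go
func (in *MeshDirectionalTLSConfig) validate(path *field.Path) field.ErrorList {
	// … unchanged: nil check and membership checks against versions …

	// Enforce the documented min <= max ordering. TLS_AUTO and "" are not
	// ranked because they hand the choice to Envoy, so only compare when both
	// fields name a concrete protocol version.
	rank := map[string]int{"TLSv1_0": 1, "TLSv1_1": 2, "TLSv1_2": 3, "TLSv1_3": 4}
	minRank, minOK := rank[in.TLSMinVersion]
	maxRank, maxOK := rank[in.TLSMaxVersion]
	if minOK && maxOK && maxRank < minRank {
		errs = append(errs, field.Invalid(path.Child("tlsMaxVersion"), in.TLSMaxVersion, "must be greater than or equal to tlsMinVersion"))
	}
	return errs
}
```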
diff --git a/control-plane/api/v1alpha1/mesh_types_test.go b/control-plane/api/v1alpha1/mesh_types_test.go index da51918841..933232d8fc 100644 --- a/control-plane/api/v1alpha1/mesh_types_test.go +++ b/control-plane/api/v1alpha1/mesh_types_test.go @@ -45,12 +45,36 @@ func TestMesh_MatchesConsul(t *testing.T) { TransparentProxy: TransparentProxyMeshConfig{ MeshDestinationsOnly: true, }, + TLS: &MeshTLSConfig{ + Incoming: &MeshDirectionalTLSConfig{ + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, + }, + Outgoing: &MeshDirectionalTLSConfig{ + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, + }, + }, }, }, Theirs: &capi.MeshConfigEntry{ TransparentProxy: capi.TransparentProxyMeshConfig{ MeshDestinationsOnly: true, }, + TLS: &capi.MeshTLSConfig{ + Incoming: &capi.MeshDirectionalTLSConfig{ + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, + }, + Outgoing: &capi.MeshDirectionalTLSConfig{ + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, + }, + }, CreateIndex: 1, ModifyIndex: 2, Meta: map[string]string{ 
@@ -109,12 +133,36 @@ func TestMesh_ToConsul(t *testing.T) { TransparentProxy: TransparentProxyMeshConfig{ MeshDestinationsOnly: true, }, + TLS: &MeshTLSConfig{ + Incoming: &MeshDirectionalTLSConfig{ + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, + }, + Outgoing: &MeshDirectionalTLSConfig{ + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, + }, + }, }, }, Exp: &capi.MeshConfigEntry{ TransparentProxy: capi.TransparentProxyMeshConfig{ MeshDestinationsOnly: true, }, + TLS: &capi.MeshTLSConfig{ + Incoming: &capi.MeshDirectionalTLSConfig{ + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, + }, + Outgoing: &capi.MeshDirectionalTLSConfig{ + TLSMinVersion: "TLSv1_0", + TLSMaxVersion: "TLSv1_1", + CipherSuites: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA"}, + }, + }, Namespace: "", Meta: map[string]string{ common.SourceKey: common.SourceValue, 
@@ -133,6 +181,151 @@ func TestMesh_ToConsul(t *testing.T) { } } +func TestMesh_Validate(t *testing.T) { + cases := map[string]struct { + input *Mesh + expectedErrMsgs []string + }{ + "tls.incoming.minTLSVersion invalid": { + input: &Mesh{ + ObjectMeta: metav1.ObjectMeta{ + Name: "name", + }, + Spec: MeshSpec{ + TLS: &MeshTLSConfig{ + Incoming: &MeshDirectionalTLSConfig{ + TLSMinVersion: "foo", + }, + }, + }, + }, + expectedErrMsgs: []string{ + `spec.tls.incoming.tlsMinVersion: Invalid value: "foo": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + }, + }, + "incoming.maxTLSVersion invalid": { + input: &Mesh{ + ObjectMeta: metav1.ObjectMeta{ + Name: "name", + }, + Spec: MeshSpec{ + TLS: &MeshTLSConfig{ + Incoming: &MeshDirectionalTLSConfig{ + TLSMaxVersion: "foo", + }, + }, + }, + }, + expectedErrMsgs: []string{ + `spec.tls.incoming.tlsMaxVersion: Invalid value: "foo": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + }, + }, + "outgoing.minTLSVersion invalid": { + input: &Mesh{ + ObjectMeta: metav1.ObjectMeta{ + Name: "name", + }, + Spec: MeshSpec{ + TLS: &MeshTLSConfig{ + Outgoing: &MeshDirectionalTLSConfig{ + TLSMinVersion: "foo", + }, + }, + }, + }, + expectedErrMsgs: []string{ + `spec.tls.outgoing.tlsMinVersion: Invalid value: "foo": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + }, + }, + "outgoing.maxTLSVersion invalid": { + input: &Mesh{ + ObjectMeta: metav1.ObjectMeta{ + Name: "name", + }, + Spec: MeshSpec{ + TLS: &MeshTLSConfig{ + Outgoing: &MeshDirectionalTLSConfig{ + TLSMaxVersion: "foo", + }, + }, + }, + }, + expectedErrMsgs: []string{ + `spec.tls.outgoing.tlsMaxVersion: Invalid value: "foo": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + }, + }, + "tls.incoming valid": { + input: &Mesh{ + ObjectMeta: metav1.ObjectMeta{ + Name: "name", + }, + Spec: MeshSpec{ + TLS: &MeshTLSConfig{ + Incoming: &MeshDirectionalTLSConfig{ + TLSMinVersion: 
"TLS_AUTO", + TLSMaxVersion: "TLS_AUTO", + }, + }, + }, + }, + }, + "tls.outgoing valid": { + input: &Mesh{ + ObjectMeta: metav1.ObjectMeta{ + Name: "name", + }, + Spec: MeshSpec{ + TLS: &MeshTLSConfig{ + Outgoing: &MeshDirectionalTLSConfig{ + TLSMinVersion: "TLS_AUTO", + TLSMaxVersion: "TLS_AUTO", + }, + }, + }, + }, + }, + "multiple errors": { + input: &Mesh{ + ObjectMeta: metav1.ObjectMeta{ + Name: "name", + }, + Spec: MeshSpec{ + TLS: &MeshTLSConfig{ + Incoming: &MeshDirectionalTLSConfig{ + TLSMinVersion: "foo", + TLSMaxVersion: "bar", + }, + Outgoing: &MeshDirectionalTLSConfig{ + TLSMinVersion: "foo", + TLSMaxVersion: "bar", + }, + }, + }, + }, + expectedErrMsgs: []string{ + `spec.tls.incoming.tlsMinVersion: Invalid value: "foo": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + `spec.tls.incoming.tlsMaxVersion: Invalid value: "bar": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + `spec.tls.outgoing.tlsMinVersion: Invalid value: "foo": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + `spec.tls.outgoing.tlsMaxVersion: Invalid value: "bar": must be one of "TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3", ""`, + }, + }, + } + + for name, testCase := range cases { + t.Run(name, func(t *testing.T) { + err := testCase.input.Validate(common.ConsulMeta{}) + if len(testCase.expectedErrMsgs) != 0 { + require.Error(t, err) + for _, s := range testCase.expectedErrMsgs { + require.Contains(t, err.Error(), s) + } + } else { + require.NoError(t, err) + } + }) + } +} + func TestMesh_AddFinalizer(t *testing.T) { mesh := &Mesh{} mesh.AddFinalizer("finalizer") diff --git a/control-plane/api/v1alpha1/proxydefaults_types.go b/control-plane/api/v1alpha1/proxydefaults_types.go index 22f498cf8e..215ec708ff 100644 --- a/control-plane/api/v1alpha1/proxydefaults_types.go +++ b/control-plane/api/v1alpha1/proxydefaults_types.go 
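Review bot: `TestMesh_Validate` has no case with concrete min/max versions, so nothing pins whether an inverted pair such as `TLSMinVersion: "TLSv1_3", TLSMaxVersion: "TLSv1_2"` is meant to be accepted; with `validate` as written in this commit it passes, and a case named `"tls.incoming max below min"` with the intended result would make that explicit either way. There is also no case that sets `CipherSuites`, not even a valid pass-through one, so a regression that dropped the field from `toConsul` is only caught indirectly by `TestMesh_ToConsul`. The `multiple errors` case asserts each message with `require.Contains` but never that exactly four errors are reported, so a duplicated or spurious error would not fail it; comparing against the aggregated error list length would close that.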
@@ -52,6 +52,18 @@ type ProxyDefaultsList struct { // ProxyDefaultsSpec defines the desired state of ProxyDefaults. type ProxyDefaultsSpec struct { + // Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound + // application traffic is being captured and redirected through the proxy. This mode does not + // enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if + // traffic is already being redirected. "direct" represents that the proxy's listeners must be + // dialed directly by the local application and other proxies. + // Note: This cannot be set using the CRD and should be set using annotations on the + // services that are part of the mesh. + Mode *ProxyMode `json:"mode,omitempty"` + // TransparentProxy controls configuration specific to proxies in transparent mode. + // Note: This cannot be set using the CRD and should be set using annotations on the + // services that are part of the mesh. + TransparentProxy *TransparentProxy `json:"transparentProxy,omitempty"` // Config is an arbitrary map of configuration values used by Connect proxies. // Any values that your proxy allows can be configured globally here. // Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting 
@@ -63,18 +75,6 @@ type ProxyDefaultsSpec struct { MeshGateway MeshGateway `json:"meshGateway,omitempty"` // Expose controls the default expose path configuration for Envoy. Expose Expose `json:"expose,omitempty"` - // TransparentProxy controls configuration specific to proxies in transparent mode. - // Note: This cannot be set using the CRD and should be set using annotations on the - // services that are part of the mesh. - TransparentProxy *TransparentProxy `json:"transparentProxy,omitempty"` - // Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound - // application traffic is being captured and redirected through the proxy. This mode does not - // enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if - // traffic is already being redirected. "direct" represents that the proxy's listeners must be - // dialed directly by the local application and other proxies. - // Note: This cannot be set using the CRD and should be set using annotations on the - // services that are part of the mesh. - Mode *ProxyMode `json:"mode,omitempty"` } func (in *ProxyDefaults) GetObjectMeta() metav1.ObjectMeta { diff --git a/control-plane/api/v1alpha1/servicedefaults_types.go b/control-plane/api/v1alpha1/servicedefaults_types.go index fe4b85c755..f615f68616 100644 --- a/control-plane/api/v1alpha1/servicedefaults_types.go +++ b/control-plane/api/v1alpha1/servicedefaults_types.go 
@@ -52,17 +52,6 @@ type ServiceDefaultsSpec struct { // things like observability features and to unlock usage of the // service-splitter and service-router config entries for a service. Protocol string `json:"protocol,omitempty"` - // MeshGateway controls the default mesh gateway configuration for this service. - MeshGateway MeshGateway `json:"meshGateway,omitempty"` - // Expose controls the default expose path configuration for Envoy. - Expose Expose `json:"expose,omitempty"` - // ExternalSNI is an optional setting that allows for the TLS SNI value - // to be changed to a non-connect value when federating with an external system. - ExternalSNI string `json:"externalSNI,omitempty"` - // TransparentProxy controls configuration specific to proxies in transparent mode. - // Note: This cannot be set using the CRD and should be set using annotations on the - // services that are part of the mesh. - TransparentProxy *TransparentProxy `json:"transparentProxy,omitempty"` // Mode can be one of "direct" or "transparent". "transparent" represents that inbound and outbound // application traffic is being captured and redirected through the proxy. This mode does not // enable the traffic redirection itself. Instead it signals Consul to configure Envoy as if 
@@ -71,6 +60,17 @@ type ServiceDefaultsSpec struct { // Note: This cannot be set using the CRD and should be set using annotations on the // services that are part of the mesh. Mode *ProxyMode `json:"mode,omitempty"` + // TransparentProxy controls configuration specific to proxies in transparent mode. + // Note: This cannot be set using the CRD and should be set using annotations on the + // services that are part of the mesh. + TransparentProxy *TransparentProxy `json:"transparentProxy,omitempty"` + // MeshGateway controls the default mesh gateway configuration for this service. + MeshGateway MeshGateway `json:"meshGateway,omitempty"` + // Expose controls the default expose path configuration for Envoy. + Expose Expose `json:"expose,omitempty"` + // ExternalSNI is an optional setting that allows for the TLS SNI value + // to be changed to a non-connect value when federating with an external system. + ExternalSNI string `json:"externalSNI,omitempty"` // UpstreamConfig controls default configuration settings that apply across all upstreams, // and per-upstream configuration overrides. Note that per-upstream configuration applies // across all federated datacenters to the pairing of source and upstream destination services. diff --git a/control-plane/api/v1alpha1/zz_generated.deepcopy.go b/control-plane/api/v1alpha1/zz_generated.deepcopy.go index 2fc836ebe8..b990f99e94 100644 --- a/control-plane/api/v1alpha1/zz_generated.deepcopy.go +++ b/control-plane/api/v1alpha1/zz_generated.deepcopy.go @@ -242,6 +242,11 @@ func (in *GatewayTLSConfig) DeepCopyInto(out *GatewayTLSConfig) { *out = new(GatewayTLSSDSConfig) **out = **in } + if in.CipherSuites != nil { + in, out := &in.CipherSuites, &out.CipherSuites + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayTLSConfig. 
@@ -638,7 +643,7 @@ func (in *Mesh) DeepCopyInto(out *Mesh) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) } @@ -660,6 +665,26 @@ func (in *Mesh) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MeshDirectionalTLSConfig) DeepCopyInto(out *MeshDirectionalTLSConfig) { + *out = *in + if in.CipherSuites != nil { + in, out := &in.CipherSuites, &out.CipherSuites + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshDirectionalTLSConfig. +func (in *MeshDirectionalTLSConfig) DeepCopy() *MeshDirectionalTLSConfig { + if in == nil { + return nil + } + out := new(MeshDirectionalTLSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MeshGateway) DeepCopyInto(out *MeshGateway) { *out = *in @@ -711,6 +736,11 @@ func (in *MeshList) DeepCopyObject() runtime.Object { func (in *MeshSpec) DeepCopyInto(out *MeshSpec) { *out = *in out.TransparentProxy = in.TransparentProxy + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(MeshTLSConfig) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshSpec. 
@@ -723,6 +753,31 @@ func (in *MeshSpec) DeepCopy() *MeshSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MeshTLSConfig) DeepCopyInto(out *MeshTLSConfig) { + *out = *in + if in.Incoming != nil { + in, out := &in.Incoming, &out.Incoming + *out = new(MeshDirectionalTLSConfig) + (*in).DeepCopyInto(*out) + } + if in.Outgoing != nil { + in, out := &in.Outgoing, &out.Outgoing + *out = new(MeshDirectionalTLSConfig) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshTLSConfig. +func (in *MeshTLSConfig) DeepCopy() *MeshTLSConfig { + if in == nil { + return nil + } + out := new(MeshTLSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PassiveHealthCheck) DeepCopyInto(out *PassiveHealthCheck) { *out = *in 
@@ -801,23 +856,23 @@ func (in *ProxyDefaultsList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyDefaultsSpec) DeepCopyInto(out *ProxyDefaultsSpec) { *out = *in - if in.Config != nil { - in, out := &in.Config, &out.Config - *out = make(json.RawMessage, len(*in)) - copy(*out, *in) + if in.Mode != nil { + in, out := &in.Mode, &out.Mode + *out = new(ProxyMode) + **out = **in } - out.MeshGateway = in.MeshGateway - in.Expose.DeepCopyInto(&out.Expose) if in.TransparentProxy != nil { in, out := &in.TransparentProxy, &out.TransparentProxy *out = new(TransparentProxy) **out = **in } - if in.Mode != nil { - in, out := &in.Mode, &out.Mode - *out = new(ProxyMode) - **out = **in + if in.Config != nil { + in, out := &in.Config, &out.Config + *out = make(json.RawMessage, len(*in)) + copy(*out, *in) } + out.MeshGateway = in.MeshGateway + in.Expose.DeepCopyInto(&out.Expose) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyDefaultsSpec. 
@@ -922,18 +977,18 @@ func (in *ServiceDefaultsList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceDefaultsSpec) DeepCopyInto(out *ServiceDefaultsSpec) { *out = *in - out.MeshGateway = in.MeshGateway - in.Expose.DeepCopyInto(&out.Expose) - if in.TransparentProxy != nil { - in, out := &in.TransparentProxy, &out.TransparentProxy - *out = new(TransparentProxy) - **out = **in - } if in.Mode != nil { in, out := &in.Mode, &out.Mode *out = new(ProxyMode) **out = **in } + if in.TransparentProxy != nil { + in, out := &in.TransparentProxy, &out.TransparentProxy + *out = new(TransparentProxy) + **out = **in + } + out.MeshGateway = in.MeshGateway + in.Expose.DeepCopyInto(&out.Expose) if in.UpstreamConfig != nil { in, out := &in.UpstreamConfig, &out.UpstreamConfig *out = new(Upstreams) diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_exportedservices.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_exportedservices.yaml index c8e10c6f09..f8ea7d05ab 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_exportedservices.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_exportedservices.yaml @@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: exportedservices.consul.hashicorp.com spec: @@ -49,7 +48,7 @@ spec: metadata: type: object spec: - description: ExportedServicesSpec defines the desired state of ExportedServices + description: ExportedServicesSpec defines the desired state of ExportedServices. properties: services: description: Services is a list of services to be exported and the 
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_ingressgateways.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_ingressgateways.yaml index 7ea78b875b..6378ee4213 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_ingressgateways.yaml +++ b/control-plane/config/crd/bases/consul.hashicorp.com_ingressgateways.yaml @@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: ingressgateways.consul.hashicorp.com spec: @@ -49,7 +48,7 @@ spec: metadata: type: object spec: - description: IngressGatewaySpec defines the desired state of IngressGateway + description: IngressGatewaySpec defines the desired state of IngressGateway. properties: listeners: description: Listeners declares what ports the ingress gateway should @@ -58,25 +57,6 @@ spec: description: IngressListener manages the configuration for a listener on a specific port. properties: - tls: - description: TLS config for this listener. - properties: - enabled: - description: Indicates that TLS should be enabled for this - gateway service. - type: boolean - sds: - description: SDS allows configuring TLS certificate from - an SDS service. - properties: - certResource: - type: string - clusterName: - type: string - type: object - required: - - enabled - type: object port: description: Port declares the port on which the ingress gateway should listen for traffic. 
@@ -89,28 +69,14 @@ spec: values are: (tcp | http | http2 | grpc).' type: string services: - description: "Services declares the set of services to which - the listener forwards traffic. \n For \"tcp\" protocol listeners, - only a single service is allowed. For \"http\" listeners, - multiple services can be declared." + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. items: description: IngressService manages configuration for services that are exposed to ingress traffic. properties: - tls: - description: TLS allows specifying some TLS configuration - per listener. - properties: - sds: - description: SDS allows configuring TLS certificate - from an SDS service. - properties: - certResource: - type: string - clusterName: - type: string - type: object - type: object hosts: description: "Hosts is a list of hostnames which should be associated to this service on the defined listener. 
@@ -195,13 +161,86 @@ spec: any existing header values of the same name. type: object type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object type: object type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. 
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object type: object type: array tls: description: TLS holds the TLS configuration for this gateway. properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array enabled: description: Indicates that TLS should be enabled for this gateway service. @@ -211,10 +250,29 @@ spec: service. properties: certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. type: string clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. type: string type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string required: - enabled type: object diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_meshes.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_meshes.yaml index 7e8f4d6761..7700d480b5 100644 --- a/control-plane/config/crd/bases/consul.hashicorp.com_meshes.yaml 
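Review bot: In the generated gateway-level `tls` schema the `tlsMinVersion` and `tlsMaxVersion` properties are `type: string` with no `enum`, so the API server accepts any value and the documented list is enforced only by the webhook; the fix is a `+kubebuilder:validation:Enum` marker on `GatewayTLSConfig` in `ingressgateway_types.go` (outside this diff), not a hand edit here. The `cipherSuites` description `Define a subset of cipher suites to restrict Only applicable to connections negotiated via TLS 1.2 or earlier.` is missing a period after `restrict`, which likewise originates in the Go field comment. This file is regenerated by controller-gen, so both changes belong in the Go type.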
+++ b/control-plane/config/crd/bases/consul.hashicorp.com_meshes.yaml @@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: meshes.consul.hashicorp.com spec: 
@@ -47,10 +46,80 @@ spec:
 metadata:
 type: object
 spec:
- description: MeshSpec defines the desired state of Mesh
+ description: MeshSpec defines the desired state of Mesh.
 properties:
+ tls:
+ description: TLS defines the TLS configuration for the service mesh.
+ properties:
+ incoming:
+ description: Incoming defines the TLS configuration for inbound
+ mTLS connections targeting the public listener on Connect and
+ TerminatingGateway proxy kinds.
+ properties:
+ cipherSuites:
+ description: CipherSuites sets the default list of TLS cipher
+ suites to support when negotiating connections using TLS
+ 1.2 or earlier. If unspecified, Envoy will use a default
+ server cipher list. The list of supported cipher suites
+ can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169
+ and is dependent on underlying support in Envoy. Future
+ releases of Envoy may remove currently-supported but insecure
+ cipher suites, and future releases of Consul may add new
+ supported cipher suites if any are added to Envoy.
+ items:
+ type: string
+ type: array
+ tlsMaxVersion:
+ description: TLSMaxVersion sets the default maximum TLS version
+ supported. Must be greater than or equal to `TLSMinVersion`.
+ One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
+ If unspecified, Envoy will default to TLS 1.3 as a max version
+ for incoming connections.
+ type: string
+ tlsMinVersion:
+ description: TLSMinVersion sets the default minimum TLS version
+ supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`,
+ or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will
+ default to TLS 1.2 as a min version, while older releases
+ of Envoy default to TLS 1.0.
+ type: string
+ type: object
+ outgoing:
+ description: Outgoing defines the TLS configuration for outbound
+ mTLS connections dialing upstreams from Connect and IngressGateway
+ proxy kinds.
+ properties:
+ cipherSuites:
+ description: CipherSuites sets the default list of TLS cipher
+ suites to support when negotiating connections using TLS
+ 1.2 or earlier. If unspecified, Envoy will use a default
+ server cipher list. The list of supported cipher suites
+ can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169
+ and is dependent on underlying support in Envoy. Future
+ releases of Envoy may remove currently-supported but insecure
+ cipher suites, and future releases of Consul may add new
+ supported cipher suites if any are added to Envoy.
+ items:
+ type: string
+ type: array
+ tlsMaxVersion:
+ description: TLSMaxVersion sets the default maximum TLS version
+ supported. Must be greater than or equal to `TLSMinVersion`.
+ One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`.
+ If unspecified, Envoy will default to TLS 1.3 as a max version
+ for incoming connections.
+ type: string
+ tlsMinVersion:
+ description: TLSMinVersion sets the default minimum TLS version
+ supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`,
+ or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will
+ default to TLS 1.2 as a min version, while older releases
+ of Envoy default to TLS 1.0.
+ type: string
+ type: object
+ type: object
 transparentProxy:
- description: TransparentProxyMeshConfig controls configuration specific
+ description: TransparentProxy controls the configuration specific
 to proxies in "transparent" mode. Added in v1.10.0.
 properties:
 meshDestinationsOnly:
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_proxydefaults.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_proxydefaults.yaml
index 520fe95443..6b9628cd74 100644
--- a/control-plane/config/crd/bases/consul.hashicorp.com_proxydefaults.yaml
+++ b/control-plane/config/crd/bases/consul.hashicorp.com_proxydefaults.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.6.0
+ controller-gen.kubebuilder.io/version: v0.8.0
 creationTimestamp: null
 name: proxydefaults.consul.hashicorp.com
 spec:
@@ -49,7 +48,7 @@ spec:
 metadata:
 type: object
 spec:
- description: ProxyDefaultsSpec defines the desired state of ProxyDefaults
+ description: ProxyDefaultsSpec defines the desired state of ProxyDefaults.
 properties:
 config:
 description: Config is an arbitrary map of configuration values used
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_servicedefaults.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_servicedefaults.yaml
index b29905b01a..e0fff822e9 100644
--- a/control-plane/config/crd/bases/consul.hashicorp.com_servicedefaults.yaml
+++ b/control-plane/config/crd/bases/consul.hashicorp.com_servicedefaults.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.6.0
+ controller-gen.kubebuilder.io/version: v0.8.0
 creationTimestamp: null
 name: servicedefaults.consul.hashicorp.com
 spec:
@@ -49,7 +48,7 @@ spec:
 metadata:
 type: object
 spec:
- description: ServiceDefaultsSpec defines the desired state of ServiceDefaults
+ description: ServiceDefaultsSpec defines the desired state of ServiceDefaults.
 properties:
 expose:
 description: Expose controls the default expose path configuration
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_serviceintentions.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_serviceintentions.yaml
index 1593fc86fd..3018796e4f 100644
--- a/control-plane/config/crd/bases/consul.hashicorp.com_serviceintentions.yaml
+++ b/control-plane/config/crd/bases/consul.hashicorp.com_serviceintentions.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.6.0
+ controller-gen.kubebuilder.io/version: v0.8.0
 creationTimestamp: null
 name: serviceintentions.consul.hashicorp.com
 spec:
@@ -49,7 +48,7 @@ spec:
 metadata:
 type: object
 spec:
- description: ServiceIntentionsSpec defines the desired state of ServiceIntentions
+ description: ServiceIntentionsSpec defines the desired state of ServiceIntentions.
 properties:
 destination:
 description: Destination is the intention destination that will have
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_serviceresolvers.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_serviceresolvers.yaml
index c170465322..1793f36e28 100644
--- a/control-plane/config/crd/bases/consul.hashicorp.com_serviceresolvers.yaml
+++ b/control-plane/config/crd/bases/consul.hashicorp.com_serviceresolvers.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.6.0
+ controller-gen.kubebuilder.io/version: v0.8.0
 creationTimestamp: null
 name: serviceresolvers.consul.hashicorp.com
 spec:
@@ -49,7 +48,7 @@ spec:
 metadata:
 type: object
 spec:
- description: ServiceResolverSpec defines the desired state of ServiceResolver
+ description: ServiceResolverSpec defines the desired state of ServiceResolver.
 properties:
 connectTimeout:
 description: ConnectTimeout is the timeout for establishing new network
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_servicerouters.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_servicerouters.yaml
index 77707c0770..de071bd0ef 100644
--- a/control-plane/config/crd/bases/consul.hashicorp.com_servicerouters.yaml
+++ b/control-plane/config/crd/bases/consul.hashicorp.com_servicerouters.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.6.0
+ controller-gen.kubebuilder.io/version: v0.8.0
 creationTimestamp: null
 name: servicerouters.consul.hashicorp.com
 spec:
@@ -49,7 +48,7 @@ spec:
 metadata:
 type: object
 spec:
- description: ServiceRouterSpec defines the desired state of ServiceRouter
+ description: ServiceRouterSpec defines the desired state of ServiceRouter.
 properties:
 routes:
 description: Routes are the list of routes to consider when processing
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_servicesplitters.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_servicesplitters.yaml
index 204179c000..df8bbbfbdf 100644
--- a/control-plane/config/crd/bases/consul.hashicorp.com_servicesplitters.yaml
+++ b/control-plane/config/crd/bases/consul.hashicorp.com_servicesplitters.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.6.0
+ controller-gen.kubebuilder.io/version: v0.8.0
 creationTimestamp: null
 name: servicesplitters.consul.hashicorp.com
 spec:
@@ -49,7 +48,7 @@ spec:
 metadata:
 type: object
 spec:
- description: ServiceSplitterSpec defines the desired state of ServiceSplitter
+ description: ServiceSplitterSpec defines the desired state of ServiceSplitter.
 properties:
 splits:
 description: Splits defines how much traffic to send to which set
diff --git a/control-plane/config/crd/bases/consul.hashicorp.com_terminatinggateways.yaml b/control-plane/config/crd/bases/consul.hashicorp.com_terminatinggateways.yaml
index 716f22e4ef..8e6c449ef8 100644
--- a/control-plane/config/crd/bases/consul.hashicorp.com_terminatinggateways.yaml
+++ b/control-plane/config/crd/bases/consul.hashicorp.com_terminatinggateways.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.6.0
+ controller-gen.kubebuilder.io/version: v0.8.0
 creationTimestamp: null
 name: terminatinggateways.consul.hashicorp.com
 spec:
@@ -50,14 +49,14 @@ spec:
 metadata:
 type: object
 spec:
- description: TerminatingGatewaySpec defines the desired state of TerminatingGateway
+ description: TerminatingGatewaySpec defines the desired state of TerminatingGateway.
 properties:
 services:
 description: Services is a list of service names represented by the
 terminating gateway.
 items:
 description: A LinkedService is a service represented by a terminating
- gateway
+ gateway.
 properties:
 caFile:
 description: CAFile is the optional path to a CA certificate
diff --git a/control-plane/config/rbac/role.yaml b/control-plane/config/rbac/role.yaml
index 6009210f4b..c1ade51c74 100644
--- a/control-plane/config/rbac/role.yaml
+++ b/control-plane/config/rbac/role.yaml
@@ -1,4 +1,3 @@
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/control-plane/config/webhook/manifests.yaml b/control-plane/config/webhook/manifests.yaml
index ae0eb15fc5..013ec87f80 100644
--- a/control-plane/config/webhook/manifests.yaml
+++ b/control-plane/config/webhook/manifests.yaml
@@ -1,4 +1,3 @@
-
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
diff --git a/control-plane/go.mod b/control-plane/go.mod
index e8842f4643..a40df00f1f 100644
--- a/control-plane/go.mod
+++ b/control-plane/go.mod
@@ -6,7 +6,7 @@ require (
 github.com/go-logr/logr v0.4.0
 github.com/google/go-cmp v0.5.6
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
-github.com/hashicorp/consul/api v1.12.0
+github.com/hashicorp/consul/api v1.10.1-0.20220407215821-25ba9c147aa4
 github.com/hashicorp/consul/sdk v0.9.0
 github.com/hashicorp/go-discover v0.0.0-20200812215701-c4b85f6ed31f
 github.com/hashicorp/go-hclog v0.16.1
@@ -129,6 +129,6 @@ require (
 sigs.k8s.io/yaml v1.2.0 // indirect
 )
 
-replace github.com/hashicorp/consul/sdk v0.9.0 => github.com/hashicorp/consul/sdk v0.4.1-0.20220120214936-7568f3a102a8
+replace github.com/hashicorp/consul/sdk v0.9.0 => github.com/hashicorp/consul/sdk v0.4.1-0.20220214194852-80dfcb1bcd68
 
 go 1.17
diff --git a/control-plane/go.sum b/control-plane/go.sum
index 42ee98bb0f..f32fd751a2 100644
--- a/control-plane/go.sum
+++ b/control-plane/go.sum
@@ -297,11 +297,11 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
-github.com/hashicorp/consul/api v1.12.0 h1:k3y1FYv6nuKyNTqj6w9gXOx5r5CfLj/k/euUeBXj1OY=
-github.com/hashicorp/consul/api v1.12.0/go.mod h1:6pVBMo0ebnYdt2S3H87XhekM/HHrUoTD2XXb/VrZVy0=
+github.com/hashicorp/consul/api v1.10.1-0.20220407215821-25ba9c147aa4 h1:+YYyaJaM1nMV2f+oBHvxA/eDXxGDJqJWee+QT4osygQ=
+github.com/hashicorp/consul/api v1.10.1-0.20220407215821-25ba9c147aa4/go.mod h1:6pVBMo0ebnYdt2S3H87XhekM/HHrUoTD2XXb/VrZVy0=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
-github.com/hashicorp/consul/sdk v0.4.1-0.20220120214936-7568f3a102a8 h1:1O/CANaJGcL6urr47PLoPZ0oQcGLUlGpYoRLYAYFSDs=
-github.com/hashicorp/consul/sdk v0.4.1-0.20220120214936-7568f3a102a8/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
+github.com/hashicorp/consul/sdk v0.4.1-0.20220214194852-80dfcb1bcd68 h1:yw3OXf1OUgfnitE8rwnr+zaT9VluSgvrCHQGwSvA7V4=
+github.com/hashicorp/consul/sdk v0.4.1-0.20220214194852-80dfcb1bcd68/go.mod h1:K9S7H8bLBwkBb2I4hq0Ddm4LCVGuhtenfzSTx2Y36RM=
 github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=