consul

Commit Graph

Author	SHA1	Message	Date
Alejandro Guirao Rodríguez	9f33353c14	agent/config: Fix typo in comment (#5202 )	6 years ago
Paul Banks	bb7145f27d	agent: add default weights to service in local state to prevent AE churn (#5126 ) * Add default weights when adding a service with no weights to local state to prevent constant AE re-sync. This fix was contributed by @42wim in https://github.com/hashicorp/consul/pull/5096 but was merged against the wrong base. This adds it to master and adds a test to cover the behaviour. * Fix tests that broke due to comparing internal state which now has default weights	6 years ago
Paul Banks	0589525ae9	agent: Don't leave old errors around in cache (#5094 ) * Fixes #4480. Don't leave old errors around in cache that can be hit in specific circumstances. * Move error reset to cover extreme edge case of nil Value, nil err Fetch	6 years ago
Pierre Souchay	ae7f88f995	Avoid to have infinite recursion in DNS lookups when resolving CNAMEs (#4918 ) * Avoid to have infinite recursion in DNS lookups when resolving CNAMEs This will avoid killing Consul when a Service.Address is using CNAME to a Consul CNAME that creates an infinite recursion. This will fix https://github.com/hashicorp/consul/issues/4907 * Use maxRecursionLevel = 3 to allow several recursions	6 years ago
Paul Banks	b29bc906ee	bugfix: use ServiceTags to generate cache key hash (#4987 ) * bugfix: use ServiceTags to generate cahce key hash * update unit test * update * remote print log * Update .gitignore * Completely deprecate ServiceTag field internally for clarity * Add explicit test for CacheInfo cases	6 years ago
Aestek	8709213d6e	Prevent status flap when re-registering a check (#4904 ) Fixes point `#2` of: https://github.com/hashicorp/consul/issues/4903 When registering a service each healthcheck status is saved and restored (https://github.com/hashicorp/consul/blob/master/agent/agent.go#L1914) to avoid unnecessary flaps in health state. This change extends this feature to single check registration by moving this protection in `AddCheck()` so that both `PUT /v1/agent/service/register` and `PUT /v1/agent/check/register` behave in the same idempotent way. #### Steps to reproduce 1. Register a check : ``` curl -X PUT \ http://127.0.0.1:8500/v1/agent/check/register \ -H 'Content-Type: application/json' \ -d '{ "Name": "my_check", "ServiceID": "srv", "Interval": "10s", "Args": ["true"] }' ``` 2. The check will initialize and change to `passing` 3. Run the same request again 4. The check status will quickly go from `critical` to `passing` (the delay for this transission is determined by https://github.com/hashicorp/consul/blob/master/agent/checks/check.go#L95)	6 years ago
Mitchell Hashimoto	f76022fa63	CA Provider Plugins (#4751 ) This adds the `agent/connect/ca/plugin` library for consuming/serving Connect CA providers as [go-plugin](https://github.com/hashicorp/go-plugin) plugins. This does not wire this up in any way to Consul itself, so this will not enable using these plugins yet. ## Why? We want to enable CA providers to be pluggable without modifying Consul so that any CA or PKI system can potentially back the Connect certificates. This CA system may also be used in the future for easier bootstrapping and internal cluster security. ### go-plugin The benefit of `go-plugin` is that for the plugin consumer, the fact that the interface implementation is communicating over multi-process RPC is invisible. Internals of Consul will continue to just use `ca.Provider` interface implementations as if they're local. For plugin _authors_, they simply have to implement the interface. The network/transport/process management issues are handled by go-plugin itself. The CA provider plugins support both `net/rpc` and gRPC transports. This enables easy authoring in any language. go-plugin handles the actual protocol handshake and connection. This is just a feature of go-plugin. `go-plugin` is already in production use for years by Packer, Terraform, Nomad, Vault, and Sentinel. We've shown stability for both desktop and server-side software. It is very mature. ## Implementation Details ### `map[string]interface{}` The `Configure` method passes a `map[string]interface{}`. This map contains only Go primitives and containers of primitives (no funcs, chans, etc.). For `net/rpc` we encode as-is using Gob. For gRPC we marshal to JSON and transmit as a `bytes` type. This is the same approach we take with Vault and other software. Note that this is just the transport protocol, the end software views it fully decoded. ### `x509.Certificate` and `CertificateRequest` We transmit the raw ASN.1 bytes and decode on the other side. Unit tests are verifying we get the same cert/csrs across the wire. ### Testing `go-plugin` exposes test helpers that enable testing the full plugin RPC over real loopback network connections. We test all endpoints for success and error for both `net/rpc` and gRPC. ### Vendoring This PR doesn't introduce vendoring for two reasons: 1. @banks's `f-envoy` branch introduces a lot of these and I didn't want conflict. 2. The library isn't actually used yet so it doesn't introduce compile-time errors (it does introduce test errors). ## Next Steps With this in place, we need to figure out the proper way to actually hook these up to Consul, load them, etc. This discussion can happen elsewhere, since regardless of approach this plugin library implementation is the exact same.	6 years ago
Grégoire Seux	4f62a3b528	Implement /v1/agent/health/service/<service name> endpoint (#3551 ) This endpoint aggregates all checks related to <service id> on the agent and return an appropriate http code + the string describing the worst check. This allows to cleanly expose service status to other component, hiding complexity of multiple checks. This is especially useful to use consul to feed a load balancer which would delegate health checking to consul agent. Exposing this endpoint on the agent is necessary to avoid a hit on consul servers and avoid decreasing resiliency (this endpoint will work even if there is no consul leader in the cluster).	6 years ago
Aestek	5960974db1	[Fix] Services sometimes not being synced with acl_enforce_version_8 = false (#4771 ) Fixes: https://github.com/hashicorp/consul/issues/3676 This fixes a bug were registering an agent with a non-existent ACL token can prevent other services registered with a good token from being synced to the server when using `acl_enforce_version_8 = false`. ## Background When `acl_enforce_version_8` is off the agent does not check the ACL token validity before storing the service in its state. When syncing a service registered with a missing ACL token we fall into the default error handling case (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1255) and stop the sync (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1082) without setting its Synced property to true like in the permission denied case. This means that the sync will always stop at the faulty service(s). The order in which the services are synced is random since we iterate on a map. So eventually all services with good ACL tokens will be synced, this can however take some time and is influenced by the cluster size, the bigger the slower because retries are less frequent. Having a service in this state also prevent all further sync of checks as they are done after the services. ## Changes This change modify the sync process to continue even if there is an error. This fixes the issue described above as well as making the sync more error tolerant: if the server repeatedly refuses a service (the ACL token could have been deleted by the time the service is synced, the servers were upgraded to a newer version that has more strict checks on the service definition...). Then all services and check that can be synced will, and those that don't will be marked as errors in the logs instead of blocking the whole process.	6 years ago
Hans Hasselberg	0b4a879203	ui: serve /robots.txt when UI is enabled. (#5089 ) * serve /robots.txt * robots.txt: disallow everything	6 years ago
Kyle Havlovitz	995e728ea0	txn: fix an issue with querying nodes by name instead of ID	6 years ago
Pierre Souchay	f4dc8b42e0	[Travis][UnstableTests] Fixed unstable tests in travis (#5013 ) * [Travis][UnstableTests] Fixed unstable tests in travis as seen in https://travis-ci.org/hashicorp/consul/jobs/460824602 * Fixed unstable tests in https://travis-ci.org/hashicorp/consul/jobs/460857687	6 years ago
Kyle Havlovitz	67bac7a815	api: add support for new txn operations	6 years ago
Kyle Havlovitz	de4dbf583e	txn: add tests for RPC endpoint	6 years ago
Kyle Havlovitz	6a512e5c0f	txn: add ACL enforcement/validation to new txn ops	6 years ago
Kyle Havlovitz	9467067432	state: add tests for new txn ops	6 years ago
Kyle Havlovitz	7759e9ea8b	txn: add service operations	6 years ago
Kyle Havlovitz	ab58986ac3	txn: add node operations	6 years ago
Kyle Havlovitz	01e1b5b1df	txn: add pre-check operations to txn endpoint	6 years ago
Kyle Havlovitz	b371ea8783	Add check operations to transaction api	6 years ago
Kyle Havlovitz	c7e0d3b919	Merge pull request #5061 from hashicorp/blank-ca-fix connect/ca: prevent blank CA config in snapshot	6 years ago
Kyle Havlovitz	4f2715d4e2	connect/ca: prevent blank CA config in snapshot This PR both prevents a blank CA config from being written out to a snapshot and allows Consul to gracefully recover from a snapshot with an invalid CA config. Fixes #4954.	6 years ago
Jack Pearkes	b64e8b262f	Documentation and changes for `verify_server_hostname` (#5069 ) * verify_server_hostname implies verify_outgoing * mention CVE in the docs.	6 years ago
R.B. Boyer	c1eccfd1db	agent: remove some stray fmt.Print* calls (#5015 )	6 years ago
Pierre Souchay	c5ae9caa28	Fixed another list of unstable unit tests in travis (#4915 ) * Fixed another list of unstable unit tests in travis Fixed failing tests in https://travis-ci.org/hashicorp/consul/jobs/451357061 * Fixed another list of unstable unit tests in travis. Fixed failing tests in https://travis-ci.org/hashicorp/consul/jobs/451357061	6 years ago
banks	0bddfa23a2	Release v1.4.0	6 years ago
Kyle Havlovitz	76f102a1e0	Merge pull request #4952 from hashicorp/test-version tests: Bump test server version to 1.4.0	6 years ago
R.B. Boyer	934fae659f	acl: add stub hooks to support some plumbing in enterprise (#4951 )	6 years ago
Kyle Havlovitz	269354c61d	oss: bump test server version to 1.4.0	6 years ago
Aestek	4942e66440	Fix catalog tag filter backward compat (#4944 ) Fix catalog service node filtering (ex /v1/catalog/service/srv?tag=tag1) between agent version <=v1.2.3 and server >=v1.3.0. New server version did not account for the old field when filtering hence request made from old agent were not tag-filtered.	6 years ago
Jack Pearkes	a90c29e60d	Doc changes for 1.4 Final (#4870 ) * website: add multi-dc enterprise landing page * website: switch all 1.4.0 alerts/RC warnings * website: connect product wording Co-Authored-By: pearkes <jackpearkes@gmail.com> * website: remove RC notification * commmand/acl: fix usage docs for ACL tokens * agent: remove comment, OperatorRead * website: improve multi-dc docs Still not happy with this but tried to make it slightly more informative. * website: put back acl guide warning for 1.4.0 * website: simplify multi-dc page and respond to feedback * Fix Multi-DC typos on connect index page. * Improve Multi-DC overview. A full guide is a WIP and will be added post-release. * Fixes typo avaiable > available	6 years ago
Paul Banks	54c2ff6aca	connect: remove additional trust-domain validation (#4934 ) * connct: Remove additional trust-domain validation * Comment typos * Update connect_ca.go	6 years ago
Kyle Havlovitz	4a73a59d70	Merge pull request #4917 from hashicorp/replication-token-cleanup Use acl replication_token for connect	6 years ago
Kyle Havlovitz	972177071d	update non-voting server test to fix enterprise diff	6 years ago
Kyle Havlovitz	643bd13aed	oss: do a proper check-and-set on the CA roots/config fsm operation	6 years ago
R.B. Boyer	e30cc73b1d	Update agent tests to wait a bit longer for the /v1/agent/self endpoint (#4937 )	6 years ago
R.B. Boyer	2afc2a3c3b	acl: fixes ACL replication for legacy tokens without AccessorIDs (#4885 )	6 years ago
Kyle Havlovitz	e8dd89359a	agent: fix formatting	6 years ago
Kyle Havlovitz	62691ebc82	config: remote connect replication_token	6 years ago
R.B. Boyer	9211d2701d	fix comment typos (#4890 )	6 years ago
Kyle Havlovitz	8337e3d8c0	Merge pull request #4872 from hashicorp/node-snapshot-fix Node ID/datacenter snapshot fix	6 years ago
Matt Keeler	db2cf01406	Adds documentation for the new ACL APIs (#4851 ) * Update the ACL API docs * Add a CreateTime to the anon token Also require acl:read permissions at least to perform rule translation. Don’t want someone DoSing the system with an open endpoint that actually does a bit of work. * Fix one place where I was referring to id instead of AccessorID * Add godocs for the API package additions. * Minor updates: removed some extra commas and updated the acl intro paragraph * minor tweaks * Updated the language to be clearer * Updated the language to be clearer for policy page * I was also confused by that! Your updates are much clearer. Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> * Sounds much better. Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> * Updated sidebar layout and deprecated warning	6 years ago
Matt Keeler	f9cf0eb36e	Remaining ACL Unit Tests (#4852 ) * Add leader token upgrade test and fix various ACL enablement bugs * Update the leader ACL initialization tests. * Add a StateStore ACL tests for ACLTokenSet and ACLTokenGetBy* functions * Advertise the agents acl support status with the agent/self endpoint. * Make batch token upsert CAS’able to prevent consistency issues with token auto-upgrade * Finish up the ACL state store token tests * Finish the ACL state store unit tests Also rename some things to make them more consistent. * Do as much ACL replication testing as I can.	6 years ago
Kyle Havlovitz	bd6d0e598f	fsm: update snapshot/restore test to include ID and datacenter	6 years ago
Kyle Havlovitz	6483356329	fsm: add missing ID/datacenter to persistNodes	6 years ago
Matt Keeler	d238cb181c	New ACL API Tests (#4848 ) * A few API mods and unit tests. * Update the unit tests to verify query/write metadata and to fix the rules endpoint tests. * Make sure the full information for the replication status is in the api packge	6 years ago
Matt Keeler	790cf90ee5	Fix the NonVoter Bootstrap test (#4786 )	6 years ago
banks	1757fbc0aa	Release v1.4.0-rc1	6 years ago
Kyle Havlovitz	819566f6b7	fsm: add Intention operations to transactions for internal use	6 years ago
Matt Keeler	34b53e7099	A few misc fixes found by go vet	6 years ago
Matt Keeler	18b29c45c4	New ACLs (#4791 ) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.	6 years ago
Pierre Souchay	fab55bee2b	dns: implements prefix lookups for DNS TTL (#4605 ) This will fix https://github.com/hashicorp/consul/issues/4509 and allow forinstance lb-* to match services lb-001 or lb-service-007.	6 years ago
Jack Pearkes	8c684db488	New command: consul debug (#4754 ) * agent/debug: add package for debugging, host info * api: add v1/agent/host endpoint * agent: add v1/agent/host endpoint * command/debug: implementation of static capture * command/debug: tests and only configured targets * agent/debug: add basic test for host metrics * command/debug: add methods for dynamic data capture * api: add debug/pprof endpoints * command/debug: add pprof * command/debug: timing, wg, logs to disk * vendor: add gopsutil/disk * command/debug: add a usage section * website: add docs for consul debug * agent/host: require operator:read * api/host: improve docs and no retry timing * command/debug: fail on extra arguments * command/debug: fixup file permissions to 0644 * command/debug: remove server flags * command/debug: improve clarity of usage section * api/debug: add Trace for profiling, fix profile * command/debug: capture profile and trace at the same time * command/debug: add index document * command/debug: use "clusters" in place of members * command/debug: remove address in output * command/debug: improve comment on metrics sleep * command/debug: clarify usage * agent: always register pprof handlers and protect This will allow us to avoid a restart of a target agent for profiling by always registering the pprof handlers. Given this is a potentially sensitive path, it is protected with an operator:read ACL and enable debug being set to true on the target agent. enable_debug still requires a restart. If ACLs are disabled, enable_debug is sufficient. * command/debug: use trace.out instead of .prof More in line with golang docs. * agent: fix comment wording * agent: wrap table driven tests in t.run()	6 years ago
Kyle Havlovitz	c617326470	re-add Connect multi-dc config changes This reverts commit `8bcfbaffb6`.	6 years ago
R.B. Boyer	307d91934c	fix some test hangs (#4785 ) The default http.Client uses infinite timeouts, so if TestHTTPAPI_MethodNotAllowed_OSS experienced anything going wrong about setup it could hang forever. Switching to hard coding various http.Client timeouts to non-infinite values at least bounds the failure time.	6 years ago
banks	469768ae39	Release v1.3.0	6 years ago
Jack Pearkes	8bcfbaffb6	Revert "Connect multi-dc config" (#4784 )	6 years ago
Aestek	25f04fbd21	[Security] Add finer control over script checks (#4715 ) * Add -enable-local-script-checks options These options allow for a finer control over when script checks are enabled by giving the option to only allow them when they are declared from the local file system. * Add documentation for the new option * Nitpick doc wording	6 years ago
Paul Banks	298af6dca7	Quick fix for cache age flakiness in CI	6 years ago
Rebecca Zanzig	34e5516834	Support multiple tags for health and catalog http api endpoints (#4717 ) * Support multiple tags for health and catalog api endpoints Fixes #1781. Adds a `ServiceTags` field to the ServiceSpecificRequest to support multiple tags, updates the filter logic in the catalog store, and propagates these change through to the health and catalog endpoints. Note: Leaves `ServiceTag` in the struct, since it is being used as part of the DNS lookup, which in turn uses the health check. * Update the api package to support multiple tags Includes additional tests. * Update new tests to use the `require` library * Update HealthConnect check after a bad merge	6 years ago
Pierre Souchay	51b33ef015	[Performance On Large clusters] Reduce updates on large services (#4720 ) * [Performance On Large clusters] Checks do update services/nodes only when really modified to avoid too many updates on very large clusters In a large cluster, when having a few thousands of nodes, the anti-entropy mechanism performs lots of changes (several per seconds) while there is no real change. This patch wants to improve this in order to increase Consul scalability when using many blocking requests on health for instance. * [Performance for large clusters] Only updates index of service if service is really modified * [Performance for large clusters] Only updates index of nodes if node is really modified * Added comments / ensure IsSame() has clear semantics * Avoid having modified boolean, return nil directly if stutures are Same * Fixed unstable unit tests TestLeader_ChangeServerID * Rewrite TestNode_IsSame() for better readability as suggested by @banks * Rename ServiceNode.IsSame() into IsSameService() + added unit tests * Do not duplicate TestStructs_ServiceNode_Conversions() and increase test coverage of IsSameService * Clearer documentation in IsSameService * Take into account ServiceProxy into ServiceNode.IsSameService() * Fixed IsSameService() with all new structures	6 years ago
Paul Banks	51c0001aad	[WIP] Initial draft of Sidecar Service and Managed Proxy deprecation docs (#4752 ) * Initial draft of Sidecar Service and Managed Proxy deprecation docs * Service definition deprecation notices and sidecar service * gRPC and sidecar service config options; Deprecate managed proxy options * Envoy Docs: Basic envoy command; envoy getting started/intro * Remove change that snuck in * Envoy custom config example * Add agent/service API docs; deprecate proxy config endpoint * Misc grep cleanup for managed proxies; capitalize Envoy * Updates to getting started guide * Add missing link * Refactor Envoy guide into a separate guide and add bootstrap reference notes. * Add limitations to Envoy docs; Highlight no fixes for known managed proxy issues on deprecation page; clarify snake cae stuff; Sidecar Service lifecycle	6 years ago
Pierre Souchay	251156eb68	Added SOA configuration for DNS settings. (#4714 ) This will allow to fine TUNE SOA settings sent by Consul in DNS responses, for instance to be able to control negative ttl. Will fix: https://github.com/hashicorp/consul/issues/4713 # Example Override all settings: * min_ttl: 0 => 60s * retry: 600 (10m) => 300s (5 minutes), * expire: 86400 (24h) => 43200 (12h) * refresh: 3600 (1h) => 1800 (30 minutes) ``` consul agent -dev -hcl 'dns_config={soa={min_ttl=60,retry=300,expire=43200,refresh=1800}}' ``` Result: ``` dig +multiline @localhost -p 8600 service.consul ; <<>> DiG 9.12.1 <<>> +multiline @localhost -p 8600 service.consul ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36557 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;service.consul. IN A ;; AUTHORITY SECTION: consul. 0 IN SOA ns.consul. hostmaster.consul. ( 1537959133 ; serial 1800 ; refresh (30 minutes) 300 ; retry (5 minutes) 43200 ; expire (12 hours) 60 ; minimum (1 minute) ) ;; Query time: 4 msec ;; SERVER: 127.0.0.1#8600(127.0.0.1) ;; WHEN: Wed Sep 26 12:52:13 CEST 2018 ;; MSG SIZE rcvd: 93 ```	6 years ago
Kyle Havlovitz	e4349c5710	connect/ca: more OSS split for multi-dc	6 years ago
Kyle Havlovitz	0da4f2b2e8	connect/ca: split CA initialization logic between oss/enterprise	6 years ago
Kyle Havlovitz	56dc426227	agent: add primary_datacenter and connect replication config options	6 years ago
Kyle Havlovitz	98d95cfa80	connect: add ExternalTrustDomain to CARoot fields	6 years ago
Kyle Havlovitz	46c829b879	docs: deprecate acl_datacenter and replace it with primary_datacenter	6 years ago
Paul Banks	c9217c958e	merge feedback: fix typos; actually use deliverLatest added previously but not plumbed in	6 years ago
Paul Banks	161482d2cd	Fix up tests broken by master merge; add proxy tests to services command (and fix it!); actually run the proxycfg.Manager	6 years ago
Paul Banks	a28e4a33b2	Fix bug in leaf-cert cache type where multiple client tokens collide (#4736 ) * Fix bug in leaf-cert cache type where multiple clients with different tokens would share certs and block incorrectly * Use hash for issued certs key to avoid ambiguity concatenating	6 years ago
Paul Banks	dca1303d05	Connect Envoy Command (#4735 ) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review	6 years ago
Paul Banks	1909a95118	xDS Server Implementation (#4731 ) * Vendor updates for gRPC and xDS server * xDS server implementation for serving Envoy as a Connect proxy * Address initial review comments * consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners * Moar Typos * Moar typos	6 years ago
Paul Banks	8336b5e6b9	XDS Server Config (#4730 ) * Config for the coming XDS server * Default gRPC to 8502 for -dev mode; Re-merge the command Info output that shows gRPC.	6 years ago
Paul Banks	0f27ffd163	Proxy Config Manager (#4729 ) * Proxy Config Manager This component watches for local state changes on the agent and ensures that each service registered locally with Kind == connect-proxy has it's state being actively populated in the cache. This serves two purposes: 1. For the built-in proxy, it ensures that the state needed to accept connections is available in RAM shortly after registration and likely before the proxy actually starts accepting traffic. 2. For (future - next PR) xDS server and other possible future proxies that require _push_ based config discovery, this provides a mechanism to subscribe and be notified about updates to a proxy instance's config including upstream service discovery results. * Address review comments * Better comments; Better delivery of latest snapshot for slow watchers; Embed Config * Comment typos * Add upstream Stringer for funsies	6 years ago
Paul Banks	96b9b95a19	Add cache.Notify to abstract watching for cache updates for types that support blocking semantics. (#4695 )	6 years ago
Paul Banks	e812f5516a	Add -sidecar-for and new /agent/service/:service_id endpoint (#4691 ) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - supports hash-based blocking and so; - replaces `/agent/connect/proxy/:proxy_id` as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical.	6 years ago
Paul Banks	1e7eace066	Add SidecarService Syntax sugar to Service Definition (#4686 ) * Added new Config for SidecarService in ServiceDefinitions. * WIP: all the code needed for SidecarService is written... none of it is tested other than config :). Need API updates too. * Test coverage for the new sidecarServiceFromNodeService method. * Test API registratrion with SidecarService * Recursive Key Translation 🤦 * Add tests for nested sidecar defintion arrays to ensure they are translated correctly * Use dedicated internal state rather than Service Meta for tracking sidecars for deregistration. Add tests for deregistration. * API struct for agent register. No other endpoint should be affected yet. * Additional test cases to cover updates to API registrations	6 years ago
Paul Banks	b83bbf248c	Add Proxy Upstreams to Service Definition (#4639 ) * Refactor Service Definition ProxyDestination. This includes: - Refactoring all internal structs used - Updated tests for both deprecated and new input for: - Agent Services endpoint response - Agent Service endpoint response - Agent Register endpoint - Unmanaged deprecated field - Unmanaged new fields - Managed deprecated upstreams - Managed new - Catalog Register - Unmanaged deprecated field - Unmanaged new fields - Managed deprecated upstreams - Managed new - Catalog Services endpoint response - Catalog Node endpoint response - Catalog Service endpoint response - Updated API tests for all of the above too (both deprecated and new forms of register) TODO: - config package changes for on-disk service definitions - proxy config endpoint - built-in proxy support for new fields * Agent proxy config endpoint updated with upstreams * Config file changes for upstreams. * Add upstream opaque config and update all tests to ensure it works everywhere. * Built in proxy working with new Upstreams config * Command fixes and deprecations * Fix key translation, upstream type defaults and a spate of other subtele bugs found with ned to end test scripts... TODO: tests still failing on one case that needs a fix. I think it's key translation for upstreams nested in Managed proxy struct. * Fix translated keys in API registration. ≈ * Fixes from docs - omit some empty undocumented fields in API - Bring back ServiceProxyDestination in Catalog responses to not break backwards compat - this was removed assuming it was only used internally. * Documentation updates for Upstreams in service definition * Fixes for tests broken by many refactors. * Enable travis on f-connect branch in this branch too. * Add consistent Deprecation comments to ProxyDestination uses * Update version number on deprecation notices, and correct upstream datacenter field with explanation in docs	6 years ago
Paul Banks	b06ddc9187	Rename proxy package (re-run of #4550 ) (#4638 ) * Rename agent/proxy package to reflect that it is limited to managed proxy processes Rationale: we have several other components of the agent that relate to Connect proxies for example the ProxyConfigManager component needed for Envoy work. Those things are pretty separate from the focus of this package so far which is only concerned with managing external proxy processes so it's nota good fit to put code for that in here, yet there is a naming clash if we have other packages related to proxy functionality that are not in the `agent/proxy` package. Happy to bikeshed the name. I started by calling it `managedproxy` but `managedproxy.Manager` is especially unpleasant. `proxyprocess` seems good in that it's more specific about purpose but less clearly connected with the concept of "managed proxies". The names in use are cleaner though e.g. `proxyprocess.Manager`. This rename was completed automatically using golang.org/x/tools/cmd/gomvpkg. Depends on #4541 * Fix missed windows tagged files	6 years ago
Paul Banks	88388d760d	Support Agent Caching for Service Discovery Results (#4541 ) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.	6 years ago
Igal Shprincis	e1fe3af37f	watch: don't set TLSConfig.Address explicitly (#4727 ) Don't set the value of TLSConfig.Address explicitly. This will make sure env vars like CONSUL_TLS_SERVER_NAME are taken into account for the connection. Fixes #4718.	6 years ago
Paul Banks	e8ba527f23	Add a Close method to cache that stops background goroutines. (#4746 ) In a real agent the `cache` instance is alive until the agent shuts down so this is not a real leak in production, however in out test suite, every testAgent that is started and stops leaks goroutines that never get cleaned up which accumulate consuming CPU and memory through subsequent test in the `agent` package which doesn't help our test flakiness. This adds a Close method that doesn't invalidate or clean up the cache, and still allows concurrent blocking queries to run (for up to 10 mins which might still affect tests). But at least it doesn't maintain them forever with background refresh and an expiry watcher routine. It would be nice to cancel any outstanding blocking requests as well when we close but that requires much more invasive surgery right into our RPC protocol since we don't have a way to cancel requests currently. Unscientifically this seems to make tests pass a bit quicker and more reliably locally but I can't really be sure of that!	6 years ago
Paul O'Connor	6b7f03911e	Fix prometheus error message (#4745 )	6 years ago
R.B. Boyer	491826ddbc	cli: forward SIGTERM to child process of 'lock' and 'watch' subcommands (#4737 ) cli: forward SIGTERM to child process of 'lock' and 'watch' subcommands on unix This also removes the signal handler for SIGKILL as it's impossible to receive these signals.	6 years ago
Alex Dadgar	43d0f96c42	do not bootstrap with non voters	6 years ago
Kyle Havlovitz	57deb28ade	connect/ca: tighten up the intermediate signing verification	6 years ago
Kyle Havlovitz	2919519665	connect/ca: add intermediate functions to Vault ca provider	6 years ago
Kyle Havlovitz	52e8652ac5	connect/ca: add intermediate functions to Consul CA provider	6 years ago
Kyle Havlovitz	d515d25856	Merge pull request #4644 from hashicorp/ca-refactor connect/ca: rework initialization/root generation in providers	6 years ago
mkeeler	48d287ef69	Release v1.2.3	6 years ago
Paul Banks	74f2a80a42	Fix CA pruning when CA config uses string durations. (#4669 ) * Fix CA pruning when CA config uses string durations. The tl;dr here is: - Configuring LeafCertTTL with a string like "72h" is how we do it by default and should be supported - Most of our tests managed to escape this by defining them as time.Duration directly - Out actual default value is a string - Since this is stored in a map[string]interface{} config, when it is written to Raft it goes through a msgpack encode/decode cycle (even though it's written from server not over RPC). - msgpack decode leaves the string as a `[]uint8` - Some of our parsers required string and failed - So after 1 hour, a default configured server would throw an error about pruning old CAs - If a new CA was configured that set LeafCertTTL as a time.Duration, things might be OK after that, but if a new CA was just configured from config file, intialization would cause same issue but always fail still so would never prune the old CA. - Mostly this is just a janky error that got passed tests due to many levels of complicated encoding/decoding. tl;dr of the tl;dr: Yay for type safety. Map[string]interface{} combined with msgpack always goes wrong but we somehow get bitten every time in a new way :D We already fixed this once! The main CA config had the same problem so @kyhavlov already wrote the mapstructure DecodeHook that fixes it. It wasn't used in several places it needed to be and one of those is notw in `structs` which caused a dependency cycle so I've moved them. This adds a whole new test thta explicitly tests the case that broke here. It also adds tests that would have failed in other places before (Consul and Vaul provider parsing functions). I'm not sure if they would ever be affected as it is now as we've not seen things broken with them but it seems better to explicitly test that and support it to not be bitten a third time! * Typo fix * Fix bad Uint8 usage	6 years ago
Hans Hasselberg	8e235a72b4	Allow disabling the HTTP API again. (#4655 ) If you provide an invalid HTTP configuration consul will still start again instead of failing. But if you do so the build-in proxy won't be able to start which you might need for connect.	6 years ago
Kyle Havlovitz	5c7fbc284d	connect/ca: hash the consul provider ID and include isRoot	6 years ago
Pierre Souchay	1a906ef34e	Fix more unstable tests in agent and command	6 years ago
Kyle Havlovitz	c112a72880	connect/ca: some cleanup and reorganizing of the new methods	6 years ago
Pierre Souchay	2fe728c7bd	Ensure that Proxies ARE always cleaned up, event with DeregisterCriticalServiceAfter (#4649 ) This fixes https://github.com/hashicorp/consul/issues/4648	6 years ago
Matt Keeler	d3ee66eed4	Add ECS option to EDNS responses where appropriate (#4647 ) This implements parts of RFC 7871 where Consul is acting as an authoritative name server (or forwarding resolver when recursors are configured) If ECS opt is present in the request we will mirror it back and return a response with a scope of 0 (global) or with the same prefix length as the request (indicating its valid specifically for that subnet). We only mirror the prefix-length (non-global) for prepared queries as those could potentially use nearness checks that could be affected by the subnet. In the future we could get more sophisticated with determining the scope bits and allow for better caching of prepared queries that don’t rely on nearness checks. The other thing this does not do is implement the part of the ECS RFC related to originating ECS headers when acting as a intermediate DNS server (forwarding resolver). That would take a quite a bit more effort and in general provide very little value. Consul will currently forward the ECS headers between recursors and the clients transparently, we just don't originate them for non-ECS clients to get potentially more accurate "location aware" results.	6 years ago
Pierre Souchay	22500f242e	Fix unstable tests in agent, api, and command/watch	6 years ago
Mitchell Hashimoto	49b165965d	Merge pull request #4642 from hashicorp/f-ui-meta agent: aggregate service instance meta for UI purposes	6 years ago
Mitchell Hashimoto	b95348c4b1	agent: ExternalSources instead of Meta	6 years ago
Matt Keeler	cc8327ed9a	Ensure that errors setting up the DNS servers get propagated back to the shell (#4598 ) Fixes: #4578 Prior to this fix if there was an error binding to ports for the DNS servers the error would be swallowed by the gated log writer and never output. This fix propagates the DNS server errors back to the shell with a multierror.	6 years ago
Pierre Souchay	eddcf228ea	Implementation of Weights Data structures (#4468 ) * Implementation of Weights Data structures Adding this datastructure will allow us to resolve the issues #1088 and #4198 This new structure defaults to values: ``` { Passing: 1, Warning: 0 } ``` Which means, use weight of 0 for a Service in Warning State while use Weight 1 for a Healthy Service. Thus it remains compatible with previous Consul versions. * Implemented weights for DNS SRV Records * DNS properly support agents with weight support while server does not (backwards compatibility) * Use Warning value of Weights of 1 by default When using DNS interface with only_passing = false, all nodes with non-Critical healthcheck used to have a weight value of 1. While having weight.Warning = 0 as default value, this is probably a bad idea as it breaks ascending compatibility. Thus, we put a default value of 1 to be consistent with existing behaviour. * Added documentation for new weight field in service description * Better documentation about weights as suggested by @banks * Return weight = 1 for unknown Check states as suggested by @banks * Fixed typo (of -> or) in error message as requested by @mkeeler * Fixed unstable unit test TestRetryJoin * Fixed unstable tests * Fixed wrong Fatalf format in `testrpc/wait.go` * Added notes regarding DNS SRV lookup limitations regarding number of instances * Documentation fixes and clarification regarding SRV records with weights as requested by @banks * Rephrase docs	6 years ago
Kyle Havlovitz	546bdf8663	connect/ca: add Configure/GenerateRoot to provider interface	6 years ago
Mitchell Hashimoto	e9ea190df0	agent: aggregate service instance meta for UI purposes	6 years ago
Mitchell Hashimoto	99eb154f6f	agent: configure k8s go-discover	6 years ago
Martin	feb3ce4ee0	Use target service name instead of ID as connect proxy service name (#4620 )	6 years ago
Pierre Souchay	9a2ae6e8eb	Fixed more flaky tests in ./agent/consul (#4617 )	6 years ago
Pierre Souchay	92acdaa94c	Fixed flaky tests (#4626 )	6 years ago
Siva Prasad	ca35d04472	Adds a new command line flag -log-file for file based logging. (#4581 ) * Added log-file flag to capture Consul logs in a user specified file * Refactored code. * Refactored code. Added flags to rotate logs based on bytes and duration * Added the flags for log file and log rotation on the webpage * Fixed TestSantize from failing due to the addition of 3 flags * Introduced changes : mutex, data-dir log writes, rotation logic * Added test for logfile and updated the default log destination for docs * Log name now uses UnixNano * TestLogFile is now uses t.Parallel() * Removed unnecessary int64Val function * Updated docs to reflect default log name for log-file * No longer writes to data-dir and adds .log if the filename has no extension	6 years ago
Freddy	d7a404f2ee	Bugfix: Use "%#v" when formatting structs (#4600 )	6 years ago
Siva Prasad	b1a34f899f	TestAgentAntiEntropy: Wait until Consul service is up on the agent. (#4591 ) * Anti-Entropy test wait for Consul service added * Reverted some tests back to using WaitForLeader	6 years ago
Pierre Souchay	5e0218ccf4	Fix unit test TestOperatorAutopilotGetConfigCommand (#4594 )	6 years ago
Pierre Souchay	aea31d3c5d	Fixed unstable test TestUiNodeInfo (#4586 )	6 years ago
Pierre Souchay	b898131723	[BUGFIX] Avoid returning empty data on startup of a non-leader server (#4554 ) Ensure that DB is properly initialized when performing stale queries Addresses: - https://github.com/hashicorp/consul-replicate/issues/82 - https://github.com/hashicorp/consul/issues/3975 - https://github.com/hashicorp/consul-template/issues/1131	6 years ago
Miroslav Bagljas	3c23979afd	Fixes #4483 : Add support for Authorization: Bearer token Header (#4502 ) Added Authorization Bearer token support as per RFC6750 * appended Authorization header token parsing after X-Consul-Token * added test cases * updated website documentation to mention Authorization header * improve tests, improve Bearer parsing	6 years ago
Matt Keeler	e81c85c051	Fix #4515 : Segfault when serf_wan port was -1 but reconnect_time_wan was set (#4531 ) Fixes #4515 This just slightly refactors the logic to only attempt to set the serf wan reconnect timeout when the rest of the serf wan settings are configured - thus avoiding a segfault.	6 years ago
Kyle Havlovitz	e5e1f867e5	Merge branch 'master' into ca-snapshot-fix	6 years ago
Kyle Havlovitz	f186edc42c	fsm: add connect service config to snapshot/restore test	6 years ago
nickmy9729	beddf03b26	Added code to allow snapshot inclusion of NodeMeta (#4527 )	6 years ago
Kyle Havlovitz	b51d76f469	fsm: add missing CA config to snapshot/restore logic	6 years ago
Kyle Havlovitz	4b35d877ca	autopilot: don't follow the normal server removal rules for nonvoters	6 years ago
Kyle Havlovitz	ea14482376	Fix stats fetcher healthcheck RPCs not being independent	6 years ago
Pierre Souchay	0d6de257a2	Display more information about check being not properly added when it fails (#4405 ) * Display more information about check being not properly added when it fails It follows an incident where we add lots of error messages: [WARN] consul.fsm: EnsureRegistration failed: failed inserting check: Missing service registration That seems related to Consul failing to restart on respective agents. Having Node information as well as service information would help diagnose the issue. * Renamed ensureCheckIfNodeMatches() as requested by @banks	6 years ago
Freddy	6d43d24edb	Improve reliability of tests with TestAgent (#4525 ) - Add WaitForTestAgent to tests flaky due to missing serfHealth registration - Fix bug in retries calling Fatalf with *testing.T - Convert TestLockCommand_ChildExitCode to table driven test	6 years ago
Pierre Souchay	ef3b81ab13	Allow to rename nodes with IDs, will fix #3974 and #4413 (#4415 ) * Allow to rename nodes with IDs, will fix #3974 and #4413 This change allow to rename any well behaving recent agent with an ID to be renamed safely, ie: without taking the name of another one with case insensitive comparison. Deprecated behaviour warning ---------------------------- Due to asceding compatibility, it is still possible however to "take" the name of another name by not providing any ID. Note that when not providing any ID, it is possible to have 2 nodes having similar names with case differences, ie: myNode and mynode which might lead to DB corruption on Consul server side and lead to server not properly restarting. See #3983 and #4399 for Context about this change. Disabling registration of nodes without IDs as specified in #4414 should probably be the way to go eventually. * Removed the case-insensitive search when adding a node within the else block since it breaks the test TestAgentAntiEntropy_Services While the else case is probably legit, it will be fixed with #4414 in a later release. * Added again the test in the else to avoid duplicated names, but enforce this test only for nodes having IDs. Thus most tests without any ID will work, and allows us fixing * Added more tests regarding request with/without IDs. `TestStateStore_EnsureNode` now test registration and renaming with IDs `TestStateStore_EnsureNodeDeprecated` tests registration without IDs and tests removing an ID from a node as well as updated a node without its ID (deprecated behaviour kept for backwards compatibility) * Do not allow renaming in case of conflict, including when other node has no ID * Fixed function GetNodeID that was not working due to wrong type when searching node from its ID Thus, all tests about renaming were not working properly. Added the full test cas that allowed me to detect it. * Better error messages, more tests when nodeID is not a valid UUID in GetNodeID() * Added separate TestStateStore_GetNodeID to test GetNodeID. More complete test coverage for GetNodeID * Added new unit test `TestStateStore_ensureNoNodeWithSimilarNameTxn` Also fixed comments to be clearer after remarks from @banks * Fixed error message in unit test to match test case * Use uuid.ParseUUID to parse Node.ID as requested by @mkeeler	6 years ago
Siva Prasad	c88900aaa9	PR to fix TestAgent_IndexChurn and TestPreparedQuery_Wrapper. (#4512 ) * Fixes TestAgent_IndexChurn * Fixes TestPreparedQuery_Wrapper * Increased sleep in agent_test for IndexChurn to 500ms * Made the comment about joinWAN operation much less of a cliffhanger	6 years ago
Armon Dadgar	4f1fd34e9e	consul: Update buffer sizes	6 years ago
Siva Prasad	288d350a73	Revert "CA initialization while boostrapping and TestLeader_ChangeServerID fix." (#4497 ) * Revert "BUGFIX: Unit test relying on WaitForLeader() did not work due to wrong test (#4472)" This reverts commit `cec5d72396`. * Revert "CA initialization while boostrapping and TestLeader_ChangeServerID fix. (#4493)" This reverts commit `589b589b53`.	6 years ago
Pierre Souchay	cec5d72396	BUGFIX: Unit test relying on WaitForLeader() did not work due to wrong test (#4472 ) - Improve resilience of testrpc.WaitForLeader() - Add additionall retry to CI - Increase "go test" timeout to 8m - Add wait for cluster leader to several tests in the agent package - Add retry to some tests in the api and command packages	6 years ago
Siva Prasad	589b589b53	CA initialization while boostrapping and TestLeader_ChangeServerID fix. (#4493 ) * connect: fix an issue with Consul CA bootstrapping being interrupted * streamline change server id test	6 years ago
Siva Prasad	865068a358	DNS : Fixes recursors answering the DNS query to properly return the correct response. (#4461 ) * Fixes the DNS recursor properly resolving the requests * Added a test case for the recursor bug * Refactored code && added a test case for all failing recursors * Inner indentation moved into else if check	6 years ago
Paul Banks	71dd3b408a	Fixes memory leak when blocking on /event/list (#4482 )	6 years ago
mkeeler	e716d1b5f8	Release v1.2.2	6 years ago
Matt Keeler	870a6ad6a8	Handle resolving proxy tokens when parsing HTTP requests (#4453 ) Fixes: #4441 This fixes the issue with Connect Managed Proxies + ACLs being broken. The underlying problem was that the token parsed for most http endpoints was sent untouched to the servers via the RPC request. These changes make it so that at the HTTP endpoint when parsing the token we additionally attempt to convert potential proxy tokens into regular tokens before sending to the RPC endpoint. Proxy tokens are only valid on the agent with the managed proxy so the resolution has to happen before it gets forwarded anywhere.	6 years ago
Matt Keeler	0e0227792b	Gossip tuneables (#4444 ) Expose a few gossip tuneables for both lan and wan interfaces gossip_nodes gossip_interval probe_timeout probe_interval retransmit_mult suspicion_mult	6 years ago
Kyle Havlovitz	fa0d8aff33	fix inconsistency in TestConnectCAConfig_GetSet	6 years ago
Paul Banks	8dd50d5b2d	Add config option to disable HTTP printable char path check (#4442 )	6 years ago
Kyle Havlovitz	ed87949385	Merge pull request #4400 from hashicorp/leaf-cert-ttl Add configurable leaf cert TTL to Connect CA	6 years ago
Kyle Havlovitz	f67a4d59c0	connect/ca: simplify passing of leaf cert TTL	6 years ago
Siva Prasad	f4a1c381a5	Vendoring update for go-discover. (#4412 ) * New Providers added and updated vendoring for go-discover * Vendor.json formatted using make vendorfmt * Docs/Agent/auto-join: Added documentation for the new providers introduced in this PR * Updated the golang.org/x/sys/unix in the vendor directory * Agent: TestGoDiscoverRegistration updated to reflect the addition of new providers * Deleted terraform.tfstate from vendor. * Deleted terraform.tfstate.backup Deleted terraform state file artifacts from unknown runs. * Updated x/sys/windows vendor for Windows binary compilation	6 years ago
Paul Banks	8cbeb29e73	Fixes #4421 : General solution to stop blocking queries with index 0 (#4437 ) * Fix theoretical cache collision bug if/when we use more cache types with same result type * Generalized fix for blocking query handling when state store methods return zero index * Refactor test retry to only affect CI * Undo make file merge * Add hint to error message returned to end-user requests if Connect is not enabled when they try to request cert * Explicit error for Roots endpoint if connect is disabled * Fix tests that were asserting old behaviour	6 years ago
Paul Banks	5635227fa6	Allow config-file based Service Definitions for unmanaged proxies and Connect-natice apps. (#4443 )	6 years ago
Paul Banks	d5e934f9ff	Ooops that was meant to be to a branch no master... EMORECOFFEE Revert "Add config option to disable HTTP printable char path check" This reverts commit `eebe45a47b`.	6 years ago
Paul Banks	eebe45a47b	Add config option to disable HTTP printable char path check	6 years ago
Paul Banks	e954450dec	Merge pull request #4353 from azam/add-serf-lan-wan-port-args Make RPC, Serf LAN, Serf WAN port configurable from CLI	6 years ago
Kyle Havlovitz	ce10de036e	connect/ca: check LeafCertTTL when rotating expired roots	6 years ago
Mitchell Hashimoto	7fa6bb022f	Merge pull request #4320 from hashicorp/f-alias-check Add "Alias" Check Type	6 years ago
azam	342bcb1c24	Make Serf LAN & WAN port configurable from CLI Make RPC port accessible to CLI Add tests and documentation for server-port, serf-lan-port, serf-wan-port CLI arguments	6 years ago
Mitchell Hashimoto	b3854fdd28	agent/local: silly spacing on select statements	6 years ago
Mitchell Hashimoto	8c72bb0cdf	agent/local: address remaining test feedback	6 years ago
Matt Keeler	560c9c26f7	Use the agent logger instead of log module	6 years ago
Matt Keeler	ca5851318d	Update a couple erroneous tests.	6 years ago
Mitchell Hashimoto	9f128e40d6	agent/local: don't use time.After in test since notify is instant	6 years ago
Matt Keeler	3fe5f566f2	Persist proxies from config files Also change how loadProxies works. Now it will load all persisted proxies into a map, then when loading config file proxies will look up the previous proxy token in that map.	6 years ago
Kyle Havlovitz	d6ca015a42	connect/ca: add configurable leaf cert TTL	6 years ago
Matt Keeler	c891e264ca	Fix issue with choosing a client addr that is 0.0.0.0 or ::	6 years ago
Mitchell Hashimoto	9a90400821	agent/checks: prevent overflow of backoff	6 years ago
Mitchell Hashimoto	d6ecd97d1d	agent: use the correct ACL token for alias checks	6 years ago
Mitchell Hashimoto	f97bfd5be8	agent: address some basic feedback	6 years ago
Mitchell Hashimoto	19ced12668	agent: alias checks have no interval	6 years ago
Mitchell Hashimoto	5bc27feb0b	agent/structs: check is alias if node is empty	6 years ago
Mitchell Hashimoto	36e330941a	agent/checks: support node-only checks	6 years ago
Mitchell Hashimoto	1e9233eec1	agent/checks: set critical if RPC fails	6 years ago
Mitchell Hashimoto	e9914ee71c	agent/checks: use local state for local services	6 years ago
Mitchell Hashimoto	7543d270e2	agent/local: support local alias checks	6 years ago
Mitchell Hashimoto	4a67beb734	agent: run alias checks	6 years ago
Mitchell Hashimoto	60c75b88da	agent/checks: reflect node failure as alias check failure	6 years ago
Mitchell Hashimoto	f0658a0ede	agent/config: support configuring alias check	6 years ago
Mitchell Hashimoto	632e4a2c69	agent/checks: add Alias check type	6 years ago
mkeeler	39f93f011e	Release v1.2.1	6 years ago
Matt Keeler	63d5c069fc	Merge pull request #4379 from hashicorp/persist-intermediates connect: persist intermediate CAs on leader change	6 years ago
Paul Banks	9015cd62ab	Merge pull request #4381 from hashicorp/proxy-check-default Proxy check default	6 years ago
Matt Keeler	0e83059d1f	Revert "Allow changing Node names since Node now have IDs"	6 years ago
Matt Keeler	91150cca59	Fixup formatting	6 years ago
Matt Keeler	3807e04de9	Revert PR 4294 - Catalog Register: Generate UUID for services registered without one UUID auto-generation here causes trouble in a few cases. The biggest being older nodes reregistering will fail when the UUIDs are different and the names match This reverts commit `0f70034082`. This reverts commit `d1a8f9cb3f`. This reverts commit `cf69ec42a4`.	6 years ago
Matt Keeler	7572ca0f37	Merge pull request #4374 from hashicorp/feature/proxy-env-vars Setup managed proxy environment with API client env vars	6 years ago
Paul Banks	8405b41f2b	Update proxy config docs and add test for ipv6	6 years ago
Paul Banks	bb9a5c703b	Default managed proxy TCP check address sanely when proxy is bound to 0.0.0.0. This also provides a mechanism to configure custom address or disable the check entirely from managed proxy config.	6 years ago
Matt Keeler	0f56ed2d01	Set api.Config’s InsecureSkipVerify to the value of !RuntimeConfig.VerifyOutgoing	6 years ago
Matt Keeler	22e4058893	Use type switch instead of .Network for more reliably detecting UnixAddrs	6 years ago
Matt Keeler	700a275ddf	Look specifically for tcp instead of unix Add runtime -> api.Config tests	6 years ago
Matt Keeler	c8df4b824c	Update proxy manager test - test passing ProxyEnv vars	6 years ago
Kyle Havlovitz	f95c6807e7	connect: use reflect.DeepEqual instead for test	6 years ago
Matt Keeler	98ead2a8f8	Merge pull request #3983 from pierresouchay/node_renaming Allow changing Node names since Node now have IDs	6 years ago
Kyle Havlovitz	4e5fb6bc19	connect: add provider state to snapshots	6 years ago
Kyle Havlovitz	462ace4867	connect: update leader initializeCA comment	6 years ago
Kyle Havlovitz	1d3f4b5099	connect: persist intermediate CAs on leader change	6 years ago
Matt Keeler	c54b43bef3	PR Updates Proxy now doesn’t need to know anything about the api as we pass env vars to it instead of the api config.	6 years ago
Matt Keeler	4d1ead10b3	Merge pull request #4371 from hashicorp/bugfix/gh-4358 Remove https://prefix from TLSConfig.Address	6 years ago
Pierre Souchay	fecae3de21	When renaming a node, ensure the name is not taken by another node. Since DNS is case insensitive and DB as issues when similar names with different cases are added, check for unicity based on case insensitivity. Following another big incident we had in our cluster, we also validate that adding/renaming a not does not conflicts with case insensitive matches. We had the following error once: - one node called: mymachine.MYDC.mydomain was shut off - another node (different ID) was added with name: mymachine.mydc.mydomain before 72 hours When restarting the consul server of domain, the consul server restarted failed to start since it detected an issue in RAFT database because mymachine.MYDC.mydomain and mymachine.mydc.mydomain had the same names. Checking at registration time with case insensitivity should definitly fix those issues and avoid Consul DB corruption.	6 years ago
Matt Keeler	bd76a34002	Merge pull request #4365 from pierresouchay/fix_test_warning Fixed compilation warning about wrong type	6 years ago
Matt Keeler	3b6eef8ec6	Pass around an API Config object and convert to env vars for the managed proxy	6 years ago
Pierre Souchay	7d2e4b77ec	Use %q, not %s as it used to	6 years ago
Matt Keeler	0fd7e97c2d	Merge remote-tracking branch 'origin/master' into bugfix/prevent-multi-cname	6 years ago
Matt Keeler	d19c7d8882	Merge pull request #4303 from pierresouchay/non_blocking_acl Only send one single ACL cache refresh across network when TTL is over	6 years ago
Matt Keeler	d066fb7b18	Merge pull request #4362 from hashicorp/bugfix/gh-4354 Ensure TXT RRs always end up in the Additional section except for ANY or TXT queries	6 years ago
Pierre Souchay	b112bdd52d	Fixed compilation warning about wrong type It fixes the following warnings: agent/config/builder.go:1201: Errorf format %q has arg s of wrong type string agent/config/builder.go:1240: Errorf format %q has arg s of wrong type string	6 years ago
Paul Banks	41c3a4ac8e	Merge pull request #4038 from pierresouchay/ACL_additional_info Track calls blocked by ACLs using metrics	6 years ago
MagnumOpus21	371f0c3d5f	Tests/Proxy : Changed function name to match the system being tested.	6 years ago
MagnumOpus21	9d57b72e81	Resolved merge conflicts	6 years ago
MagnumOpus21	300330e24b	Agent/Proxy: Formatting and test cases fix	6 years ago
Matt Keeler	962f6a1816	Remove https://prefix from TLSConfig.Address	6 years ago
Matt Keeler	cbf8f14451	Ensure TXT RRs always end up in the Additional section except for ANY or TXT queries This also changes where the enforcement of the enable_additional_node_meta_txt configuration gets applied. formatNodeRecord returns the main RRs and the meta/TXT RRs in separate slices. Its then up to the caller to add to the appropriate sections or not.	6 years ago
MagnumOpus21	94e8ff55cf	Proxy/Tests: Added test cases to check env variables	6 years ago
MagnumOpus21	6cecf2961d	Agent/Proxy : Properly passes env variables to child	6 years ago
Pierre Souchay	ff53648df2	Merge remote-tracking branch 'origin/master' into ACL_additional_info	7 years ago
Pierre Souchay	0e4e451a56	Fixed indentation in test	7 years ago
Kyle Havlovitz	401b206a2e	Store the time CARoot is rotated out instead of when to prune	7 years ago
MagnumOpus21	1cd1b55682	Agent/Proxy : Properly passes env variables to child	7 years ago
Matt Keeler	e3783a75e7	Refactor to make this much less confusing	7 years ago
Matt Keeler	554035974e	Add a bunch of comments about preventing multi-cname Hopefully this a bit clearer as to the reasoning	7 years ago
Matt Keeler	22c2be5bf1	Fix some edge cases and add some tests.	7 years ago
Matt Keeler	9a8500412b	Only allow 1 CNAME when querying for a service. This just makes sure that if multiple services are registered with unique service addresses that we don’t blast back multiple CNAMEs for the same service DNS name and keeps us within the DNS specs.	7 years ago
Kyle Havlovitz	1492243e0a	connect/ca: add logic for pruning old stale RootCA entries	7 years ago
Matt Keeler	8a12d803fd	Merge pull request #4315 from hashicorp/bugfix/fix-server-enterprise Move starting enterprise functionality	7 years ago
Pierre Souchay	bd023f352e	Updated swith case to use same branch for async-cache and extend-cache	7 years ago
Pierre Souchay	1e7665c0d5	Updated documentation and adding more test case for async-cache	7 years ago
Pierre Souchay	abde81a3e7	Added async-cache with similar behaviour as extend-cache but asynchronously	7 years ago
Pierre Souchay	9406ca1c95	Only send one single ACL cache refresh across network when TTL is over It will allow the following: * when connectivity is limited (saturated linnks between DCs), only one single request to refresh an ACL will be sent to ACL master DC instead of statcking ACL refresh queries * when extend-cache is used for ACL, do not wait for result, but refresh the ACL asynchronously, so no delay is not impacting slave DC * When extend-cache is not used, keep the existing blocking mechanism, but only send a single refresh request. This will fix https://github.com/hashicorp/consul/issues/3524	7 years ago
Abhishek Chanda	36306c0076	Change bind_port to an int	7 years ago
Matt Keeler	22b7b688a3	Move starting enterprise functionality	7 years ago
Mitchell Hashimoto	6ef28dece0	agent/config: parse upstreams with multiple service definitions	7 years ago
Mitchell Hashimoto	e155d58b19	Merge pull request #4297 from hashicorp/b-intention-500-2 agent: 400 error on invalid UUID format, api handles errors properly	7 years ago
Matt Keeler	0f70034082	Move default uuid test into the consul package	7 years ago
Matt Keeler	d1a8f9cb3f	go fmt changes	7 years ago
Mitchell Hashimoto	1c3e9af316	agent: 400 error on invalid UUID format, api handles errors properly	7 years ago
Matt Keeler	cf69ec42a4	Make sure to generate UUIDs when services are registered without one This makes the behavior line up with the docs and expected behavior	7 years ago
mkeeler	28141971f9	Release v1.2.0	7 years ago
mkeeler	6813a99081	Merge remote-tracking branch 'connect/f-connect'	7 years ago
Kyle Havlovitz	162daca4d7	revert go changes to hide rotation config	7 years ago
Kyle Havlovitz	c20bbf8760	connect/ca: hide the RotationPeriod config field since it isn't used yet	7 years ago
Mitchell Hashimoto	a76f652fd2	agent: convert the proxy bind_port to int if it is a float	7 years ago
Matt Keeler	677d6dac80	Remove x509 name constraints These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.	7 years ago
Matt Keeler	163fe11101	Make sure we omit the Kind value in JSON if empty	7 years ago
Jack Pearkes	105c4763dc	update UI to latest	7 years ago
Kyle Havlovitz	3baa67cdef	connect/ca: pull the cluster ID from config during a rotation	7 years ago
Kyle Havlovitz	8c2c9705d9	connect/ca: use weak type decoding in the Vault config parsing	7 years ago
Kyle Havlovitz	b4ef7bb64d	connect/ca: leave blank root key/cert out of the default config (unnecessary)	7 years ago
Kyle Havlovitz	050da22473	connect/ca: undo the interface changes and use sign-self-issued in Vault	7 years ago
Kyle Havlovitz	914d9e5e20	connect/ca: add leaf verify check to cross-signing tests	7 years ago
Kyle Havlovitz	bc997688e3	connect/ca: update Consul provider to use new cross-sign CSR method	7 years ago
Kyle Havlovitz	8a70ea64a6	connect/ca: update Vault provider to add cross-signing methods	7 years ago
Kyle Havlovitz	6a2fc00997	connect/ca: add URI SAN support to the Vault provider	7 years ago
Kyle Havlovitz	226a59215d	connect/ca: fix vault provider URI SANs and test	7 years ago
Kyle Havlovitz	1a8ac686b2	connect/ca: add the Vault CA provider	7 years ago
Paul Banks	51fc48e8a6	Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift	7 years ago
Paul Banks	e33bfe249e	Note leadership issues in comments	7 years ago
Paul Banks	b5f24a21cb	Fix test broken by final telemetry PR change!	7 years ago
Paul Banks	e514570dfa	Actually return Intermediate certificates bundled with a leaf!	7 years ago
Matt Keeler	e22b9c8e15	Output the service Kind in the /v1/internal/ui/services endpoint	7 years ago
Paul Banks	17789d4fe3	register TCP check for managed proxies	7 years ago
Paul Banks	280f14d64c	Make proxy only listen after initial certs are fetched	7 years ago
Paul Banks	420ae3df69	Limit proxy telemetry config to only be visible with authenticated with a proxy token	7 years ago
Paul Banks	597e55e8e2	Misc test fixes	7 years ago
Paul Banks	c6ef6a61c9	Refactor to use embedded struct.	7 years ago
Paul Banks	9f559da913	Revert telemetry config changes ready for cleaner approach	7 years ago
Paul Banks	38405bd4a9	Allow user override of proxy telemetry config	7 years ago
Paul Banks	7649d630c6	Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about	7 years ago
Paul Banks	d83f2e8e21	Expose telemetry config from RuntimeConfig to proxy config endpoint	7 years ago
Paul Banks	8aeb7bd206	Disable TestAgent proxy execution properly	7 years ago
Paul Banks	2e223ea2b7	Fix hot loop in cache for RPC returning zero index.	7 years ago
Paul Banks	43b48bc06b	Get agent cache tests passing without global hit count (which is racy). Few other fixes in here just to get a clean run locally - they are all also fixed in other PRs but shouldn't conflict. This should be robust to timing between goroutines now.	7 years ago
Mitchell Hashimoto	155bb67c52	Update UI for beta3	7 years ago
Mitchell Hashimoto	6b1e0a3003	agent/cache: always schedule the refresh	7 years ago
Mitchell Hashimoto	7cbbac43a3	agent: clarify comment	7 years ago
Mitchell Hashimoto	a08faf5a11	agent: add additional assertion to test	7 years ago
Paul Banks	2c21ead80e	More test tweaks	7 years ago
Paul Banks	05a8097c5d	Fix misc test failures (some from other PRs)	7 years ago
Paul Banks	382ce8f98a	Only set precedence on write path	7 years ago
Paul Banks	4a54f8f7e3	Fix some tests failures caused by the sorting change and some cuased by previous UpdatePrecedence() change	7 years ago
Paul Banks	bf7a62e0e0	Sort intention list by precedence	7 years ago
Mitchell Hashimoto	181fbcc9b9	agent: intention update/delete responess match ACL/KV behavior	7 years ago
Mitchell Hashimoto	3c17144fb5	agent/structs: JSON marshal the configuration for a managed proxy	7 years ago
Mitchell Hashimoto	e9e6514c9b	agent: disallow deregistering a managed proxy directly	7 years ago
Mitchell Hashimoto	66a573e496	agent: deregister service deregisters the proxy along with it	7 years ago
Mitchell Hashimoto	a82726f0b8	agent: RemoveProxy also removes the proxy service	7 years ago
Mitchell Hashimoto	e2653bec02	Fix broken tests from PR merge related to proxy secure defaults	7 years ago
Mitchell Hashimoto	cf9b377c78	agent/cache: always fetch with minimum index of 1 at least	7 years ago
Mitchell Hashimoto	6a438c25d0	agent/proxy: remove debug println	7 years ago
Mitchell Hashimoto	0d6dcbd2f1	agent: disallow API registration with managed proxy if not enabled	7 years ago
Mitchell Hashimoto	f7fc026e18	agent/config: AllowManagedAPIRegistration	7 years ago
Mitchell Hashimoto	ed98d65c2b	agent/proxy: AllowRoot to disable executing managed proxies when root	7 years ago
Mitchell Hashimoto	5ae32837f7	agent/proxy: set the proper arguments so we only run the helper process	7 years ago
Mitchell Hashimoto	4897ca6545	agent/config: add AllowManagedRoot	7 years ago
Kyle Havlovitz	82a4b3c13f	connect: fix two CA tests that were broken in a previous PR (#60 )	7 years ago
Paul Banks	41a29a469e	Fix roots race with CA setup hammering bug and defensive nil check hit during obscure upgrade scenario	7 years ago
Kyle Havlovitz	aafa3ca64a	agent: format all CA config fields	7 years ago
Kyle Havlovitz	edbeeeb23c	agent: update accepted CA config fields and defaults	7 years ago
Mitchell Hashimoto	316bdbe010	agent/proxy: fix build on Windows	7 years ago
Paul Banks	0824d1df5f	Misc comment cleanups	7 years ago
Paul Banks	e57aa52ca6	Warn about killing proxies in dev mode	7 years ago
Mitchell Hashimoto	028aa78e83	agent/consul: set precedence value on struct itself	7 years ago
Mitchell Hashimoto	927b45bf91	agent/config: move ports to `ports` structure, update docs	7 years ago
Paul Banks	d1c67d90bc	Fixs a few issues that stopped this working in real life but not caught by tests: - Dev mode assumed no persistence of services although proxy state is persisted which caused proxies to be killed on startup as their services were no longer registered. Fixed. - Didn't snapshot the ProxyID which meant that proxies were adopted OK from snapshot but failed to restart if they died since there was no proxyID in the ENV on restart - Dev mode with no persistence just kills all proxies on shutdown since it can't recover them later - Naming things	7 years ago
Paul Banks	85d6502ab3	Don't kill proxies on agent shutdown; backport manager close fix	7 years ago
Paul Banks	b2ff583392	Test for adopted process Stop race and fix	7 years ago
Mitchell Hashimoto	62d4aaa33e	agent: accept connect param for execute	7 years ago
Mitchell Hashimoto	daf46c9cfa	agent/consul: support a Connect option on prepared query request	7 years ago
Mitchell Hashimoto	440b1b2d97	agent/consul: prepared query supports "Connect" field	7 years ago
Mitchell Hashimoto	8bcadddda7	agent: intention create returns 500 for bad body	7 years ago
Mitchell Hashimoto	1830c6b308	agent: switch ConnectNative to an embedded struct	7 years ago
Paul Banks	df2cb30b01	Make tests pass and clean proxy persistence. No detached child changes yet. This is a good state for persistence stuff to re-start the detached child work that got mixed up last time.	7 years ago
Paul Banks	cdc7cfaa36	Abandon daemonize for simpler solution (preserving history): Reverts: - bdb274852ae469c89092d6050697c0ff97178465 - 2c689179c4f61c11f0016214c0fc127a0b813bfe - d62e25c4a7ab753914b6baccd66f88ffd10949a3 - c727ffbcc98e3e0bf41e1a7bdd40169bd2d22191 - 31b4d18933fd0acbe157e28d03ad59c2abf9a1fb - 85c3f8df3eabc00f490cd392213c3b928a85aa44	7 years ago
Paul Banks	a2fe604191	WIP	7 years ago
Paul Banks	8cf4b3a6eb	Sanity check that we are never trying to self-exec a test binary. Add daemonize bypass for TestAgent so that we don't have to jump through ridiculous self-execution hooks for every package that might possibly invoke a managed proxy	7 years ago
Mitchell Hashimoto	827b671d4a	agent/proxy: Manager.Close also has to stop all proxy watchers	7 years ago
Paul Banks	ef9c40643e	Fix import tooling fail	7 years ago
Paul Banks	ba0fb58a72	Make daemoinze an option on test binary without hacks. Misc fixes for racey or broken tests. Still failing on several though.	7 years ago
Paul Banks	2b377dc624	Run daemon processes as a detached child. This turns out to have a lot more subtelty than we accounted for. The test suite is especially prone to races now we can only poll the child and many extra levels of indirectoin are needed to correctly run daemon process without it becoming a Zombie. I ran this test suite in a loop with parallel enabled to verify for races (-race doesn't find any as they are logical inter-process ones not actual data races). I made it through ~50 runs before hitting an error due to timing which is much better than before. I want to go back and see if we can do better though. Just getting this up.	7 years ago
Paul Banks	e21723a891	Persist proxy state through agent restart	7 years ago
Mitchell Hashimoto	eb3fcb39b3	agent/consul/state: support querying by Connect native	7 years ago
Mitchell Hashimoto	6b745964c4	agent/cache: update comment from PR review to clarify	7 years ago
Mitchell Hashimoto	424272361d	agent: agent service registration supports Connect native services	7 years ago
Mitchell Hashimoto	d6a823ad0d	agent/consul: support catalog registration with Connect native	7 years ago
Mitchell Hashimoto	d609ad216b	agent/cache: update comments	7 years ago
Mitchell Hashimoto	839d3c323d	agent/cache: correct test name	7 years ago
Mitchell Hashimoto	45e49f31de	agent/cache: change behavior to return error rather than retry The cache behavior should not be to mask errors and retry. Instead, it should aim to return errors as quickly as possible. We do that here.	7 years ago
Mitchell Hashimoto	311d503fb0	agent/cache: perform backoffs on error retries on blocking queries	7 years ago
Matt Keeler	3afa4f9c7e	Merge pull request #4234 from hashicorp/feature/default-new-ui Switch over to defaulting to the new UI	7 years ago
Matt Keeler	af910bda39	Merge pull request #4216 from hashicorp/rpc-limiting Make RPC limits reloadable	7 years ago
Matt Keeler	0d4e8676d1	Merge pull request #4215 from hashicorp/feature/config-node-meta-dns-txt Add configuration entry to control including TXT records for node meta in DNS responses	7 years ago
Matt Keeler	7f7c703118	Update the runtime tests	7 years ago
Matt Keeler	8216816e3f	Make filtering out TXT RRs only apply when they would end up in Additional section ANY queries are no longer affected.	7 years ago
Matt Keeler	197e2f69d5	Switch over to defaulting to the new UI	7 years ago
Kyle Havlovitz	ab4a9a94f4	Re-use uint8ToString	7 years ago
Kyle Havlovitz	5683d628c4	Support giving the duration as a string in CA config	7 years ago
Mitchell Hashimoto	eb2a6952ba	address comment feedback	7 years ago
Mitchell Hashimoto	cd39f09693	agent: leaf endpoint accepts name, not service ID This change is important so that requests can made representing a service that may not be registered with the same local agent.	7 years ago
Mitchell Hashimoto	1906fe1c0d	agent: address feedback	7 years ago
Mitchell Hashimoto	0accfc1628	agent: rename test to check	7 years ago
Mitchell Hashimoto	d1c21a8629	agent: implement HTTP endpoint	7 years ago
Mitchell Hashimoto	2a29679e9d	agent/consul: forward request if necessary	7 years ago
Mitchell Hashimoto	54ac5adb08	agent: comments to point to differing logic	7 years ago
Mitchell Hashimoto	d68462fca6	agent/consul: implement Intention.Test endpoint	7 years ago
Paul Banks	a80559e439	Make invalid clusterID be fatal	7 years ago
Paul Banks	140f3f5a44	Fix logical conflicts with CA refactor	7 years ago
Paul Banks	c58d47ba59	Fix broken api test for service Meta (logical conflict rom OSS). Add test that would make this much easier to catch in future.	7 years ago
Paul Banks	f4b8e8c96d	Add default CA config back - I didn't add it and causes nil panics	7 years ago
Paul Banks	1228a5839a	Ooops remove the CA stuff from actual server defaults and make it test server only	7 years ago
Paul Banks	4aeab3897c	Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes.	7 years ago
Paul Banks	bc07ff4983	Comment cleanup	7 years ago
Paul Banks	1722734313	Verify trust domain on /authorize calls	7 years ago
Paul Banks	b4803eca59	Generate CSR using real trust-domain	7 years ago
Paul Banks	622a475eb1	Add CSR signing verification of service ACL, trust domain and datacenter.	7 years ago
Paul Banks	c1f2025d96	Return TrustDomain from CARoots RPC	7 years ago
Kyle Havlovitz	e00088e8ee	Rename some of the CA structs/files	7 years ago
Kyle Havlovitz	6e9f1f8acb	Add more metadata to structs.CARoot	7 years ago
Kyle Havlovitz	627aa80d5a	Use provider state table for a global serial index	7 years ago
Kyle Havlovitz	988510f53c	Add test for ca config http endpoint	7 years ago
Kyle Havlovitz	de72834b8c	Move connect CA provider to separate package	7 years ago
Mitchell Hashimoto	4f3b5647e5	agent/cache: change uint8 to uint	7 years ago
Mitchell Hashimoto	fc5508f8a3	agent/cache: string through attempt rather than storing on the entry	7 years ago
Mitchell Hashimoto	cfcd733609	agent/cache: implement refresh backoff	7 years ago
Mitchell Hashimoto	bc605a1576	agent/consul: change provider wait from goto to a loop	7 years ago
Mitchell Hashimoto	c8b65217c3	agent/consul: check nil on getCAProvider result	7 years ago
Mitchell Hashimoto	9b3495dddb	agent/consul: retry reading provider a few times	7 years ago
Mitchell Hashimoto	e54e69d11f	agent: verify local proxy tokens for CA leaf + tests	7 years ago
Mitchell Hashimoto	a099c27b07	agent: verify proxy token for ProxyConfig endpoint + tests	7 years ago
Mitchell Hashimoto	6e386ba6be	agent/proxy: pass proxy ID as an env var	7 years ago
Mitchell Hashimoto	37dde6d64a	agent/config: add managed proxy upstreams config to skip agent/config will turn [{}] into {} (single element maps into a single map) to work around HCL issues. These are resolved in HCL2 which I'm sure Consul will switch to eventually. This breaks the connect proxy configuration in service definition FILES since we call this patch function. For now, let's just special-case skip this. In the future we maybe Consul will adopt HCL2 and fix it, or we can do something else if we want. This works and is tested.	7 years ago
Mitchell Hashimoto	965a902474	agent/structs: validate service definitions, port required for proxy	7 years ago
Mitchell Hashimoto	9a62bce03b	agent/config: default connect enabled in dev mode This enables `consul agent -dev` to begin using Connect features with the built-in CA. I think this is expected behavior since you can imagine that new users would want to try. There is no real downside since we're just using the built-in CA.	7 years ago
Paul Banks	d13be6b952	Make CSR work with jank domain	7 years ago
Mitchell Hashimoto	de3f49a880	agent/proxy: delete pid file on Stop	7 years ago
Mitchell Hashimoto	aaca1fbcf5	agent: increase timer for blocking cache endpoints	7 years ago
Mitchell Hashimoto	b4ba31c61b	agent/proxy: address PR feedback	7 years ago
Mitchell Hashimoto	f5e7993249	agent: clarify why we Kill still	7 years ago
Mitchell Hashimoto	2809203408	agent: restore proxy snapshot but still Kill proxies	7 years ago
Mitchell Hashimoto	718aabe35f	agent/proxy: check if process is alive in addition to Wait	7 years ago
Mitchell Hashimoto	f5ccc65295	agent: only set the proxy manager data dir if its set	7 years ago
Mitchell Hashimoto	1a32435a4d	agent/proxy: improve comments on snapshotting	7 years ago
Mitchell Hashimoto	e0bbe66427	agent/proxy: implement periodic snapshotting in the manager	7 years ago
Mitchell Hashimoto	13ff115436	agent/proxy: check if process is alive	7 years ago
Mitchell Hashimoto	0e8c0b7b48	agent/proxy: implement snapshotting for daemons	7 years ago
Mitchell Hashimoto	b7580f4fad	agent/proxy: manager configures the daemon pid path to write pids	7 years ago
Mitchell Hashimoto	1e7f253b53	agent/proxy: write pid file whenever the daemon process changes	7 years ago
Mitchell Hashimoto	09dcb0be98	agent/proxy: change LogDir to DataDir to reuse for other things	7 years ago
Mitchell Hashimoto	5e6bd8291c	agent/proxy: make the logs test a bit more robust by waiting for file	7 years ago
Mitchell Hashimoto	d00ff7cb58	agent/proxy: don't create the directory in newProxy	7 years ago
Mitchell Hashimoto	6cdacd1fd9	agent/proxy: send logs to the correct location for daemon proxies	7 years ago
Mitchell Hashimoto	ba00fa3548	agent: add additional tests for defaulting in AddProxy	7 years ago
Mitchell Hashimoto	171bf8d599	agent: clean up defaulting of proxy configuration This cleans up and unifies how proxy settings defaults are applied.	7 years ago
Mitchell Hashimoto	3d3eee2f6e	agent: resolve some conflicts and fix tests	7 years ago
Mitchell Hashimoto	d9bd4ffebd	agent/local: clarify the non-risk of a full buffer	7 years ago
Mitchell Hashimoto	437689e83c	agent/local: remove outdated comment	7 years ago
Mitchell Hashimoto	6ae95d754c	agent: use os.Executable	7 years ago
Mitchell Hashimoto	39974df52a	agent/proxy: local state event coalescing	7 years ago
Mitchell Hashimoto	b0f377b519	agent/proxy: implement force kill of unresponsive proxy process	7 years ago
Mitchell Hashimoto	6539280f2a	agent: fix crash that could happen if proxy was nil on load	7 years ago
Mitchell Hashimoto	420edc4c1e	agent/proxy: pull exit status extraction to constrained file	7 years ago
Mitchell Hashimoto	1a2b28602c	agent: start proxy manager	7 years ago
Mitchell Hashimoto	7879e1d2ef	agent/proxy: detect config change to stop/start proxies	7 years ago
Mitchell Hashimoto	2d60684a8b	agent/proxy: test removing proxies and stopping them	7 years ago
Mitchell Hashimoto	fcd2ab2338	agent/proxy: manager and basic tests, not great coverage yet coming soon	7 years ago
Mitchell Hashimoto	2bd39a84a6	agent/local: add Notify mechanism for proxy changes	7 years ago
Mitchell Hashimoto	476ea7b04a	agent: start/stop proxies	7 years ago
Mitchell Hashimoto	fbfc6fce66	agent/proxy: clean up usage, can't be restarted	7 years ago
Mitchell Hashimoto	aaa2431350	agent: change connect command paths to be slices, not strings This matches other executable configuration and allows us to cleanly separate executable from arguments without trying to emulate shell parsing.	7 years ago
Mitchell Hashimoto	7355a614fe	agent/local: store proxy on local state, wip, not working yet	7 years ago
Mitchell Hashimoto	ffd284de36	agent/proxy: exponential backoff on restarts	7 years ago
Mitchell Hashimoto	aa08a4cb46	agent/proxy: Daemon works, tests cover it too	7 years ago
Mitchell Hashimoto	e14fa850d8	wip	7 years ago
Paul Banks	e0e12e165b	TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code.	7 years ago
Paul Banks	90c574ebaa	Wire up agent leaf endpoint to cache framework to support blocking.	7 years ago
Kyle Havlovitz	a4d18f0eaa	Fill out connect CA rpc endpoint tests	7 years ago
Kyle Havlovitz	b081c34255	Fix config tests	7 years ago
Kyle Havlovitz	cce7f1cca1	Add tests for the built in CA's state store table	7 years ago
Kyle Havlovitz	15fbc2fd97	Add more tests for built-in provider	7 years ago
Kyle Havlovitz	edcfdb37af	Fix some inconsistencies around the CA provider code	7 years ago
Paul Banks	1b197d934a	Don't allow connect watches in agent/cli yet	7 years ago
Paul Banks	e8c510332c	Support legacy watch.HandlerFunc type for backward compat reduces impact of change	7 years ago
Paul Banks	cd88b2a351	Basic `watch` support for connect proxy config and certificate endpoints. - Includes some bug fixes for previous `api` work and `agent` that weren't tested - Needed somewhat pervasive changes to support hash based blocking - some TODOs left in our watch toolchain that will explicitly fail on hash-based watches. - Integration into `connect` is partially done here but still WIP	7 years ago
Kyle Havlovitz	daa8dd1779	Add CA config to connect section of agent config	7 years ago
Kyle Havlovitz	32d1eae28b	Move ConsulCAProviderConfig into structs package	7 years ago
Kyle Havlovitz	315b8bf594	Simplify the CAProvider.Sign method	7 years ago
Kyle Havlovitz	c6e1b72ccb	Simplify the CA provider interface by moving some logic out	7 years ago
Kyle Havlovitz	a325388939	Clarify some comments and names around CA bootstrapping	7 years ago
Mitchell Hashimoto	8c1d5a2cdc	agent: resolve flaky test by checking cache hits increase, rather than exact	7 years ago
Mitchell Hashimoto	051f004683	agent: use helper/retry instead of timing related tests	7 years ago
Mitchell Hashimoto	bd3b8e042a	agent/cache: address PR feedback, lots of typos	7 years ago
Mitchell Hashimoto	02b20a0353	agent/cache: address feedback, clarify comments	7 years ago
Mitchell Hashimoto	af1d70b026	agent/cache: don't every block on NotifyCh	7 years ago
Mitchell Hashimoto	724b829104	agent/cache: unit tests for ExpiryHeap, found a bug!	7 years ago
Mitchell Hashimoto	194b256861	agent/cache: send the total entries count on eviction to go-metrics	7 years ago
Mitchell Hashimoto	e0d964188c	agent/cache: make edge case with prev/next idx == 0 handled better	7 years ago
Mitchell Hashimoto	3b550d2b72	agent/cache: rework how expiry data is stored to be more efficient	7 years ago
Mitchell Hashimoto	595193a781	agent/cache: initial TTL work	7 years ago
Mitchell Hashimoto	1df99514ca	agent/cache: send the RefreshTimeout into the backend fetch	7 years ago
Mitchell Hashimoto	db4c47df27	agent/cache: on error, return from Get immediately, don't block forever	7 years ago
Mitchell Hashimoto	cc2c98f961	agent/cache: lots of comment/doc updates	7 years ago
Mitchell Hashimoto	6c01e402e0	agent: augment /v1/connect/authorize to cache intentions	7 years ago
Mitchell Hashimoto	0f3f3d13ca	agent/cache-types: support intention match queries	7 years ago
Mitchell Hashimoto	e1c1b8812a	agent/cache: return the error as part of Get	7 years ago
Mitchell Hashimoto	00e7ab3cd5	agent/cache: integrate go-metrics so the cache is debuggable	7 years ago
Mitchell Hashimoto	9f3dbf7b2a	agent/structs: DCSpecificRequest sets all the proper fields for CacheInfo	7 years ago
Mitchell Hashimoto	be873d2558	agent/cache-types/ca-leaf: proper result for timeout, race on setting CA	7 years ago
Mitchell Hashimoto	fcb15e15ae	agent/cache: support timeouts for cache reads and empty fetch results	7 years ago
Mitchell Hashimoto	e81942df7a	agent/cache-types: rename to separate root and leaf cache types	7 years ago
Mitchell Hashimoto	8e7c517db1	agent/cache-types: got basic CA leaf caching work, major problems still	7 years ago
Mitchell Hashimoto	917a9e63d5	agent: check cache hit count to verify CA root caching, background update	7 years ago
Mitchell Hashimoto	6902d721d6	agent: initialize the cache and cache the CA roots	7 years ago
Mitchell Hashimoto	c329b4cb34	agent/cache: partition by DC/ACL token	7 years ago
Mitchell Hashimoto	e3c1162881	agent/cache: Reorganize some files, RequestInfo struct, prepare for partitioning	7 years ago
Mitchell Hashimoto	b0db5657c4	agent/cache: ConnectCA roots caching type	7 years ago
Mitchell Hashimoto	975be337a9	agent/cache: blank cache key means to always fetch	7 years ago
Mitchell Hashimoto	1cfb0f1922	agent/cache: initial kind-of working cache	7 years ago
Kyle Havlovitz	33418afd3c	Add cross-signing mechanism to root rotation	7 years ago
Kyle Havlovitz	d83fbfc766	Add the root rotation mechanism to the CA config endpoint	7 years ago
Kyle Havlovitz	f9d92d795e	Have the built in CA store its state in raft	7 years ago

... 7 8 9 10 11 ...

1706 Commits (0687e2fe934e1313eb0bb0b4bc003b44fde2e762)