Commit Graph

15153 Commits (0a3ded7dccad36f61603a1fd63a1077d43e7053e)

Author SHA1 Message Date
trujillo-adam ec7526caaa
Update website/content/docs/connect/proxies/envoy.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-08-09 13:36:28 -07:00
trujillo-adam 7d00adb824
Update website/content/docs/connect/proxies/envoy.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-08-09 13:36:07 -07:00
trujillo-adam 3fabe18acd docs: adding env var info, resolves #7926 2021-08-09 13:14:02 -07:00
Blake Covarrubias 6a68bfc5e1
cli: Test API access using /status/leader in consul watch (#10795)
Replace call to /agent/self with /status/leader to verify agent
reachability before initializing a watch. This endpoint is not guarded
by ACLs, and as such can be queried by any API client regardless of
their permissions.

Fixes #9353
2021-08-09 09:00:33 -07:00
Daniel Nephin 67fc97522f server: remove defaulting of PrimaryDatacenter
The constructor for Server is not at all the appropriate place to be setting default
values for a config struct that was passed in.

In production this value is always set from agent/config. In tests we should set the
default in a test helper.
2021-08-06 18:45:24 -04:00
Daniel Nephin d3325b0253
Merge pull request #10612 from bigmikes/acl-replication-fix
acl: acl replication routine to report the last error message
2021-08-06 18:29:51 -04:00
Daniel Nephin 7160f7a614 acl: remove ACLDatacenter
This field has been unnecessary for a while now. It was always set to the same value
as PrimaryDatacenter. So we can remove the duplicate field and use PrimaryDatacenter
directly.

This change was made by GoLand refactor, which did most of the work for me.
2021-08-06 18:27:00 -04:00
Giulio Micheloni d4a3fe33e8 String type instead of error type and changelog. 2021-08-06 22:35:27 +01:00
Mike Morris cbab337803
changelog: add 1.10.1, 1.9.8 and 1.8.14 2021-08-05 18:09:57 -04:00
Daniel Nephin 5c7589c84a
Merge pull request #10743 from hashicorp/dnephin/acl-resolver-2
acl: decouple filtering from ACLResolver and remove a couple methods
2021-08-05 15:47:05 -04:00
Daniel Nephin e1f04e8c96
Merge pull request #10742 from hashicorp/dnephin/acl-resolver
acl: move agent/consul vet functions
2021-08-05 15:36:49 -04:00
Daniel Nephin b837ba35a0 acl: remove Server.ResolveTokenIdentityAndDefaultMeta
This method suffered from similar naming to a couple other methods on Server, and had not great
re-use (2 callers). By copying a few of the lines into one of the callers we can move the
implementation into the second caller.

Once moved, we can see that ResolveTokenAndDefaultMeta is identical in both Client and Server, and
likely should be further refactored, possibly into ACLResolver.

This change is being made to make ACL resolution easier to trace.
2021-08-05 15:20:13 -04:00
Daniel Nephin 6cf6e7c5fe acl: remove Server.ResolveTokenToIdentityAndAuthorizer
This method was an alias for ACLResolver.ResolveTokenToIdentityAndAuthorizer. By removing the
method that does nothing the code becomes easier to trace.
2021-08-05 15:20:13 -04:00
Daniel Nephin cc4f155801 acl: recouple acl filtering from ACLResolver
ACL filtering only needs an authorizer and a logger. We can decouple filtering from
the ACLResolver by passing in the necessary logger.

This change is being made in preparation for moving the ACLResolver into an acl package
2021-08-05 15:20:13 -04:00
Daniel Nephin 111f3620a8 acl: remove unused error return
filterACLWithAuthorizer could never return an error. This change moves us a little bit
closer to being able to enable errcheck and catch problems caused by unhandled error
return values.
2021-08-05 15:20:13 -04:00
Daniel Nephin c0100543d0 acl: rename acl.Authorizer vars to authz
For consistency
2021-08-05 15:19:47 -04:00
Daniel Nephin 4f5477ccfa acl: move vet functions
These functions are moved to the one place they are called to improve code locality.

They are being moved out of agent/consul/acl.go in preparation for moving
ACLResolver to an acl package.
2021-08-05 15:19:24 -04:00
Daniel Nephin c4eadb6b96 acl: move vetRegisterWithACL and vetDeregisterWithACL
These functions are used in only one place. Move the functions next to their one caller
to improve code locality.

This change is being made in preparation for moving the ACLResolver into an
acl package. The moved functions were previously in the same file as the ACLResolver.
By moving them out of that file we may be able to move the entire file
with fewer modifications.
2021-08-05 15:17:54 -04:00
Daniel Nephin 1deba421c7
Merge pull request #10770 from hashicorp/dnephin/log-cert-expiration
telemetry: add log message when certs are about to expire
2021-08-05 15:17:20 -04:00
Daniel Nephin 0c42b38c92
Merge pull request #10793 from hashicorp/dnephin/acl-intentions
acl: small cleanup of a couple Authorization flows
2021-08-05 15:16:49 -04:00
Dhia Ayachi b495036823
defer setting the state before returning to avoid stuck in `INITIALIZING` state (#10630)
* defer setting the state before returning to avoid being stuck in `INITIALIZING` state

* add changelog

* move comment with the right if statement

* ca: report state transition error from setSTate

* update comment to reflect state transition

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-05 14:51:19 -04:00
sridhar 8b4672f644
Update website/content/docs/k8s/connect/ingress-gateways.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-08-04 16:25:36 -07:00
Daniel Nephin e94016872a
Merge pull request #10768 from hashicorp/dnephin/agent-tls-cert-expiration-metric
telemetry: add Agent TLS Certificate expiration metric
2021-08-04 18:42:02 -04:00
Daniel Nephin c718de730b acl: remove special handling of services in txn_endpoint
Follow up to: https://github.com/hashicorp/consul/pull/10738#discussion_r680190210

Previously we were passing an Authorizer that would always allow the
operation, then later checking the authorization using vetServiceTxnOp.

On the surface this seemed strange, but I think it was actually masking
a bug as well. Over time `servicePreApply` was changed to add additional
authorization for `service.Proxy.DestinationServiceName`, but because
we were passing a nil Authorizer, that authorization was not handled on
the txn_endpoint.

`TxnServiceOp.FillAuthzContext` has some special handling in enterprise,
so we need to make sure to continue to use that from the Txn endpoint.

This commit removes the `vetServiceTxnOp` function, and passes in the
`FillAuthzContext` function so that `servicePreApply` can be used by
both the catalog and txn endpoints. This should be much less error prone
and prevent bugs like this in the future.
2021-08-04 18:32:20 -04:00
hc-github-team-consul-core af9acf4943 auto-updated agent/uiserver/bindata_assetfs.go from commit bcd53e73a 2021-08-04 22:27:44 +00:00
Kenia bcd53e73a2
ui: Add Vault as a Service External Source (#10769) 2021-08-04 18:22:43 -04:00
Daniel Nephin 5b2e5882b4 acl: move check for Intention.DestinationName into Authorizer
Follow up to https://github.com/hashicorp/consul/pull/10737#discussion_r680134445

Move the check for the Intention.DestinationName into the Authorizer to remove the
need to check what kind of Authorizer is being used.

It sounds like this check is only for legacy ACLs, so is probably just a safeguard
.
2021-08-04 18:06:44 -04:00
Daniel Nephin bbce192b4d
Merge pull request #10738 from hashicorp/dnephin/remove-authorizer-nil-checks-2
acl: remove the last of the authz == nil checks
2021-08-04 17:41:40 -04:00
Daniel Nephin 9cdd823ffc
Merge pull request #10737 from hashicorp/dnephin/remove-authorizer-nil-checks
acl: remove authz == nil checks
2021-08-04 17:39:34 -04:00
trujillo-adam c5824a834b
Merge pull request #10763 from hashicorp/docs-proxy-integration-improvements
general language and readability improvements to proxy integration docs
2021-08-04 14:36:47 -07:00
Daniel Nephin 4979b712b5
Merge pull request #10727 from hashicorp/dependabot-configuration
Add initial Dependabot configuration
2021-08-04 17:09:17 -04:00
trujillo-adam 5913aca502 Applying more feedback from @black and @karl-cardenas-coding 2021-08-04 14:02:42 -07:00
trujillo-adam 8ec29432d2 Applying feedback from @blake 2021-08-04 11:29:21 -07:00
Daniel Nephin 0e58e1ac4b telemetry: add log message when certs are about to expire 2021-08-04 14:18:59 -04:00
Daniel Nephin 9420506fae telemetry: fix a couple bugs in cert expiry metrics
1. do not emit the metric if Query fails
2. properly check for PrimaryUsersIntermediate, the logic was inverted

Also improve the logging by including the metric name in the log message
2021-08-04 13:51:44 -04:00
Daniel Nephin 8c575445da telemetry: add a metric for agent TLS cert expiry 2021-08-04 13:51:44 -04:00
trujillo-adam ee1de179ed
Update website/content/docs/connect/proxies/integrate.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-08-04 10:44:06 -07:00
Dhia Ayachi cfa9cf6d84
fix state index for `CAOpSetRootsAndConfig` op (#10675)
* fix state index for `CAOpSetRootsAndConfig` op

* add changelog

* Update changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* remove the change log as it's not needed

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-04 13:07:49 -04:00
hc-github-team-consul-core 2f6c95011b auto-updated agent/uiserver/bindata_assetfs.go from commit 8ad1ab9c0 2021-08-04 16:47:13 +00:00
Kenia 8ad1ab9c08
ui: Fix Health Checks in K/V form Lock Sessions Info section (#10767) 2021-08-04 12:41:41 -04:00
trujillo-adam 31b9058602 general language and readability improvements to proxy integration docs 2021-08-03 15:56:56 -07:00
Evan Culver 710bd90ef7
checks: Add Interval and Timeout to API response (#10717) 2021-08-03 15:26:49 -07:00
Daniel Nephin 8ecf26af6e
Merge pull request #10601 from hashicorp/joshwolfer-patch-1
docs: link to config entries from enable_central_service_config
2021-08-03 16:35:23 -04:00
joshwolfer 63a650028e Update options.mdx
add service config link to description of enable_central_service_config.
2021-08-03 15:36:51 -04:00
Blake Covarrubias 370a76ff3e
docs: Fix service checks docs on session endpoint (#10759)
The ServiceChecks parameter was incorrectly documented in e515c9d44 to
state that it accepted a list of string values, when actually the API
requires an array of ServiceCheck objects.

This commit updates the docs for the parameter to correctly reflect
the fields required by the API.

Resolves #10752
2021-08-03 09:57:31 -07:00
Matt Explosion 06f27fa088 Updated link to repo for native Scala Consul client Helm 2021-08-02 22:01:05 -07:00
Blake Covarrubias 734fd1949f
docs: Note proxy-defaults can globally set service protocol (#10649)
Add a note to the docs for the service defaults config entry which
informs users that the service protocol can be configured for all
services using the proxy defaults config entry.

Resolves #8279

Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-08-02 13:23:58 -07:00
Blake Covarrubias 17e18df81e
docs: Document supported `consul connect` env vars (#10667)
Document the ability to specify `-sidecar-for` and `-proxy-id` flags
via environment variables.
2021-08-02 12:50:51 -07:00
Blake Covarrubias e1c4088ba3 website: Add redirect for /connect/ingress-gateways
Add redirect /docs/connect/ingress-gateways, which currently returns
404, to /docs/connect/gateways/ingress-gateway.

Fixes #10748
2021-08-02 11:58:49 -07:00
Blake Covarrubias 46b1de8467
docs: Add namespace parameter to additional HTTP endpoints (#10731)
Document the namespace parameter can be specified on HTTP Check,
Connect CA leaf, and Discovery Chain API endpoints.

Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-08-02 11:55:23 -07:00