Matt Keeler
677d6dac80
Remove x509 name constraints
...
These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
2018-06-25 12:26:10 -07:00
Matt Keeler
163fe11101
Make sure we omit the Kind value in JSON if empty
2018-06-25 12:26:10 -07:00
Jack Pearkes
105c4763dc
update UI to latest
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
3baa67cdef
connect/ca: pull the cluster ID from config during a rotation
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
8c2c9705d9
connect/ca: use weak type decoding in the Vault config parsing
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
b4ef7bb64d
connect/ca: leave blank root key/cert out of the default config (unnecessary)
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
050da22473
connect/ca: undo the interface changes and use sign-self-issued in Vault
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
914d9e5e20
connect/ca: add leaf verify check to cross-signing tests
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
bc997688e3
connect/ca: update Consul provider to use new cross-sign CSR method
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
8a70ea64a6
connect/ca: update Vault provider to add cross-signing methods
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
6a2fc00997
connect/ca: add URI SAN support to the Vault provider
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
226a59215d
connect/ca: fix vault provider URI SANs and test
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
1a8ac686b2
connect/ca: add the Vault CA provider
2018-06-25 12:25:41 -07:00
Paul Banks
51fc48e8a6
Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
2018-06-25 12:25:41 -07:00
Paul Banks
e33bfe249e
Note leadership issues in comments
2018-06-25 12:25:41 -07:00
Paul Banks
b5f24a21cb
Fix test broken by final telemetry PR change!
2018-06-25 12:25:40 -07:00
Paul Banks
e514570dfa
Actually return Intermediate certificates bundled with a leaf!
2018-06-25 12:25:40 -07:00
Matt Keeler
e22b9c8e15
Output the service Kind in the /v1/internal/ui/services endpoint
2018-06-25 12:25:40 -07:00
Paul Banks
17789d4fe3
register TCP check for managed proxies
2018-06-25 12:25:40 -07:00
Paul Banks
280f14d64c
Make proxy only listen after initial certs are fetched
2018-06-25 12:25:40 -07:00
Paul Banks
420ae3df69
Limit proxy telemetry config to only be visible with authenticated with a proxy token
2018-06-25 12:25:39 -07:00
Paul Banks
597e55e8e2
Misc test fixes
2018-06-25 12:25:39 -07:00
Paul Banks
c6ef6a61c9
Refactor to use embedded struct.
2018-06-25 12:25:39 -07:00
Paul Banks
9f559da913
Revert telemetry config changes ready for cleaner approach
2018-06-25 12:25:39 -07:00
Paul Banks
38405bd4a9
Allow user override of proxy telemetry config
2018-06-25 12:25:38 -07:00
Paul Banks
7649d630c6
Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about
2018-06-25 12:25:38 -07:00
Paul Banks
d83f2e8e21
Expose telemetry config from RuntimeConfig to proxy config endpoint
2018-06-25 12:25:38 -07:00
Paul Banks
8aeb7bd206
Disable TestAgent proxy execution properly
2018-06-25 12:25:38 -07:00
Paul Banks
2e223ea2b7
Fix hot loop in cache for RPC returning zero index.
2018-06-25 12:25:37 -07:00
Paul Banks
43b48bc06b
Get agent cache tests passing without global hit count (which is racy).
...
Few other fixes in here just to get a clean run locally - they are all also fixed in other PRs but shouldn't conflict.
This should be robust to timing between goroutines now.
2018-06-25 12:25:37 -07:00
Mitchell Hashimoto
155bb67c52
Update UI for beta3
2018-06-25 12:25:16 -07:00
Mitchell Hashimoto
6b1e0a3003
agent/cache: always schedule the refresh
2018-06-25 12:25:14 -07:00
Mitchell Hashimoto
7cbbac43a3
agent: clarify comment
2018-06-25 12:25:14 -07:00
Mitchell Hashimoto
a08faf5a11
agent: add additional assertion to test
2018-06-25 12:25:13 -07:00
Paul Banks
2c21ead80e
More test tweaks
2018-06-25 12:25:13 -07:00
Paul Banks
05a8097c5d
Fix misc test failures (some from other PRs)
2018-06-25 12:25:13 -07:00
Paul Banks
382ce8f98a
Only set precedence on write path
2018-06-25 12:25:13 -07:00
Paul Banks
4a54f8f7e3
Fix some tests failures caused by the sorting change and some cuased by previous UpdatePrecedence() change
2018-06-25 12:25:13 -07:00
Paul Banks
bf7a62e0e0
Sort intention list by precedence
2018-06-25 12:25:13 -07:00
Mitchell Hashimoto
181fbcc9b9
agent: intention update/delete responess match ACL/KV behavior
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
3c17144fb5
agent/structs: JSON marshal the configuration for a managed proxy
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
e9e6514c9b
agent: disallow deregistering a managed proxy directly
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
66a573e496
agent: deregister service deregisters the proxy along with it
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
a82726f0b8
agent: RemoveProxy also removes the proxy service
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
e2653bec02
Fix broken tests from PR merge related to proxy secure defaults
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
cf9b377c78
agent/cache: always fetch with minimum index of 1 at least
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
6a438c25d0
agent/proxy: remove debug println
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
0d6dcbd2f1
agent: disallow API registration with managed proxy if not enabled
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
f7fc026e18
agent/config: AllowManagedAPIRegistration
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
ed98d65c2b
agent/proxy: AllowRoot to disable executing managed proxies when root
2018-06-25 12:25:11 -07:00