Commit Graph

9559 Commits (0f52a3ec800fc7a9dd0314debefec611f868f098)

Author SHA1 Message Date
kaitlincarter-hc 9b1bc8d96d
[Docs] Production Guide for ACLs (#5385)
* New guide for ACLs

* Fixing some formatting issues.

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Resolving PR comments.

* Closing the rest of the PR comments

* Updates for persistence.

* Updating commands.

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2019-03-06 10:46:07 -06:00
Chip Vaughn f658748a79
Merge pull request #5420 from hashicorp/f-catalog-changes
Catalog API Doc Changes
2019-03-06 11:00:37 -05:00
Chip Vaughn ea38ad18f1 Update to registering services via Catalog API 2019-03-06 09:41:12 -05:00
Chip Vaughn ad25767416 Update to registering services via Catalog API 2019-03-06 09:23:37 -05:00
Hans Hasselberg eb0895c5fb
tlsutil: don't use `server_name` config for RPC connections (#5394)
* server name only for outgoing https for checks
2019-03-05 21:35:43 +01:00
R.B. Boyer 2ffbea41c8 improve flaky LANReap tests by expliciting configuring the tombstone timeout
In TestServer_LANReap autopilot is running, so the alternate flow
through the serf reaping function is possible. In that situation the
ReconnectTimeout is not relevant so for parity also override the
TombstoneTimeout value as well.

For additional parity update the TestServer_WANReap and
TestClient_LANReap versions of this test in the same way even though
autopilot is irrelevant here .
2019-03-05 14:34:03 -06:00
R.B. Boyer 5bea49ecb0 tests: avoid leaking child processes from agent/proxyprocess package 2019-03-05 14:29:25 -06:00
R.B. Boyer a99f7aaa25 website: fix broken links 2019-03-05 14:24:33 -06:00
Hans Hasselberg feaece034b
website: fix gemfile.lock (#5429) 2019-03-05 20:55:04 +01:00
Matt Keeler a4e2fe67eb Putting source back into Dev Mode 2019-03-05 19:26:42 +00:00
Matt Keeler 9e7d0ff2d4 Merge branch 'master' of https://github.com/hashicorp/consul 2019-03-05 19:05:53 +00:00
novotnyr aa6a392489 [docs] Add IntelliJ Consul to the list of community tools (#5379) 2019-03-05 13:58:03 +01:00
Matt Keeler 567e41ff6b
Release v1.4.3 2019-03-04 19:21:20 +00:00
Matt Keeler 67f4633134 Update Changelog 2019-03-04 19:18:25 +00:00
Matt Keeler 90040f8bff Fixes for CVE-2019-8336
Fix error in detecting raft replication errors.

Detect redacted token secrets and prevent attempting to insert.

Add a Redacted field to the TokenBatchRead and TokenRead RPC endpoints

This will indicate whether token secrets have been redacted.

Ensure any token with a redacted secret in secondary datacenters is removed.

Test that redacted tokens cannot be replicated.
2019-03-04 19:13:24 +00:00
Chip Vaughn ae8f273a92 Update to registering services via Catalog API 2019-03-04 09:46:37 -05:00
Chip Vaughn 9e91906664 Update to registering services via Catalog API 2019-03-04 09:45:24 -05:00
Matt Keeler 59cca0b975
Update CHANGELOG.md 2019-03-04 09:43:51 -05:00
Hans Hasselberg d35824b1fa default to tls 1.2 as promised. (#5340) 2019-03-04 09:42:04 -05:00
Matt Keeler 7a418f70cf
Update CHANGELOG.md 2019-03-04 09:35:13 -05:00
Aestek 2aac4d5168 Register and deregisters services and their checks atomically in the local state (#5012)
Prevent race between register and deregister requests by saving them
together in the local state on registration.
Also adds more cleaning in case of failure when registering services
/ checks.
2019-03-04 09:34:05 -05:00
Matt Keeler 219e9f8297
Update CHANGELOG.md 2019-03-04 09:29:54 -05:00
Matt Keeler 6e6910ea11
Dont modify memdb owned token data for get/list requests of tokens (#5412)
Previously we were fixing up the token links directly on the *ACLToken returned by memdb. This invalidated some assumptions that a snapshot is immutable as well as potentially being able to cause a crash.

The fix here is to give the policy link fixing function copy on write semantics. When no fixes are necessary we can return the memdb object directly, otherwise we copy it and create a new list of links.

Eventually we might find a better way to keep those policy links in sync but for now this fixes the issue.
2019-03-04 09:28:46 -05:00
Aestek 02f991843f Fix race condition in DNS when using cache (#5398)
* Fix race condition in DNS when using cache

The healty node filtering was modifying the result from the cache, which
caused a crash when multiple queries were made to the same service
simultaneously.
We now copy the node slice before filtering to ensure we do not modify
the data stored in the cache.

* Fix wording in dns cache config doc

s/dns_max_age/cache_max_age/
2019-03-04 09:22:01 -05:00
Matt Keeler 767b8c22ea
Update CHANGELOG.md 2019-03-04 09:20:58 -05:00
Matt Keeler 200c0fb3e9
Call RemoveServer for reap events (#5317)
This ensures that servers are removed from RPC routing when they are reaped.
2019-03-04 09:19:35 -05:00
R.B. Boyer 409c901f8e test: fix concurrent map access when setting up test vault 2019-03-01 14:30:19 -06:00
R.B. Boyer 6955186239 fix ignored errors in state store internals as reported by errcheck 2019-03-01 14:18:00 -06:00
R.B. Boyer c7067645dd fix a few leap-year related clock math inaccuracies and failing tests 2019-03-01 13:51:49 -06:00
Hans Hasselberg e64c5c5899 typo (#5407) 2019-03-01 08:51:37 -06:00
Matt Keeler 4833c5dee5
Update CHANGELOG.md 2019-02-27 14:29:41 -05:00
Matt Keeler 118adbb123
ACL Token Persistence and Reloading (#5328)
This PR adds two features which will be useful for operators when ACLs are in use.

1. Tokens set in configuration files are now reloadable.
2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload)

Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change.

Some other secondary changes:

* Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly.
* Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. 
* Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents.
* Docs updated to reflect the API additions and to show using the new endpoints.
* Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 14:28:31 -05:00
Kyle Havlovitz f07e928afc
Merge pull request #5325 from hashicorp/consul-ca-panic
connect/ca: fix a potential panic in the Consul provider
2019-02-27 09:43:44 -08:00
Hans Hasselberg 80e7d63fc2
Centralise tls configuration part 2 (#5374)
This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually!

This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 10:14:59 +01:00
danielehc f3610df40b Add more details on SkipNodeUpdate option (#5345)
* Add more details on SkipNodeUpdate option

* Updating the language for the entire parameter.
2019-02-26 11:00:23 -06:00
Hans Hasselberg 786b3b1095
Centralise tls configuration part 1 (#5366)
In order to be able to reload the TLS configuration, we need one way to generate the different configurations.

This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`.

This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 16:52:07 +01:00
Jack Pearkes cce1c14fac
website: update bootstrap-saas depenency (#5387)
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
2019-02-25 11:52:00 -08:00
Matt Keeler 6645d714d7
Update CHANGELOG.md 2019-02-25 14:07:14 -05:00
Aestek f1cdfbe40e Allow DNS interface to use agent cache (#5300)
Adds two new configuration parameters "dns_config.use_cache" and
"dns_config.cache_max_age" controlling how DNS requests use the agent
cache when querying servers.
2019-02-25 14:06:01 -05:00
R.B. Boyer c2a30c5fdd fix incorrect body of TestACLEndpoint_PolicyBatchRead
Lifted from PR #5307 as it was an unrelated drive-by fix on that PR anyway.

s/token/policy/
2019-02-22 09:32:51 -06:00
Paul Banks 360e3acc7c Add common blocking implementation details to docs (#5358)
* Add common blocking implementation details to docs

These come up over and over again with blocking query loops in our own code and third-party's. #5333 is possibly a case (unconfirmed) where "badly behaved" blocking clients cause issues, however since we've never explicitly documented these things it's not reasonable for third-party clients to have guessed that they are needed!

This hopefully gives us something to point to for the future.

It's a little wordy - happy to consider breaking some of the blocking stuff out of this page if we think it's appropriate but just wanted to quickly plaster over this gap in our docs for now.

* Update index.html.md

* Apply suggestions from code review

Co-Authored-By: banks <banks@banksco.de>

* Update index.html.md

* Update index.html.md

* Clearified monotonically

* Fixing formating
2019-02-21 15:33:45 -06:00
R.B. Boyer 00aa50cfa2 website: fix errant mention of 'snapshot save' on docs for 'snapshot restore' 2019-02-21 13:48:20 -06:00
R.B. Boyer 1598c787ae
Merge pull request #5344 from hashicorp/test-no-log-buffer
testutil: Set the environment variable NOLOGBUFFER=1 to have test agent logs go straight to stdout
2019-02-21 10:35:45 -06:00
R.B. Boyer df19c8a889
Merge pull request #5361 from hashicorp/update-some-tests-to-new-tokens
update agent/agent_endpoint_test.go to use V2 tokens with attached policies
2019-02-21 10:35:28 -06:00
kaitlincarter-hc 193c0b727b
[Docs] Helm Chart (#5350)
* Updating the Helm chart to include ACL parameter and examples.

* Updates based on feedback.

* Update website/source/docs/platform/k8s/helm.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2019-02-20 18:27:28 -06:00
R.B. Boyer b569f222f9 update agent/agent_endpoint_test.go to use V2 tokens with attached policies 2019-02-20 11:11:47 -06:00
kaitlincarter-hc a093af320c
[docs] ACL reset procedure (#5334)
* Adding reset instructions.

* Added link to the boostrapping guide for the reset procedure.

* Update website/source/docs/guides/acl.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/acl.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/acl.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2019-02-19 10:45:23 -06:00
Paul Banks 07e5308206
Update CHANGELOG.md 2019-02-19 13:46:58 +00:00
Nicholas Jackson 99fe9dabce Envoy config cluster (#5308)
* Start adding tests for cluster override

* Refactor tests for clusters

* Passing tests for custom upstream cluster override

* Added capability to customise local app cluster

* Rename config for local cluster override
2019-02-19 13:45:33 +00:00
Paul Banks aa338f7d86
Update CHANGELOG.md 2019-02-19 11:46:38 +00:00