Commit Graph

51 Commits (282c8dccf075cbdfcd7a638507a94912db884e5f)

Author SHA1 Message Date
Daniel Nephin a631378008
Merge pull request #11468 from hashicorp/dnephin/acl-docs-namespace-rules
docs: update docs about namespace default policy/role
2021-11-26 14:00:30 -05:00
Daniel Nephin 7bfe50a914 docs: update docs about namespace default policy/role
To include details about the permissions the ACL token must have to perform the request.
2021-11-26 13:47:45 -05:00
trujillo-adam 3ffa05495e
Merge pull request #11307 from hashicorp/docs/admin-partitions-cli-v1.11.0
admin partition docs part 1 - cli
2021-11-02 14:44:43 -07:00
Daniel Upton d47b7311b8
Support Check-And-Set deletion of config entries (#11419)
Implements #11372
2021-11-01 16:42:01 +00:00
trujillo-adam 138f9f31e6
Apply suggestions from code review
fixed typos

Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-11-01 08:08:04 -07:00
Chris S. Kim ff6a33511e
docs: Document datacenter limitations for admin partitions (#11425) 2021-10-26 15:35:39 -04:00
Karl Cardenas 8e1bfbae56
docs: added deprecation message to CLI command intentions overview page 2021-10-21 10:29:23 -07:00
trujillo-adam 12473899c7 applying cfeedback left in comments 2021-10-19 16:19:40 -07:00
trujillo-adam b1d73bee0a
Apply suggestions from code review
Applying some of the feedback from review

Co-authored-by: Freddy <freddygv@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
2021-10-19 15:27:23 -07:00
trujillo-adam 44fd6b6638
Update website/content/commands/admin-partition.mdx
Co-authored-by: David Yu <dyu@hashicorp.com>
2021-10-19 13:36:43 -07:00
trujillo-adam d3e3d70fbd admin partition docs part 1 - cli 2021-10-13 15:37:01 -07:00
Evan Culver df4bc6a924
Update default version in command docs 2021-10-01 11:13:34 -07:00
Freddy 8d83d27674
connect: update envoy supported versions to latest patch release
(#10961)

Relevant advisory: 
https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h
2021-08-31 10:39:18 -06:00
Daniel Nephin 26ef0df458 docs: update CLI reference docs for debug
the cluster target was renamed to members.
2021-08-18 12:29:34 -04:00
Blake Covarrubias 8aa89c2c12
docs: Clarify ingress gateway's -address flag (#10810)
Clarify the function of `-address` flag when instantiating an ingress
gateway.

Resolves #9849

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2021-08-12 14:56:07 -07:00
Mark Anderson d3cebbd32c
Fixup to support unix domain socket via command line (#10758)
Missed the need to add support for unix domain socket config via
api/command line. This is a variant of the problems described in
it is easy to drop one.

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-08-12 10:05:22 -07:00
Blake Covarrubias 99b1d8ed8c docs: Update code blocks across website
* Use CodeTabs for examples in multiple formats.
* Ensure correct language on code fences.
* Use CodeBlockConfig for examples with filenames, or which need
highlighted content.
2021-08-11 13:20:03 -07:00
Blake Covarrubias 17e18df81e
docs: Document supported `consul connect` env vars (#10667)
Document the ability to specify `-sidecar-for` and `-proxy-id` flags
via environment variables.
2021-08-02 12:50:51 -07:00
Blake Covarrubias 26738ac65e docs: Add version callout for `kv import -prefix`
Add a sentence stating the version of Consul that introduced the
`-prefix` option for `consul kv import`.

Resolves #10172
2021-07-26 09:45:24 -07:00
Blake Covarrubias 832896ed11 docs: Fix spelling errors across website 2021-07-19 14:29:54 -07:00
Iryna Shustava 95305881ce
cli/sdk: Allow applying redirect-traffic rules in a provided Linux namespace (#10564) 2021-07-13 10:05:48 -06:00
Matt Keeler 76857dd682
Update 1.10 enterprise upgrade docs. (#10446)
Co-authored-by: Paul Banks <banks@banksco.de>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
2021-06-22 14:39:11 -04:00
Dhia Ayachi 005ad9e46d
generate a single debug file for a long duration capture (#10279)
* debug: remove the CLI check for debug_enabled

The API allows collecting profiles even debug_enabled=false as long as
ACLs are enabled. Remove this check from the CLI so that users do not
need to set debug_enabled=true for no reason.

Also:
- fix the API client to return errors on non-200 status codes for debug
  endpoints
- improve the failure messages when pprof data can not be collected

Co-Authored-By: Dhia Ayachi <dhia@hashicorp.com>

* remove parallel test runs

parallel runs create a race condition that fail the debug tests

* snapshot the timestamp at the beginning of the capture

- timestamp used to create the capture sub folder is snapshot only at the beginning of the capture and reused for subsequent captures
- capture append to the file if it already exist

* Revert "snapshot the timestamp at the beginning of the capture"

This reverts commit c2d03346

* Refactor captureDynamic to extract capture logic for each item in a different func

* snapshot the timestamp at the beginning of the capture

- timestamp used to create the capture sub folder is snapshot only at the beginning of the capture and reused for subsequent captures
- capture append to the file if it already exist

* Revert "snapshot the timestamp at the beginning of the capture"

This reverts commit c2d03346

* Refactor captureDynamic to extract capture logic for each item in a different func

* extract wait group outside the go routine to avoid a race condition

* capture pprof in a separate go routine

* perform a single capture for pprof data for the whole duration

* add missing vendor dependency

* add a change log and fix documentation to reflect the change

* create function for timestamp dir creation and simplify error handling

* use error groups and ticker to simplify interval capture loop

* Logs, profile and traces are captured for the full duration. Metrics, Heap and Go routines are captured every interval

* refactor Logs capture routine and add log capture specific test

* improve error reporting when log test fail

* change test duration to 1s

* make time parsing in log line more robust

* refactor log time format in a const

* test on log line empty the earliest possible and return

Co-authored-by: Freddy <freddygv@users.noreply.github.com>

* rename function to captureShortLived

* more specific changelog

Co-authored-by: Paul Banks <banks@banksco.de>

* update documentation to reflect current implementation

* add test for behavior when invalid param is passed to the command

* fix argument line in test

* a more detailed description of the new behaviour

Co-authored-by: Paul Banks <banks@banksco.de>

* print success right after the capture is done

* remove an unnecessary error check

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* upgraded github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57 => v0.0.0-20210601050228-01bbb1931b22

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
Co-authored-by: Paul Banks <banks@banksco.de>
2021-06-07 13:00:51 -04:00
Matt Keeler af3ffdf4c8
Add license inspect command documentation and changelog (#10351)
Also reformatted another changelog entry.
2021-06-04 14:33:13 -04:00
Matt Keeler c5dc729dda
Follow on to PR 10336 (#10343)
There was some PR feedback that came in just after I merged that other PR. This addresses that feedback.
2021-06-03 12:29:41 -04:00
Matt Keeler 4222242f1c Add licensing information to snapshot agent docs. 2021-06-03 10:48:16 -04:00
Matt Keeler aeaeec15e8 Add deprecation/removal notices regarding the APIs/CLI commands for licensing that are going away.
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-06-03 10:48:16 -04:00
Blake Covarrubias 2196262eab docs: Clarify set-agent-token token persistence behavior
Clarify that tokens configured via `set-agent-token` will not be
persisted if `acl.enable_token_persistence` is `false`.
2021-05-31 16:08:43 -07:00
Dhia Ayachi e527c191ae docs: Add example ACL policy for snapshot agent
Co-Authored-By: Blake Covarrubias <blake@covarrubi.as>
2021-05-20 14:41:29 -04:00
R.B. Boyer 3b50a55533
connect: update supported envoy versions to 1.18.3, 1.17.3, 1.16.4, and 1.15.5 (#10231) 2021-05-12 14:06:06 -05:00
Daniel Nephin 2628974692
Update website/content/commands/config/delete.mdx
Co-authored-by: Jono Sosulska <42216911+jsosulska@users.noreply.github.com>
2021-05-06 14:04:26 -04:00
Daniel Nephin 583850e9d4 docs: remove name field from Mesh config entry
Also document the name of these config entries in the API docs, so that
users know how to query for them.

And fix the name of mesh on the index page.
2021-05-06 13:25:32 -04:00
R.B. Boyer abc1dc0fe9
connect: update supported envoy versions to 1.18.2, 1.17.2, 1.16.3, and 1.15.4 (#10101)
The only thing that needed fixing up pertained to this section of the 1.18.x release notes:

> grpc_stats: the default value for stats_for_all_methods is switched from true to false, in order to avoid possible memory exhaustion due to an untrusted downstream sending a large number of unique method names. The previous default value was deprecated in version 1.14.0. This only changes the behavior when the value is not set. The previous behavior can be used by setting the value to true. This behavior change by be overridden by setting runtime feature envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default.

For now to maintain status-quo I'm explicitly setting `stats_for_all_methods=true` in all versions to avoid relying upon the default.

Additionally the naming of the emitted metrics for these gRPC requests changed slightly so the integration test assertions for `case-grpc` needed adjusting.
2021-04-29 15:22:03 -05:00
Iryna Shustava 8dffb89131
Implement traffic redirection exclusion based on proxy config and user-provided values (#10134)
* Use proxy outbound port from TransparentProxyConfig if provided
* If -proxy-id is provided to the redirect-traffic command, exclude any listener ports
  from inbound traffic redirection. This includes envoy_prometheus_bind_addr,
  envoy_stats_bind_addr, and the ListenerPort from the Expose configuration.
* Allow users to provide additional inbound and outbound ports, outbound CIDRs
  and additional user IDs to be excluded from traffic redirection.
  This affects both the traffic-redirect command and the iptables SDK package.
2021-04-29 09:21:15 -07:00
Paul Banks d717d2cdc4
CLI: Allow snapshot inspect to work on internal raft snapshots directly. (#10089)
* CLI: Add support for reading internal raft snapshots to snapshot inspect

* Add snapshot inspect test for raw state files

* Add changelog entry

* Update .changelog/10089.txt
2021-04-23 16:17:08 +01:00
Freddy 8b8c3c1992
Add docs for transparent proxy mode and config (#10038)
Add docs for transparent proxy mode and config

Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Jeff Escalante <jescalan@users.noreply.github.com>
2021-04-16 12:50:02 -07:00
Iryna Shustava 5755c97bc7
cli: Add new `consul connect redirect-traffic` command for applying traffic redirection rules when Transparent Proxy is enabled. (#9910)
* Add new consul connect redirect-traffic command for applying traffic redirection rules when Transparent Proxy is enabled.
* Add new iptables package for applying traffic redirection rules with iptables.
2021-04-09 11:48:10 -07:00
Zachary Shilton 8671762474
website: implement mktg 032 (#9953)
* website: migrate to new nav-data format

* website: clean up unused intro content

* website: remove deprecated sidebar_title from frontmatter

* website: add react-content to fix global style import issue
2021-04-07 15:50:38 -04:00
Ranjandas 7857c5746f Document agent token policy requirement for rexec
The Agent token policy when using rexec should have `write` on "_rexec"
key prefix. Updated the exec command documentation to explicitly state
this requirement.
2021-03-23 15:51:56 +11:00
Kyle Havlovitz 1e87c7183a
Merge pull request #9672 from hashicorp/ca-force-skip-xc
connect/ca: Allow ForceWithoutCrossSigning for all providers
2021-03-11 11:49:15 -08:00
Kyle Havlovitz d62565f368
Merge pull request #9792 from dzeban/kv-import-prefix
command/kv: Add prefix option to kv import command
2021-03-11 09:47:53 -08:00
Nitya Dhanushkodi 15e8b13891
Add flags to consul connect envoy for metrics merging. (#9768)
Allows setting -prometheus-backend-port to configure the cluster
envoy_prometheus_bind_addr points to.

Allows setting -prometheus-scrape-path to configure which path
envoy_prometheus_bind_addr exposes metrics on.

-prometheus-backend-port is used by the consul-k8s metrics merging feature, to
configure envoy_prometheus_bind_addr to point to the merged metrics
endpoint that combines Envoy and service metrics so that one set of
annotations on a Pod can scrape metrics from the service and it's Envoy
sidecar.

-prometheus-scrape-path is used to allow configurability of the path
where prometheus metrics are exposed on envoy_prometheus_bind_addr.
2021-03-04 16:15:47 -06:00
R.B. Boyer 398b766532
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658)
- Also add support for envoy 1.17.0
2021-02-26 16:23:15 -06:00
Alex Dzyoba 098fd1797b command/kv: Add prefix option to kv import command
Currently when data is imported via `consul kv import` it overwrites
keys under the root key. Since `consul kv export` can retrieve data for
the given prefix, i.e. part of the KV tree, importing it under root may
be not what users want.

To mirror prefix behavior from export this PR adds prefix feature to the
import command that adds prefix to all keys that are imported.
2021-02-19 14:07:25 +03:00
Preetha 4174bc4330
Add docs section on regenerating expired CA certificates (#9709)
* Updated docs on regenerating built in CA

* review feedback

* Add sentence about expected behavior after update CA endpoint is used.
2021-02-11 15:38:12 -06:00
R.B. Boyer 6eeccc93ce
connect: update supported envoy point releases to 1.16.2, 1.15.3, 1.14.6, 1.13.7 (#9737) 2021-02-10 13:11:15 -06:00
Kyle Havlovitz 7dac583863 connect/ca: Allow ForceWithoutCrossSigning for all providers
This allows setting ForceWithoutCrossSigning when reconfiguring the CA
for any provider, in order to forcibly move to a new root in cases where
the old provider isn't reachable or able to cross-sign for whatever
reason.
2021-01-29 13:38:11 -08:00
Luke Kysow b6d7bf1243
Move cfg entry docs to under connect from agent (#9533)
Since all config entries are currently related to service mesh it's a
much more natural place to look for them under Service Mesh than under
Agent.
2021-01-13 12:48:48 -08:00
Michael Hofer 3c3b67288d
cli: Add consul intention list command (based on PR #6825) (#9468)
This PR is based on the previous work by @snuggie12 in PR #6825. It adds the command consul intention list to list all available intentions. The list functionality for intentions seems a bit overdue as it's just very handy. The web UI cannot list intentions outside of the default namespace, and using the API is sometimes not the friendliest option. ;)

I cherry picked snuggie12's commits who did most of the heavy lifting (thanks again @snuggie12 for your great work!). The changes in the original commit mostly still worked on the current HEAD. On top of that I added support for namespaces and fixed the docs as they are managed differently today. Also the requested changes related to the "Connect" references in the original PRs have been addressed.

Fixes #5652

Co-authored-by: Matt Hoey <mhoey05@jcu.edu>
2021-01-12 21:14:31 +01:00
Joel Watson ca265e1890 docs: add note about TMPDIR for snapshots 2021-01-06 12:56:40 -06:00