Commit Graph

9892 Commits (2c4dd43692d51f5a6773741206633be976df3fa8)

Author SHA1 Message Date
Jack Pearkes 96b877f79e
website: fixed ca provider references (#5185)
Fixes https://github.com/hashicorp/consul/issues/5182.
2019-01-07 18:47:02 -08:00
Matt Keeler 62aa40872c
Update CHANGELOG.md 2019-01-07 16:55:14 -05:00
Pierre Souchay ae7f88f995 Avoid to have infinite recursion in DNS lookups when resolving CNAMEs (#4918)
* Avoid to have infinite recursion in DNS lookups when resolving CNAMEs

This will avoid killing Consul when a Service.Address is using CNAME
to a Consul CNAME that creates an infinite recursion.

This will fix https://github.com/hashicorp/consul/issues/4907

* Use maxRecursionLevel = 3 to allow several recursions
2019-01-07 16:53:54 -05:00
Paul Banks 88d239818c
Update CHANGELOG.md 2019-01-07 21:32:20 +00:00
Paul Banks b29bc906ee
bugfix: use ServiceTags to generate cache key hash (#4987)
* bugfix: use ServiceTags to generate cahce key hash

* update unit test

* update

* remote print log

* Update .gitignore

* Completely deprecate ServiceTag field internally for clarity

* Add explicit test for CacheInfo cases
2019-01-07 21:30:47 +00:00
R.B. Boyer 0f22706af5 Update CHANGELOG.md 2019-01-07 15:05:06 -06:00
R.B. Boyer b96391ecff
update github.com/hashicorp/{serf,memberlist,go-sockaddr} (#5189)
This activates large-cluster improvements in the gossip layer from
https://github.com/hashicorp/memberlist/pull/167
2019-01-07 15:00:47 -06:00
Matt Keeler d4f7a830a8
Update CHANGELOG.md 2019-01-07 13:56:08 -05:00
Aestek 8709213d6e Prevent status flap when re-registering a check (#4904)
Fixes point `#2` of: https://github.com/hashicorp/consul/issues/4903

When registering a service each healthcheck status is saved and restored (https://github.com/hashicorp/consul/blob/master/agent/agent.go#L1914) to avoid unnecessary flaps in health state.
This change extends this feature to single check registration by moving this protection in `AddCheck()` so that both `PUT /v1/agent/service/register` and `PUT /v1/agent/check/register` behave in the same idempotent way.

#### Steps to reproduce
1. Register a check :
```
curl -X PUT \
  http://127.0.0.1:8500/v1/agent/check/register \
  -H 'Content-Type: application/json' \
  -d '{
  "Name": "my_check",
  "ServiceID": "srv",
  "Interval": "10s",
  "Args": ["true"]
}'
```
2. The check will initialize and change to `passing`
3. Run the same request again
4. The check status will quickly go from `critical` to `passing` (the delay for this transission is determined by https://github.com/hashicorp/consul/blob/master/agent/checks/check.go#L95)
2019-01-07 13:53:03 -05:00
RJ Spiker 516ba47609 website: fix carousel bugs 2019-01-07 13:39:14 -05:00
Mitchell Hashimoto f76022fa63 CA Provider Plugins (#4751)
This adds the `agent/connect/ca/plugin` library for consuming/serving Connect CA providers as [go-plugin](https://github.com/hashicorp/go-plugin) plugins. This **does not** wire this up in any way to Consul itself, so this will not enable using these plugins yet. 

## Why?

We want to enable CA providers to be pluggable without modifying Consul so that any CA or PKI system can potentially back the Connect certificates. This CA system may also be used in the future for easier bootstrapping and internal cluster security.

### go-plugin

The benefit of `go-plugin` is that for the plugin consumer, the fact that the interface implementation is communicating over multi-process RPC is invisible. Internals of Consul will continue to just use `ca.Provider` interface implementations as if they're local. For plugin _authors_, they simply have to implement the interface. The network/transport/process management issues are handled by go-plugin itself.

The CA provider plugins support both `net/rpc` and gRPC transports. This enables easy authoring in any language. go-plugin handles the actual protocol handshake and connection. This is just a feature of go-plugin. 

`go-plugin` is already in production use for years by Packer, Terraform, Nomad, Vault, and Sentinel. We've shown stability for both desktop and server-side software. It is very mature.

## Implementation Details

### `map[string]interface{}`

The `Configure` method passes a `map[string]interface{}`. This map contains only Go primitives and containers of primitives (no funcs, chans, etc.). For `net/rpc` we encode as-is using Gob. For gRPC we marshal to JSON and transmit as a `bytes` type. This is the same approach we take with Vault and other software.

Note that this is just the transport protocol, the end software views it fully decoded.

### `x509.Certificate` and `CertificateRequest`

We transmit the raw ASN.1  bytes and decode on the other side. Unit tests are verifying we get the same cert/csrs across the wire.

### Testing

`go-plugin` exposes test helpers that enable testing the full plugin RPC over real loopback network connections. We test all endpoints for success and error for both `net/rpc` and gRPC.

### Vendoring

This PR doesn't introduce vendoring for two reasons:

  1. @banks's `f-envoy` branch introduces a lot of these and I didn't want conflict.
  2. The library isn't actually used yet so it doesn't introduce compile-time errors (it does introduce test errors).

## Next Steps

With this in place, we need to figure out the proper way to actually hook these up to Consul, load them, etc. This discussion can happen elsewhere, since regardless of approach this plugin library implementation is the exact same.
2019-01-07 12:48:44 -05:00
R.B. Boyer 3841e9e396
website: fix stray sentinel references using the old syntax (#5191)
[skip ci]
2019-01-07 09:59:17 -06:00
Matt Keeler 7fd03b3ba4
Update CHANGELOG.md 2019-01-07 09:56:31 -05:00
Grégoire Seux 4f62a3b528 Implement /v1/agent/health/service/<service name> endpoint (#3551)
This endpoint aggregates all checks related to <service id> on the agent
and return an appropriate http code + the string describing the worst
check.

This allows to cleanly expose service status to other component, hiding
complexity of multiple checks.
This is especially useful to use consul to feed a load balancer which
would delegate health checking to consul agent.

Exposing this endpoint on the agent is necessary to avoid a hit on
consul servers and avoid decreasing resiliency (this endpoint will work
even if there is no consul leader in the cluster).
2019-01-07 09:39:23 -05:00
Alvin Huang 067346e496
Merge pull request #5187 from hashicorp/add_ui_tests
Add ui tests
2019-01-04 12:13:08 -05:00
kaitlincarter-hc 9a976a40f3
Added the new monitoring guide (#5117) 2019-01-04 10:26:07 -06:00
Matt Keeler 57b5a1de0c
Update CHANGELOG.md 2019-01-04 10:03:29 -05:00
Aestek 5960974db1 [Fix] Services sometimes not being synced with acl_enforce_version_8 = false (#4771)
Fixes: https://github.com/hashicorp/consul/issues/3676

This fixes a bug were registering an agent with a non-existent ACL token can prevent other 
services registered with a good token from being synced to the server when using 
`acl_enforce_version_8 = false`.

## Background

When `acl_enforce_version_8` is off the agent does not check the ACL token validity before 
storing the service in its state.
When syncing a service registered with a missing ACL token we fall into the default error 
handling case (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1255)
and stop the sync (https://github.com/hashicorp/consul/blob/master/agent/local/state.go#L1082)
without setting its Synced property to true like in the permission denied case.
This means that the sync will always stop at the faulty service(s).
The order in which the services are synced is random since we iterate on a map. So eventually
all services with good ACL tokens will be synced, this can however take some time and is influenced 
by the cluster size, the bigger the slower because retries are less frequent.
Having a service in this state also prevent all further sync of checks as they are done after
the services.

## Changes 

This change modify the sync process to continue even if there is an error. 
This fixes the issue described above as well as making the sync more error tolerant: if the server repeatedly refuses
a service (the ACL token could have been deleted by the time the service is synced, the servers 
were upgraded to a newer version that has more strict checks on the service definition...). 
Then all services and check that can be synced will, and those that don't will be marked as errors in 
the logs instead of blocking the whole process.
2019-01-04 10:01:50 -05:00
Alvin Huang fde5d75c68
Merge pull request #5186 from hashicorp/add_codeowners
add codeowners for consul docs
2019-01-04 09:32:53 -05:00
Alvin Huang 5425a86058 add documentation on how to use ember-exam 2019-01-03 23:50:02 -05:00
Alvin Huang f623b9817e add test-parallel yarn command 2019-01-03 23:49:45 -05:00
Alvin Huang b92c34d568 refresh cache key and fix comments 2019-01-03 22:57:40 -05:00
Alvin Huang c4a837c7b5 change env to test 2019-01-03 22:27:17 -05:00
Alvin Huang 0b052ccc99 using build-ci target in circleci 2019-01-03 22:27:17 -05:00
Alvin Huang 3feb26f30d adding build-ci yarn target 2019-01-03 22:27:17 -05:00
Alvin Huang ddefaa2c2d test circleci 2019-01-03 22:27:02 -05:00
Alvin Huang a92fa407d5 output XML test results 2019-01-03 22:21:19 -05:00
Alvin Huang 93490c600b enable ember-exam 2019-01-03 22:21:20 -05:00
Alvin Huang 5b6ea377b4 update testem with newer conventions 2019-01-03 22:18:55 -05:00
Alvin Huang 45cf7dec4f adding ember-exam package 2019-01-03 16:59:30 -05:00
Alvin Huang 4233c0f821 add codeowners for consul docs 2019-01-03 15:01:16 -05:00
Junpei Tsuji 249babc244 website: Use secret id instead of policy id (#5049)
The document uses _the agent-token policy_ as agent token by mistake.
So I fixed it to use the secret id instead of it.
2019-01-03 10:45:01 -05:00
Matt Keeler 0577f02080
Update CHANGELOG.md 2019-01-03 10:41:33 -05:00
Boris Popovschi b4eca8fcd7 Fixed gziping function for debug archive (#5184) 2019-01-03 10:39:58 -05:00
Tayyab Talha 517fa5edd4 Fix Type in go integration (#5132)
Fix Typo in second example
From svc.ServeTLSConfig() to svc.ServerTLSConfig()
2019-01-03 10:39:23 -05:00
Hans Hasselberg 3d0b7850db
Update CHANGELOG.md 2019-01-03 12:47:40 +01:00
Rebecca Zanzig 199063759b
Merge pull request #5112 from hashicorp/docs/helm-resources-example
Add examples for helm chart multi-line strings
2018-12-20 15:33:33 -08:00
Paul Banks adc245ce85
Update CHANGELOG.md 2018-12-20 12:47:36 +00:00
kaitlincarter-hc 5bf14c58fa
removed an extra period that messed up formatting (#5120) 2018-12-19 18:12:43 -06:00
kaitlincarter-hc 395248dbe9
Adding the new backup guide (#5080)
* Adding the new backup guide

* Update website/source/docs/guides/backup.html.md

Looks good.

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/backup.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/backup.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/backup.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Updated the directions for the restore command.

* Update website/source/docs/guides/backup.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/backup.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* updated the token env

* Trying to make it extra clear where to run the commands.

* added not that list of backed up items isn't inclusive
2018-12-19 13:01:35 -06:00
kaitlincarter-hc 0b002f8560
Encryption Docs and New Guide (#5059)
* Added the new encryption guide, updated the encryption docs, updated the side-nav and index page for new guide.

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Making updates based on feedback

* Updating language

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Removing all reload mentions

* Updated the final remarks about TLS encryption to include a note about HTTP connections

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/agent-encryption.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* removed the mention of cfssl

* also removed the bit about cfssl in the doc

* updating cert names

* updated all cert values
2018-12-19 12:41:25 -06:00
Hans Hasselberg acc458d7a4
Builtin tls helper (#5078)
* command: add tls subcommand
* website: update docs and guide
2018-12-19 09:22:49 +01:00
Jack Pearkes 564288adcc
website: highlight how to use agent certs for tls checks (#5086)
Also clarifies that HTTP and gRPC checks both use the same
TLS configuration.
2018-12-18 16:47:52 -08:00
Rebecca Zanzig ce82de1965 Add examples for helm chart multi-line strings
There has been some confusion about the formating of multi-line
string variables in the Helm chart. This adds examples for these
situations, hopefully clarifying things for users.
2018-12-18 12:46:45 -08:00
Hans Hasselberg 0b4a879203
ui: serve /robots.txt when UI is enabled. (#5089)
* serve /robots.txt
* robots.txt: disallow everything
2018-12-17 19:35:03 +01:00
Hans Hasselberg 787f3f8aa6 agent: honor when ca is set but verify_outgoing is disabled (#4826)
* honor when verify_outgoing is false but ca is set

* Remove code that exists only for tests

* fix formatting
2018-12-17 09:56:18 -08:00
kaitlincarter-hc cb5524e1e9
Guide Update: Adding/Removing Server (#5095)
* first draft of updated content for consul leave

* Changed the consul leave/bootstrap_expect scenario into a note
2018-12-17 09:16:07 -06:00
David A. Stevenson 09c7484cab fix typo (#5099)
encourge -> encourage
2018-12-17 08:56:55 -06:00
Kyle Havlovitz 995e728ea0 txn: fix an issue with querying nodes by name instead of ID 2018-12-12 12:46:33 -08:00
Alvin Huang 87aea652f0
Merge pull request #5065 from hashicorp/clarify_separator_api
clarify how `separator` should be in CLI and API
2018-12-12 12:14:19 -08:00