Commit Graph

14516 Commits (3dde24d8c96347d87b39756144e8781351a26eb7)

Author SHA1 Message Date
Dhia Ayachi 3dde24d8c9 config raft apply silent error (#10657)
* return an error when the index is not valid

* check response as bool when applying `CAOpSetConfig`

* remove check for bool response

* fix error message and add check to test

* fix comment

* add changelog
2021-07-22 14:33:12 +00:00
Blake Covarrubias b5b5c21654 Merge pull request #10462 from hashicorp/docs/add-ns-agent-services-9710
docs: Add namespace parameters to /agent/service* endpoints
2021-07-21 18:17:40 +00:00
Blake Covarrubias c792f3738a docs: Update responses for /v1/session/ endpoints post 1.7
Update output for /v1/session/ endpoints to match output post Consul
1.7.0.

Documents new `NodeChecks` and `ServiceChecks` parameters which were
added in that release.

Resolves #7341, resolves #10095
2021-07-21 15:28:33 +00:00
Freddy c9349e353b Avoid panic on concurrent writes to cached service config map (#10647)
If multiple instances of a service are co-located on the same node then
their proxies will all share a cache entry for their resolved service
configuration. This is because the cache key contains the name of the
watched service but does not take into account the ID of the watching
proxies.

This means that there will be multiple agent service manager watches
that can wake up on the same cache update. These watchers then
concurrently modify the value in the cache when merging the resolved
config into the local proxy definitions.

To avoid this concurrent map write we will only delete the key from
opaque config in the local proxy definition after the merge, rather
than from the cached value before the merge.
2021-07-20 16:10:37 +00:00
Blake Covarrubias 2e044acd90 website: Fix circular redirect with TLS on existing cluster
Fix an issue where /docs/k8s/operations/tls-on-existing-cluster would
never load when navigating directly to the URL because of a circular
redirect.
2021-07-20 15:43:27 +00:00
Blake Covarrubias c469c701fe docs: Add intentions to ACL System docs (#10323)
Adds mention of `intentions` rules to ACL System and ACL Rules pages.

Resolves #9790
2021-07-19 22:32:24 +00:00
Blake Covarrubias c8393cb25f docs: Fix spelling errors across website 2021-07-19 21:30:41 +00:00
Daniel Nephin 91962e7495 Merge pull request #10009 from hashicorp/dnephin/trim-dns-response-with-edns
dns: properly trim response when EDNS is used
2021-07-16 22:10:03 +00:00
hc-github-team-consul-core c800094210 Putting source back into Dev Mode 2021-07-15 19:33:15 +00:00
hc-github-team-consul-core db839f18ba Release v1.10.1 2021-07-15 18:49:34 +00:00
hc-github-team-consul-core 40ac83c9d3 update bindata_assetfs.go 2021-07-15 18:49:33 +00:00
Dhia Ayachi fc38e8fba9 add changelogs for 1.10.1 2021-07-15 13:30:29 -04:00
Freddy e3e31375c8 Merge pull request #10622 from hashicorp/vuln/validate-sans-1.10 2021-07-15 10:05:06 -06:00
freddygv 803df59268 Fixup prepared query ns defaulting 2021-07-15 09:37:37 -06:00
freddygv 066e950b7d Add changelog entry 2021-07-15 09:31:43 -06:00
Daniel Nephin d808d7897a Merge pull request #10617 from hashicorp/dnephin/config-add-missing-docs
docs: add config options that were missing
2021-07-15 15:24:28 +00:00
R.B. Boyer 104ee65e17 xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619) 2021-07-15 15:09:48 +00:00
John Cowen e92b9e8e82 ui: [BUGFIX] Ensure we use the ns query param name when requesting permissions (#10608)
Previously when namespaces were enabled, we weren't requesting permission for the actively selected namespace, and instead always checking the permissions for the default namespace.

This commit ensures we request permissions for the actively selected namespace.
2021-07-15 11:19:55 +00:00
John Cowen 15f6b10e4a ui: [BUGFIX] Ensure in-folder KVs are created in the correct folder (#10569)
When clicking to create a KV within folder name, you would be viewing a form that was a form for creating a KV in the root, which when the user clicked to save, saved the KV in the root.

For the moment at least I've removed the code that strips double slashes, and whilst this isn't ideal, it looks like we've picked up one of those bugs that turns into a 'feature', and completely reworking KV to not rely on the double slashes is not really an option right now.
2021-07-15 09:38:23 +00:00
freddygv 0bf181ae55 Update golden files 2021-07-14 22:41:51 -06:00
freddygv 8e4ca495d5 Validate SANs for passthrough clusters and failovers 2021-07-14 22:41:51 -06:00
freddygv faac20cd40 Update golden files to account for SAN validation 2021-07-14 22:41:02 -06:00
freddygv bdacb71d22 Validate Subject Alternative Name for upstreams
These changes ensure that the identity of services dialed is
cryptographically verified.

For all upstreams we validate against SPIFFE IDs in the format used by
Consul's service mesh:

spiffe://<trust-domain>/ns/<namespace>/dc/<datacenter>/svc/<service>
2021-07-14 22:41:02 -06:00
John Cowen 70f29c2312 ui: [BUGFIX] Fix KV Code Editor syntax loading (#10605)
This commit adds a bit of string wrangling to avoid the keys in our javascript source file also being transformed. Additionally, whilst looking at this we decided that Maps are a better dictionary than javascript objects, so we moved to use those here also (but this doesn't affect the issue)
2021-07-14 17:56:18 +00:00
John Cowen 6a0d4358e6 ui: Show the correct 'ACLs Disabled' page when ACLs are disabled (#10604)
Adds 'can access ACLs' which means one of two things

1. When ACLs are disabled I can access the 'please enable ACLs' page
2. When ACLs are enabled, it's the same as canRead
2021-07-14 17:52:50 +00:00
Melissa Kam 7d0a1effd6 Merge pull request #10614 from hashicorp/nia/docs-0.2.1
nia/docs 0.2.1
2021-07-14 17:04:06 +00:00
David Yu 0324727dce docs: Add link to learn guide on migrating ACL tokens (#10609)
* docs: Add link to learn guide on migrating ACL tokens
2021-07-13 21:03:39 +00:00
Iryna Shustava ae767d9cfc cli/sdk: Allow applying redirect-traffic rules in a provided Linux namespace (#10564) 2021-07-13 16:06:25 +00:00
Daniel Nephin ca788e089e Merge pull request #10579 from hashicorp/dnephin/improve-config-docs-tls
docs: Improve TLS user documentation
2021-07-12 23:09:57 +00:00
Noel Quiles 9a35e47dda Bump hashi-stack-menu (#10599) 2021-07-12 22:28:38 +00:00
Curt Marker 1c86eae663 Fixed a typo that broke the example static-server deployment (#10582)
The service account was typo'd and needs to be fixed
2021-07-12 20:33:59 +00:00
mrspanishviking 9bae67dff5 Merge pull request #10586 from hashicorp/docs-consult-license
docs: changing license faq title to align with Nomad and Vault faq pages
2021-07-09 23:33:45 +00:00
Evan Culver 940419aef0 Add support for returning ACL secret IDs for accessors with acl:write (#10546) 2021-07-08 22:13:45 +00:00
Daniel Nephin fe76dc7068 Merge pull request #10552 from hashicorp/dnephin/ca-remove-rotation-period
ca: remove unused RotationPeriod field
2021-07-08 20:56:43 +00:00
David Yu 3fb24c9cd4 docs: Update docs to reflect limitation in TProxy when using single Consul DC deployment with multiple k8s clusters (#10549)
* docs: Update to reflect single Consul DC deployment with multiple k8s clusters
2021-07-08 17:48:25 +00:00
John Cowen 75c7491224 ui: Don't default to the default namespace, use the token default namespace instead (#10503)
The default namespace, and the token's default namespace (or its origin namespace) is slightly more complicated than other things we deal with in the UI, there's plenty of info/docs on this that I've added in this PR.

Previously:

When a namespace was not specified in the URL, we used to default to the default namespace. When you logged in using a token we automatically forward you to the namespace URL that your token originates from, so you are then using the namespace for your token by default. You can of course then edit the URL to remove the namespace portion, or perhaps revisit the UI at the root path with your token already set. In these latter cases we would show you information from the default namespace. So if you had no namespace segment/portion in the URL, we would assume default, perform actions against the default namespace and highlight the default namespace in the namespace selector menu. If you wanted to perform actions in your token's origin namespace you would have to manually select it from the namespace selector menu.

This PR:

Now, when you have no namespace segment/portion in the URL, we use the token's origin namespace instead (and if you don't have a token, we then use the default namespace like it was previously)

Notes/thoughts:

I originally thought we were showing an incorrectly selected namespace in the namespace selector, but it also matched up with what we were doing with the API, so it was in fact correct. The issue was more that we weren't selecting the origin namespace of the token for the user when a namespace segment was omitted from the URL. Seeing as we automatically forward you to the token's origin namespace when you log in, and we were correctly showing the namespace we were acting on when you had no namespace segment in the URL (in the previous case default), I'm not entirely sure how much of an issue this actually was.

This characteristic of namespace+token+namespace is a little weird and it's easy to miss a subtlety or two so I tried to add some documentation in here for future me/someone else (including some in depth code comment around one of the API endpoints where this is very subtle and very hard to miss). I'm not the greatest at words, so would be great to get some edits there if it doesn't seem clear to folks.

The fact that we used to save your previous datacenter and namespace into local storage for reasons also meant the interaction here was slightly more complicated than it needed to be, so whilst we were here we rejigged things slightly to satisfy said reasons still but not use local storage (we try and grab the info from higher up). A lot of the related code here is from before we had our Routlets which I think could probably make all of this a lot less complicated, but I didn't want to do a wholesale replacement in this PR, we can save that for a separate PR on its own at some point.
2021-07-07 10:47:24 +00:00
John Cowen 7550bb2c65 ui: Add intl debug helpers (#10513) (#10561)
This commit adds a couple of debug utilities to help us to continue slowly adding i18n support:

- We've added a CONSUL_INTL_DEBUG env/cookie variable to turn off variable interpolation within the t helper so you can see which variables are being interpolated.
- We've added a CONSUL_INTL_LOCALE env/cookie which currently supports two 'pseudo-locales' - la-fk (fake latin) and - (just dashes) either of which will make it easier to see what has not been localized until we can add prettier rules to prevent adding any copy into templates at all. I would guess if we ever translated the app we would use this for looking at things whilst developing also - but as yet I've not added anything for that here seeing as we don't translate anything.
Both variables are dev-time only and all code for this is removed from the production build.
2021-07-07 10:26:12 +01:00
Luke Kysow 4b71eaa312 Add headings to Helm docs (#10562) 2021-07-06 18:23:49 +00:00
John Cowen bd0dfc31b3 ui: CopyButton amends (#10511)
* ui: Add with-copyable modifier

* Use with-copyable modifier for our own CopyButton

* Move copy-button styling and remove most of `copy-btn`
2021-07-06 16:43:31 +00:00
John Cowen 1d5e17d3cc ui: Allow disabling of sourcemaps via env var (#10491) 2021-07-06 15:58:30 +00:00
John Cowen db4ba43398 ui: Fixup definition-table + copy-button margin (#10512) 2021-07-06 15:58:04 +00:00
Daniel Nephin c8bba8bd60 Merge pull request #10539 from hashicorp/dnephin/backport-to-1.10.x
[1.10.x] Backport main branch rename, and fix 32bit panic
2021-07-05 12:35:56 -04:00
hc-github-team-consul-core 7addc6f353 Putting source back into Dev Mode 2021-07-01 19:39:43 +00:00
hc-github-team-consul-core 2aae8d13b2 Release v1.10.1-beta1 2021-07-01 18:46:30 +00:00
hc-github-team-consul-core bd6a6bf8b8 update bindata_assetfs.go 2021-07-01 18:46:29 +00:00
Mike Morris 5573a3d491 changelog: add unreleased entries for 1.10.1-beta1 2021-07-01 14:41:04 -04:00
David Yu 395100ae83 docs: Formatting for Ingress Controllers example repos (#10542)
* docs: Formatting for Ingress Controllers example repos
* Update ingress-controllers.mdx
2021-07-01 17:49:22 +00:00
Kyle Schochenmaier 9dfc900255 docs: Ingress controllers configurations (#10495)
Add high level documentation on how to enable ingress controllers in consul on k8s.

Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
2021-07-01 16:29:42 +00:00
Dhia Ayachi 543928d707 Format certificates properly (rfc7468) with a trailing new line (#10411)
* trim carriage return from certificates when inserting rootCA in the inMemDB

* format rootCA properly when returning the CA on the connect CA endpoint

* Fix linter warnings

* Fix providers to trim certs before returning it

* trim newlines on write when possible

* add changelog

* make sure all providers return a trailing newline after the root and intermediate certs

* Fix endpoint to return trailing new line

* Fix failing test with vault provider

* make test more robust

* make sure all providers return a trailing newline after the leaf certs

* Check for suffix before removing newline and use function

* Add comment to consul provider

* Update change log

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* fix typo

* simplify code callflow

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* extract requireNewLine as shared func

* remove dependency to testify in testing file

* remove extra newline in vault provider

* Add cert newline fix to envoy xds

* remove new line from mock provider

* Remove adding a new line from provider and fix it when the cert is read

* Add a comment to explain the fix

* Add missing for leaf certs

* fix missing new line

* fix missing new line in leaf certs

* remove extra new line in test

* update changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* fix in vault provider and when reading cache (RPC call)

* fix AWS provider

* fix failing test in the provider

* remove comments and empty lines

* add check for empty cert in test

* fix linter warnings

* add new line for leaf and private key

* use string concat instead of Sprintf

* fix new lines for leaf signing

* preallocate slice and remove append

* Add new line to `SignIntermediate` and `CrossSignCA`

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-07-01 00:49:03 +00:00
trujillo-adam 567aee1a63 docs: fixed instance of incorrect grammar usage 2021-06-30 19:12:08 -04:00