consul

Commit Graph

Author	SHA1	Message	Date
Matt Keeler	e231d62bc9	Make the config entry and leaf cert cache types ns aware (#7256 )	5 years ago
Hans Hasselberg	6739fe6e83	connect: add validations around intermediate cert ttl (#7213 )	5 years ago
R.B. Boyer	73ba5d9990	make the TestRPC_RPCMaxConnsPerClient test less flaky (#7255 )	5 years ago
Sarah Christoff	6678c8898a	Fix flaky TestAutopilot_BootstrapExpect (#7242 )	5 years ago
Kit Patella	55f19a9eb2	rpc: measure blocking queries (#7224 ) * agent: measure blocking queries * agent.rpc: update docs to mention we only record blocking queries * agent.rpc: make go fmt happy * agent.rpc: fix non-atomic read and decrement with bitwise xor of uint64 0 * agent.rpc: clarify review question * agent.rpc: today I learned that one must declare all variables before interacting with goto labels * Update agent/consul/server.go agent.rpc: more precise comment on `Server.queriesBlocking` Co-Authored-By: Paul Banks <banks@banksco.de> * Update website/source/docs/agent/telemetry.html.md agent.rpc: improve queries_blocking description Co-Authored-By: Paul Banks <banks@banksco.de> * agent.rpc: fix some bugs found in review * add a note about the updated counter behavior to telemetry.md * docs: add upgrade-specific note on consul.rpc.quer{y,ies_blocking} behavior Co-authored-by: Paul Banks <banks@banksco.de>	5 years ago
Akshay Ganeshen	8beb716414	feat: support sending body in HTTP checks (#6602 )	5 years ago
Matt Keeler	4f21bbdb4e	OSS Changes for agent local state namespace testing (#7250 )	5 years ago
Matt Keeler	d0cd092e3b	Catalog + Namespace OSS changes. (#7219 ) * Various Prepared Query + Namespace things * Last round of OSS changes for a namespaced catalog	5 years ago
R.B. Boyer	8c596953b0	agent: ensure that we always use the same settings for msgpack (#7245 ) We set RawToString=true so that []uint8 => string when decoding an interface{}. We set the MapType so that map[interface{}]interface{} decodes to map[string]interface{}. Add tests to ensure that this doesn't break existing usages. Fixes #7223	5 years ago
Freddy	01855d8579	Remove outdated TODO (#7244 )	5 years ago
Matt Keeler	444517080b	Fix a bug with ACL enforcement of reads on namespaced config entries. (#7239 )	5 years ago
Kit Patella	9a220f3010	agent/consul server: fix LeaderTest_ChangeNodeID (#7236 ) * fix LeaderTest_ChangeNodeID to use StatusLeft and add waitForAnyLANLeave * unextract the waitFor... fn, simplify, and provide a more descriptive error	5 years ago
Matt Keeler	9e5fd7f925	OSS Changes for various config entry namespacing bugs (#7226 )	5 years ago
Hans Hasselberg	6a18f01b42	agent: ensure node info sync and full sync. (#7189 ) This fixes #7020. There are two problems this PR solves: * if the node info changes it is highly likely to get service and check registration permission errors unless those service tokens have node:write. Hopefully services you register don’t have this permission. * the timer for a full sync gets reset for every partial sync which means that many partial syncs are preventing a full sync from happening Instead of syncing node info last, after services and checks, and possibly saving one RPC because it is included in every service sync, I am syncing node info first. It is only ever going to be a single RPC that we are only doing when node info has changed. This way we are guaranteed to sync node info even when something goes wrong with services or checks which is more likely because there are more syncs happening for them.	5 years ago
R.B. Boyer	0ecb4538c1	agent: differentiate wan vs lan loggers in memberlist and serf (#7205 ) This should be a helpful change until memberlist and serf can be properly switched to native hclog.	5 years ago
Matt Keeler	dceb107325	Fix disco chain graph validation for namespaces (#7217 ) Previously this happened to be validating only the chains in the default namespace. Now it will validate all chains in all namespaces when the global proxy-defaults is changed.	5 years ago
Matt Keeler	228da48f5d	Minor Non-Functional Updates (#7215 ) * Cleanup the discovery chain compilation route handling Nothing functionally should be different here. The real difference is that when creating new targets or handling route destinations we use the router config entries name and namespace instead of that of the top level request. Today they SHOULD always be the same but that may not always be the case. This hopefully also makes it easier to understand how the router entries are handled. * Refactor a small bit of the service manager tests in oss We used to use the stringHash function to compute part of the filename where things would get persisted to. This has been changed in the core code to calling the StringHash method on the ServiceID type. It just so happens that the new method will output the same value for anything in the default namespace (by design actually). However, logically this filename computation in the test should do the same thing as the core code itself so I updated it here. Also of note is that newer enterprise-only tests for the service manager cannot use the old stringHash function at all because it will produce incorrect results for non-default namespaces.	5 years ago
Freddy	cb77fc6d01	Add managed service provider token (#7218 ) Stubs for enterprise-only ACL token to be used by managed service providers.	5 years ago
Hans Hasselberg	f6ec8ed92b	agent: increase watchLimit to 8192. (#7200 ) The previous value was too conservative and users with many instances were having problems because of it. This change increases the limit to 8192 which reportedly fixed most of the issues with that. Related: #4984, #4986, #5050.	5 years ago
Matt Keeler	dfb0177dbc	Testing updates to support namespaced testing of the agent/xds… (#7185 ) * Various testing updates to support namespaced testing of the agent/xds package * agent/proxycfg package updates to support better namespace testing	5 years ago
Davor Kapsa	3cb4def563	auto_encrypt: check previously ignored error (#6604 )	5 years ago
hashicorp-ci	1fcf4bfc10	update bindata_assetfs.go	5 years ago
Hans Hasselberg	5531678e9e	Security fixes (#7182 ) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>	5 years ago
Matt Keeler	d5f9268222	ACL enforcement for the agent/health/services endpoints (#7191 ) ACL enforcement for the agent/health/services endpoints	5 years ago
R.B. Boyer	cf29bd4dcf	cli: improve the file safety of 'consul tls' subcommands (#7186 ) - also fixing the signature of file.WriteAtomicWithPerms	5 years ago
Matt Keeler	d8c0be2c84	agent: add ACL enforcement to the v1/agent/health/service/* endpoints This adds acl enforcement to the two endpoints that were missing it. Note that in the case of getting a services health by its id, we still must first lookup the service so we still "leak" information about a service with that ID existing. There isn't really a way around it though as ACLs are meant to check service names.	5 years ago
Matt Keeler	6855a778c2	Updates to the Txn API for namespaces (#7172 ) * Updates to the Txn API for namespaces * Update agent/consul/txn_endpoint.go Co-Authored-By: R.B. Boyer <rb@hashicorp.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>	5 years ago
Matt Keeler	cf27dff62f	Add some better waits to prevent CA is nil test flakes (#7171 )	5 years ago
Matt Keeler	0be862fe46	Small refactoring to move meta parsing into the switch statement (#7170 )	5 years ago
Matt Keeler	bfc03ec587	Fix a couple bugs regarding intentions with namespaces (#7169 )	5 years ago
Matt Keeler	61d8778210	Sync some feature flag support from enterprise (#7167 )	5 years ago
R.B. Boyer	d78b5008ce	various tweaks on top of the hclog work (#7165 )	5 years ago
Chris Piraino	401221de58	Allow users to configure either unstructured or JSON logging (#7130 ) * hclog Allow users to choose between unstructured and JSON logging	5 years ago
Matt Keeler	848938ad48	Output proper HTTP status codes for Txn requests that are too large (#7157 )	5 years ago
Kit Patella	0d336edb65	Add accessorID of token when ops are denied by ACL system (#7117 ) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>	5 years ago
Anthony Scalisi	beb928f8de	fix spelling errors (#7135 )	5 years ago
hashicorp-ci	1194d2fbb7	update bindata_assetfs.go	5 years ago
Matt Keeler	c09693e545	Updates to Config Entries and Connect for Namespaces (#7116 )	5 years ago
Matt Keeler	bbc2eb1951	Add the v1/catalog/node-services/:node endpoint (#7115 ) The backing RPC already existed but the endpoint will be useful for other service syncing processes such as consul-k8s as this endpoint can return all services registered with a node regardless of namespacing.	5 years ago
Chris Piraino	59f1462801	Fix segfault when removing both a service and associated check (#7108 ) * Fix segfault when removing both a service and associated check updateSyncState creates entries in the services and checks maps for remote services/checks that are not found locally, so that we can then make sure to delete them in our reconciliation process. However, the values added to the map are missing key fields that the rest of the code expects to not be nil. * Add comment stating Check field can be nil	5 years ago
R.B. Boyer	0f44bcd3d8	agent: default the primary_datacenter to the datacenter if not configured (#7111 ) Something similar already happens inside of the server (agent/consul/server.go) but by doing it in the general config parsing for the agent we can have agent-level code rely on the PrimaryDatacenter field, too.	5 years ago
Hans Hasselberg	7d6ea82527	raft: increase raft notify buffer. (#6863 ) * Increase raft notify buffer. Fixes https://github.com/hashicorp/consul/issues/6852. Increasing the buffer helps recovering from leader flapping. It lowers the chances of the flapping leader to get into a deadlock situation like described in #6852.	5 years ago
Hans Hasselberg	11a571de95	agent: setup grpc server with auto_encrypt certs and add -https-port (#7086 ) * setup grpc server with TLS config used across consul. * add -https-port flag	5 years ago
Hans Hasselberg	82c556d1be	connect: use correct subject key id for leaf certificates. (#7091 )	5 years ago
R.B. Boyer	c91d0fa2c9	make TestCatalogNodes_Blocking less flaky (#7074 ) - Explicitly wait to start the test until the initial AE sync of the node. - Run the blocking query in the main goroutine to cut down on possible poor goroutine scheduling issues being to blame for delays. - If the blocking query is woken up with no index change, rerun the query. This may happen if the CI server is loaded and time dilation is happening.	5 years ago
R.B. Boyer	e2eb9f0585	test: ensure we don't ask vault to sign a leaf that outlives its CA when acting as a secondary (#7100 )	5 years ago
Hans Hasselberg	f0fc9aea7f	tests: fix autopilot test (#7092 )	5 years ago
Aestek	8fc736038a	agent: remove service sidecars in Agent.cleanupRegistration (#7022 ) Sidecar proxies were left behind when cleaning up after an unsuccessful registration. There are now also removed when the service is cleanup up.	5 years ago
Hans Hasselberg	9c1361c02b	raft: update raft to v1.1.2 (#7079 ) * update raft * use hclogger for raft.	5 years ago
Hans Hasselberg	804eb17094	connect: check if intermediate cert needs to be renewed. (#6835 ) Currently when using the built-in CA provider for Connect, root certificates are valid for 10 years, however secondary DCs get intermediates that are valid for only 1 year. There is no mechanism currently short of rotating the root in the primary that will cause the secondary DCs to renew their intermediates. This PR adds a check that renews the cert if it is half way through its validity period. In order to be able to test these changes, a new configuration option was added: IntermediateCertTTL which is set extremely low in the tests.	5 years ago
Hans Hasselberg	87f32c8ba6	auto_encrypt: set dns and ip san for k8s and provide configuration (#6944 ) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR	5 years ago
Aestek	ba8fd8296f	Add support for dual stack IPv4/IPv6 network (#6640 ) * Use consts for well known tagged adress keys * Add ipv4 and ipv6 tagged addresses for node lan and wan * Add ipv4 and ipv6 tagged addresses for service lan and wan * Use IPv4 and IPv6 address in DNS	5 years ago
Aestek	5dc8875bd3	agent: do not deregister service checks twice (#6168 ) Deregistering a service from the catalog automatically deregisters its checks, however the agent still performs a deregister call for each service checks even after the service has been deregistered. With ACLs enabled this results in logs like: "message:consul: "Catalog.Deregister" RPC failed to server server_ip:8300: rpc error making call: rpc error making call: Unknown check 'check_id'" This change removes associated checks from the agent state when deregistering a service, which results in less calls to the servers and supresses the error logs.	5 years ago
Matej Urbas	ce023359fe	agent: configurable MaxQueryTime and DefaultQueryTime. (#3777 )	5 years ago
Freddy	e635b24215	Update force-leave ACL requirement to operator:write (#7033 )	5 years ago
Matt Keeler	663cf1e9a8	AuthMethod updates to support alternate namespace logins (#7029 )	5 years ago
Matt Keeler	8bd34e126f	Intentions ACL enforcement updates (#7028 ) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.	5 years ago
Pierre Souchay	3bf2e640c7	rpc: log method when a server/server RPC call fails (#4548 ) Sometimes, we have lots of errors in cross calls between DCs (several hundreds / sec) Enrich the log in order to help diagnose the root cause of issue.	5 years ago
Matt Keeler	27f49eede9	Move where the service-resolver watch is done so that it happen… (#7025 ) Before we were issuing 1 watch for every service in the services listing which would have caused the agent to process many more identical events simultaneously.	5 years ago
R.B. Boyer	10f04a8c4a	connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index (#7011 )	5 years ago
R.B. Boyer	50c879923c	connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison (#7012 ) Fixes #6886	5 years ago
Matt Keeler	fa2003d7cb	Move Session.CheckIDs into OSS only code. (#6993 )	5 years ago
hashicorp-ci	5e45e3470b	update bindata_assetfs.go	5 years ago
R.B. Boyer	abb1603a86	Restore a few more service-kind index updates so blocking in ServiceDump works in more cases (#6948 ) Restore a few more service-kind index updates so blocking in ServiceDump works in more cases Namely one omission was that check updates for dumped services were not unblocking. Also adds a ServiceDump state store test and also fix a watch bug with the normal dump. Follow-on from #6916	5 years ago
Matt Keeler	a78f7d7a34	OSS changes for implementing token based namespace inferencing remove debug log	5 years ago
Matt Keeler	be9ba707ba	Unflake the TestACLEndpoint_TokenList test In order to do this I added a waitForLeaderEstablishment helper which does the right thing to ensure that leader establishment has finished. fixup	5 years ago
Matt Keeler	80d13d500b	Miscellaneous acl package cleanup • Renamed EnterpriseACLConfig to just Config • Removed chained_authorizer_oss.go as it was empty • Renamed acl.go to errors.go to more closely describe its contents	5 years ago
Matt Keeler	0b346616e9	Rename EnterpriseAuthorizerContext -> AuthorizerContext	5 years ago
Matt Keeler	3faee222f2	OSS changes to allow for parsing the enterprise DNS config prop… (#6959 )	5 years ago
Preetha	c47dbffe1c	autopilot: fix dead server removal condition to use correct failure tolerance (#4017 ) * Make dead server removal condition in autopilot use correct failure tolerance rules * Introduce func with explanation	5 years ago
Wim	4f5d5020b8	dns: fix memoryleak by upgrading outdated miekg/dns (#6748 ) * Add updated github.com/miekg/dns to go modules * Add updated github.com/miekg/dns to vendor * Fix github.com/miekg/dns api breakage * Decrease size when trimming UDP packets Need more room for the header(?), if we don't decrease the size we get an "overflow unpacking uint32" from the dns library * Fix dns truncate tests with api changes * Make windows build working again. Upgrade x/sys and x/crypto and vendor This upgrade is needed because of API breakage in x/sys introduced by the minimal x/sys dependency of miekg/dns This API breakage has been fixed in commit `855e68c859`	5 years ago
Hans Hasselberg	7d0f72c60a	acl: use constant time comparing to check token (#6943 )	5 years ago
Matt Keeler	9d801d1dc2	ui: feature support templating for index.html (#6921 )	5 years ago
hashicorp-ci	aca92ad58f	update bindata_assetfs.go	5 years ago
Matt Keeler	e81e338260	Fix blocking for ServiceDumping by kind (#6919 )	5 years ago
Matt Keeler	5934f803bf	Sync of OSS changes to support namespaces (#6909 )	5 years ago
rerorero	34649b8820	[ci] fix: go-fmt fails on master branch (#6906 )	5 years ago
Matt Keeler	2343413bf0	Fix the TestAPI_CatalogRegistration test	5 years ago
Hans Hasselberg	9ff69194a2	tls: auto_encrypt and verify_incoming (#6811 ) (#6899 ) * relax requirements for auto_encrypt on server * better error message when auto_encrypt and verify_incoming on * docs: explain verify_incoming on Consul clients.	5 years ago
Hans Hasselberg	2ad0831b34	agent: fewer file local differences between enterprise and oss (#6820 ) (#6898 ) * Increase number to test ignore. Consul Enterprise has more flags and since we are trying to reduce the differences between both code bases, we are increasing the number in oss. The semantics don't change, it is just a cosmetic thing. * Introduce agent.initEnterprise for enterprise related hooks. * Sync test with ent version. * Fix import order. * revert error wording.	5 years ago
Matt Keeler	8f0ab0129e	Miscellaneous Fixes (#6896 ) Ensure we close the Sentinel Evaluator so as not to leak go routines Fix a bunch of test logging so that various warnings when starting a test agent go to the ltest logger and not straight to stdout. Various canned ent meta types always return a valid pointer (no more nils). This allows us to blindly deref + assign in various places. Update ACL index tracking to ensure oss -> ent upgrades will work as expected. Update ent meta parsing to include function to disallow wildcarding.	5 years ago
Matt Keeler	a704ebe639	Add Namespace support to the API module and the CLI commands (#6874 ) Also update the Docs and fixup the HTTP API to return proper errors when someone attempts to use Namespaces with an OSS agent. Add Namespace HTTP API docs Make all API endpoints disallow unknown fields	5 years ago
Matt Keeler	deb91f3d3c	[Feature] API: Add a internal endpoint to query for ACL authori… (#6888 ) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.	5 years ago
Matt Keeler	c05ab15485	Fix the TestLeader_SecondaryCA_IntermediateRefresh test flakine… (#6885 ) Fix the TestLeader_SecondaryCA_IntermediateRefresh test flakiness	5 years ago
Hans Hasselberg	f457cfa965	tests: increase TLSHandshakeTimeout to help slow tests (#6864 ) Fixes https://github.com/hashicorp/consul/issues/6858.	5 years ago
Matt Keeler	71b1c9cc3c	Fix the TestLeader_SecondaryCA_IntermediateRefresh test flakiness	5 years ago
Mike Morris	66b8c20990	Bump go-discover to support EC2 Metadata Service v2 (#6865 ) Refs https://github.com/hashicorp/go-discover/pull/128 * deps: add replace directive for gocheck Transitive dep, source at https://launchpad.net/gocheck indicates project moved. This also avoids a dependency on bzr when fetching modules. Refs https://github.com/hashicorp/consul/pull/6818 * deps: make update-vendor * test: update retry-join expected names from go-discover	5 years ago
Chris Piraino	f3b54fa535	Allow configuration of upstream connection limits in Envoy (#6829 ) * Adds 'limits' field to the upstream configuration of a connect proxy This allows a user to configure the envoy connect proxy with 'max_connections', 'max_queued_requests', and 'max_concurrent_requests'. These values are defined in the local proxy on a per-service instance basis and should thus NOT be thought of as a global-level or even service-level value.	5 years ago
Matt Keeler	be8fd29052	Fix dns service SRV lookup when service address is a fqdn (#6792 ) Fix dns service SRV lookup when service address is a fqdn	5 years ago
Sarah Adams	aed5cb7669	give feedback to CLI user on forceleave command if node does not exist (#6841 )	5 years ago
R.B. Boyer	2011f3d7dc	xds: mesh gateway CDS requests are now allowed to receive an empty CDS reply (#6787 ) This is the rest of the fix for #6543 that was incompletely fixed in #6576.	5 years ago
Matt Keeler	b069d6777b	OSS KV Modifications to Support Namespaces	5 years ago
Matt Keeler	7b471f6bf8	OSS Modifications necessary for sessions namespacing	5 years ago
Paul Banks	cd1b613352	connect: Add AWS PCA provider (#6795 ) * Update AWS SDK to use PCA features. * Add AWS PCA provider * Add plumbing for config, config validation tests, add test for inheriting existing CA resources created by user * Unparallel the tests so we don't exhaust PCA limits * Merge updates * More aggressive polling; rate limit pass through on sign; Timeout on Sign and CA create * Add AWS PCA docs * Fix Vault doc typo too * Doc typo * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> * Doc fixes; tests for erroring if State is modified via API * More review cleanup * Uncomment tests! * Minor suggested clean ups	5 years ago
Chris Piraino	7d4d416a4d	test: unflake two TestHealthServiceNode_* tests Replaces WaitForLeader with WaitForTestAgent. This waits to make sure that the node itself is correctly registered in the catalog before attempting additional registrations.	5 years ago
Chris Piraino	b437b53d55	test: unflake TestDNS_ServiceLookup_WanTranslation Use retry.R struct to check length of WANMembers so that retries can work appropriately.	5 years ago
Chris Piraino	3fb7101fa9	test: unflake TestCatalogServiceNodes_DistanceSort Remove a time.Sleep and replace with retry.Run around call to CatalogServiceNodes.	5 years ago
Paul Banks	d7329097b2	Change CA Configure struct to pass Datacenter through (#6775 ) * Change CA Configure struct to pass Datacenter through * Remove connect/ca/plugin as we don't have immediate plans to use it. We still intend to one day but there are likely to be several changes to the CA provider interface before we do so it's better to rebuild from history when we do that work properly. * Rename PrimaryDC; fix endpoint in secondary DCs	5 years ago
Matt Keeler	c343d90304	Finish the comment	5 years ago
Matt Keeler	8f1f15a827	Track the correct check id for idempotent service/check updates	5 years ago
Nicolas Benoit	0e9a2e5bd0	Fix dns service SRV lookup when service address is a fqdn Refactor dns to have same behavior between A and SRV. Current implementation returns the node name instead of the service address. With this fix when querying for SRV record service address is return in the SRV record. And when performing a simple dns lookup it returns a CNAME to the service address.	5 years ago
Paul Banks	b621910618	Support Connect CAs that can't cross sign (#6726 ) * Support Connect CAs that can't cross sign * revert spurios mod changes from make tools * Add log warning when forcing CA rotation * Fixup SupportsCrossSigning to report errors and work with Plugin interface (fixes tests) * Fix failing snake_case test * Remove misleading comment * Revert "Remove misleading comment" This reverts commit bc4db9cabed8ad5d0e39b30e1fe79196d248349c. * Remove misleading comment * Regen proto files messed up by rebase	5 years ago
Paul Banks	45d57ca601	connect: Allow CA Providers to store small amount of state (#6751 ) * pass logger through to provider * test for proper operation of NeedsLogger * remove public testServer function * Ooops actually set the logger in all the places we need it - CA config set wasn't and causing segfault * Fix all the other places in tests where we set the logger * Allow CA Providers to persist some state * Update CA provider plugin interface * Fix plugin stubs to match provider changes * Update agent/connect/ca/provider.go Co-Authored-By: R.B. Boyer <rb@hashicorp.com> * Cleanup review comments	5 years ago
Todd Radel	29b5253154	connect: Implement NeedsLogger interface for CA providers (#6556 ) * add NeedsLogger to Provider interface * implements NeedsLogger in default provider * pass logger through to provider * test for proper operation of NeedsLogger * remove public testServer function * Switch test to actually assert on logging output rather than reflection. --amend * Ooops actually set the logger in all the places we need it - CA config set wasn't and causing segfault * Fix all the other places in tests where we set the logger * Add TODO comment	5 years ago
Todd Radel	54f92e2924	Make all Connect Cert Common Names valid FQDNs (#6423 )	5 years ago
Matt Keeler	ff8157fb51	Fill the Authz Context with a Sentinel Scope (#6729 )	5 years ago
Matt Keeler	ab5a05f71d	Fix type name (#6728 )	5 years ago
Matt Keeler	825e19bc5f	Add DirEntry method to fill enterprise authz context	5 years ago
Matt Keeler	d491a3a9d5	Miscellaneous fixes (#6727 )	5 years ago
Ferenc Fabian	c90e838495	Case sensitive Authorization header with lower-cased scheme in… (#6724 )	5 years ago
Paul Banks	87699eca2f	Fix support for RSA CA keys in Connect. (#6638 ) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com>	5 years ago
Matt Keeler	5d687ce6a9	Fix the Synthetic Policy Tests (#6715 )	5 years ago
Matt Keeler	d554f77d0d	Add hook for validating the enterprise meta attached to a reque… (#6695 )	5 years ago
Matt Keeler	16c7ce8b4c	Add note about RPC multiplexing and TLS content type mutual exc… (#6698 )	5 years ago
Matt Keeler	8ac79d0b8b	PreVerify acl:read access for listing endpoints (#6696 ) We still will need to filter results based on the authorizer too but this helps to give an early 403.	5 years ago
Sarah Adams	78ad8203a4	Use encoding/json as JSON decoder instead of mapstructure (#6680 ) Fixes #6147	5 years ago
Sarah Christoff	5e1c6e907b	Set MinQuorum variable in Autopilot (#6654 ) * Add MinQuorum to Autopilot	5 years ago
Matt Keeler	66d138f35e	More Replication Abstractions (#6689 ) Also updated ACL replication to use a function to fill in the desired enterprise meta for all remote listing RPCs.	5 years ago
Matt Keeler	440f6ea17a	Ensure that cache entries for tokens are prefixed “token-secret… (#6688 ) This will be necessary once we store other types of identities in here.	5 years ago
Matt Keeler	79f78632e1	Update the ACL Resolver to allow for Consul Enterprise specific hooks. (#6687 )	5 years ago
Matt Keeler	e4ea9b0a96	Updates to allow for Namespacing ACL resources in Consul Enterp… (#6675 ) Main Changes: • method signature updates everywhere to account for passing around enterprise meta. • populate the EnterpriseAuthorizerContext for all ACL related authorizations. • ACL resource listings now operate like the catalog or kv listings in that the returned entries are filtered down to what the token is allowed to see. With Namespaces its no longer all or nothing. • Modified the acl.Policy parsing to abstract away basic decoding so that enterprise can do it slightly differently. Also updated method signatures so that when parsing a policy it can take extra ent metadata to use during rules validation and policy creation. Secondary Changes: • Moved protobuf encoding functions out of the agentpb package to eliminate circular dependencies. • Added custom JSON unmarshalers for a few ACL resource types (to support snake case and to get rid of mapstructure) • AuthMethod validator cache is now an interface as these will be cached per-namespace for Consul Enterprise. • Added checks for policy/role link existence at the RPC API so we don’t push the request through raft to have it fail internally. • Forward ACL token delete request to the primary datacenter when the secondary DC doesn’t have the token. • Added a bunch of ACL test helpers for inserting ACL resource test data.	5 years ago
Sarah Adams	0c9487ae72	regression tests for existing agent/ decoding behavior (#6624 ) tests for existing JSON decoding behavior	5 years ago
rerorero	86c8e48dd9	fix: incorrect struct tag and WaitGroup usage (#6649 ) * remove duplicated json tag * fix: incorrect wait group usage	5 years ago
R.B. Boyer	97aa050c20	agent: allow mesh gateways to initialize even if there are no connect services registered yet (#6576 ) Fixes #6543 Also improved some of the proxycfg tests to cover snapshot validity better.	5 years ago
R.B. Boyer	8dcba472a2	xds: tcp services using the discovery chain should not assume RDS during LDS (#6623 ) Previously the logic for configuring RDS during LDS for L7 upstreams was overapplied to TCP proxies resulting in a cluster name of <emptystring> being used incorrectly. Fixes #6621	5 years ago
Freddy	60f6ec0c2f	Store check type in catalog (#6561 )	5 years ago
R.B. Boyer	de6ce5b1d9	server: ensure the primary dc and ACL dc match (#6634 ) This is mostly a sanity check for server tests that skip the normal config builder equivalent fixup.	5 years ago
R.B. Boyer	3aeb740430	unflake TestLeader_SecondaryCA_Initialize (#6631 )	5 years ago
R.B. Boyer	e6bfcb0ca8	fix flaky multidc acl tests that failed to wait for token replication (#6628 ) If acls have not yet replicated to the secondary then authz requests will be remotely resolved by the primary. Now these tests explicitly wait until replication has caught up first.	5 years ago
R.B. Boyer	040f47c46e	appease the retry linter (#6629 )	5 years ago
Paul Banks	d7aa425339	Allow time for secondary CA to initialize (#6627 )	5 years ago
Matt Keeler	973341a592	ACL Authorizer overhaul (#6620 ) * ACL Authorizer overhaul To account for upcoming features every Authorization function can now take an extra acl.EnterpriseAuthorizerContext. These are unused in OSS and will always be nil. Additionally the acl package has received some thorough refactoring to enable all of the extra Consul Enterprise specific authorizations including moving sentinel enforcement into the stubbed structs. The Authorizer funcs now return an acl.EnforcementDecision instead of a boolean. This improves the overall interface as it makes multiple Authorizers easily chainable as they now indicate whether they had an authoritative decision or should use some other defaults. A ChainedAuthorizer was added to handle this Authorizer enforcement chain and will never itself return a non-authoritative decision. Include stub for extra enterprise rules in the global management policy * Allow for an upgrade of the global-management policy	5 years ago
PHBourquin	039615641e	Checks to passing/critical only after reaching a consecutive success/failure threshold (#5739 ) A check may be set to become passing/critical only if a specified number of successive checks return passing/critical in a row. Status will stay identical as before until the threshold is reached. This feature is available for HTTP, TCP, gRPC, Docker & Monitor checks.	5 years ago
Sarah Christoff	194f5740ce	ui_content_path config option fix (#6601 ) * fix ui-content-path config option	5 years ago
Hans Hasselberg	b6499fe6b8	Do not surface left servers (#6420 ) * do not surface left servers in catalog	5 years ago
R.B. Boyer	6439af86eb	agent: clients should only attempt to remove pruned nodes once per call (#6591 )	5 years ago
Sarah Christoff	5e26971864	Prune Unhealthy Agents (#6571 ) * Add -prune flag to ForceLeave	5 years ago
R.B. Boyer	06ca8cd2d7	agent: updates to the agent token trigger anti-entropy full syncs (#6577 )	5 years ago
Matt Keeler	d65bbbfd4e	Implement Leader Routine Management (#6580 ) * Implement leader routine manager Switch over the following to use it for go routine management: • Config entry Replication • ACL replication - tokens, policies, roles and legacy tokens • ACL legacy token upgrade • ACL token reaping • Intention Replication • Secondary CA Roots Watching • CA Root Pruning Also added the StopAll call into the Server Shutdown method to ensure all leader routines get killed off when shutting down. This should be mostly unnecessary as `revokeLeadership` should manually stop each one but just in case we really want these to go away (eventually).	5 years ago
Matt Keeler	28221f66f2	Use encoding/json instead of jsonpb even for protobuf types (#6572 ) This only works so long as we use simplistic protobuf types. Constructs such as oneof or Any types that require type annotations for decoding properly will fail hard but that is by design. If/when we want to use any of that we will probably need to consider a v2 API.	5 years ago
Matt Keeler	fc4bcfd81f	Add EnterpriseConfig stubs (#6566 )	5 years ago
Matt Keeler	abed91d069	Generate JSON and Binary Marshalers for Protobuf Types (#6564 ) * Add JSON and Binary Marshaler Generators for Protobuf Types * Generate files with the correct version of gogo/protobuf I have pinned the version in the makefile so when you run make tools you get the right version. This pulls the version out of go.mod so it should remain up to date. The version at the time of this commit we are using is v1.2.1 * Fixup some shell output * Update how we determine the version of gogo This just greps the go.mod file instead of expecting the go mod cache to already be present * Fixup vendoring and remove no longer needed json encoder functions	5 years ago
John Cowen	b3b32dc0f6	ui: UI Release Merge (ui-staging merge) (#6527 ) ## HTTPAdapter (#5637) ## Ember upgrade 2.18 > 3.12 (#6448) ### Proxies can no longer get away with not calling _super This means that we can't use create anymore to define dynamic methods. Therefore we dynamically make 2 extended Proxies on demand, and then create from those. Therefore we can call _super in the init method of the extended Proxies. ### We aren't allowed to reset a service anymore We never actually need to now anyway, this is a remnant of the refactor from browser based confirmations. We fix it as simply as possible here but will revisit and remove the old browser confirm functionality at a later date ### Revert classes to use ES5 style to workaround babel transp. probs Using a mixture of ES6 classes (and hence super) and arrow functions means that when babel transpiles the arrow functions down to ES5, a reference to this is moved before the call to super, hence causing a js error. Furthermore, we the testing environment no longer lets use use apply/call on the constructor. These errors only manifests during testing (only in the testing environment), the application itself runs fine with no problems without this change. Using ES5 style class definitions give us freedom to do all of the above without causing any errors, so we reverted these classes back to ES5 class definitions ### Skip test that seems to have changed due to a change in RSVP timing This test tests a usecase/area of the API that will probably never ever be used, it was more testing out the API. We've skipped the test for now as this doesn't affect the application itself, but left a note to come back here later to investigate further ### Remove enumerableContentDidChange Initial testing looks like we don't need to call this function anymore, the function no longer exists ### Rework Changeset.isSaving to take into account new ember APIs Setting/hanging a computedProperty of an instantiated object no longer works. Move to setting it on the prototype/class definition instead ### Change how we detect whether something requires listening New ember API's have changed how you can detect whether something is a computedProperty or not. It's not immediately clear if its even possible now. Therefore we change how we detect whether something should be listened to or not by just looking for presence of `addEventListener` ### Potentially temporary change of ci test scripts to ensure deps exist All our tooling scripts run through a Makefile (for people familiar with only using those), which then call yarn scripts which can be called independently (for people familar with only using yarn). The Makefile targets always check to make sure all the dependencies are installed before running anything that requires them (building, testing etc). The CI scripts/targets didn't follow this same route and called the yarn scripts directly (usually CI builds a cache of the dependencies first). For some reason this cache isn't doing what it usually does, and it looks as though, in CI, ember isn't installed. This commit makes the CI scripts consistently use the same method as all of the other tooling scripts (Makefile target > Install Deps if required > call yarn script). This should install the dependencies if for some reason the CI cache building doesn't complete/isn't successful. Potentially this commit may be reverted if, the root of the problem is elsewhere, although consistency is always good, so it might be a good idea to leave this commit as is even if we need to debug and fix things elsewhere. ### Make test-parallel consistent with the rest of the tooling scripts As we are here making changes for CI purposes (making test-ci consistent), we spotted that test-parallel is also inconsistent and also the README manual instructions won't work without `ember` installed globally. This commit makes everything consistent and changes the manual instructions to use the local ember instance that gets installed via yarn ### Re-wrangle catchable to fit with new ember 3.12 APIs In the upgrade from ember 3.8 > 3.12 the public interfaces for ComputedProperties have changed slightly. `meta` is no longer a public property of ComputedProperty but of a ComputedDecoratorImpl mixin instead. `7e4ba1096e/packages/%40ember/-internals/metal/lib/computed.ts (L725)` There seems to be no way, by just using publically available methods, to replicate this behaviour so that we can create our own 'ComputedProperty` factory via injecting the ComputedProperty class as we did previously. `3f333bada1/ui-v2/app/utils/computed/factory.js (L1-L18)` Instead we dynamically hang our `Catchable` `catch` method off the instantiated ComputedProperty. In doing it like this `ComputedProperty` has already has its `meta` method mixed in so we don't have to manually mix it in ourselves (which doesn't seem possible) This functionality is only used during our work in trying to ensure our EventSource/BlockingQuery work was as 'ember-like' as possible (i.e. using the traditional Route.model hooks and ember-like Controller properties). Our ongoing/upcoming work on a componentized approach to data a.k.a `<DataSource />` means we will be able to remove the majority of the code involved here now that it seems to be under an amount of flux in ember. ### Build bindata_assetfs.go with new UI changes	5 years ago
Matt Keeler	923d8671a4	Add support for parameterizing the ACL config used with a TestA… (#6559 ) * Add support for parameterizing the ACL config used with a TestAgent Using tokens that are UUIDs will get rid of some warnings * Refactor to allow setting all tokens and change the template to ignore unset values.	5 years ago
R.B. Boyer	c4b92d5534	connect: connect CA Roots in secondary datacenters should use a SigningKeyID derived from their local intermediate (#6513 ) This fixes an issue where leaf certificates issued in secondary datacenters would be reissued very frequently (every ~20 seconds) because the logic meant to detect root rotation was errantly triggering because a hash of the ultimate root (in the primary) was being compared against a hash of the local intermediate root (in the secondary) and always failing.	5 years ago
R.B. Boyer	9566df524e	agent: cache notifications work after error if the underlying RPC returns index=1 (#6547 ) Fixes #6521 Ensure that initial failures to fetch an agent cache entry using the notify API where the underlying RPC returns a synthetic index of 1 correctly recovers when those RPCs resume working. The bug in the Cache.notifyBlockingQuery used to incorrectly "fix" the index for the next query from 0 to 1 for all queries, when it should have not done so for queries that errored. Also fixed some things that made debugging difficult: - config entry read/list endpoints send back QueryMeta headers - xds event loops don't swallow the cache notification errors	5 years ago
Matt Keeler	76cf54068b	Expand the QueryOptions and QueryMeta interfaces (#6545 ) In a previous PR I made it so that we had interfaces that would work enough to allow blockingQueries to work. However to complete this we need all fields to be settable and gettable. Notes: • If Go ever gets contracts/generics then we could get rid of all the Getters/Setters • protoc / protoc-gen-gogo are going to generate all the getters for us. • I copied all the getters/setters from the protobuf funcs into agent/structs/protobuf_compat.go • Also added JSON marshaling funcs that use jsonpb for protobuf types.	5 years ago
Freddy	fdd10dd8b8	Expose HTTP-based paths through Connect proxy (#6446 ) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.	5 years ago
R.B. Boyer	5882e21b2b	agent: tolerate more failure scenarios during service registration with central config enabled (#6472 ) Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.	5 years ago
Matt Keeler	100ebd63f9	Allow for enterprise only leader routines (#6533 ) Eventually I am thinking we may need a way to register these at different priority levels but for now sticking this here is fine	5 years ago
R.B. Boyer	af01d397a5	connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492 ) The fields in the certs are meant to hold the original binary representation of this data, not some ascii-encoded version. The only time we should be colon-hex-encoding fields is for display purposes or marshaling through non-TLS mediums (like RPC).	5 years ago
R.B. Boyer	796de297c8	connect: intermediate CA certs generated with the vault provider lack URI SANs (#6491 ) This only affects vault versions >=1.1.1 because the prior code accidentally relied upon a bug that was fixed in https://github.com/hashicorp/vault/pull/6505 The existing tests should have caught this, but they were using a vendored copy of vault version 0.10.3. This fixes the tests by running an actual copy of vault instead of an in-process copy. This has the added benefit of changing the dependency on vault to just vault/api. Also update VaultProvider to use similar SetIntermediate validation code as the ConsulProvider implementation.	5 years ago
Matt Keeler	51dcd126b7	Add support for implementing new requests with protobufs instea… (#6502 ) * Add build system support for protobuf generation This is done generically so that we don’t have to keep updating the makefile to add another proto generation. Note: anything not in the vendor directory and with a .proto extension will be run through protoc if the corresponding namespace.pb.go file is not up to date. If you want to rebuild just a single proto file you can do so with: make proto-rebuild PROTOFILES=<list of proto files to rebuild> Providing the PROTOFILES var will override the default behavior of finding all the .proto files. * Start adding types to the agent/proto package These will be needed for some other work and are by no means comprehensive. * Add ability to resolve/fixup the agentpb.ACLLinks structure in the state store. * Use protobuf marshalling of raft requests instead of msgpack for protoc generated types. This does not change any encoding of existing types. * Removed structs package automatically encoding with protobuf marshalling Instead the caller of raftApply that wants to opt-in to protobuf encoding will have to call `raftApplyProtobuf` * Run update-vendor to fixup modules.txt Nothing changed as far as dependencies go but the ordering of modules in that file depends on the time they are first seen and its not alphabetical. * Rename some things and implement the structs.RPCInfo interface bits agentpb.QueryOptions and agentpb.WriteRequest implement 3 of the 4 RPCInfo funcs and the new TargetDatacenter message type implements the fourth. * Use the right encoding function. * Renamed agent/proto package to agent/agentpb to prevent package name conflicts * Update modules.txt to fix ordering * Change blockingQuery to take in interfaces for the query options and meta * Add %T to error output. * Add/Update some comments	5 years ago
R.B. Boyer	f9496dc627	sdk: add freelist tracking and ephemeral port range skipping to freeport This should cut down on test flakiness. Problems handled: - If you had enough parallel test cases running, the former circular approach to handling the port block could hand out the same port to multiple cases before they each had a chance to bind them, leading to one of the two tests to fail. - The freeport library would allocate out of the ephemeral port range. This has been corrected for Linux (which should cover CI). - The library now waits until a formerly-in-use port is verified to be free before putting it back into circulation.	5 years ago
R.B. Boyer	7ccaa13514	fix typo of 'unknown' in log messages	5 years ago
R.B. Boyer	20eb0d3e94	cache: remove data race in agent cache In normal operations there is a read/write race related to request QueryOptions fields. An example race: WARNING: DATA RACE Read at 0x00c000836950 by goroutine 30: github.com/hashicorp/consul/agent/structs.(ServiceConfigRequest).CacheInfo() /go/src/github.com/hashicorp/consul/agent/structs/config_entry.go:506 +0x109 github.com/hashicorp/consul/agent/cache.(Cache).getWithIndex() /go/src/github.com/hashicorp/consul/agent/cache/cache.go:262 +0x5c github.com/hashicorp/consul/agent/cache.(Cache).notifyBlockingQuery() /go/src/github.com/hashicorp/consul/agent/cache/watch.go:89 +0xd7 Previous write at 0x00c000836950 by goroutine 147: github.com/hashicorp/consul/agent/cache-types.(ResolvedServiceConfig).Fetch() /go/src/github.com/hashicorp/consul/agent/cache-types/resolved_service_config.go:31 +0x219 github.com/hashicorp/consul/agent/cache.(*Cache).fetch.func1() /go/src/github.com/hashicorp/consul/agent/cache/cache.go:495 +0x112 This patch does a lightweight copy of the request struct so that the embedded QueryOptions fields that are mutated during Fetch() are scoped to just that one RPC.	5 years ago
hashicorp-ci	4f499a8044	update bindata_assetfs.go	5 years ago
Hans Hasselberg	4a20efda9b	agent: handleEnterpriseLeave (#6453 )	5 years ago
R.B. Boyer	a86e63f81e	test: actually wait for the TestAgent to be fully shutdown (#6441 )	5 years ago
Sarah Adams	001137e5e5	test: ensure all TestAgent constructions use a constructor (#6443 ) ensure all TestAgent constructions use a constructor to get start retries + test logs going to the right place Fixes #6435	5 years ago
Sarah Adams	74461406e0	remove funky panic/recover in agent tests (#6442 )	5 years ago
Sarah Adams	4ed5515fca	refactor & add better retry logic to NewTestAgent (#6363 ) Fixes #6361	5 years ago
Pierre Souchay	be50400c62	Distinguish between DC not existing and not being available (#6399 )	5 years ago
Aestek	7c7b7f24fd	Add option to register services and their checks idempotently (#4905 )	5 years ago
Sarah Adams	9f4b329b6d	txn: don't try to decode request bodies > raft.SuggestedMaxDataSize (#6422 ) txn: don't try to decode request bodies > raft.SuggestedMaxDataSize	5 years ago
Matt Keeler	42d608587f	Store primaries root in secondary after intermediate signature (#6333 ) * Store primaries root in secondary after intermediate signature This ensures that the intermediate exists within the CA root stored in raft and not just in the CA provider state. This has the very nice benefit of actually outputting the intermediate cert within the ca roots HTTP/RPC endpoints. This change means that if signing the intermediate fails it will not set the root within raft. So far I have not come up with a reason why that is bad. The secondary CA roots watch will pull the root again and go through all the motions. So as soon as getting an intermediate CA works the root will get set. * Make TestAgentAntiEntropy_Check_DeferSync less flaky I am not sure this is the full fix but it seems to help for me.	5 years ago
R.B. Boyer	7deaba63e1	test: ensure the node name is a valid dns name (#6424 ) The space in the node name was making every test emit a useless warning.	5 years ago
R.B. Boyer	3be88df207	test: explicitly run the pprof tests for 1s instead of the 30s default (#6421 )	5 years ago
R.B. Boyer	d979d8c239	test: add additional http status code assertions in coordinate HTTP API tests (#6410 ) When this test flakes sometimes this happens: --- FAIL: TestCoordinate_Node (1.69s) panic: interface conversion: interface {} is nil, not structs.Coordinates [recovered] FAIL github.com/hashicorp/consul/agent 19.999s Exit code: 1 panic: interface conversion: interface {} is nil, not structs.Coordinates [recovered] panic: interface conversion: interface {} is nil, not structs.Coordinates There is definitely a bug lurking, but the code seems to imply this can only return nil on 404. The tests previously were not checking the status code. The underlying cause of the flake is unknown, but this should turn the failure into a more normal test failure.	5 years ago
Pierre Souchay	58f04815d5	Display IPs of machines when node names conflict to ease troubleshooting When there is an node name conflicts, such messages are displayed within Consul: `consul.fsm: EnsureRegistration failed: failed inserting node: Error while renaming Node ID: "e1d456bc-f72d-98e5-ebb3-26ae80d785cf": Node name node001 is reserved by node 05f10209-1b9c-b90c-e3e2-059e64556d4a with name node001` While it is easy to find the node that has reserved the name, it is hard to find the node trying to aquire the name since it is not registered, because it is not part of `consul members` output This PR will display the IP of the offender and solve far more easily those issues.	5 years ago
Alvin Huang	c516fabfac	revert commits on master (#6413 )	5 years ago
tradel	5a22b77340	update tests to match new method signatures	5 years ago
tradel	1ff46f3f0a	confi\gure providers with DC and domain	5 years ago
tradel	5ba28a6a7b	create a common name for autoTLS agent certs	5 years ago
tradel	9b1ac4e7ef	add subject names to issued certs	5 years ago
tradel	7f36a5b676	construct a common name for each CSR	5 years ago
tradel	672e181399	add serviceID to leaf cert request	5 years ago
tradel	a4312d2e6e	add domain and nodeName to agent cert request	5 years ago
tradel	82ae7caf3e	Added DC and domain args to Configure method	5 years ago
R.B. Boyer	b962fe38cd	test: send testagent logs through testing.Logf (#6411 )	5 years ago
R.B. Boyer	91da908d2f	test: fix TestAgent.Start() to not segfault if the DNSServer cannot ListenAndServe (#6409 ) The embedded `Server` field on a `DNSServer` is only set inside of the `ListenAndServe` method. If that method fails for reasons like the address being in use and is not bindable, then the `Server` field will not be set and the overall `Agent.Start()` will fail. This will trigger the inner loop of `TestAgent.Start()` to invoke `ShutdownEndpoints` which will attempt to pretty print the DNS servers using fields on that inner `Server` field. Because it was never set, this causes a nil pointer dereference and crashes the test.	5 years ago
Alvin Huang	0be1531d80	add nil pointer check for pointer to ACLToken struct (#6407 )	5 years ago
Hans Hasselberg	d051342902	make sure auto_encrypt has private key type and bits (#6392 )	5 years ago
Hans Hasselberg	faa54ab989	auto_encrypt: verify_incoming_rpc is good enough for auto_encrypt.allow_tls (#6376 ) Previously `verify_incoming` was required when turning on `auto_encrypt.allow_tls`, but that doesn't work together with HTTPS UI in some scenarios. Adding `verify_incoming_rpc` to the allowed configurations.	5 years ago
R.B. Boyer	7bc941575c	test: don't leak agent goroutines in TestAgent_sidecarServiceFromNodeService (#6396 ) A goroutine dump using runtime.Stack() before/after shows a drop from 121 => 4.	5 years ago
Hans Hasselberg	f3def8c0d0	make sure auto_encrypt has private key type and bits	5 years ago
hashicorp-ci	3757cb6a96	update bindata_assetfs.go	5 years ago
R.B. Boyer	cc9a6f7993	Merge pull request #6388 from hashicorp/release/1-6 merging release/1-6 into master	5 years ago
Matt Keeler	cbd1857186	Secondary CA `establishLeadership` fix (#6383 ) This prevents ACL issues (or other issues) during intermediate CA cert signing from failing leader establishment.	5 years ago
Hans Hasselberg	3e46352ccb	auto_encrypt: use server-port (#6287 ) AutoEncrypt needs the server-port because it wants to talk via RPC. Information from gossip might not be available at that point and thats why the server-port is being used.	5 years ago
R.B. Boyer	dfcdc41ef8	connect: allow 'envoy_cluster_json' escape hatch to continue to function (#6378 )	5 years ago
R.B. Boyer	7a6faccf2f	docs: document how envoy escape hatches work with the discovery chain (#6350 ) - Bootstrap escape hatches are OK. - Public listener/cluster escape hatches are OK. - Upstream listener/cluster escape hatches are not supported. If an unsupported escape hatch is configured and the discovery chain is activated log a warning and act like it was not configured. Fixes #6160	5 years ago
Matt Keeler	0c3cf47266	Ensure that config entry writes are forwarded to the primary DC (#6339 )	5 years ago
R.B. Boyer	fd1c62ee8b	connect: ensure time.Duration fields retain their human readable forms in the API (#6348 ) This applies for both config entries and the compiled discovery chain. Also omit some other config entries fields when empty.	5 years ago
R.B. Boyer	561b2fe606	connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340 )	5 years ago
R.B. Boyer	ae79cdab1b	connect: introduce ExternalSNI field on service-defaults (#6324 ) Compiling this will set an optional SNI field on each DiscoveryTarget. When set this value should be used for TLS connections to the instances of the target. If not set the default should be used. Setting ExternalSNI will disable mesh gateway use for that target. It also disables several service-resolver features that do not make sense for an external service.	5 years ago
R.B. Boyer	1a485011d0	connect: updating a service-defaults config entry should leave an unset protocol alone (#6342 ) If the entry is updated for reasons other than protocol it is surprising that the value is explicitly persisted as 'tcp' rather than leaving it empty and letting it fall back dynamically on the proxy-defaults value.	5 years ago
Matt Keeler	318b9ebbe3	Filter out left/leaving serf members when determining if new AC… (#6332 )	5 years ago
R.B. Boyer	72207256b9	xds: improve how envoy metrics are emitted (#6312 ) Since generated envoy clusters all are named using (mostly) SNI syntax we can have envoy read the various fields out of that structure and emit it as stats labels to the various telemetry backends. I changed the delimiter for the 'customization hash' from ':' to '~' because ':' is always reencoded by envoy as '_' when generating metrics keys.	5 years ago
R.B. Boyer	3975cb89bf	agent: blocking central config RPCs iterations should not interfere with each other (#6316 )	5 years ago
hashicorp-ci	d7bb2bbee4	update bindata_assetfs.go	5 years ago
hashicorp-ci	5919c7c184	Merge Consul OSS branch 'master' at commit `8f7586b339`	5 years ago
Sarah Adams	8ff1f481fe	add flag to allow /operator/keyring requests to only hit local servers (#6279 ) Add parameter local-only to operator keyring list requests to force queries to only hit local servers (no WAN traffic). HTTP API: GET /operator/keyring?local-only=true CLI: consul keyring -list --local-only Sending the local-only flag with any non-GET/list request will result in an error.	5 years ago
Mike Morris	61206fdf42	snapshot: add TLS support to HalfCloser interface (#6216 ) Calls net.TCPConn.CloseWrite or mtls.Conn.CloseWrite, which was added in https://go-review.googlesource.com/c/go/+/31318/	5 years ago
Matt Keeler	6a1e0dfed8	Update the v1/agent/service/:service endpoint to output tagged… (#6304 )	5 years ago
R.B. Boyer	913d85ea5b	connect: allow mesh gateways to use central config (#6302 )	5 years ago
Mike Morris	65be58703c	connect: remove managed proxies (#6220 ) * connect: remove managed proxies implementation and all supporting config options and structs * connect: remove deprecated ProxyDestination * command: remove CONNECT_PROXY_TOKEN env var * agent: remove entire proxyprocess proxy manager * test: remove all managed proxy tests * test: remove irrelevant managed proxy note from TestService_ServerTLSConfig * test: update ContentHash to reflect managed proxy removal * test: remove deprecated ProxyDestination test * telemetry: remove managed proxy note * http: remove /v1/agent/connect/proxy endpoint * ci: remove deprecated test exclusion * website: update managed proxies deprecation page to note removal * website: remove managed proxy configuration API docs * website: remove managed proxy note from built-in proxy config * website: add note on removing proxy subdirectory of data_dir	5 years ago
R.B. Boyer	9bbbea1777	connect: ensure intention replication continues to work when the replication ACL token changes (#6288 )	5 years ago
hashicorp-ci	913784e1bf	Merge Consul OSS branch 'master' at commit `d84863799d`	5 years ago
Sarah Adams	d84863799d	fallback to proxy config global protocol when upstream services' protocol is unset (#6277 ) fallback to proxy config global protocol when upstream services' protocol is unset Fixes #5857	5 years ago
R.B. Boyer	8e22d80e35	connect: fix failover through a mesh gateway to a remote datacenter (#6259 ) Failover is pushed entirely down to the data plane by creating envoy clusters and putting each successive destination in a different load assignment priority band. For example this shows that normally requests go to 1.2.3.4:8080 but when that fails they go to 6.7.8.9:8080: - name: foo load_assignment: cluster_name: foo policy: overprovisioning_factor: 100000 endpoints: - priority: 0 lb_endpoints: - endpoint: address: socket_address: address: 1.2.3.4 port_value: 8080 - priority: 1 lb_endpoints: - endpoint: address: socket_address: address: 6.7.8.9 port_value: 8080 Mesh gateways route requests based solely on the SNI header tacked onto the TLS layer. Envoy currently only lets you configure the outbound SNI header at the cluster layer. If you try to failover through a mesh gateway you ideally would configure the SNI value per endpoint, but that's not possible in envoy today. This PR introduces a simpler way around the problem for now: 1. We identify any target of failover that will use mesh gateway mode local or remote and then further isolate any resolver node in the compiled discovery chain that has a failover destination set to one of those targets. 2. For each of these resolvers we will perform a small measurement of comparative healths of the endpoints that come back from the health API for the set of primary target and serial failover targets. We walk the list of targets in order and if any endpoint is healthy we return that target, otherwise we move on to the next target. 3. The CDS and EDS endpoints both perform the measurements in (2) for the affected resolver nodes. 4. For CDS this measurement selects which TLS SNI field to use for the cluster (note the cluster is always going to be named for the primary target) 5. For EDS this measurement selects which set of endpoints will populate the cluster. Priority tiered failover is ignored. One of the big downsides to this approach to failover is that the failover detection and correction is going to be controlled by consul rather than deferring that entirely to the data plane as with the prior version. This also means that we are bound to only failover using official health signals and cannot make use of data plane signals like outlier detection to affect failover. In this specific scenario the lack of data plane signals is ok because the effectiveness is already muted by the fact that the ultimate destination endpoints will have their data plane signals scrambled when they pass through the mesh gateway wrapper anyway so we're not losing much. Another related fix is that we now use the endpoint health from the underlying service, not the health of the gateway (regardless of failover mode).	5 years ago
R.B. Boyer	c395affc93	connect: expose an API endpoint to compile the discovery chain (#6248 ) In addition to exposing compilation over the API cleaned up the structures that would be exchanged to be cleaner and easier to support and understand. Also removed ability to configure the envoy OverprovisioningFactor.	5 years ago
Todd Radel	96be92f3b5	connect: generate intermediate at same time as root (#6272 ) Generate intermediate at same time as root Co-Authored-By: Freddy <freddygv@users.noreply.github.com>	5 years ago
R.B. Boyer	dcb609af83	connect: detect and prevent circular discovery chain references (#6246 )	5 years ago
R.B. Boyer	1d0efdc69e	server: if inserting bootstrap config entries fails don't silence the errors (#6256 )	5 years ago
R.B. Boyer	f02924fafe	connect: simplify the compiled discovery chain data structures (#6242 ) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.	5 years ago
R.B. Boyer	6393edba53	connect: reconcile how upstream configuration works with discovery chains (#6225 ) * connect: reconcile how upstream configuration works with discovery chains The following upstream config fields for connect sidecars sanely integrate into discovery chain resolution: - Destination Namespace/Datacenter: Compilation occurs locally but using different default values for namespaces and datacenters. The xDS clusters that are created are named as they normally would be. - Mesh Gateway Mode (single upstream): If set this value overrides any value computed for any resolver for the entire discovery chain. The xDS clusters that are created may be named differently (see below). - Mesh Gateway Mode (whole sidecar): If set this value overrides any value computed for any resolver for the entire discovery chain. If this is specifically overridden for a single upstream this value is ignored in that case. The xDS clusters that are created may be named differently (see below). - Protocol (in opaque config): If set this value overrides the value computed when evaluating the entire discovery chain. If the normal chain would be TCP or if this override is set to TCP then the result is that we explicitly disable L7 Routing and Splitting. The xDS clusters that are created may be named differently (see below). - Connect Timeout (in opaque config): If set this value overrides the value for any resolver in the entire discovery chain. The xDS clusters that are created may be named differently (see below). If any of the above overrides affect the actual result of compiling the discovery chain (i.e. "tcp" becomes "grpc" instead of being a no-op override to "tcp") then the relevant parameters are hashed and provided to the xDS layer as a prefix for use in naming the Clusters. This is to ensure that if one Upstream discovery chain has no overrides and tangentially needs a cluster named "api.default.XXX", and another Upstream does have overrides for "api.default.XXX" that they won't cross-pollinate against the operator's wishes. Fixes #6159	5 years ago
R.B. Boyer	8564b6bb38	connect: validate upstreams and prevent duplicates (#6224 ) * connect: validate upstreams and prevent duplicates * Actually run Upstream.Validate() instead of ignoring it as dead code. * Prevent two upstreams from declaring the same bind address and port. It wouldn't work anyway. * Prevent two upstreams from being declared that use the same type+name+namespace+datacenter. Due to how the Upstream.Identity() function worked this ended up mostly being enforced in xDS at use-time, but it should be enforced more clearly at register-time.	5 years ago
Paul Banks	e87cef2bb8	Revert "connect: support AWS PCA as a CA provider" (#6251 ) This reverts commit `3497b7c00d`.	5 years ago
Todd Radel	3497b7c00d	connect: support AWS PCA as a CA provider (#6189 ) Port AWS PCA provider from consul-ent	5 years ago
Todd Radel	2552f4a11a	connect: Support RSA keys in addition to ECDSA (#6055 ) Support RSA keys in addition to ECDSA	5 years ago
freddygv	1a14b94441	Update default gossip encryption key size to 32 bytes	5 years ago
hashicorp-ci	847b90288a	Merge Consul OSS branch 'master' at commit `a1725e6b52`	5 years ago
Matt Keeler	a1725e6b52	Fix flaky tests (#6229 )	5 years ago
Matt Keeler	fcc18c1675	Fix prepared query upstream endpoint generation (#6236 ) Use the correct SNI value for prepared query upstreams	5 years ago
hashicorp-ci	1527616c8c	update bindata_assetfs.go	5 years ago
Matt Keeler	35e67b1d1a	Fix CA Replication when ACLs are enabled (#6201 ) Secondary CA initialization steps are: • Wait until the primary will be capable of signing intermediate certs. We use serf metadata to check the versions of servers in the primary which avoids needing a token like the previous implementation that used RPCs. We require at least one alive server in the primary and the all alive servers meet the version requirement. • Initialize the secondary CA by getting the primary to sign an intermediate When a primary dc is configured, if no existing CA is initialized and for whatever reason we cannot initialize a secondary CA the secondary DC will remain without a CA. As soon as it can it will initialize the secondary CA by pulling the primaries roots and getting the primary to sign an intermediate. This also fixes a segfault that can happen during leadership revocation. There was a spot in the secondaryCARootsWatch that was getting the CA Provider and executing methods on it without nil checking. Under normal circumstances it wont be nil but during leadership revocation it gets nil'ed out. Therefore there is a period of time between closing the stop chan and when the go routine is actually stopped where it could read a nil provider and cause a segfault.	5 years ago
R.B. Boyer	c6c4a2251a	Merge Consul OSS branch master at commit `b3541c4f34`	5 years ago
hashicorp-ci	0c9c5bfa98	update bindata_assetfs.go	5 years ago
Jack Pearkes	4e0a16ab2d	config: correct limit to limits in config example (#6219 ) This isn't yet documented on the website, but wanted to update this to add the missing s.	5 years ago
Matt Keeler	8b54307be2	Allow forwarding of some status RPCs (#6198 ) * Allow forwarding of some status RPCs * Update docs * add comments about not using the regular forward	5 years ago
Jeff Mitchell	1ea7a34756	Make the chunking test multidimensional (#6212 ) This ensures that it's not just a single operation we restores successfully, but many. It's the same foundation, just with multiple going on at once.	5 years ago
Freddy	89158c7a76	auto-encrypt: Fix port resolution and fallback to default port (#6205 ) Auto-encrypt meant to fallback to the default port when it wasn't provided, but it hadn't been because of an issue with the error handling. We were checking against an incomplete error value: "missing port in address" vs "address $HOST: missing port in address" Additionally, all RPCs to AutoEncrypt.Sign were using a.config.ServerPort, so those were updated to use ports resolved by resolveAddrs, if they are available.	5 years ago
Jeff Mitchell	94c73d0c92	Chunking support (#6172 ) * Initial chunk support This uses the go-raft-middleware library to allow for chunked commits to the KV	5 years ago
Matt Keeler	3053342198	Envoy Mesh Gateway integration tests (#6187 ) * Allow setting the mesh gateway mode for an upstream in config files * Add envoy integration test for mesh gateways This necessitated many supporting changes in most of the other test cases. Add remote mode mesh gateways integration test	5 years ago
Freddy	199f6cc41d	Make new config when retrying testServer creation (#6204 )	5 years ago
R.B. Boyer	ad9e7b6ae9	connect: allow L7 routers to match on http methods (#6164 ) Fixes #6158	5 years ago
R.B. Boyer	85cf2706e6	connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. (#6163 ) This is a breaking change, but only in the context of the beta series.	5 years ago
R.B. Boyer	1dbd92e091	connect: validate and test more of the L7 config entries (#6156 )	5 years ago
R.B. Boyer	e039dfd7f8	connect: rework how the service resolver subset OnlyPassing flag works (#6173 ) The main change is that we no longer filter service instances by health, preferring instead to render all results down into EDS endpoints in envoy and merely label the endpoints as HEALTHY or UNHEALTHY. When OnlyPassing is set to true we will force consul checks in a 'warning' state to render as UNHEALTHY in envoy. Fixes #6171	5 years ago
Alvin Huang	ef6b80bab2	resolve circleci config conflicts	5 years ago
Freddy	d86efb83e5	Restore NotifyListen to avoid panic in newServer retry (#6200 )	5 years ago
Pierre Souchay	b4590fb8e8	Display nicely Networks (CIDR) in runtime configuration (#6029 ) * Display nicely Networks (CIDR) in runtime configuration CIDR mask is displayed in binary in configuration. This add support for nicely displaying CIDR in runtime configuration. Currently, if a configuration contains the following lines: "http_config": { "allow_write_http_from": [ "127.0.0.0/8", "::1/128" ] } A call to `/v1/agent/self?pretty` would display "AllowWriteHTTPFrom": [ { "IP": "127.0.0.0", "Mask": "/wAAAA==" }, { "IP": "::1", "Mask": "/////////////////////w==" } ] This PR fixes it and it will now display: "AllowWriteHTTPFrom": [ "127.0.0.0/8", "::1/128" ] * Added test for cidr nice rendering in `TestSanitize()`.	5 years ago
Matt Keeler	d7fe8befa9	Update go-bexpr (#6190 ) * Update go-bexpr to v0.1.1 This brings in: • `in`/`not in` operators to do substring matching • `matches` / `not matches` operators to perform regex string matching. * Add the capability to auto-generate the filtering selector ops tables for our docs	5 years ago
Paul Banks	f38da47c55	Allow raft TrailingLogs to be configured. (#6186 ) This fixes pathological cases where the write throughput and snapshot size are both so large that more than 10k log entries are written in the time it takes to restore the snapshot from disk. In this case followers that restart can never catch up with leader replication again and enter a loop of constantly downloading a full snapshot and restoring it only to find that snapshot is already out of date and the leader has truncated its logs so a new snapshot is sent etc. In general if you need to adjust this, you are probably abusing Consul for purposes outside its design envelope and should reconsider your usage to reduce data size and/or write volume.	5 years ago
Christian Muehlhaeuser	7753b97cc7	Simplified code in various places (#6176 ) All these changes should have no side-effects or change behavior: - Use bytes.Buffer's String() instead of a conversion - Use time.Since and time.Until where fitting - Drop unnecessary returns and assignment	5 years ago
hashicorp-ci	a4431da1cc	Merge Consul OSS branch 'master' at commit `ef257b084d`	5 years ago
javicrespo	b006060d4c	log rotation: limit count of rotated log files (#5831 )	5 years ago
Christian Muehlhaeuser	61ff1d20bf	Avoid unnecessary conversions (#6178 ) Those values already have the right type.	5 years ago
Christian Muehlhaeuser	1366bebf7f	Fixed typos in comments (#6175 ) Just a few nitpicky typo fixes.	5 years ago

... 3 4 5 6 7 ...

2004 Commits (57096f8410d4fbf1a9c361404e20b6179cb305f1)