Commit Graph

3245 Commits (62c8746911fbc7b972268aa5800a8b09b2128cf5)

Author SHA1 Message Date
hc-github-team-consul-core 40ac83c9d3
update bindata_assetfs.go 2021-07-15 18:49:33 +00:00
Freddy e3e31375c8
Merge pull request #10622 from hashicorp/vuln/validate-sans-1.10 2021-07-15 10:05:06 -06:00
freddygv 803df59268 Fixup prepared query ns defaulting 2021-07-15 09:37:37 -06:00
R.B. Boyer 104ee65e17 xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619) 2021-07-15 15:09:48 +00:00
freddygv 0bf181ae55 Update golden files 2021-07-14 22:41:51 -06:00
freddygv 8e4ca495d5 Validate SANs for passthrough clusters and failovers 2021-07-14 22:41:51 -06:00
freddygv faac20cd40 Update golden files to account for SAN validation 2021-07-14 22:41:02 -06:00
freddygv bdacb71d22 Validate Subject Alternative Name for upstreams
These changes ensure that the identity of services dialed is
cryptographically verified.

For all upstreams we validate against SPIFFE IDs in the format used by
Consul's service mesh:

spiffe://<trust-domain>/ns/<namespace>/dc/<datacenter>/svc/<service>
2021-07-14 22:41:02 -06:00
Evan Culver 940419aef0 Add support for returning ACL secret IDs for accessors with acl:write (#10546) 2021-07-08 22:13:45 +00:00
Daniel Nephin fe76dc7068 Merge pull request #10552 from hashicorp/dnephin/ca-remove-rotation-period
ca: remove unused RotationPeriod field
2021-07-08 20:56:43 +00:00
Daniel Nephin c8bba8bd60
Merge pull request #10539 from hashicorp/dnephin/backport-to-1.10.x
[1.10.x] Backport main branch rename, and fix 32bit panic
2021-07-05 12:35:56 -04:00
hc-github-team-consul-core bd6a6bf8b8
update bindata_assetfs.go 2021-07-01 18:46:29 +00:00
Dhia Ayachi 543928d707 Format certificates properly (rfc7468) with a trailing new line (#10411)
* trim carriage return from certificates when inserting rootCA in the inMemDB

* format rootCA properly when returning the CA on the connect CA endpoint

* Fix linter warnings

* Fix providers to trim certs before returning it

* trim newlines on write when possible

* add changelog

* make sure all provider return a trailing newline after the root and intermediate certs

* Fix endpoint to return trailing new line

* Fix failing test with vault provider

* make test more robust

* make sure all provider return a trailing newline after the leaf certs

* Check for suffix before removing newline and use function

* Add comment to consul provider

* Update change log

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* fix typo

* simplify code callflow

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* extract requireNewLine as shared func

* remove dependency to testify in testing file

* remove extra newline in vault provider

* Add cert newline fix to envoy xds

* remove new line from mock provider

* Remove adding a new line from provider and fix it when the cert is read

* Add a comment to explain the fix

* Add missing for leaf certs

* fix missing new line

* fix missing new line in leaf certs

* remove extra new line in test

* updage changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* fix in vault provider and when reading cache (RPC call)

* fix AWS provider

* fix failing test in the provider

* remove comments and empty lines

* add check for empty cert in test

* fix linter warnings

* add new line for leaf and private key

* use string concat instead of Sprintf

* fix new lines for leaf signing

* preallocate slice and remove append

* Add new line to `SignIntermediate` and `CrossSignCA`

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-07-01 00:49:03 +00:00
Daniel Nephin f81b371bc1 Merge pull request #10515 from hashicorp/dnephin/fix-arm32-atomic-aligment
Fix panic on 32-bit platforms

Conflicts in tlsutil/config.go were resolved by dropping those changes.
The issue that was fixed in that file is not in 1.10.x.
2021-06-30 18:01:33 -04:00
Daniel Nephin 2dbd8231d8 Merge pull request #10514 from hashicorp/dnephin/actually-enable-streaming
streaming: fix not being able to enable streaming
2021-06-29 16:50:02 -04:00
Daniel Nephin d106120762 Merge pull request #10506 from hashicorp/dnephin/docs-rpc-query-metrics
docs: correct some misleading telemetry docs
2021-06-28 16:34:37 +00:00
R.B. Boyer 2293ccfeca structs: prevent service-defaults upstream configs from using wildcard names or namespaces (#10475) 2021-06-23 20:49:34 +00:00
R.B. Boyer d75c06c9d7 structs: add some missing config entry validation and clean up tests (#10465)
Affects kinds: service-defaults, ingress-gateway, terminating-gateway
2021-06-23 19:16:58 +00:00
hc-github-team-consul-core 39f3c09e00
update bindata_assetfs.go 2021-06-22 17:21:14 +00:00
hc-github-team-consul-core 5d9ff1df92
update bindata_assetfs.go 2021-06-17 21:45:27 +00:00
Freddy 89748d805a Merge pull request #10423 from hashicorp/fix-map 2021-06-17 19:56:26 +00:00
hc-github-team-consul-core b2331f599d
update bindata_assetfs.go 2021-06-16 22:24:01 +00:00
R.B. Boyer 6441b4b2c7 xds: fix flaky protocol tests (#10410) 2021-06-16 16:58:34 +00:00
Freddy fc86420955 Merge pull request #10404 from hashicorp/ingress-stats 2021-06-15 20:28:43 +00:00
R.B. Boyer 0958f1dc3c xds: adding more delta protocol tests (#10398)
Fixes #10125
2021-06-15 20:21:42 +00:00
Freddy f300a1fadb Omit empty tproxy config in JSON responses (#10402) 2021-06-15 19:54:11 +00:00
Nitya Dhanushkodi c9e5177b35 proxycfg: Ensure that endpoints for explicit upstreams in other datacenters are watched in transparent mode (#10391)
Co-authored-by: Freddy Vallenilla <freddy@hashicorp.com>
2021-06-15 18:03:52 +00:00
Dhia Ayachi d4aa152850 improve monitor performance (#10368)
* remove flush for each write to http response in the agent monitor endpoint

* fix race condition when we stop and start monitor multiple times, the doneCh is closed and never recover.

* start log reading goroutine before adding the sink to avoid filling the log channel before getting a chance of reading from it

* flush every 500ms to optimize log writing in the http server side.

* add changelog file

* add issue url to changelog

* fix changelog url

* Update changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* use ticker to flush and avoid race condition when flushing in a different goroutine

* stop the ticker when done

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Revert "fix race condition when we stop and start monitor multiple times, the doneCh is closed and never recover."

This reverts commit 1eeddf7a

* wait for log consumer loop to start before registering the sink

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-06-15 16:23:20 +00:00
R.B. Boyer f72774618d xds: ensure that dependent xDS resources are reconfigured during primary type warming (#10381)
Updates to a cluster will clear the associated endpoints, and updates to
a listener will clear the associated routes. Update the incremental xDS
logic to account for this implicit cleanup so that we can finish warming
the clusters and listeners.

Fixes #10379
2021-06-14 22:21:04 +00:00
Freddy 645e406ca0 Rename CatalogDestinationsOnly (#10397)
CatalogDestinationsOnly is a passthrough that would enable dialing
addresses outside of Consul's catalog. However, when this flag is set to
true only _connect_ endpoints for services can be dialed.

This flag is being renamed to signal that non-Connect endpoints can't be
dialed by transparent proxies when the value is set to true.
2021-06-14 20:15:58 +00:00
Freddy f6e32892dc Relax validation for expose.paths config (#10394)
Previously we would return an error if duplicate paths were specified.
This could lead to problems in cases where a user has the same path,
say /healthz, on two different ports.

This validation was added to signal a potential misconfiguration.
Instead we will only check for duplicate listener ports, since that is
what would lead to ambiguity issues when generating xDS config.

In the future we could look into using a single listener and creating
distinct filter chains for each path/port.
2021-06-14 20:04:50 +00:00
Daniel Nephin a5524f26c0 Merge pull request #10378 from hashicorp/dnephin/agent-self-primary-dc
http: add PrimaryDatacenter to the /v1/agent/self  response
2021-06-11 17:45:04 +00:00
hc-github-team-consul-core d4bfdafff4
update bindata_assetfs.go 2021-06-10 00:14:47 +00:00
Freddy 168073c4dc Add flag for transparent proxies to dial individual instances (#10329) 2021-06-09 20:39:37 +00:00
Daniel Nephin e5baf32f22 Merge pull request #10367 from hashicorp/dnephin/submatview-store-get-tests
submatview: add test cases for store.Get with timeout and no index
2021-06-09 15:54:22 +00:00
Daniel Nephin 1ed213470c Merge pull request #10364 from hashicorp/dnephin/streaming-e2e-test
submatview: and Store integration test with stream backend
2021-06-08 20:14:25 +00:00
Freddy f0fe3cf4a6 Revert "Avoid adding original_dst filter when not needed" (#10365) 2021-06-08 19:19:31 +00:00
Daniel Nephin 6327c3fb3f Merge pull request #10348 from hashicorp/dnephin/fix-submatview-store-bug
submatview: fix a bug with Store.Get
2021-06-04 16:06:56 +00:00
Paul Ewing a9c2f6a741 usagemetrics: add cluster members to metrics API (#10340)
This PR adds cluster members to the metrics API. The number of members per
segment are reported as well as the total number of members.

Tested by running a multi-node cluster locally and ensuring the numbers were
correct. Also added unit test coverage to add the new expected gauges to
existing test cases.
2021-06-03 15:26:35 +00:00
Daniel Nephin 749a0b01c3 Merge pull request #10334 from hashicorp/dnephin/grpc-fix-resolver-data-race
grpc: fix resolver data race
2021-06-02 17:24:05 +00:00
Daniel Nephin cab82ca5a0 Merge pull request #9556 from hashicorp/dnephin/add-more-cache-key-completness-tests
structs: Add more cache key completeness tests
2021-06-01 15:28:34 +00:00
Dhia Ayachi db23df862c debug: remove the CLI check for debug_enabled (#10273)
* debug: remove the CLI check for debug_enabled

The API allows collecting profiles even debug_enabled=false as long as
ACLs are enabled. Remove this check from the CLI so that users do not
need to set debug_enabled=true for no reason.

Also:
- fix the API client to return errors on non-200 status codes for debug
  endpoints
- improve the failure messages when pprof data can not be collected

Co-Authored-By: Dhia Ayachi <dhia@hashicorp.com>

* remove parallel test runs

parallel runs create a race condition that fail the debug tests

* Add changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-05-31 18:46:42 +00:00
hc-github-team-consul-core 6efc5751ca
update bindata_assetfs.go 2021-05-27 15:01:08 +00:00
Freddy f1ab78757e Ensure passthrough clusters can be created (#10301) 2021-05-26 21:05:55 +00:00
Freddy a2dcb9621d Avoid adding original_dst filter when not needed (#10302) 2021-05-26 21:05:24 +00:00
Matt Keeler f054099e84 Move some things around to allow for license updating via config reload
The bulk of this commit is moving the LeaderRoutineManager from the agent/consul package into its own package: lib/gort. It also got a renaming and its Start method now requires a context. Requiring that context required updating a whole bunch of other places in the code.
2021-05-25 13:58:35 +00:00
Matt Keeler c87ed75400 hcs-1936: Prepare for adding license auto-retrieval to auto-config in enterprise 2021-05-24 17:21:08 +00:00
Matt Keeler c6377111f5 Preparation for changing where license management is done. 2021-05-24 14:22:27 +00:00
Daniel Nephin 4a6b53fa22 Merge pull request #10272 from hashicorp/dnephin/backport-namespace-license-fix
Backport some ent changes for serf tags
2021-05-21 16:35:30 +00:00
Matt Keeler d80ae8baa8 Add OSS bits for supporting specifying the enterprise license via config 2021-05-20 20:12:05 +00:00