consul

Commit Graph

Author	SHA1	Message	Date
Dan Upton	7298967070	Restructure gRPC server setup (#12586 ) OSS sync of enterprise changes at 0b44395e	3 years ago
Dan Upton	b36d4e16b6	Support per-listener TLS configuration ⚙️ (#12504 ) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.	3 years ago
Eric	cf3e517d0e	Create and wire up the serverless patcher	3 years ago
Evan Culver	602e08ada7	checks: populate interval and timeout when registering services (#11138 )	3 years ago
Dhia Ayachi	4f0a71d7b4	fix race when starting a service while the agent `serviceManager` is … (#12302 ) * fix race when starting a service while the agent `serviceManager` is stopping * add changelog	3 years ago
Daniel Nephin	edca8d61a3	acl: remove ResolveTokenToIdentity By exposing the AccessorID from the primary ResolveToken method we can remove this duplication.	3 years ago
Daniel Nephin	a5e8af79c3	acl: return a resposne from ResolveToken that includes the ACLIdentity So that we can duplicate duplicate methods.	3 years ago
Dan Upton	ca3aca92c4	[OSS] Remove remaining references to master (#11827 )	3 years ago
Dan Upton	7fe81171d9	Rename `ACLMasterToken` => `ACLInitialManagementToken` (#11746 )	3 years ago
Freddy	e246defb6c	Merge pull request #11720 from hashicorp/bbolt	3 years ago
R.B. Boyer	c46f9f9f31	agent: add variation of force-leave that exclusively works on the WAN (#11722 ) Fixes #6548	3 years ago
Daniel Nephin	e47cecc653	config: add NoFreelistSync option # Conflicts: # agent/config/testdata/TestRuntimeConfig_Sanitize-enterprise.golden # agent/consul/server.go	3 years ago
R.B. Boyer	dd4a59db8e	agent: purge service/check registration files for incorrect partitions on reload (#11607 )	3 years ago
R.B. Boyer	eb21649f82	partitions: various refactors to support partitioning the serf LAN pool (#11568 )	3 years ago
R.B. Boyer	44c023a302	segments: ensure that the serf_lan_allowed_cidrs applies to network segments (#11495 )	3 years ago
Mark Anderson	7e8228a20b	Remove some usage of md5 from the system (#11491 ) * Remove some usage of md5 from the system OSS side of https://github.com/hashicorp/consul-enterprise/pull/1253 This is a potential security issue because an attacker could conceivably manipulate inputs to cause persistence files to collide, effectively deleting the persistence file for one of the colliding elements. Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Daniel Nephin	51d8417545	Merge pull request #10690 from tarat44/h2c-support-in-ping-checks add support for h2c in h2 ping health checks	3 years ago
Daniel Nephin	b57cae94de	Merge pull request #10771 from hashicorp/dnephin/emit-telemetry-metrics-immediately telemetry: improve cert expiry metrics	3 years ago
R.B. Boyer	af9ffc214d	agent: add a clone function for duplicating the serf lan configuration (#11443 )	3 years ago
Daniel Nephin	a8e2e1c365	agent: move agent tls metric monitor to a more appropriate place And add a test for it	3 years ago
Daniel Nephin	c92513ec16	telemetry: set cert expiry metrics to NaN on start So that followers do not report 0, which would make alerting difficult.	3 years ago
freddygv	954d21c6ba	Register the ExportingPartitions cache type	3 years ago
R.B. Boyer	ef559dfdd4	agent: refactor the agent delegate interface to be partition friendly (#11429 )	3 years ago
Chris S. Kim	fa293362be	agent: Ensure partition is considered in agent endpoints (#11427 )	3 years ago
tarat44	c1ed3a9a94	change config option to H2PingUseTLS	3 years ago
tarat44	3c9f5a73d9	add support for h2c in h2 ping health checks	3 years ago
Daniel Nephin	d12dd48c61	acl: remove ACL upgrading from Clients As part of removing the legacy ACL system ACL upgrading and the flag for legacy ACLs is removed from Clients. This commit also removes the 'acls' serf tag from client nodes. The tag is only ever read from server nodes. This commit also introduces a constant for the acl serf tag, to make it easier to track where it is used.	3 years ago
Daniel Nephin	cc310224aa	command/envoy: stop using the DebugConfig from Self endpoint The DebugConfig in the self endpoint can change at any time. It's not a stable API. This commit adds the XDSPort to a stable part of the XDS api, and changes the envoy command to read this new field. It includes support for the old API as well, in case a newer CLI is used with an older API, and adds a test for both cases.	3 years ago
Daniel Nephin	1502547e38	Revert "Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc" This reverts commit `74fb650b6b`, reversing changes made to `58bd817336`.	3 years ago
Chris S. Kim	e3248c20c9	agent: Clean up unused built-in proxy config (#11165 )	3 years ago
Daniel Nephin	1f9479603c	Add failures_before_warning to checks (#10969 ) Signed-off-by: Jakub Sokołowski <jakub@status.im> * agent: add failures_before_warning setting The new setting allows users to specify the number of check failures that have to happen before a service status us updated to be `warning`. This allows for more visibility for detected issues without creating alerts and pinging administrators. Unlike the previous behavior, which caused the service status to not update until it reached the configured `failures_before_critical` setting, now Consul updates the Web UI view with the `warning` state and the output of the service check when `failures_before_warning` is breached. The default value of `FailuresBeforeWarning` is the same as the value of `FailuresBeforeCritical`, which allows for retaining the previous default behavior of not triggering a warning. When `FailuresBeforeWarning` is set to a value higher than that of `FailuresBeforeCritical it has no effect as `FailuresBeforeCritical` takes precedence. Resolves: https://github.com/hashicorp/consul/issues/10680 Signed-off-by: Jakub Sokołowski <jakub@status.im> Co-authored-by: Jakub Sokołowski <jakub@status.im>	3 years ago
R.B. Boyer	097e1645e3	agent: ensure that most agent behavior correctly respects partition configuration (#10880 )	3 years ago
Daniel Nephin	17841248dd	config: remove ACLResolver settings from RuntimeConfig	3 years ago
Daniel Nephin	31e034215f	acl: remove ACLResolver config fields from consul.Config	3 years ago
Daniel Nephin	c85c62dffb	Merge pull request #10807 from hashicorp/dnephin/remove-acl-datacenter config: remove ACLDatacenter	3 years ago
Daniel Nephin	0575498d0d	proxycfg: Lookup the agent token as a default When no ACL token is provided with the service registration.	3 years ago
Daniel Nephin	7160f7a614	acl: remove ACLDatacenter This field has been unnecessary for a while now. It was always set to the same value as PrimaryDatacenter. So we can remove the duplicate field and use PrimaryDatacenter directly. This change was made by GoLand refactor, which did most of the work for me.	3 years ago
Daniel Nephin	8c575445da	telemetry: add a metric for agent TLS cert expiry	3 years ago
Daniel Nephin	242b3a2dc5	streaming: set a default timeout The blocking query backend sets the default value on the server side. The streaming backend does not using blocking queries, so we must set the timeout on the client.	3 years ago
R.B. Boyer	188e8dc51f	agent/structs: add a bunch more EnterpriseMeta helper functions to help with partitioning (#10669 )	3 years ago
Daniel Nephin	74fb650b6b	Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc config: rename `ports.grpc` to `ports.xds`	3 years ago
Daniel Nephin	be8c675942	config: remove misleading UseTLS field This field was documented as enabling TLS for outgoing RPC, but that was not the case. All this field did was set the use_tls serf tag. Instead of setting this field in a place far from where it is used, move the logic to where the serf tag is set, so that the code is much more obvious.	3 years ago
Daniel Nephin	70770db345	config: remove duplicate TLSConfig fields from agent/consul.Config tlsutil.Config already presents an excellent structure for this configuration. Copying the runtime config fields to agent/consul.Config makes code harder to trace, and provides no advantage. Instead of copying the fields around, use the tlsutil.Config struct directly instead. This is one small step in removing the many layers of duplicate configuration.	3 years ago
Daniel Nephin	895bf9adec	config: update GRPCPort and addr in runtime config	3 years ago
Daniel Nephin	7d73fd7ae5	rename GRPC->XDS where appropriate	3 years ago
Daniel Nephin	c78391797d	streaming: fix enable of streaming in the client And add checks to all the tests that explicitly use streaming.	3 years ago
Matt Keeler	da31e0449e	Move some things around to allow for license updating via config reload The bulk of this commit is moving the LeaderRoutineManager from the agent/consul package into its own package: lib/gort. It also got a renaming and its Start method now requires a context. Requiring that context required updating a whole bunch of other places in the code.	4 years ago
Matt Keeler	caafc02449	hcs-1936: Prepare for adding license auto-retrieval to auto-config in enterprise	4 years ago
Matt Keeler	234d0a3c2a	Preparation for changing where license management is done.	4 years ago
Iryna Shustava	d7d44f6ae7	Save exposed ports in agent's store and expose them via API (#10173 ) * Save exposed HTTP or GRPC ports to the agent's store * Add those the health checks API so we can retrieve them from the API * Change redirect-traffic command to also exclude those ports from inbound traffic redirection when expose.checks is set to true.	4 years ago
Paul Banks	3ad754ca7b	Make Raft trailing logs and snapshot timing reloadable (#10129 ) * WIP reloadable raft config * Pre-define new raft gauges * Update go-metrics to change gauge reset behaviour * Update raft to pull in new metric and reloadable config * Add snapshot persistance timing and installSnapshot to our 'protected' list as they can be infrequent but are important * Update telemetry docs * Update config and telemetry docs * Add note to oldestLogAge on when it is visible * Add changelog entry * Update website/content/docs/agent/options.mdx Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>	4 years ago
R.B. Boyer	71d45a3460	Support Incremental xDS mode (#9855 ) This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged. Union of all commit messages follows to give an overarching summary: xds: exclusively support incremental xDS when using xDS v3 Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail. Work around a strange older envoy behavior involving empty CDS responses over incremental xDS. xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead. Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client. xds: pull out checkStreamACLs method in advance of a later commit xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty. This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10. xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time	4 years ago
Daniel Nephin	10ec9c2be3	rpcclient: close the grpc.ClientConn on shutdown	4 years ago
Daniel Nephin	e229b877d8	health: create health.Client in Agent.New	4 years ago
Daniel Nephin	0558586dbd	health: use blocking queries for near query parameter	4 years ago
Daniel Nephin	2a26085b2c	connect: do not set QuerySource.Node Setting this field to a value is equivalent to using the 'near' query paramter. The intent is to sort the results by proximity to the node requesting them. However with connect we send the results to envoy, which doesn't care about the order, so setting this field is increasing the work performed for no gain. It is necessary to unset this field now because we would like connect to use streaming, but streaming does not support sorting by proximity.	4 years ago
Matt Keeler	bbf5993534	Move static token resolution into the ACLResolver (#10013 )	4 years ago
Tara Tufano	9deb52e868	add http2 ping health checks (#8431 ) * add http2 ping checks * fix test issue * add h2ping check to config resources * add new test and docs for h2ping * fix grammatical inconsistency in H2PING documentation * resolve rebase conflicts, add test for h2ping tls verification failure * api documentation for h2ping * update test config data with H2PING * add H2PING to protocol buffers and update changelog * fix typo in changelog entry	4 years ago
R.B. Boyer	e494313e7b	api: ensure v1/health/ingress/:service endpoint works properly when streaming is enabled (#9967 ) The streaming cache type for service health has no way to handle v1/health/ingress/:service queries as there is no equivalent topic that would return the appropriate data. Ensure that attempts to use this endpoint will use the old cache-type for now so that they return appropriate data when streaming is enabled.	4 years ago
freddygv	f4f45af6d0	Merge master and fix upstream config protocol defaulting	4 years ago
freddygv	a54d6a9010	Update proxycfg for transparent proxy	4 years ago
Christopher Broglie	f0307c73e5	Add support for configuring TLS ServerName for health checks Some TLS servers require SNI, but the Golang HTTP client doesn't include it in the ClientHello when connecting to an IP address. This change adds a new TLSServerName field to health check definitions to optionally set it. This fixes #9473.	4 years ago
Daniel Nephin	f40b76af2d	proxycfg: use rpcclient/health.Client instead of passing around cache name This should allow us to swap out the implementation with something other than `agent/cache` without making further code changes.	4 years ago
Daniel Nephin	906834ce8e	proxycfg: Use streaming in connect state	4 years ago
Daniel Nephin	1a764553c0	rpcclient: use streaming for connect health	4 years ago
freddygv	acec711a6a	Update server-side config resolution and client-side merging	4 years ago
Daniel Nephin	8c45f2c1fe	agent: use the new lib/mutex for stateLock Previously the ServiceManager had to run a separate goroutine so that it could block on a channel send/receive instead of a lock. Using this mutex with TryLock allows us to cancel the lock when the serviceConfigWatch is stopped. Without this change removing the ServiceManager.Start goroutine would not be possible because when AddService is called it acquires the stateLock. While that lock is held, if there are existing watches for the service, the old watch will be stopped, and the goroutine holding the lock will attempt to wait for that watcher goroutine to exit. If the goroutine is handling an update (serviceConfigWatch.handleUpdate) then it can block on acquiring the stateLock and deadlock the agent. With this change the context is cancelled as and the goroutine will exit instead of waiting on the stateLock.	4 years ago
Daniel Nephin	4e42b8f1d4	agent: remove ServiceManager goroutine The ServiceManager.Start goroutine was used to serialize calls to agent.addServiceInternal. All the goroutines which sent events to the channel would block waiting for a response from that same goroutine, which is effectively the same as a synchronous call without any channels. This commit removes the goroutine and channels, and instead calls addServiceInternal directly. Since all of these goroutines will need to take the agent.stateLock, the mutex handles the serializing of calls.	4 years ago
Daniel Nephin	8b67231e8c	agent: update godoc for AddServiceRequest	4 years ago
Daniel Nephin	f34703fc63	agent: move checkStateSnapshot Move the field into the struct for addServiceLocked. Also don't require setting a default value, so that the callers can leave it as nil if they don't already have a snapshot.	4 years ago
Daniel Nephin	1495291054	agent: move two fields off of AddServiceRequest	4 years ago
Daniel Nephin	60c6a1c220	agent: Replace two fields on AddServiceRequest with a func field The two previous fields were mutually exclusive. They can be represented with a single function which provides the value.	4 years ago
Daniel Nephin	5f9930a9be	agent: remove an a branch in the AddService flow Handle the decision to use ServiceManager in a single place. Instead of calling ServiceManager.AddService, then calling back into addServiceInternal, only call ServiceManager.AddService if we are going to use it. This change removes some small duplication and removes a branch from the AddService flow.	4 years ago
Daniel Nephin	4da0718c57	agent: use fields directly, not temp variables The temprorary variables make it much harder to trace where and how struct fields are used. If a field is only used a small number of times than refer to the field directly.	4 years ago
Daniel Nephin	5b6f806f4f	agent: addServiceIternalRequest Move fields that are only relevant for addServiceInternal onto a new struct and embed AddServiceRequest.	4 years ago
Daniel Nephin	3d39359bcb	agent: move deprecated AddServiceFromSource to a test file The method is only used in tests, and only exists for legacy calls. There was one other package which used this method in tests. Export the AddServiceRequest and a couple of its fields so the new function can be used in those tests.	4 years ago
Daniel Nephin	e44fd1cb92	agent: use a single method for Agent.AddService	4 years ago
Daniel Nephin	6757231b82	agent: rename AddService->AddServiceFromSource In preparation for extracting a single AddService func that accepts a request struct.	4 years ago
Daniel Nephin	e66af1a559	agent/consuk: Rename RPCRate -> RPCRateLimit so that the field name is consistent across config structs.	4 years ago
Daniel Nephin	5684223e36	agent/consul: make Client/Server config reloading more obvious I believe this commit also fixes a bug. Previously RPCMaxConnsPerClient was not being re-read from the RuntimeConfig, so passing it to Server.ReloadConfig was never changing the value. Also improve the test runtime by not doing a lot of unnecessary work.	4 years ago
Daniel Nephin	a04cefaa28	Remove an unnecessary else	4 years ago
Daniel Nephin	4b8b2a4291	xds: remove Server.Initialize Requiring a call to initialize to set a single field is not really substantially different from having to set that field to a value.	4 years ago
Daniel Nephin	375aed5ed6	xds: Pass in logger small cleanup in tests	4 years ago
Daniel Nephin	d64425d2e4	Merge pull request #9213 from hashicorp/dnephin/resolve-tokens-take-2 acl: Remove some unused things and document delegate method	4 years ago
Michael Montgomery	e4f603dfae	Merge branch 'master' into 6074-allow-config-MaxHeaderBytes	4 years ago
Kenia	27f6899ec8	Create consul version metric with version label (#9350 ) * create consul version metric with version label * agent/agent.go: add pre-release Version as well as label Co-Authored-By: Radha13 <kumari.radha3@gmail.com> * verion and pre-release version labels. * hyphen/- breaks prometheus * Add Prometheus gauge defintion for version metric * Add new metric to telemetry docs Co-authored-by: Radha Kumari <kumari.radha3@gmail.com> Co-authored-by: Aestek <thib.gilles@gmail.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>	4 years ago
Michael Montgomery	585c84e9ff	Merge branch 'master' into 6074-allow-config-MaxHeaderBytes	4 years ago
Daniel Nephin	738bf9efdc	agent: fix bug with multiple listeners Previously the listener was being passed to a closure in a loop without capturing the loop variable. The result is only the last listener is used, so the http/https servers only listen on one address. This problem is fixed by capturing the variable by passing it into a function.	4 years ago
Daniel Nephin	0ee86935f0	Remove two unused delegate methods	4 years ago
Matt Keeler	66fd23d67f	Refactor to call non-voting servers read replicas (#9191 ) Co-authored-by: Kit Patella <kit@jepsen.io>	4 years ago
Michael Montgomery	5b6ac035ff	Resolves #6074 . Adds new option to configure HTTP Server's MaxHeaderBytes with option `-http-max-header-bytes` Adds tests for behavior	4 years ago
Daniel Nephin	bd44952c2e	streaming: disable streaming when requesting connect events Until the correct events are created for terminating gateways.	4 years ago
Daniel Nephin	853667e7d8	health: change the name of UseStreamingBackend config Remove it from the cache section, and update the docs.	4 years ago
Daniel Nephin	3a55c30a05	Merge pull request #8924 from ShimmerGlass/fix-sidecar-deregister-after-restart Fix: service LocallyRegisteredAsSidecar property is not persisted	4 years ago
Mathilde Gilles	1c8369b3c3	Fix: service LocallyRegisteredAsSidecar property is not persisted When a service is deregistered, we check whever matching services were registered as sidecar along with it and deregister them as well. To determine if a service is indeed a sidecar we check the structs.ServiceNode.LocallyRegisteredAsSidecar property. However, to avoid interal API leakage, it is excluded from JSON serialization, meaning it is not persisted to disk either. When the agent is restarted, this property lost and sidecars are no longer deregistered along with their parent service. To fix this, we now specifically save this property in the persisted service file.	4 years ago
Daniel Nephin	ea77eccb14	Merge pull request #8825 from hashicorp/streaming/add-config streaming: add config and docs	4 years ago
Daniel Nephin	e7d505dc33	config: add field for enabling streaming in the client agent: register the new streaming cache-type	4 years ago
Kit Patella	adeabf2399	Merge pull request #8877 from hashicorp/mkcp/telemetry/consul.api.http Add flag for disabling 1.9 metrics backwards compatibility and warnings when set to default	4 years ago
Matt Keeler	38f5ddce2a	Add per-agent reconnect timeouts (#8781 ) This allows for client agent to be run in a more stateless manner where they may be abruptly terminated and not expected to come back. If advertising a per-agent reconnect timeout using the advertise_reconnect_timeout configuration when that agent leaves, other agents will wait only that amount of time for the agent to come back before reaping it. This has the advantageous side effect of causing servers to deregister the node/services/checks for that agent sooner than if the global reconnect_timeout was used.	4 years ago
Daniel Nephin	b93577c94f	config: add field for enabling streaming RPC endpoint	4 years ago
Kit Patella	7fe2f80b4b	add config flag to disable 1.9 metrics backwards compatibility. Add warnings on start and reload on default value	4 years ago
Daniel Nephin	529f252d5c	rpcclient: Add health.Client and use it in http and dns This new package provides a client agent implementation of an interface for fetching the health of services. This approach has a number of benefits: 1. It provides a much more explicit interface. Instead of everything dependency on `RPC()` and `Cache.Get()` for many unrelated things they can depend on a type that are named according to the behaviour it provides. 2. It gives us a single place to vary the behaviour and migrate to a new form of RPC (gRPC). The current implementation has two options (cache, or direct RPC), and in the future we will have more. It is also a great opporunity to start adding `context.Context` args to these operations, which in the future will allow us to cancel the operations. 3. As a concequence of the first, in the Server agent where we make these calls we can replace the current in-memory RPC calls with a thin adapter for the real method. This removes the `net/rpc` machinery from the call in places where it is not needed. This new package is quite small right now, but I think we can expect it to grow to a more reasonable size as other RPC calls are replaced. This change also happens to replace two very similar implementations with a single implementation.	4 years ago
Paul Banks	e4db845246	Refactor uiserver to separate package, cleaner Reloading	4 years ago
Paul Banks	f6d55e1d25	Fix reload test; address other PR feedback	4 years ago
Paul Banks	526bab6164	Add config changes for UI metrics	4 years ago
R.B. Boyer	7eef25daf5	agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747 ) Likely introduced when #7345 landed.	4 years ago
Daniel Nephin	c18516ad7d	Merge pull request #8680 from hashicorp/dnephin/replace-consul-opts-with-base-deps agent: Repalce ConsulOptions with a new struct from agent.BaseDeps	4 years ago
Daniel Nephin	282fbdfa75	api: rename HTTPServer to HTTPHandlers Resolves a TODO about naming. This type is a set of handlers for an http.Server, it is not itself a Server. It provides http.Handler functions.	4 years ago
Daniel Nephin	cdd392d77f	agent/consul: pass dependencies directly from agent In an upcoming change we will need to pass a grpc.ClientConnPool from BaseDeps into Server. While looking at that change I noticed all of the existing consulOption fields are already on BaseDeps. Instead of duplicating the fields, we can create a struct used by agent/consul, and use that struct in BaseDeps. This allows us to pass along dependencies without translating them into different representations. I also looked at moving all of BaseDeps in agent/consul, however that created some circular imports. Resolving those cycles wouldn't be too bad (it was only an error in agent/consul being imported from cache-types), however this change seems a little better by starting to introduce some structure to BaseDeps. This change is also a small step in reducing the scope of Agent. Also remove some constants that were only used by tests, and move the relevant comment to where the live configuration is set. Removed some validation from NewServer and NewClient, as these are not really runtime errors. They would be code errors, which will cause a panic anyway, so no reason to handle them specially here.	4 years ago
Daniel Nephin	4c9ed41eab	Merge pull request #8554 from hashicorp/dnephin/agent-setup-persisted-tokens agent: move token persistence from agent into token.Store	4 years ago
Daniel Nephin	6ca45e1a61	agent: add apiServers type for managing HTTP servers Remove Server field from HTTPServer. The field is no longer used.	4 years ago
Daniel Nephin	330be5b740	agent/token: Move token persistence out of agent And into token.Store. This change isolates any awareness of token persistence in a single place. It is a small step in allowing Agent.New to accept its dependencies.	4 years ago
Matt Keeler	91d680b830	Merge of auto-config and auto-encrypt code (#8523 ) auto-encrypt is now handled as a special case of auto-config. This also is moving all the cert-monitor code into the auto-config package.	4 years ago
Daniel Nephin	72bf350069	Merge pull request #8552 from pierresouchay/reload_cache_throttling_config Ensure that Cache options are reloaded when `consul reload` is performed	4 years ago
R.B. Boyer	74d5df7c7a	xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569 )	4 years ago
Matt Keeler	f97cc0445a	Move RPC router from Client/Server and into BaseDeps (#8559 ) This will allow it to be a shared component which is needed for AutoConfig	4 years ago
Pierre Souchay	d2be9d38da	Ensure that Cache options are reloaded when `consul reload` is performed. This will apply cache throttling parameters are properly applied: * cache.EntryFetchMaxBurst * cache.EntryFetchRate When values are updated, a log is displayed in info.	4 years ago
Daniel Nephin	e16375216d	config: use logging.Config in RuntimeConfig To add structure to RuntimeConfig, and remove the need to translate into a third type.	4 years ago
Daniel Nephin	f2373a5575	logging: move init of grpclog This line initializes global state. Moving it out of the constructor and closer to where logging is setup helps keep related things together.	4 years ago
Daniel Nephin	63bad36de7	testing: disable global metrics sink in tests This might be better handled by allowing configuration for the InMemSink interval and retail, and disabling the global. For now this is a smaller change to remove the goroutine leak caused by tests because go-metrics does not provide any way of shutting down the global goroutine.	4 years ago
Daniel Nephin	5d4df54296	agent: extract dependency creation from New With this change, Agent.New() accepts many of the dependencies instead of creating them in New. Accepting fully constructed dependencies from a constructor makes the type easier to test, and easier to change. There are still a number of dependencies created in Start() which can be addressed in a follow up.	4 years ago
Daniel Nephin	35f1ecee0b	config: Move remote-script-checks warning to config Previously it was done in Agent.Start, but it can be done much earlier	4 years ago
Daniel Nephin	27b36bfc4e	config: move NodeName validation to config validation Previsouly it was done in Agent.Start, which is much later then it needs to be. The new 'dns' package was required, because otherwise there would be an import cycle. In the future we should move more of the dns server into the dns package.	4 years ago
Daniel Nephin	399c77dfb6	agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg.	4 years ago
Daniel Nephin	7b5b170a0d	agent: Move setupKeyring functions to keyring.go There are a couple reasons for this change: 1. agent.go is way too big. Smaller files makes code eaasier to read because tools that show usage also include filename which can give a lot more context to someone trying to understand which functions call other functions. 2. these two functions call into a large number of functions already in keyring.go.	4 years ago
Daniel Nephin	9919e5dfa5	agent: unmethod consulConfig To allow us to move newConsulConfig out of Agent.	4 years ago
Daniel Nephin	8f596f5551	Fix conflict in merged PRs One PR renamed the var from config->cfg, and another used the old name config, which caused the build to fail on master.	4 years ago
Daniel Nephin	190fcc14a3	Merge pull request #8463 from hashicorp/dnephin/unmethod-make-node-id agent: convert NodeID methods to functions	4 years ago
Daniel Nephin	37eacf8192	auto-config: reduce awareness of config This is a small step to allowing Agent to accept its dependencies instead of creating them in New. There were two fields in autoconfig.Config that were used exclusively to load config. These were replaced with a single function, allowing us to move LoadConfig back to the config package. Also removed the WithX functions for building a Config. Since these were simple assignment, it appeared we were not getting much value from them.	4 years ago
Daniel Nephin	875d8bde42	agent: convert NodeID methods to functions Making these functions allows us to cleanup how an agent is initialized. They only make use of a config and a logger, so they do not need to be agent methods. Also cleanup the testing to use t.Run and require.	4 years ago
Daniel Nephin	0738eb8596	Extract nodeID functions to a different file In preparation for turning them into functions. To reduce the scope of Agent, and refactor how Agent is created and started.	4 years ago
Daniel Nephin	38980ebb4c	config: Make Source an interface This will allow us to accept config from auto-config without needing to go through a serialziation cycle.	4 years ago
Daniel Nephin	3b82ad0955	Rename NewClient/NewServer Now that duplicate constructors have been removed we can use the shorter names for the single constructor.	4 years ago
Daniel Nephin	0420d91cdd	Remove LogOutput from Agent Now that it is no longer used, we can remove this unnecessary field. This is a pre-step in cleanup up RuntimeConfig->Consul.Config, which is a pre-step to adding a gRPCHandler component to Server for streaming. Removing this field also allows us to remove one of the return values from logging.Setup.	4 years ago
Daniel Nephin	5acf01ceeb	Remove LogOutput from Server	4 years ago
Daniel Nephin	e8ee2cf2f7	Pass a logger to ConnPool and yamux, instead of an io.Writer Allowing us to remove the LogOutput field from config.	4 years ago
Daniel Nephin	ed8210fe4d	api: Use a Logger instead of an io.Writer in api.Watch So that we can pass around only a Logger, not a LogOutput	4 years ago
Daniel Nephin	1e17a0c3e1	config: Remove unused field	4 years ago
Matt Keeler	1a78cf9b4c	Ensure certificates retrieved through the cache get persisted with auto-config (#8409 )	4 years ago
Matt Keeler	34034b76f5	Agent Auto Config: Implement Certificate Generation (#8360 ) Most of the groundwork was laid in previous PRs between adding the cert-monitor package to extracting the logic of signing certificates out of the connect_ca_endpoint.go code and into a method on the server. This also refactors the auto-config package a bit to split things out into multiple files.	4 years ago
Pierre Souchay	505de6dc29	Added ratelimit to handle throtling cache (#8226 ) This implements a solution for #7863 It does: Add a new config cache.entry_fetch_rate to limit the number of calls/s for a given cache entry, default value = rate.Inf Add cache.entry_fetch_max_burst size of rate limit (default value = 2) The new configuration now supports the following syntax for instance to allow 1 query every 3s: command line HCL: -hcl 'cache = { entry_fetch_rate = 0.333}' in JSON { "cache": { "entry_fetch_rate": 0.333 } }	4 years ago
Matt Keeler	2ee9fe0a4d	Move generation of the CA Configuration from the agent code into a method on the RuntimeConfig (#8363 ) This allows this to be reused elsewhere.	4 years ago
Matt Keeler	9da8c51ac5	Fix issue with changing the agent token causing failure to renew the auto-encrypt certificate The fallback method would still work but it would get into a state where it would let the certificate expire for 10s before getting a new one. And the new one used the less secure RPC endpoint. This is also a pretty large refactoring of the auto encrypt code. I was going to write some tests around the certificate monitoring but it was going to be impossible to get a TestAgent configured in such a way that I could write a test that ran in less than an hour or two to exercise the functionality. Moving the certificate monitoring into its own package will allow for dependency injection and in particular mocking the cache types to control how it hands back certificates and how long those certificates should live. This will allow for exercising the main loop more than would be possible with it coupled so tightly with the Agent.	4 years ago
Daniel Nephin	653c938edc	watch: extract makeWatchPlan to facilitate testing There is a bug in here now that slices in opaque config are unsliced. But to test that bug fix we need a function that can be easily tested.	4 years ago
Daniel Nephin	f22f3d300d	Merge pull request #8231 from hashicorp/dnephin/unembed-HTTPServer-Server agent/http: un-embed the http.Server	4 years ago
Daniel Nephin	df4088291c	agent/http: Update TestSetupHTTPServer_HTTP2 To remove the need to store the http.Server. This will allow us to remove the http.Server field from the HTTPServer struct.	4 years ago
Daniel Nephin	5247ef4c70	Remove ACLsEnabled from delegate interface In all cases (oss/ent, client/server) this method was returning a value from config. Since the value is consistent, it doesn't need to be part of the delegate interface.	4 years ago
Pierre Souchay	20d1ea7d2d	Upgrade go-connlimit to v0.3.0 / return http 429 on too many connections (#8221 ) Fixes #7527 I want to highlight this and explain what I think the implications are and make sure we are aware: * `HTTPConnStateFunc` closes the connection when it is beyond the limit. `Close` does not block. * `HTTPConnStateFuncWithDefault429Handler(10 * time.Millisecond)` blocks until the following is done (worst case): 1) `conn.SetDeadline(10*time.Millisecond)` so that 2) `conn.Write(429error)` is guaranteed to timeout after 10ms, so that the http 429 can be written and 3) `conn.Close` can happen The implication of this change is that accepting any new connection is worst case delayed by 10ms. But only after a client reached the limit already.	4 years ago
Daniel Nephin	a5e45defb1	agent/http: un-embed the HTTPServer The embedded HTTPServer struct is not used by the large HTTPServer struct. It is used by tests and the agent. This change is a small first step in the process of removing that field. The eventual goal is to reduce the scope of HTTPServer making it easier to test, and split into separate packages.	4 years ago
Matt Keeler	a5a9560bbd	Initialize the agent leaf cert cache result with a state to prevent unnecessary second certificate signing	4 years ago
Matt Keeler	39b567a55a	Fix auto_encrypt IP/DNS SANs The initial auto encrypt CSR wasn’t containing the user supplied IP and DNS SANs. This fixes that. Also We were configuring a default :: IP SAN. This should be ::1 instead and was fixed.	4 years ago
Daniel Nephin	a891ee8428	Merge pull request #8176 from hashicorp/dnephin/add-linter-unparam-1 lint: add unparam linter and fix some of the issues	4 years ago
Matt Keeler	25a4f3c83b	Allow cancelling blocking queries in response to shutting down.	4 years ago
Daniel Nephin	010a609912	Fix a bunch of unparam lint issues	4 years ago
Matt Keeler	e2cfa93f02	Don’t leak metrics go routines in tests (#8182 )	4 years ago
Matt Keeler	d6e05482ab	Allow cancelling startup when performing auto-config (#8157 ) Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>	5 years ago
Matt Keeler	3dbbd2d37d	Implement Client Agent Auto Config There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.	5 years ago
Matt Keeler	8b7d669a27	Allow the Agent its its child Client/Server to share a connection pool This is needed so that we can make an AutoConfig RPC at the Agent level prior to creating the Client/Server.	5 years ago
Matt Keeler	51c3a605ad	Merge pull request #8035 from hashicorp/feature/auto-config/server-rpc	5 years ago
Matt Keeler	9b01f9423c	Implement the insecure version of the Cluster.AutoConfig RPC endpoint Right now this is only hooked into the insecure RPC server and requires JWT authorization. If no JWT authorizer is setup in the configuration then we inject a disabled “authorizer” to always report that JWT authorization is disabled.	5 years ago
Daniel Nephin	d345cd8d30	ci: Add ineffsign linter And fix an additional ineffective assignment that was not caught by staticcheck	5 years ago
R.B. Boyer	ffb9c7d6f7	acl: remove the deprecated `acl_enforce_version_8` option (#7991 ) Fixes #7292	5 years ago
Jono Sosulska	c554ba9e10	Replace whitelist/blacklist terminology with allowlist/denylist (#7971 ) * Replace whitelist/blacklist terminology with allowlist/denylist	5 years ago
Daniel Nephin	c88fae0aac	ci: Add staticcheck and fix most errors Three of the checks are temporarily disabled to limit the size of the diff, and allow us to enable all the other checks in CI. In a follow up we can fix the issues reported by the other checks one at a time, and enable them.	5 years ago
Pierre Souchay	d6649e42af	Stop all watches before shuting down anything dring shutdown. (#7526 ) This will prevent watches from being triggered. ```changelog * fix(agent): stop all watches before shuting down ```	5 years ago
Pierre Souchay	e9d176db2a	Allow to restrict servers that can join a given Serf Consul cluster. (#7628 ) Based on work done in https://github.com/hashicorp/memberlist/pull/196 this allows to restrict the IP ranges that can join a given Serf cluster and be a member of the cluster. Restrictions on IPs can be done separatly using 2 new differents flags and config options to restrict IPs for LAN and WAN Serf.	5 years ago
Matt Keeler	acccdbe45c	Fix identity resolution on clients and in secondary dcs (#7862 ) Previously this happened to be using the method on the Server/Client that was meant to allow the ACLResolver to locally resolve tokens. On Servers that had tokens (primary or secondary dc + token replication) this function would lookup the token from raft and return the ACLIdentity. On clients this was always a noop. We inadvertently used this function instead of creating a new one when we added logging accessor ids for permission denied RPC requests. With this commit, a new method is used for resolving the identity properly via the ACLResolver which may still resolve locally in the case of being on a server with tokens but also supports remote token resolution.	5 years ago
Kyle Havlovitz	f14c54e25e	Add TLS option and DNS SAN support to ingress config xds: Only set TLS context for ingress listener when requested	5 years ago
Matt Keeler	7a4c73acaf	Updates to allow for using an enterprise specific token as the agents token This is needed to allow for managed Consul instances to register themselves in the catalog with one of the managed service provider tokens.	5 years ago
Matt Keeler	bec3fb7c18	Some boilerplate to allow for ACL Bootstrap disabling configurability	5 years ago
Kit Patella	e2467f4b2c	Merge pull request #7656 from hashicorp/feature/audit/oss-merge agent: stub out auditing functionality in OSS	5 years ago
Kit Patella	3b105435b8	agent,config: port enterprise only fields to embedded enterprise structs	5 years ago
Daniel Nephin	5fe7043439	agent/cache: Make all cache options RegisterOptions Previously the SupportsBlocking option was specified by a method on the type, and all the other options were specified from RegisterOptions. This change moves RegisterOptions to a method on the type, and moves SupportsBlocking into the options struct. Currently there are only 2 cache-types. So all cache-types can implement this method by embedding a struct with those predefined values. In the future if a cache type needs to be registered more than once with different options it can remove the embedded type and implement the method in a way that allows for paramaterization.	5 years ago
Kit Patella	927f584761	agent: stub out auditing functionality in OSS	5 years ago
Kyle Havlovitz	e9e8c0e730	Ingress Gateways for TCP services (#7509 ) * Implements a simple, tcp ingress gateway workflow This adds a new type of gateway for allowing Ingress traffic into Connect from external services. Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>	5 years ago
Daniel Nephin	f46d1b5c94	agent/structs: Remove ServiceID.Init and CheckID.Init The Init method provided the same functionality as the New constructor. The constructor is both more widely used, and more idiomatic, so remove the Init method. This change is in preparation for fixing printing of these IDs.	5 years ago
Daniel Nephin	329d76fd0e	Remove SnapshotRPC passthrough The caller has access to the delegate, so we do not gain anything by wrapping the call in Agent.	5 years ago
Pierre Souchay	2a8bf45e38	agent: show warning when enable_script_checks is enabled without safty net (#7437 ) In order to enforce a bit security on Consul agents, add a new method in agent to highlight possible security issues. This does not return an error for now, but might in the future. For now, it detects issues such as: https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations/ This would display this kind of messages: ``` 2020-03-11T18:27:49.873+0100 [ERROR] agent: [SECURITY] issue: error="using enable-script-checks without ACLs and without allow_write_http_from is DANGEROUS, use enable-local-script-checks instead see https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations/" ```	5 years ago
Andy Lindeman	fb0a990e4d	agent: rewrite checks with proxy address, not local service address (#7518 ) Exposing checks is supposed to allow a Consul agent bound to a different IP address (e.g., in a different Kubernetes pod) to access healthchecks through the proxy while the underlying service binds to localhost. This is an important security feature that makes sure no external traffic reaches the service except through the proxy. However, as far as I can tell, this is subtly broken in the case where the Consul agent cannot reach the proxy over localhost. If a proxy is configured with: `{ LocalServiceAddress: "127.0.0.1", Checks: true }`, as is typical with a sidecar proxy, the Consul checks are currently rewritten to `127.0.0.1:<random port>`. A Consul agent that does not share the loopback address cannot reach this address. Just to make sure I was not misunderstanding, I tried configuring the proxy with `{ LocalServiceAddress: "<pod ip>", Checks: true }`. In this case, while the checks are rewritten as expected and the agent can reach the dynamic port, the proxy can no longer reach its backend because the traffic is no longer on the loopback interface. I think rewriting the checks to use `proxy.Address`, the proxy's own address, is more correct in this case. That is the IP where the proxy can be reached, both by other proxies and by a Consul agent running on a different IP. The local service address should continue to use `127.0.0.1` in most cases.	5 years ago
Shaker Islam	ac309d55f4	docs: document exported functions in agent.go (closes #7101 ) (#7366 ) and fix one linter error	5 years ago
Daniel Nephin	231c99f7b4	Document Agent.LogOutput	5 years ago
Daniel Nephin	bb8833a2d5	agent: Remove unused Encrypted from interface It appears to be unused. It looks like it has been around a while, I geuss at some point we stopped using this method.	5 years ago
Daniel Nephin	266bdf7465	agent: Remove xdsServer field The field is only referenced from a single method, it can be a local var	5 years ago
R.B. Boyer	6adad71125	wan federation via mesh gateways (#6884 ) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the agent and the results of that operation for primary mesh gateways are needed in the server there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation.	5 years ago
Pierre Souchay	864f7efffa	agent: configuration reload preserves check's statuses for services (#7345 ) This fixes issue #7318 Between versions 1.5.2 and 1.5.3, a regression has been introduced regarding health of services. A patch #6144 had been issued for HealthChecks of nodes, but not for healthchecks of services. What happened when a reload was: 1. save all healthcheck statuses 2. cleanup everything 3. add new services with healthchecks In step 3, the state of healthchecks was taken into account locally, so at step 3, but since we cleaned up at step 2, state was lost. This PR introduces the snap parameter, so step 3 can use information from step 1	5 years ago
Hans Hasselberg	315d57bfb1	agent: sensible keyring error (#7272 ) Fixes #7231. Before an agent would always emit a warning when there is an encrypt key in the configuration and an existing keyring stored, which is happening on restart. Now it only emits that warning when the encrypt key from the configuration is not part of the keyring.	5 years ago
Akshay Ganeshen	8beb716414	feat: support sending body in HTTP checks (#6602 )	5 years ago
Freddy	cb77fc6d01	Add managed service provider token (#7218 ) Stubs for enterprise-only ACL token to be used by managed service providers.	5 years ago
Hans Hasselberg	5531678e9e	Security fixes (#7182 ) * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>	5 years ago
R.B. Boyer	d78b5008ce	various tweaks on top of the hclog work (#7165 )	5 years ago
Chris Piraino	401221de58	Allow users to configure either unstructured or JSON logging (#7130 ) * hclog Allow users to choose between unstructured and JSON logging	5 years ago
Kit Patella	0d336edb65	Add accessorID of token when ops are denied by ACL system (#7117 ) * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>	5 years ago
Matt Keeler	c09693e545	Updates to Config Entries and Connect for Namespaces (#7116 )	5 years ago
Hans Hasselberg	11a571de95	agent: setup grpc server with auto_encrypt certs and add -https-port (#7086 ) * setup grpc server with TLS config used across consul. * add -https-port flag	5 years ago
Aestek	8fc736038a	agent: remove service sidecars in Agent.cleanupRegistration (#7022 ) Sidecar proxies were left behind when cleaning up after an unsuccessful registration. There are now also removed when the service is cleanup up.	5 years ago
Hans Hasselberg	87f32c8ba6	auto_encrypt: set dns and ip san for k8s and provide configuration (#6944 ) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR	5 years ago
Aestek	ba8fd8296f	Add support for dual stack IPv4/IPv6 network (#6640 ) * Use consts for well known tagged adress keys * Add ipv4 and ipv6 tagged addresses for node lan and wan * Add ipv4 and ipv6 tagged addresses for service lan and wan * Use IPv4 and IPv6 address in DNS	5 years ago
Matej Urbas	ce023359fe	agent: configurable MaxQueryTime and DefaultQueryTime. (#3777 )	5 years ago
Matt Keeler	a78f7d7a34	OSS changes for implementing token based namespace inferencing remove debug log	5 years ago
Matt Keeler	5934f803bf	Sync of OSS changes to support namespaces (#6909 )	5 years ago

... 2 3 4 5 6 ...

615 Commits (6662e48363905f32cc3e1bc7dddda31307038de2)