Kyle Havlovitz
1a8ac686b2
connect/ca: add the Vault CA provider
2018-06-25 12:25:41 -07:00
Paul Banks
51fc48e8a6
Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
2018-06-25 12:25:41 -07:00
Paul Banks
e33bfe249e
Note leadership issues in comments
2018-06-25 12:25:41 -07:00
Paul Banks
b5f24a21cb
Fix test broken by final telemetry PR change!
2018-06-25 12:25:40 -07:00
Paul Banks
e514570dfa
Actually return Intermediate certificates bundled with a leaf!
2018-06-25 12:25:40 -07:00
Matt Keeler
e22b9c8e15
Output the service Kind in the /v1/internal/ui/services endpoint
2018-06-25 12:25:40 -07:00
Paul Banks
17789d4fe3
register TCP check for managed proxies
2018-06-25 12:25:40 -07:00
Paul Banks
280f14d64c
Make proxy only listen after initial certs are fetched
2018-06-25 12:25:40 -07:00
Paul Banks
420ae3df69
Limit proxy telemetry config to only be visible with authenticated with a proxy token
2018-06-25 12:25:39 -07:00
Paul Banks
597e55e8e2
Misc test fixes
2018-06-25 12:25:39 -07:00
Paul Banks
c6ef6a61c9
Refactor to use embedded struct.
2018-06-25 12:25:39 -07:00
Paul Banks
9f559da913
Revert telemetry config changes ready for cleaner approach
2018-06-25 12:25:39 -07:00
Paul Banks
38405bd4a9
Allow user override of proxy telemetry config
2018-06-25 12:25:38 -07:00
Paul Banks
7649d630c6
Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about
2018-06-25 12:25:38 -07:00
Paul Banks
d83f2e8e21
Expose telemetry config from RuntimeConfig to proxy config endpoint
2018-06-25 12:25:38 -07:00
Paul Banks
8aeb7bd206
Disable TestAgent proxy execution properly
2018-06-25 12:25:38 -07:00
Paul Banks
2e223ea2b7
Fix hot loop in cache for RPC returning zero index.
2018-06-25 12:25:37 -07:00
Paul Banks
43b48bc06b
Get agent cache tests passing without global hit count (which is racy).
...
Few other fixes in here just to get a clean run locally - they are all also fixed in other PRs but shouldn't conflict.
This should be robust to timing between goroutines now.
2018-06-25 12:25:37 -07:00
Mitchell Hashimoto
155bb67c52
Update UI for beta3
2018-06-25 12:25:16 -07:00
Mitchell Hashimoto
6b1e0a3003
agent/cache: always schedule the refresh
2018-06-25 12:25:14 -07:00
Mitchell Hashimoto
7cbbac43a3
agent: clarify comment
2018-06-25 12:25:14 -07:00
Mitchell Hashimoto
a08faf5a11
agent: add additional assertion to test
2018-06-25 12:25:13 -07:00
Paul Banks
2c21ead80e
More test tweaks
2018-06-25 12:25:13 -07:00
Paul Banks
05a8097c5d
Fix misc test failures (some from other PRs)
2018-06-25 12:25:13 -07:00
Paul Banks
382ce8f98a
Only set precedence on write path
2018-06-25 12:25:13 -07:00
Paul Banks
4a54f8f7e3
Fix some tests failures caused by the sorting change and some cuased by previous UpdatePrecedence() change
2018-06-25 12:25:13 -07:00
Paul Banks
bf7a62e0e0
Sort intention list by precedence
2018-06-25 12:25:13 -07:00
Mitchell Hashimoto
181fbcc9b9
agent: intention update/delete responess match ACL/KV behavior
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
3c17144fb5
agent/structs: JSON marshal the configuration for a managed proxy
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
e9e6514c9b
agent: disallow deregistering a managed proxy directly
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
66a573e496
agent: deregister service deregisters the proxy along with it
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
a82726f0b8
agent: RemoveProxy also removes the proxy service
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
e2653bec02
Fix broken tests from PR merge related to proxy secure defaults
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
cf9b377c78
agent/cache: always fetch with minimum index of 1 at least
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
6a438c25d0
agent/proxy: remove debug println
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
0d6dcbd2f1
agent: disallow API registration with managed proxy if not enabled
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
f7fc026e18
agent/config: AllowManagedAPIRegistration
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
ed98d65c2b
agent/proxy: AllowRoot to disable executing managed proxies when root
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
5ae32837f7
agent/proxy: set the proper arguments so we only run the helper process
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
4897ca6545
agent/config: add AllowManagedRoot
2018-06-25 12:25:11 -07:00
Kyle Havlovitz
82a4b3c13f
connect: fix two CA tests that were broken in a previous PR ( #60 )
2018-06-25 12:25:10 -07:00
Paul Banks
41a29a469e
Fix roots race with CA setup hammering bug and defensive nil check hit during obscure upgrade scenario
2018-06-25 12:25:10 -07:00
Kyle Havlovitz
aafa3ca64a
agent: format all CA config fields
2018-06-25 12:25:09 -07:00
Kyle Havlovitz
edbeeeb23c
agent: update accepted CA config fields and defaults
2018-06-25 12:25:09 -07:00
Mitchell Hashimoto
316bdbe010
agent/proxy: fix build on Windows
2018-06-25 12:24:18 -07:00
Paul Banks
0824d1df5f
Misc comment cleanups
2018-06-25 12:24:16 -07:00
Paul Banks
e57aa52ca6
Warn about killing proxies in dev mode
2018-06-25 12:24:16 -07:00
Mitchell Hashimoto
028aa78e83
agent/consul: set precedence value on struct itself
2018-06-25 12:24:16 -07:00
Mitchell Hashimoto
927b45bf91
agent/config: move ports to `ports` structure, update docs
2018-06-25 12:24:15 -07:00
Paul Banks
d1c67d90bc
Fixs a few issues that stopped this working in real life but not caught by tests:
...
- Dev mode assumed no persistence of services although proxy state is persisted which caused proxies to be killed on startup as their services were no longer registered. Fixed.
- Didn't snapshot the ProxyID which meant that proxies were adopted OK from snapshot but failed to restart if they died since there was no proxyID in the ENV on restart
- Dev mode with no persistence just kills all proxies on shutdown since it can't recover them later
- Naming things
2018-06-25 12:24:14 -07:00
Paul Banks
85d6502ab3
Don't kill proxies on agent shutdown; backport manager close fix
2018-06-25 12:24:13 -07:00
Paul Banks
b2ff583392
Test for adopted process Stop race and fix
2018-06-25 12:24:13 -07:00
Mitchell Hashimoto
62d4aaa33e
agent: accept connect param for execute
2018-06-25 12:24:12 -07:00
Mitchell Hashimoto
daf46c9cfa
agent/consul: support a Connect option on prepared query request
2018-06-25 12:24:12 -07:00
Mitchell Hashimoto
440b1b2d97
agent/consul: prepared query supports "Connect" field
2018-06-25 12:24:11 -07:00
Mitchell Hashimoto
8bcadddda7
agent: intention create returns 500 for bad body
2018-06-25 12:24:10 -07:00
Mitchell Hashimoto
1830c6b308
agent: switch ConnectNative to an embedded struct
2018-06-25 12:24:10 -07:00
Paul Banks
df2cb30b01
Make tests pass and clean proxy persistence. No detached child changes yet.
...
This is a good state for persistence stuff to re-start the detached child work that got mixed up last time.
2018-06-25 12:24:10 -07:00
Paul Banks
cdc7cfaa36
Abandon daemonize for simpler solution (preserving history):
...
Reverts:
- bdb274852ae469c89092d6050697c0ff97178465
- 2c689179c4f61c11f0016214c0fc127a0b813bfe
- d62e25c4a7ab753914b6baccd66f88ffd10949a3
- c727ffbcc98e3e0bf41e1a7bdd40169bd2d22191
- 31b4d18933fd0acbe157e28d03ad59c2abf9a1fb
- 85c3f8df3eabc00f490cd392213c3b928a85aa44
2018-06-25 12:24:10 -07:00
Paul Banks
a2fe604191
WIP
2018-06-25 12:24:09 -07:00
Paul Banks
8cf4b3a6eb
Sanity check that we are never trying to self-exec a test binary. Add daemonize bypass for TestAgent so that we don't have to jump through ridiculous self-execution hooks for every package that might possibly invoke a managed proxy
2018-06-25 12:24:09 -07:00
Mitchell Hashimoto
827b671d4a
agent/proxy: Manager.Close also has to stop all proxy watchers
2018-06-25 12:24:09 -07:00
Paul Banks
ef9c40643e
Fix import tooling fail
2018-06-25 12:24:09 -07:00
Paul Banks
ba0fb58a72
Make daemoinze an option on test binary without hacks. Misc fixes for racey or broken tests. Still failing on several though.
2018-06-25 12:24:09 -07:00
Paul Banks
2b377dc624
Run daemon processes as a detached child.
...
This turns out to have a lot more subtelty than we accounted for. The test suite is especially prone to races now we can only poll the child and many extra levels of indirectoin are needed to correctly run daemon process without it becoming a Zombie.
I ran this test suite in a loop with parallel enabled to verify for races (-race doesn't find any as they are logical inter-process ones not actual data races). I made it through ~50 runs before hitting an error due to timing which is much better than before. I want to go back and see if we can do better though. Just getting this up.
2018-06-25 12:24:08 -07:00
Paul Banks
e21723a891
Persist proxy state through agent restart
2018-06-25 12:24:08 -07:00
Mitchell Hashimoto
eb3fcb39b3
agent/consul/state: support querying by Connect native
2018-06-25 12:24:08 -07:00
Mitchell Hashimoto
6b745964c4
agent/cache: update comment from PR review to clarify
2018-06-25 12:24:08 -07:00
Mitchell Hashimoto
424272361d
agent: agent service registration supports Connect native services
2018-06-25 12:24:08 -07:00
Mitchell Hashimoto
d6a823ad0d
agent/consul: support catalog registration with Connect native
2018-06-25 12:24:07 -07:00
Mitchell Hashimoto
d609ad216b
agent/cache: update comments
2018-06-25 12:24:07 -07:00
Mitchell Hashimoto
839d3c323d
agent/cache: correct test name
2018-06-25 12:24:07 -07:00
Mitchell Hashimoto
45e49f31de
agent/cache: change behavior to return error rather than retry
...
The cache behavior should not be to mask errors and retry. Instead, it
should aim to return errors as quickly as possible. We do that here.
2018-06-25 12:24:07 -07:00
Mitchell Hashimoto
311d503fb0
agent/cache: perform backoffs on error retries on blocking queries
2018-06-25 12:24:06 -07:00
Matt Keeler
3afa4f9c7e
Merge pull request #4234 from hashicorp/feature/default-new-ui
...
Switch over to defaulting to the new UI
2018-06-20 09:10:08 -04:00
Matt Keeler
af910bda39
Merge pull request #4216 from hashicorp/rpc-limiting
...
Make RPC limits reloadable
2018-06-20 09:05:28 -04:00
Matt Keeler
0d4e8676d1
Merge pull request #4215 from hashicorp/feature/config-node-meta-dns-txt
...
Add configuration entry to control including TXT records for node meta in DNS responses
2018-06-20 08:53:04 -04:00
Matt Keeler
7f7c703118
Update the runtime tests
2018-06-19 13:59:26 -04:00
Matt Keeler
8216816e3f
Make filtering out TXT RRs only apply when they would end up in Additional section
...
ANY queries are no longer affected.
2018-06-19 10:08:16 -04:00
Matt Keeler
197e2f69d5
Switch over to defaulting to the new UI
2018-06-15 09:20:13 -04:00
Kyle Havlovitz
ab4a9a94f4
Re-use uint8ToString
2018-06-14 09:42:23 -07:00
Kyle Havlovitz
5683d628c4
Support giving the duration as a string in CA config
2018-06-14 09:42:22 -07:00
Mitchell Hashimoto
eb2a6952ba
address comment feedback
2018-06-14 09:42:22 -07:00
Mitchell Hashimoto
cd39f09693
agent: leaf endpoint accepts name, not service ID
...
This change is important so that requests can made representing a
service that may not be registered with the same local agent.
2018-06-14 09:42:20 -07:00
Mitchell Hashimoto
1906fe1c0d
agent: address feedback
2018-06-14 09:42:20 -07:00
Mitchell Hashimoto
0accfc1628
agent: rename test to check
2018-06-14 09:42:18 -07:00
Mitchell Hashimoto
d1c21a8629
agent: implement HTTP endpoint
2018-06-14 09:42:18 -07:00
Mitchell Hashimoto
2a29679e9d
agent/consul: forward request if necessary
2018-06-14 09:42:17 -07:00
Mitchell Hashimoto
54ac5adb08
agent: comments to point to differing logic
2018-06-14 09:42:17 -07:00
Mitchell Hashimoto
d68462fca6
agent/consul: implement Intention.Test endpoint
2018-06-14 09:42:17 -07:00
Paul Banks
a80559e439
Make invalid clusterID be fatal
2018-06-14 09:42:17 -07:00
Paul Banks
140f3f5a44
Fix logical conflicts with CA refactor
2018-06-14 09:42:17 -07:00
Paul Banks
c58d47ba59
Fix broken api test for service Meta (logical conflict rom OSS). Add test that would make this much easier to catch in future.
2018-06-14 09:42:17 -07:00
Paul Banks
f4b8e8c96d
Add default CA config back - I didn't add it and causes nil panics
2018-06-14 09:42:17 -07:00
Paul Banks
1228a5839a
Ooops remove the CA stuff from actual server defaults and make it test server only
2018-06-14 09:42:16 -07:00
Paul Banks
4aeab3897c
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes.
2018-06-14 09:42:16 -07:00
Paul Banks
bc07ff4983
Comment cleanup
2018-06-14 09:42:16 -07:00
Paul Banks
1722734313
Verify trust domain on /authorize calls
2018-06-14 09:42:16 -07:00
Paul Banks
b4803eca59
Generate CSR using real trust-domain
2018-06-14 09:42:16 -07:00
Paul Banks
622a475eb1
Add CSR signing verification of service ACL, trust domain and datacenter.
2018-06-14 09:42:16 -07:00
Paul Banks
c1f2025d96
Return TrustDomain from CARoots RPC
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
e00088e8ee
Rename some of the CA structs/files
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
6e9f1f8acb
Add more metadata to structs.CARoot
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
627aa80d5a
Use provider state table for a global serial index
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
988510f53c
Add test for ca config http endpoint
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
de72834b8c
Move connect CA provider to separate package
2018-06-14 09:42:15 -07:00
Mitchell Hashimoto
4f3b5647e5
agent/cache: change uint8 to uint
2018-06-14 09:42:15 -07:00
Mitchell Hashimoto
fc5508f8a3
agent/cache: string through attempt rather than storing on the entry
2018-06-14 09:42:15 -07:00
Mitchell Hashimoto
cfcd733609
agent/cache: implement refresh backoff
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
bc605a1576
agent/consul: change provider wait from goto to a loop
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
c8b65217c3
agent/consul: check nil on getCAProvider result
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
9b3495dddb
agent/consul: retry reading provider a few times
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
e54e69d11f
agent: verify local proxy tokens for CA leaf + tests
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
a099c27b07
agent: verify proxy token for ProxyConfig endpoint + tests
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
6e386ba6be
agent/proxy: pass proxy ID as an env var
2018-06-14 09:42:13 -07:00
Mitchell Hashimoto
37dde6d64a
agent/config: add managed proxy upstreams config to skip
...
agent/config will turn [{}] into {} (single element maps into a single
map) to work around HCL issues. These are resolved in HCL2 which I'm
sure Consul will switch to eventually.
This breaks the connect proxy configuration in service definition FILES
since we call this patch function. For now, let's just special-case skip
this. In the future we maybe Consul will adopt HCL2 and fix it, or we
can do something else if we want. This works and is tested.
2018-06-14 09:42:13 -07:00
Mitchell Hashimoto
965a902474
agent/structs: validate service definitions, port required for proxy
2018-06-14 09:42:13 -07:00
Mitchell Hashimoto
9a62bce03b
agent/config: default connect enabled in dev mode
...
This enables `consul agent -dev` to begin using Connect features with
the built-in CA. I think this is expected behavior since you can imagine
that new users would want to try.
There is no real downside since we're just using the built-in CA.
2018-06-14 09:42:13 -07:00
Paul Banks
d13be6b952
Make CSR work with jank domain
2018-06-14 09:42:13 -07:00
Mitchell Hashimoto
de3f49a880
agent/proxy: delete pid file on Stop
2018-06-14 09:42:13 -07:00
Mitchell Hashimoto
aaca1fbcf5
agent: increase timer for blocking cache endpoints
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
b4ba31c61b
agent/proxy: address PR feedback
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
f5e7993249
agent: clarify why we Kill still
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
2809203408
agent: restore proxy snapshot but still Kill proxies
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
718aabe35f
agent/proxy: check if process is alive in addition to Wait
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
f5ccc65295
agent: only set the proxy manager data dir if its set
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
1a32435a4d
agent/proxy: improve comments on snapshotting
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
e0bbe66427
agent/proxy: implement periodic snapshotting in the manager
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
13ff115436
agent/proxy: check if process is alive
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
0e8c0b7b48
agent/proxy: implement snapshotting for daemons
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
b7580f4fad
agent/proxy: manager configures the daemon pid path to write pids
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
1e7f253b53
agent/proxy: write pid file whenever the daemon process changes
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
09dcb0be98
agent/proxy: change LogDir to DataDir to reuse for other things
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
5e6bd8291c
agent/proxy: make the logs test a bit more robust by waiting for file
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
d00ff7cb58
agent/proxy: don't create the directory in newProxy
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
6cdacd1fd9
agent/proxy: send logs to the correct location for daemon proxies
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
ba00fa3548
agent: add additional tests for defaulting in AddProxy
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
171bf8d599
agent: clean up defaulting of proxy configuration
...
This cleans up and unifies how proxy settings defaults are applied.
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
3d3eee2f6e
agent: resolve some conflicts and fix tests
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
d9bd4ffebd
agent/local: clarify the non-risk of a full buffer
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
437689e83c
agent/local: remove outdated comment
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
6ae95d754c
agent: use os.Executable
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
39974df52a
agent/proxy: local state event coalescing
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
b0f377b519
agent/proxy: implement force kill of unresponsive proxy process
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
6539280f2a
agent: fix crash that could happen if proxy was nil on load
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
420edc4c1e
agent/proxy: pull exit status extraction to constrained file
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
1a2b28602c
agent: start proxy manager
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
7879e1d2ef
agent/proxy: detect config change to stop/start proxies
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
2d60684a8b
agent/proxy: test removing proxies and stopping them
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
fcd2ab2338
agent/proxy: manager and basic tests, not great coverage yet coming soon
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
2bd39a84a6
agent/local: add Notify mechanism for proxy changes
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
476ea7b04a
agent: start/stop proxies
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
fbfc6fce66
agent/proxy: clean up usage, can't be restarted
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
aaa2431350
agent: change connect command paths to be slices, not strings
...
This matches other executable configuration and allows us to cleanly
separate executable from arguments without trying to emulate shell
parsing.
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
7355a614fe
agent/local: store proxy on local state, wip, not working yet
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
ffd284de36
agent/proxy: exponential backoff on restarts
2018-06-14 09:42:07 -07:00
Mitchell Hashimoto
aa08a4cb46
agent/proxy: Daemon works, tests cover it too
2018-06-14 09:42:07 -07:00
Mitchell Hashimoto
e14fa850d8
wip
2018-06-14 09:42:07 -07:00
Paul Banks
e0e12e165b
TLS watching integrated into Service with some basic tests.
...
There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code.
2018-06-14 09:42:07 -07:00
Paul Banks
90c574ebaa
Wire up agent leaf endpoint to cache framework to support blocking.
2018-06-14 09:42:07 -07:00
Kyle Havlovitz
a4d18f0eaa
Fill out connect CA rpc endpoint tests
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
b081c34255
Fix config tests
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
cce7f1cca1
Add tests for the built in CA's state store table
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
15fbc2fd97
Add more tests for built-in provider
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
edcfdb37af
Fix some inconsistencies around the CA provider code
2018-06-14 09:42:06 -07:00
Paul Banks
1b197d934a
Don't allow connect watches in agent/cli yet
2018-06-14 09:42:06 -07:00
Paul Banks
e8c510332c
Support legacy watch.HandlerFunc type for backward compat reduces impact of change
2018-06-14 09:42:05 -07:00
Paul Banks
cd88b2a351
Basic `watch` support for connect proxy config and certificate endpoints.
...
- Includes some bug fixes for previous `api` work and `agent` that weren't tested
- Needed somewhat pervasive changes to support hash based blocking - some TODOs left in our watch toolchain that will explicitly fail on hash-based watches.
- Integration into `connect` is partially done here but still WIP
2018-06-14 09:42:05 -07:00
Kyle Havlovitz
daa8dd1779
Add CA config to connect section of agent config
2018-06-14 09:42:05 -07:00
Kyle Havlovitz
32d1eae28b
Move ConsulCAProviderConfig into structs package
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
315b8bf594
Simplify the CAProvider.Sign method
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
c6e1b72ccb
Simplify the CA provider interface by moving some logic out
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
a325388939
Clarify some comments and names around CA bootstrapping
2018-06-14 09:42:04 -07:00
Mitchell Hashimoto
8c1d5a2cdc
agent: resolve flaky test by checking cache hits increase, rather than
...
exact
2018-06-14 09:42:04 -07:00
Mitchell Hashimoto
051f004683
agent: use helper/retry instead of timing related tests
2018-06-14 09:42:04 -07:00
Mitchell Hashimoto
bd3b8e042a
agent/cache: address PR feedback, lots of typos
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
02b20a0353
agent/cache: address feedback, clarify comments
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
af1d70b026
agent/cache: don't every block on NotifyCh
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
724b829104
agent/cache: unit tests for ExpiryHeap, found a bug!
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
194b256861
agent/cache: send the total entries count on eviction to go-metrics
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
e0d964188c
agent/cache: make edge case with prev/next idx == 0 handled better
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
3b550d2b72
agent/cache: rework how expiry data is stored to be more efficient
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
595193a781
agent/cache: initial TTL work
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
1df99514ca
agent/cache: send the RefreshTimeout into the backend fetch
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
db4c47df27
agent/cache: on error, return from Get immediately, don't block forever
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
cc2c98f961
agent/cache: lots of comment/doc updates
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
6c01e402e0
agent: augment /v1/connect/authorize to cache intentions
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
0f3f3d13ca
agent/cache-types: support intention match queries
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
e1c1b8812a
agent/cache: return the error as part of Get
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
00e7ab3cd5
agent/cache: integrate go-metrics so the cache is debuggable
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
9f3dbf7b2a
agent/structs: DCSpecificRequest sets all the proper fields for
...
CacheInfo
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
be873d2558
agent/cache-types/ca-leaf: proper result for timeout, race on setting CA
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
fcb15e15ae
agent/cache: support timeouts for cache reads and empty fetch results
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
e81942df7a
agent/cache-types: rename to separate root and leaf cache types
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
8e7c517db1
agent/cache-types: got basic CA leaf caching work, major problems still
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
917a9e63d5
agent: check cache hit count to verify CA root caching, background update
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
6902d721d6
agent: initialize the cache and cache the CA roots
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
c329b4cb34
agent/cache: partition by DC/ACL token
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
e3c1162881
agent/cache: Reorganize some files, RequestInfo struct, prepare for partitioning
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
b0db5657c4
agent/cache: ConnectCA roots caching type
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
975be337a9
agent/cache: blank cache key means to always fetch
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
1cfb0f1922
agent/cache: initial kind-of working cache
2018-06-14 09:42:00 -07:00
Kyle Havlovitz
33418afd3c
Add cross-signing mechanism to root rotation
2018-06-14 09:42:00 -07:00
Kyle Havlovitz
d83fbfc766
Add the root rotation mechanism to the CA config endpoint
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
f9d92d795e
Have the built in CA store its state in raft
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
30c1973e8b
Fix the testing endpoint's root set op
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
75f62e3117
Update the CA config endpoint to enable GETs
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
ab737ef0f8
Hook the CA RPC endpoint into the provider interface
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
1f6501895f
Add CA bootstrapping on establishing leadership
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
682f105c7c
Add the bootstrap config for the CA
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
9fc33d2a62
Add the CA provider interface and built-in provider
2018-06-14 09:41:58 -07:00
Kyle Havlovitz
1787f88618
Add CA config set to fsm operations
2018-06-14 09:41:58 -07:00
Kyle Havlovitz
6b3416e480
Add the Connect CA config to the state store
2018-06-14 09:41:58 -07:00
Paul Banks
36dbd878c9
Adds `api` client code and tests for new Proxy Config endpoint, registering with proxy and seeing proxy config in /agent/services list.
2018-06-14 09:41:58 -07:00
Paul Banks
730da74369
Fix various test failures and vet warnings.
...
Intention de-duplication in previously merged PR actualy failed some tests that were not caught be me or CI. I ran the test files for state changes but they happened not to trigger this case so I made sure they did first and then fixed. That fixed some upstream intention endpoint tests that I'd not run as part of testing the previous fix.
2018-06-14 09:41:58 -07:00
Paul Banks
1e72ad66f5
Refactor localBlockingQuery to use memdb.WatchSet. Much simpler and correct as a bonus!
2018-06-14 09:41:58 -07:00
Paul Banks
8d09381b96
Super ugly hack to get TeamCity build to work for this PR without adding a vendor that is being added elsewhere and will conflict...
2018-06-14 09:41:58 -07:00
Paul Banks
d73f079d0f
Add X-Consul-ContentHash header; implement removing all proxies; add load/unload test.
2018-06-14 09:41:57 -07:00
Paul Banks
2a69663448
Agent Connect Proxy config endpoint with hash-based blocking
2018-06-14 09:41:57 -07:00
Paul Banks
3e3f0e1f31
HTTP agent registration allows proxy to be defined.
2018-06-14 09:41:57 -07:00
Paul Banks
e6071051cf
Added connect proxy config and local agent state setup on boot.
2018-06-14 09:41:57 -07:00
Paul Banks
88541bba17
Add tests all the way up through the endpoints to ensure duplicate src/destination is supported and so ultimately deny/allow nesting works.
...
Also adds a sanity check test for `api.Agent().ConnectAuthorize()` and a fix for a trivial bug in it.
2018-06-14 09:41:57 -07:00
Paul Banks
ed9f07c361
Allow duplicate source or destination, but enforce uniqueness across all four.
2018-06-14 09:41:57 -07:00
Paul Banks
10db79c8ae
Rework connect/proxy and command/connect/proxy. End to end demo working again
2018-06-14 09:41:57 -07:00
Paul Banks
26e65f6bfd
connect.Service based implementation after review feedback.
2018-06-14 09:41:56 -07:00
Mitchell Hashimoto
95da20ffd7
agent: rename authorize param ClientID to ClientCertURI
2018-06-14 09:41:56 -07:00
Mitchell Hashimoto
6e57233913
agent: add TODO for verification
2018-06-14 09:41:55 -07:00
Mitchell Hashimoto
5a47a53c70
acl: IntentionDefault => IntentionDefaultAllow
2018-06-14 09:41:55 -07:00
Mitchell Hashimoto
ac72a0c5fd
agent: ACL checks for authorize, default behavior
2018-06-14 09:41:55 -07:00
Mitchell Hashimoto
6dc2db94ea
agent/structs: String format for Intention, used for logging
2018-06-14 09:41:55 -07:00
Mitchell Hashimoto
fb7bccc690
agent: bolster commenting for clearer understandability
2018-06-14 09:41:55 -07:00
Mitchell Hashimoto
9a987d6452
agent: default deny on connect authorize endpoint
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
86a8ce45b9
agent: /v1/agent/connect/authorize is functional, with tests
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
3ef0b93159
agent/connect: Authorize for CertURI
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
70d1d5bf06
agent: get rid of method checks since they're done in the http layer
2018-06-14 09:41:54 -07:00
Paul Banks
9309422fd9
Add Connect agent, catalog and health endpoints to api Client
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
845f7cd8ad
agent/consul/state: ensure exactly one active CA exists when setting
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
ffe4cdfc15
agent/connect: support any values in the URL
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
75bf0e1638
agent/connect: support SpiffeIDSigning
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
17ca8ad083
agent/connect: rename SpiffeID to CertURI
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
0cbcb07d61
agent/connect: use proper keyusage fields for CA and leaf
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
73442ada5a
agent/connect: address PR feedback for the CA.go file
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
d28ee70a56
agent: implement an always-200 authorize endpoint
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
a54d1af421
agent/consul: encode issued cert serial number as hex encoded
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
4210003c86
agent/structs: hide some fields from JSON
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
63d674d07d
agent: /v1/connect/ca/configuration PUT for setting configuration
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
1c3dbc83ff
agent/consul/fsm,state: snapshot/restore for CA roots
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
90f423fd02
agent/consul/fsm,state: tests for CA root related changes
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
1c72639d60
agent/consul: set more fields on the issued cert
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
c2588262b7
agent: /v1/connect/ca/leaf/:service_id
2018-06-14 09:41:52 -07:00