3268 Commits (90b42c66fa61956cb7ce9d50595c3a9328e7e7d8)

Author SHA1 Message Date
hc-github-team-consul-core 8ab3884ae2
update bindata_assetfs.go 2021-08-27 19:44:04 +00:00
Evan Culver 3357e57dac
[1.10.x] rpc: authorize raft requests (#10931) 2021-08-26 15:25:08 -07:00
Chris S. Kim 7a635ff8e1
[1.10.x] Backport (#10811) and update vendor with new yamux version (#10929) 2021-08-26 14:35:38 -04:00
Chris S. Kim f7ce97d73c ent->oss test fix (#10926) 2021-08-26 18:07:32 +00:00
Chris S. Kim 358a26d4cf api: expose upstream routing configurations in topology view (#10811)
Some users are defining routing configurations that do not have associated services. This commit surfaces these configs in the topology visualization. Also fixes a minor internal bug with non-transparent proxy upstream/downstream references.
2021-08-25 19:21:41 +00:00
R.B. Boyer b42bd0f2df
[1.10.x] grpc: ensure that streaming gRPC requests work over mesh gateway based wan federation (#10908)
Backport of #10838 to 1.10.x
2021-08-25 09:26:08 -05:00
Freddy 14db6cd75c Merge pull request #10873 from hashicorp/fix/10825-pq-san-validation 2021-08-23 19:00:30 -06:00
Freddy 6db08dcf64
checks: Add Interval and Timeout to API response (#10717) (#10868)
Co-authored-by: Evan Culver <eculver@users.noreply.github.com>
2021-08-18 10:04:56 -06:00
Daniel Nephin f7c4d6b878
Merge pull request #10847 from hashicorp/dnephin/fix-relese-1.10.x
[1.10.x] Fix the build
2021-08-13 10:42:36 -04:00
Mike Morris dd3ff5a579
backport(1.10): deps: upgrade gogo-protobuf to v1.3.2 (#10839)
* deps: upgrade gogo-protobuf to v1.3.2 (#10813)

* go mod tidy using go 1.16

* proto: regen protobufs after upgrading gogo/protobuf

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* vendor: make update-vendor

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-12 17:51:10 -04:00
Daniel Nephin 36023900bd proxycfg: fix cherry-pick errors
The previous commit from main required some changes to get the tests passing.
2021-08-12 17:41:29 -04:00
Daniel Nephin b865e7c8a6 Merge pull request #10824 from hashicorp/dnephin/acl-token-bug
proxycfg: Use acl.tokens.default token as a default when there is no token in the registration
2021-08-12 21:01:14 +00:00
Mark Anderson 1140e508f3 Fixup to support unix domain socket via command line (#10758)
Missed the need to add support for unix domain socket config via
api/command line. This is a variant of the problems described in
it is easy to drop one.

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-08-12 17:06:29 +00:00
Daniel Nephin 1186e38ac6 acl: remove special handling of services in txn_endpoint
Previously we were passing an Authorizer that would always allow the
operation, then later checking the authorization using vetServiceTxnOp.

On the surface this seemed strange, but I think it was actually masking
a bug as well. Over time `servicePreApply` was changed to add additional
authorization for `service.Proxy.DestinationServiceName`, but because
we were passing a nil Authorizer, that authorization was not handled on
the txn_endpoint.

`TxnServiceOp.FillAuthzContext` has some special handling in enterprise,
so we need to make sure to continue to use that from the Txn endpoint.

This commit removes the `vetServiceTxnOp` function, and passes in the
`FillAuthzContext` function so that `servicePreApply` can be used by
both the catalog and txn endpoints. This should be much less error prone
and prevent bugs like this in the future.
2021-08-05 15:41:56 -04:00
Dhia Ayachi fe1a2f5d9b defer setting the state before returning to avoid being stuck in `INITIALIZING` state (#10630)
* defer setting the state before returning to avoid being stuck in `INITIALIZING` state

* add changelog

* move comment with the right if statement

* ca: report state transition error from setSTate

* update comment to reflect state transition

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-05 18:54:40 +00:00
Dhia Ayachi 2f5ce9950a fix state index for `CAOpSetRootsAndConfig` op (#10675)
* fix state index for `CAOpSetRootsAndConfig` op

* add changelog

* Update changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* remove the change log as it's not needed

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-04 17:08:51 +00:00
Daniel Nephin 789b6c1a30 Merge pull request #10707 from hashicorp/dnephin/streaming-setup-default-timeout
streaming: set default query timeout
2021-07-28 22:30:10 +00:00
Chris S. Kim 9a57ae9e9a
sync enterprise files with oss (#10705) (#10711)
(cherry picked from commit 9c3af1a429)
2021-07-28 15:41:15 -04:00
Chris S. Kim 74fa06f243
agent: update proxy upstreams to inherit namespace from service (#10688) (#10698)
(cherry picked from commit 91c90a672a)
2021-07-27 15:23:25 -04:00
Freddy 9265d20859 Log the correlation ID when blocking queries fire (#10689)
Knowing that blocking queries are firing does not provide much
information on its own. If we know the correlation IDs we can
piece together which parts of the snapshot have been populated.

Some of these responses might be empty from the blocking
query timing out. But if they're returning quickly I think we
can reasonably assume they contain data.
2021-07-23 22:38:03 +00:00
Dhia Ayachi 3dde24d8c9 config raft apply silent error (#10657)
* return an error when the index is not valid

* check response as bool when applying `CAOpSetConfig`

* remove check for bool response

* fix error message and add check to test

* fix comment

* add changelog
2021-07-22 14:33:12 +00:00
Freddy c9349e353b Avoid panic on concurrent writes to cached service config map (#10647)
If multiple instances of a service are co-located on the same node then
their proxies will all share a cache entry for their resolved service
configuration. This is because the cache key contains the name of the
watched service but does not take into account the ID of the watching
proxies.

This means that there will be multiple agent service manager watches
that can wake up on the same cache update. These watchers then
concurrently modify the value in the cache when merging the resolved
config into the local proxy definitions.

To avoid this concurrent map write we will only delete the key from
opaque config in the local proxy definition after the merge, rather
than from the cached value before the merge.
2021-07-20 16:10:37 +00:00
Daniel Nephin 91962e7495 Merge pull request #10009 from hashicorp/dnephin/trim-dns-response-with-edns
dns: properly trim response when EDNS is used
2021-07-16 22:10:03 +00:00
hc-github-team-consul-core 40ac83c9d3
update bindata_assetfs.go 2021-07-15 18:49:33 +00:00
Freddy e3e31375c8
Merge pull request #10622 from hashicorp/vuln/validate-sans-1.10 2021-07-15 10:05:06 -06:00
freddygv 803df59268 Fixup prepared query ns defaulting 2021-07-15 09:37:37 -06:00
R.B. Boyer 104ee65e17 xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619) 2021-07-15 15:09:48 +00:00
freddygv 0bf181ae55 Update golden files 2021-07-14 22:41:51 -06:00
freddygv 8e4ca495d5 Validate SANs for passthrough clusters and failovers 2021-07-14 22:41:51 -06:00
freddygv faac20cd40 Update golden files to account for SAN validation 2021-07-14 22:41:02 -06:00
freddygv bdacb71d22 Validate Subject Alternative Name for upstreams
These changes ensure that the identity of services dialed is
cryptographically verified.

For all upstreams we validate against SPIFFE IDs in the format used by
Consul's service mesh:

spiffe://<trust-domain>/ns/<namespace>/dc/<datacenter>/svc/<service>
2021-07-14 22:41:02 -06:00
Evan Culver 940419aef0 Add support for returning ACL secret IDs for accessors with acl:write (#10546) 2021-07-08 22:13:45 +00:00
Daniel Nephin fe76dc7068 Merge pull request #10552 from hashicorp/dnephin/ca-remove-rotation-period
ca: remove unused RotationPeriod field
2021-07-08 20:56:43 +00:00
Daniel Nephin c8bba8bd60
Merge pull request #10539 from hashicorp/dnephin/backport-to-1.10.x
[1.10.x] Backport main branch rename, and fix 32bit panic
2021-07-05 12:35:56 -04:00
hc-github-team-consul-core bd6a6bf8b8
update bindata_assetfs.go 2021-07-01 18:46:29 +00:00
Dhia Ayachi 543928d707 Format certificates properly (rfc7468) with a trailing new line (#10411)
* trim carriage return from certificates when inserting rootCA in the inMemDB

* format rootCA properly when returning the CA on the connect CA endpoint

* Fix linter warnings

* Fix providers to trim certs before returning it

* trim newlines on write when possible

* add changelog

* make sure all provider return a trailing newline after the root and intermediate certs

* Fix endpoint to return trailing new line

* Fix failing test with vault provider

* make test more robust

* make sure all provider return a trailing newline after the leaf certs

* Check for suffix before removing newline and use function

* Add comment to consul provider

* Update change log

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* fix typo

* simplify code callflow

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* extract requireNewLine as shared func

* remove dependency to testify in testing file

* remove extra newline in vault provider

* Add cert newline fix to envoy xds

* remove new line from mock provider

* Remove adding a new line from provider and fix it when the cert is read

* Add a comment to explain the fix

* Add missing for leaf certs

* fix missing new line

* fix missing new line in leaf certs

* remove extra new line in test

* update changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* fix in vault provider and when reading cache (RPC call)

* fix AWS provider

* fix failing test in the provider

* remove comments and empty lines

* add check for empty cert in test

* fix linter warnings

* add new line for leaf and private key

* use string concat instead of Sprintf

* fix new lines for leaf signing

* preallocate slice and remove append

* Add new line to `SignIntermediate` and `CrossSignCA`

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-07-01 00:49:03 +00:00
Daniel Nephin f81b371bc1 Merge pull request #10515 from hashicorp/dnephin/fix-arm32-atomic-aligment
Fix panic on 32-bit platforms

Conflicts in tlsutil/config.go were resolved by dropping those changes.
The issue that was fixed in that file is not in 1.10.x.
2021-06-30 18:01:33 -04:00
Daniel Nephin 2dbd8231d8 Merge pull request #10514 from hashicorp/dnephin/actually-enable-streaming
streaming: fix not being able to enable streaming
2021-06-29 16:50:02 -04:00
Daniel Nephin d106120762 Merge pull request #10506 from hashicorp/dnephin/docs-rpc-query-metrics
docs: correct some misleading telemetry docs
2021-06-28 16:34:37 +00:00
R.B. Boyer 2293ccfeca structs: prevent service-defaults upstream configs from using wildcard names or namespaces (#10475) 2021-06-23 20:49:34 +00:00
R.B. Boyer d75c06c9d7 structs: add some missing config entry validation and clean up tests (#10465)
Affects kinds: service-defaults, ingress-gateway, terminating-gateway
2021-06-23 19:16:58 +00:00
hc-github-team-consul-core 39f3c09e00
update bindata_assetfs.go 2021-06-22 17:21:14 +00:00
hc-github-team-consul-core 5d9ff1df92
update bindata_assetfs.go 2021-06-17 21:45:27 +00:00
Freddy 89748d805a Merge pull request #10423 from hashicorp/fix-map 2021-06-17 19:56:26 +00:00
hc-github-team-consul-core b2331f599d
update bindata_assetfs.go 2021-06-16 22:24:01 +00:00
R.B. Boyer 6441b4b2c7 xds: fix flaky protocol tests (#10410) 2021-06-16 16:58:34 +00:00
Freddy fc86420955 Merge pull request #10404 from hashicorp/ingress-stats 2021-06-15 20:28:43 +00:00
R.B. Boyer 0958f1dc3c xds: adding more delta protocol tests (#10398)
Fixes #10125
2021-06-15 20:21:42 +00:00
Freddy f300a1fadb Omit empty tproxy config in JSON responses (#10402) 2021-06-15 19:54:11 +00:00
Nitya Dhanushkodi c9e5177b35 proxycfg: Ensure that endpoints for explicit upstreams in other datacenters are watched in transparent mode (#10391)
Co-authored-by: Freddy Vallenilla <freddy@hashicorp.com>
2021-06-15 18:03:52 +00:00