2001 Commits (95031f9f9045469a1ecee326f1c12319cb62b34e)

Author	SHA1	Message	Date
Daniel Nephin	dd40a1535e	testing: reduce verbosity of output log ... Previously the log output included the test name twice and a long date format. The test output is already grouped by test, so adding the test name did not add any new information. The date and time are only useful to understand elapsed time, so using a short format should provide succident detail. Also fixed a bug in NewTestAgentWithFields where nil was returned instead of the test agent.	5 years ago
Daniel Nephin	1d90ecc31d	Remove unused token parameter	5 years ago
Daniel Nephin	ef68e404a5	A little less 'just'	5 years ago
Daniel Nephin	002fc85ef2	Remove unused customEDSClusterJSON	5 years ago
Matt Keeler	028654410c	Ensure server requirements checks are done against ALL known se… (#7491) ... Co-authored-by: Paul Banks <banks@banksco.de>	5 years ago
Matt Keeler	74a665afc3	Add information about which services are proxied to ui services… (#7417)	5 years ago
Daniel Nephin	b5c7d292e4	Merge pull request #7516 from hashicorp/dnephin/remove-unused-method ... agent: Remove unused method Encrypted from delegate interface	5 years ago
Daniel Nephin	bb8833a2d5	agent: Remove unused Encrypted from interface ... It appears to be unused. It looks like it has been around a while, I geuss at some point we stopped using this method.	5 years ago
Freddy	18d356899c	Enable CLI to register terminating gateways (#7500) ... * Enable CLI to register terminating gateways * Centralize gateway proxy configuration	5 years ago
Daniel Nephin	33c7894123	Merge pull request #7498 from hashicorp/dnephin/small-cleanup ... envoy: small cleanup in cmd and server	5 years ago
Alejandro Baez	bafa69bb69	Add PolicyReadByName for API (#6615)	5 years ago
Chris Piraino	136099d834	Fix flakey health check reload test (#7490) ... This test would occasionally fail because we checked for a status of "critical" initially. This races with the actual healthcheck being run and declared passing. We instead use a ttl health check so that we don't rely on timing at all.	5 years ago
Daniel Nephin	266bdf7465	agent: Remove xdsServer field ... The field is only referenced from a single method, it can be a local var	5 years ago
Daniel Nephin	326453eaa1	dns: Remove a few unused params	5 years ago
Daniel Nephin	61ec7aa5c9	ci: Run all connect/ca tests from the integration suite ... To reduce the chance of some tests not being run because it does not match the regex passed to '-run'. Also document why some tests are allowed to be skipped on CI.	5 years ago
Daniel Nephin	f4a35dfd84	ci: Do not skip tests because of missing binaries on CI ... If the CI environment is not correct for running tests the tests should fail, so that we don't accidentally stop running some tests because of a change to our CI environment. Also removed a duplicate delcaration from init. I believe one was overriding the other as they are both in the same package.	5 years ago
Kim Ngo	bef693df9c	agent/xds: Update mesh gateway to use service router timeout (#7444) ... * website/connect/proxy/envoy: specify timeout precedence for services behind mesh gateway	5 years ago
Matt Keeler	80db61193c	Fix ACL mode advertisement and detection (#7451) ... These changes are necessary to ensure advertisement happens correctly even when datacenters are connected via network areas in Consul enterprise. This also changes how we check if ACLs can be upgraded within the local datacenter. Previously we would iterate through all LAN members. Now we just use the ServerLookup type to iterate through all known servers in the DC.	5 years ago
Freddy	709932f088	Update MSP token and filtering (#7431)	5 years ago
Hans Hasselberg	7777891aa6	tls: remove old ciphers (#7282) ... Following advice from: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices, this PR removes old ciphers.	5 years ago
R.B. Boyer	85a08bf8ed	server: strip local ACL tokens from RPCs during forwarding if crossing datacenters (#7419) ... Fixes #7414	5 years ago
Kyle Havlovitz	955ee64b95	Merge pull request #7373 from hashicorp/acl-segments-fix ... Add stub methods for ACL/segment bug fix from enterprise	5 years ago
R.B. Boyer	6adad71125	wan federation via mesh gateways (#6884) ... This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the *agent* and the results of that operation for primary mesh gateways are needed in the *server* there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation.	5 years ago
Matt Keeler	e3891db55b	Gather instance counts of aggregated services (#7415)	5 years ago
Pierre Souchay	864f7efffa	agent: configuration reload preserves check's statuses for services (#7345) ... This fixes issue #7318 Between versions 1.5.2 and 1.5.3, a regression has been introduced regarding health of services. A patch #6144 had been issued for HealthChecks of nodes, but not for healthchecks of services. What happened when a reload was: 1. save all healthcheck statuses 2. cleanup everything 3. add new services with healthchecks In step 3, the state of healthchecks was taken into account locally, so at step 3, but since we cleaned up at step 2, state was lost. This PR introduces the snap parameter, so step 3 can use information from step 1	5 years ago
Hans Hasselberg	c46e2ae59b	docs: add docs for kv_max_value_size (#7405) ... Apart from the added docs, the error messages are similar now and are pointing to the corresponding options. Fixes #6708.	5 years ago
Kim Ngo	a8f4123d37	agent/txn_endpoint: configure max txn request length (#7388) ... configure max transaction size separately from kv limit	5 years ago
Matt Keeler	7584dfe8c8	Fix session backwards incompatibility with 1.6.x and earlier.	5 years ago
John Cowen	e83fb1882c	Adds http_config.response_headers to the UI headers plus tests (#7369)	5 years ago
Pierre Souchay	2300e2d4ba	agent: take Prometheus MIME-type header into account (#7371) ... This will avoid adding format=prometheus in request and to parse more easily metrics using Prometheus. This commit follows https://github.com/hashicorp/consul/pull/6514 as the PR has been closed and extends it by accepting old Prometheus mime-type.	5 years ago
Kyle Havlovitz	7c57837908	Add stub methods for ACL/segment bug fix from enterprise	5 years ago
Hans Hasselberg	e05ac57e8f	tls: support tls 1.3 (#7325)	5 years ago
Matt Keeler	861f754dad	Properly detect no alt domain set (#7323)	5 years ago
Matt Keeler	4c9577678e	xDS Mesh Gateway Resolver Subset Fixes (#7294) ... * xDS Mesh Gateway Resolver Subset Fixes The first fix was that clusters were being generated for every service resolver subset regardless of there being any service instances of the associated service in that dc. The previous logic didn’t care at all but now it will omit generating those clusters unless we also have service instances that should be proxied. The second fix was to respect the DefaultSubset of a service resolver so that mesh-gateways would configure the endpoints of the unnamed subset cluster to only those endpoints matched by the default subsets filters. * Refactor the gateway endpoint generation to be a little easier to read	5 years ago
rerorero	2630a949f7	fix: Destroying a session that doesn't exist returns status cod… (#6905) ... fix #6840	5 years ago
Wim	3a2c865ff6	Fix high cpu usage with IPv6 recursor address. Closes #6120 (#6128)	5 years ago
Chris Piraino	47ff532735	Fixes envoy config when both RetryOn* values are set (#7280)	5 years ago
Lars Lehtonen	6bcd596539	agent/proxycfg: fix dropped error in state.initWatchesMeshGateway() (#7267)	5 years ago
Matt Keeler	b137060630	Allow the PolicyResolve and RoleResolve endpoints to process na… (#7296)	5 years ago
Hans Hasselberg	315d57bfb1	agent: sensible keyring error (#7272) ... Fixes #7231. Before an agent would always emit a warning when there is an encrypt key in the configuration and an existing keyring stored, which is happening on restart. Now it only emits that warning when the encrypt key from the configuration is not part of the keyring.	5 years ago
Hans Hasselberg	cb0f94487c	config: increase http_max_conns_per_client default to 200 (#7289)	5 years ago
R.B. Boyer	12876983cf	avoid 'panic: Log in goroutine after TestCacheGet_refreshAge has completed' (#7276)	5 years ago
R.B. Boyer	80b1165976	fix use of hclog logger (#7264)	5 years ago
Matt Keeler	f523469529	Merge branch 'master' of github.com:hashicorp/consul	5 years ago
hashicorp-ci	f0cac9260f	update bindata_assetfs.go	5 years ago
ShimmerGlass	68e0f6bf84	agent: add server raft.{last,applied}_index gauges (#6694) ... These metrics are useful for : * Tracking the rate of update to the db * Allow to have a rough idea of when an index originated	5 years ago
gaoxinge	216eb29d6b	tests: convert windows style path to posix style path to avoid hcl parsing error (#6351)	5 years ago
Matt Keeler	e231d62bc9	Make the config entry and leaf cert cache types ns aware (#7256)	5 years ago
Hans Hasselberg	6739fe6e83	connect: add validations around intermediate cert ttl (#7213)	5 years ago
R.B. Boyer	73ba5d9990	make the TestRPC_RPCMaxConnsPerClient test less flaky (#7255)	5 years ago
Sarah Christoff	6678c8898a	Fix flaky TestAutopilot_BootstrapExpect (#7242)	5 years ago
Kit Patella	55f19a9eb2	rpc: measure blocking queries (#7224) ... * agent: measure blocking queries * agent.rpc: update docs to mention we only record blocking queries * agent.rpc: make go fmt happy * agent.rpc: fix non-atomic read and decrement with bitwise xor of uint64 0 * agent.rpc: clarify review question * agent.rpc: today I learned that one must declare all variables before interacting with goto labels * Update agent/consul/server.go agent.rpc: more precise comment on `Server.queriesBlocking` Co-Authored-By: Paul Banks <banks@banksco.de> * Update website/source/docs/agent/telemetry.html.md agent.rpc: improve queries_blocking description Co-Authored-By: Paul Banks <banks@banksco.de> * agent.rpc: fix some bugs found in review * add a note about the updated counter behavior to telemetry.md * docs: add upgrade-specific note on consul.rpc.quer{y,ies_blocking} behavior Co-authored-by: Paul Banks <banks@banksco.de>	5 years ago
Akshay Ganeshen	8beb716414	feat: support sending body in HTTP checks (#6602)	5 years ago
Matt Keeler	4f21bbdb4e	OSS Changes for agent local state namespace testing (#7250)	5 years ago
Matt Keeler	d0cd092e3b	Catalog + Namespace OSS changes. (#7219) ... * Various Prepared Query + Namespace things * Last round of OSS changes for a namespaced catalog	5 years ago
R.B. Boyer	8c596953b0	agent: ensure that we always use the same settings for msgpack (#7245) ... We set RawToString=true so that []uint8 => string when decoding an interface{}. We set the MapType so that map[interface{}]interface{} decodes to map[string]interface{}. Add tests to ensure that this doesn't break existing usages. Fixes #7223	5 years ago
Freddy	01855d8579	Remove outdated TODO (#7244)	5 years ago
Matt Keeler	444517080b	Fix a bug with ACL enforcement of reads on namespaced config entries. (#7239)	5 years ago
Kit Patella	9a220f3010	agent/consul server: fix LeaderTest_ChangeNodeID (#7236) ... * fix LeaderTest_ChangeNodeID to use StatusLeft and add waitForAnyLANLeave * unextract the waitFor... fn, simplify, and provide a more descriptive error	5 years ago
Matt Keeler	9e5fd7f925	OSS Changes for various config entry namespacing bugs (#7226)	5 years ago
Hans Hasselberg	6a18f01b42	agent: ensure node info sync and full sync. (#7189) ... This fixes #7020. There are two problems this PR solves: * if the node info changes it is highly likely to get service and check registration permission errors unless those service tokens have node:write. Hopefully services you register don’t have this permission. * the timer for a full sync gets reset for every partial sync which means that many partial syncs are preventing a full sync from happening Instead of syncing node info last, after services and checks, and possibly saving one RPC because it is included in every service sync, I am syncing node info first. It is only ever going to be a single RPC that we are only doing when node info has changed. This way we are guaranteed to sync node info even when something goes wrong with services or checks which is more likely because there are more syncs happening for them.	5 years ago
R.B. Boyer	0ecb4538c1	agent: differentiate wan vs lan loggers in memberlist and serf (#7205) ... This should be a helpful change until memberlist and serf can be properly switched to native hclog.	5 years ago
Matt Keeler	dceb107325	Fix disco chain graph validation for namespaces (#7217) ... Previously this happened to be validating only the chains in the default namespace. Now it will validate all chains in all namespaces when the global proxy-defaults is changed.	5 years ago
Matt Keeler	228da48f5d	Minor Non-Functional Updates (#7215) ... * Cleanup the discovery chain compilation route handling Nothing functionally should be different here. The real difference is that when creating new targets or handling route destinations we use the router config entries name and namespace instead of that of the top level request. Today they SHOULD always be the same but that may not always be the case. This hopefully also makes it easier to understand how the router entries are handled. * Refactor a small bit of the service manager tests in oss We used to use the stringHash function to compute part of the filename where things would get persisted to. This has been changed in the core code to calling the StringHash method on the ServiceID type. It just so happens that the new method will output the same value for anything in the default namespace (by design actually). However, logically this filename computation in the test should do the same thing as the core code itself so I updated it here. Also of note is that newer enterprise-only tests for the service manager cannot use the old stringHash function at all because it will produce incorrect results for non-default namespaces.	5 years ago
Freddy	cb77fc6d01	Add managed service provider token (#7218) ... Stubs for enterprise-only ACL token to be used by managed service providers.	5 years ago
Hans Hasselberg	f6ec8ed92b	agent: increase watchLimit to 8192. (#7200) ... The previous value was too conservative and users with many instances were having problems because of it. This change increases the limit to 8192 which reportedly fixed most of the issues with that. Related: #4984, #4986, #5050.	5 years ago
Matt Keeler	dfb0177dbc	Testing updates to support namespaced testing of the agent/xds… (#7185) ... * Various testing updates to support namespaced testing of the agent/xds package * agent/proxycfg package updates to support better namespace testing	5 years ago
Davor Kapsa	3cb4def563	auto_encrypt: check previously ignored error (#6604)	5 years ago
hashicorp-ci	1fcf4bfc10	update bindata_assetfs.go	5 years ago
Hans Hasselberg	5531678e9e	Security fixes (#7182) ... * Mitigate HTTP/RPC Services Allow Unbounded Resource Usage Fixes #7159. Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Paul Banks <banks@banksco.de>	5 years ago
Matt Keeler	d5f9268222	ACL enforcement for the agent/health/services endpoints (#7191) ... ACL enforcement for the agent/health/services endpoints	5 years ago
R.B. Boyer	cf29bd4dcf	cli: improve the file safety of 'consul tls' subcommands (#7186) ... - also fixing the signature of file.WriteAtomicWithPerms	5 years ago
Matt Keeler	d8c0be2c84	agent: add ACL enforcement to the v1/agent/health/service/* endpoints ... This adds acl enforcement to the two endpoints that were missing it. Note that in the case of getting a services health by its id, we still must first lookup the service so we still "leak" information about a service with that ID existing. There isn't really a way around it though as ACLs are meant to check service names.	5 years ago
Matt Keeler	6855a778c2	Updates to the Txn API for namespaces (#7172) ... * Updates to the Txn API for namespaces * Update agent/consul/txn_endpoint.go Co-Authored-By: R.B. Boyer <rb@hashicorp.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>	5 years ago
Matt Keeler	cf27dff62f	Add some better waits to prevent CA is nil test flakes (#7171)	5 years ago
Matt Keeler	0be862fe46	Small refactoring to move meta parsing into the switch statement (#7170)	5 years ago
Matt Keeler	bfc03ec587	Fix a couple bugs regarding intentions with namespaces (#7169)	5 years ago
Matt Keeler	61d8778210	Sync some feature flag support from enterprise (#7167)	5 years ago
R.B. Boyer	d78b5008ce	various tweaks on top of the hclog work (#7165)	5 years ago
Chris Piraino	401221de58	Allow users to configure either unstructured or JSON logging (#7130) ... * hclog Allow users to choose between unstructured and JSON logging	5 years ago
Matt Keeler	848938ad48	Output proper HTTP status codes for Txn requests that are too large (#7157)	5 years ago
Kit Patella	0d336edb65	Add accessorID of token when ops are denied by ACL system (#7117) ... * agent: add and edit doc comments * agent: add ACL token accessorID to debugging traces * agent: polish acl debugging * agent: minor fix + string fmt over value interp * agent: undo export & fix logging field names * agent: remove note and migrate up to code review * Update agent/consul/acl.go Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com> * agent: incorporate review feedback * Update agent/acl.go Co-Authored-By: R.B. Boyer <public@richardboyer.net> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: R.B. Boyer <public@richardboyer.net>	5 years ago
Anthony Scalisi	beb928f8de	fix spelling errors (#7135)	5 years ago
hashicorp-ci	1194d2fbb7	update bindata_assetfs.go	5 years ago
Matt Keeler	c09693e545	Updates to Config Entries and Connect for Namespaces (#7116)	5 years ago
Matt Keeler	bbc2eb1951	Add the v1/catalog/node-services/:node endpoint (#7115) ... The backing RPC already existed but the endpoint will be useful for other service syncing processes such as consul-k8s as this endpoint can return all services registered with a node regardless of namespacing.	5 years ago
Chris Piraino	59f1462801	Fix segfault when removing both a service and associated check (#7108) ... * Fix segfault when removing both a service and associated check updateSyncState creates entries in the services and checks maps for remote services/checks that are not found locally, so that we can then make sure to delete them in our reconciliation process. However, the values added to the map are missing key fields that the rest of the code expects to not be nil. * Add comment stating Check field can be nil	5 years ago
R.B. Boyer	0f44bcd3d8	agent: default the primary_datacenter to the datacenter if not configured (#7111) ... Something similar already happens inside of the server (agent/consul/server.go) but by doing it in the general config parsing for the agent we can have agent-level code rely on the PrimaryDatacenter field, too.	5 years ago
Hans Hasselberg	7d6ea82527	raft: increase raft notify buffer. (#6863) ... * Increase raft notify buffer. Fixes https://github.com/hashicorp/consul/issues/6852. Increasing the buffer helps recovering from leader flapping. It lowers the chances of the flapping leader to get into a deadlock situation like described in #6852.	5 years ago
Hans Hasselberg	11a571de95	agent: setup grpc server with auto_encrypt certs and add -https-port (#7086) ... * setup grpc server with TLS config used across consul. * add -https-port flag	5 years ago
Hans Hasselberg	82c556d1be	connect: use correct subject key id for leaf certificates. (#7091)	5 years ago
R.B. Boyer	c91d0fa2c9	make TestCatalogNodes_Blocking less flaky (#7074) ... - Explicitly wait to start the test until the initial AE sync of the node. - Run the blocking query in the main goroutine to cut down on possible poor goroutine scheduling issues being to blame for delays. - If the blocking query is woken up with no index change, rerun the query. This may happen if the CI server is loaded and time dilation is happening.	5 years ago
R.B. Boyer	e2eb9f0585	test: ensure we don't ask vault to sign a leaf that outlives its CA when acting as a secondary (#7100)	5 years ago
Hans Hasselberg	f0fc9aea7f	tests: fix autopilot test (#7092)	5 years ago
Aestek	8fc736038a	agent: remove service sidecars in Agent.cleanupRegistration (#7022) ... Sidecar proxies were left behind when cleaning up after an unsuccessful registration. There are now also removed when the service is cleanup up.	5 years ago
Hans Hasselberg	9c1361c02b	raft: update raft to v1.1.2 (#7079) ... * update raft * use hclogger for raft.	5 years ago
Hans Hasselberg	804eb17094	connect: check if intermediate cert needs to be renewed. (#6835) ... Currently when using the built-in CA provider for Connect, root certificates are valid for 10 years, however secondary DCs get intermediates that are valid for only 1 year. There is no mechanism currently short of rotating the root in the primary that will cause the secondary DCs to renew their intermediates. This PR adds a check that renews the cert if it is half way through its validity period. In order to be able to test these changes, a new configuration option was added: IntermediateCertTTL which is set extremely low in the tests.	5 years ago
Hans Hasselberg	87f32c8ba6	auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) ... * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR	5 years ago
Aestek	ba8fd8296f	Add support for dual stack IPv4/IPv6 network (#6640) ... * Use consts for well known tagged adress keys * Add ipv4 and ipv6 tagged addresses for node lan and wan * Add ipv4 and ipv6 tagged addresses for service lan and wan * Use IPv4 and IPv6 address in DNS	5 years ago
Aestek	5dc8875bd3	agent: do not deregister service checks twice (#6168) ... Deregistering a service from the catalog automatically deregisters its checks, however the agent still performs a deregister call for each service checks even after the service has been deregistered. With ACLs enabled this results in logs like: "message:consul: "Catalog.Deregister" RPC failed to server server_ip:8300: rpc error making call: rpc error making call: Unknown check 'check_id'" This change removes associated checks from the agent state when deregistering a service, which results in less calls to the servers and supresses the error logs.	5 years ago
Matej Urbas	ce023359fe	agent: configurable MaxQueryTime and DefaultQueryTime. (#3777)	5 years ago
Freddy	e635b24215	Update force-leave ACL requirement to operator:write (#7033)	5 years ago
Matt Keeler	663cf1e9a8	AuthMethod updates to support alternate namespace logins (#7029)	5 years ago
Matt Keeler	8bd34e126f	Intentions ACL enforcement updates (#7028) ... * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.	5 years ago
Pierre Souchay	3bf2e640c7	rpc: log method when a server/server RPC call fails (#4548) ... Sometimes, we have lots of errors in cross calls between DCs (several hundreds / sec) Enrich the log in order to help diagnose the root cause of issue.	5 years ago
Matt Keeler	27f49eede9	Move where the service-resolver watch is done so that it happen… (#7025) ... Before we were issuing 1 watch for every service in the services listing which would have caused the agent to process many more identical events simultaneously.	5 years ago
R.B. Boyer	10f04a8c4a	connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index (#7011)	5 years ago
R.B. Boyer	50c879923c	connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison (#7012) ... Fixes #6886	5 years ago
Matt Keeler	fa2003d7cb	Move Session.CheckIDs into OSS only code. (#6993)	5 years ago
hashicorp-ci	5e45e3470b	update bindata_assetfs.go	5 years ago
R.B. Boyer	abb1603a86	Restore a few more service-kind index updates so blocking in ServiceDump works in more cases (#6948) ... Restore a few more service-kind index updates so blocking in ServiceDump works in more cases Namely one omission was that check updates for dumped services were not unblocking. Also adds a ServiceDump state store test and also fix a watch bug with the normal dump. Follow-on from #6916	5 years ago
Matt Keeler	a78f7d7a34	OSS changes for implementing token based namespace inferencing ... remove debug log	5 years ago
Matt Keeler	be9ba707ba	Unflake the TestACLEndpoint_TokenList test ... In order to do this I added a waitForLeaderEstablishment helper which does the right thing to ensure that leader establishment has finished. fixup	5 years ago
Matt Keeler	80d13d500b	Miscellaneous acl package cleanup ... • Renamed EnterpriseACLConfig to just Config • Removed chained_authorizer_oss.go as it was empty • Renamed acl.go to errors.go to more closely describe its contents	5 years ago
Matt Keeler	0b346616e9	Rename EnterpriseAuthorizerContext -> AuthorizerContext	5 years ago
Matt Keeler	3faee222f2	OSS changes to allow for parsing the enterprise DNS config prop… (#6959)	5 years ago
Preetha	c47dbffe1c	autopilot: fix dead server removal condition to use correct failure tolerance (#4017) ... * Make dead server removal condition in autopilot use correct failure tolerance rules * Introduce func with explanation	5 years ago
Wim	4f5d5020b8	dns: fix memoryleak by upgrading outdated miekg/dns (#6748) ... * Add updated github.com/miekg/dns to go modules * Add updated github.com/miekg/dns to vendor * Fix github.com/miekg/dns api breakage * Decrease size when trimming UDP packets Need more room for the header(?), if we don't decrease the size we get an "overflow unpacking uint32" from the dns library * Fix dns truncate tests with api changes * Make windows build working again. Upgrade x/sys and x/crypto and vendor This upgrade is needed because of API breakage in x/sys introduced by the minimal x/sys dependency of miekg/dns This API breakage has been fixed in commit 855e68c859	5 years ago
Hans Hasselberg	7d0f72c60a	acl: use constant time comparing to check token (#6943)	5 years ago
Matt Keeler	9d801d1dc2	ui: feature support templating for index.html (#6921)	5 years ago
hashicorp-ci	aca92ad58f	update bindata_assetfs.go	5 years ago
Matt Keeler	e81e338260	Fix blocking for ServiceDumping by kind (#6919)	5 years ago
Matt Keeler	5934f803bf	Sync of OSS changes to support namespaces (#6909)	5 years ago
rerorero	34649b8820	[ci] fix: go-fmt fails on master branch (#6906)	5 years ago
Matt Keeler	2343413bf0	Fix the TestAPI_CatalogRegistration test	5 years ago
Hans Hasselberg	9ff69194a2	tls: auto_encrypt and verify_incoming (#6811) (#6899) ... * relax requirements for auto_encrypt on server * better error message when auto_encrypt and verify_incoming on * docs: explain verify_incoming on Consul clients.	5 years ago
Hans Hasselberg	2ad0831b34	agent: fewer file local differences between enterprise and oss (#6820) (#6898) ... * Increase number to test ignore. Consul Enterprise has more flags and since we are trying to reduce the differences between both code bases, we are increasing the number in oss. The semantics don't change, it is just a cosmetic thing. * Introduce agent.initEnterprise for enterprise related hooks. * Sync test with ent version. * Fix import order. * revert error wording.	5 years ago
Matt Keeler	8f0ab0129e	Miscellaneous Fixes (#6896) ... Ensure we close the Sentinel Evaluator so as not to leak go routines Fix a bunch of test logging so that various warnings when starting a test agent go to the ltest logger and not straight to stdout. Various canned ent meta types always return a valid pointer (no more nils). This allows us to blindly deref + assign in various places. Update ACL index tracking to ensure oss -> ent upgrades will work as expected. Update ent meta parsing to include function to disallow wildcarding.	5 years ago
Matt Keeler	a704ebe639	Add Namespace support to the API module and the CLI commands (#6874) ... Also update the Docs and fixup the HTTP API to return proper errors when someone attempts to use Namespaces with an OSS agent. Add Namespace HTTP API docs Make all API endpoints disallow unknown fields	5 years ago
Matt Keeler	deb91f3d3c	[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) ... * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.	5 years ago
Matt Keeler	c05ab15485	Fix the TestLeader_SecondaryCA_IntermediateRefresh test flakine… (#6885) ... Fix the TestLeader_SecondaryCA_IntermediateRefresh test flakiness	5 years ago
Hans Hasselberg	f457cfa965	tests: increase TLSHandshakeTimeout to help slow tests (#6864) ... Fixes https://github.com/hashicorp/consul/issues/6858.	5 years ago
Matt Keeler	71b1c9cc3c	Fix the TestLeader_SecondaryCA_IntermediateRefresh test flakiness	5 years ago
Mike Morris	66b8c20990	Bump go-discover to support EC2 Metadata Service v2 (#6865) ... Refs https://github.com/hashicorp/go-discover/pull/128 * deps: add replace directive for gocheck Transitive dep, source at https://launchpad.net/gocheck indicates project moved. This also avoids a dependency on bzr when fetching modules. Refs https://github.com/hashicorp/consul/pull/6818 * deps: make update-vendor * test: update retry-join expected names from go-discover	5 years ago
Chris Piraino	f3b54fa535	Allow configuration of upstream connection limits in Envoy (#6829) ... * Adds 'limits' field to the upstream configuration of a connect proxy This allows a user to configure the envoy connect proxy with 'max_connections', 'max_queued_requests', and 'max_concurrent_requests'. These values are defined in the local proxy on a per-service instance basis and should thus NOT be thought of as a global-level or even service-level value.	5 years ago
Matt Keeler	be8fd29052	Fix dns service SRV lookup when service address is a fqdn (#6792) ... Fix dns service SRV lookup when service address is a fqdn	5 years ago
Sarah Adams	aed5cb7669	give feedback to CLI user on forceleave command if node does not exist (#6841)	5 years ago
R.B. Boyer	2011f3d7dc	xds: mesh gateway CDS requests are now allowed to receive an empty CDS reply (#6787) ... This is the rest of the fix for #6543 that was incompletely fixed in #6576.	5 years ago
Matt Keeler	b069d6777b	OSS KV Modifications to Support Namespaces	5 years ago
Matt Keeler	7b471f6bf8	OSS Modifications necessary for sessions namespacing	5 years ago
Paul Banks	cd1b613352	connect: Add AWS PCA provider (#6795) ... * Update AWS SDK to use PCA features. * Add AWS PCA provider * Add plumbing for config, config validation tests, add test for inheriting existing CA resources created by user * Unparallel the tests so we don't exhaust PCA limits * Merge updates * More aggressive polling; rate limit pass through on sign; Timeout on Sign and CA create * Add AWS PCA docs * Fix Vault doc typo too * Doc typo * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> * Doc fixes; tests for erroring if State is modified via API * More review cleanup * Uncomment tests! * Minor suggested clean ups	5 years ago
Chris Piraino	7d4d416a4d	test: unflake two TestHealthServiceNode_* tests ... Replaces WaitForLeader with WaitForTestAgent. This waits to make sure that the node itself is correctly registered in the catalog before attempting additional registrations.	5 years ago
Chris Piraino	b437b53d55	test: unflake TestDNS_ServiceLookup_WanTranslation ... Use retry.R struct to check length of WANMembers so that retries can work appropriately.	5 years ago
Chris Piraino	3fb7101fa9	test: unflake TestCatalogServiceNodes_DistanceSort ... Remove a time.Sleep and replace with retry.Run around call to CatalogServiceNodes.	5 years ago
Paul Banks	d7329097b2	Change CA Configure struct to pass Datacenter through (#6775) ... * Change CA Configure struct to pass Datacenter through * Remove connect/ca/plugin as we don't have immediate plans to use it. We still intend to one day but there are likely to be several changes to the CA provider interface before we do so it's better to rebuild from history when we do that work properly. * Rename PrimaryDC; fix endpoint in secondary DCs	5 years ago
Matt Keeler	c343d90304	Finish the comment	5 years ago
Matt Keeler	8f1f15a827	Track the correct check id for idempotent service/check updates	5 years ago
Nicolas Benoit	0e9a2e5bd0	Fix dns service SRV lookup when service address is a fqdn ... Refactor dns to have same behavior between A and SRV. Current implementation returns the node name instead of the service address. With this fix when querying for SRV record service address is return in the SRV record. And when performing a simple dns lookup it returns a CNAME to the service address.	5 years ago
Paul Banks	b621910618	Support Connect CAs that can't cross sign (#6726) ... * Support Connect CAs that can't cross sign * revert spurios mod changes from make tools * Add log warning when forcing CA rotation * Fixup SupportsCrossSigning to report errors and work with Plugin interface (fixes tests) * Fix failing snake_case test * Remove misleading comment * Revert "Remove misleading comment" This reverts commit bc4db9cabed8ad5d0e39b30e1fe79196d248349c. * Remove misleading comment * Regen proto files messed up by rebase	5 years ago
Paul Banks	45d57ca601	connect: Allow CA Providers to store small amount of state (#6751) ... * pass logger through to provider * test for proper operation of NeedsLogger * remove public testServer function * Ooops actually set the logger in all the places we need it - CA config set wasn't and causing segfault * Fix all the other places in tests where we set the logger * Allow CA Providers to persist some state * Update CA provider plugin interface * Fix plugin stubs to match provider changes * Update agent/connect/ca/provider.go Co-Authored-By: R.B. Boyer <rb@hashicorp.com> * Cleanup review comments	5 years ago
Todd Radel	29b5253154	connect: Implement NeedsLogger interface for CA providers (#6556) ... * add NeedsLogger to Provider interface * implements NeedsLogger in default provider * pass logger through to provider * test for proper operation of NeedsLogger * remove public testServer function * Switch test to actually assert on logging output rather than reflection. --amend * Ooops actually set the logger in all the places we need it - CA config set wasn't and causing segfault * Fix all the other places in tests where we set the logger * Add TODO comment	5 years ago
Todd Radel	54f92e2924	Make all Connect Cert Common Names valid FQDNs (#6423)	5 years ago
Matt Keeler	ff8157fb51	Fill the Authz Context with a Sentinel Scope (#6729)	5 years ago
Matt Keeler	ab5a05f71d	Fix type name (#6728)	5 years ago
Matt Keeler	825e19bc5f	Add DirEntry method to fill enterprise authz context	5 years ago
Matt Keeler	d491a3a9d5	Miscellaneous fixes (#6727)	5 years ago
Ferenc Fabian	c90e838495	Case sensitive Authorization header with lower-cased scheme in… (#6724)	5 years ago
Paul Banks	87699eca2f	Fix support for RSA CA keys in Connect. (#6638) ... * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com>	5 years ago
Matt Keeler	5d687ce6a9	Fix the Synthetic Policy Tests (#6715)	5 years ago
Matt Keeler	d554f77d0d	Add hook for validating the enterprise meta attached to a reque… (#6695)	5 years ago
Matt Keeler	16c7ce8b4c	Add note about RPC multiplexing and TLS content type mutual exc… (#6698)	5 years ago
Matt Keeler	8ac79d0b8b	PreVerify acl:read access for listing endpoints (#6696) ... We still will need to filter results based on the authorizer too but this helps to give an early 403.	5 years ago
Sarah Adams	78ad8203a4	Use encoding/json as JSON decoder instead of mapstructure (#6680) ... Fixes #6147	5 years ago
Sarah Christoff	5e1c6e907b	Set MinQuorum variable in Autopilot (#6654) ... * Add MinQuorum to Autopilot	5 years ago
Matt Keeler	66d138f35e	More Replication Abstractions (#6689) ... Also updated ACL replication to use a function to fill in the desired enterprise meta for all remote listing RPCs.	5 years ago
Matt Keeler	440f6ea17a	Ensure that cache entries for tokens are prefixed “token-secret… (#6688) ... This will be necessary once we store other types of identities in here.	5 years ago
Matt Keeler	79f78632e1	Update the ACL Resolver to allow for Consul Enterprise specific hooks. (#6687)	5 years ago
Matt Keeler	e4ea9b0a96	Updates to allow for Namespacing ACL resources in Consul Enterp… (#6675) ... Main Changes: • method signature updates everywhere to account for passing around enterprise meta. • populate the EnterpriseAuthorizerContext for all ACL related authorizations. • ACL resource listings now operate like the catalog or kv listings in that the returned entries are filtered down to what the token is allowed to see. With Namespaces its no longer all or nothing. • Modified the acl.Policy parsing to abstract away basic decoding so that enterprise can do it slightly differently. Also updated method signatures so that when parsing a policy it can take extra ent metadata to use during rules validation and policy creation. Secondary Changes: • Moved protobuf encoding functions out of the agentpb package to eliminate circular dependencies. • Added custom JSON unmarshalers for a few ACL resource types (to support snake case and to get rid of mapstructure) • AuthMethod validator cache is now an interface as these will be cached per-namespace for Consul Enterprise. • Added checks for policy/role link existence at the RPC API so we don’t push the request through raft to have it fail internally. • Forward ACL token delete request to the primary datacenter when the secondary DC doesn’t have the token. • Added a bunch of ACL test helpers for inserting ACL resource test data.	5 years ago
Sarah Adams	0c9487ae72	regression tests for existing agent/ decoding behavior (#6624) ... tests for existing JSON decoding behavior	5 years ago
rerorero	86c8e48dd9	fix: incorrect struct tag and WaitGroup usage (#6649) ... * remove duplicated json tag * fix: incorrect wait group usage	5 years ago
R.B. Boyer	97aa050c20	agent: allow mesh gateways to initialize even if there are no connect services registered yet (#6576) ... Fixes #6543 Also improved some of the proxycfg tests to cover snapshot validity better.	5 years ago
R.B. Boyer	8dcba472a2	xds: tcp services using the discovery chain should not assume RDS during LDS (#6623) ... Previously the logic for configuring RDS during LDS for L7 upstreams was overapplied to TCP proxies resulting in a cluster name of <emptystring> being used incorrectly. Fixes #6621	5 years ago
Freddy	60f6ec0c2f	Store check type in catalog (#6561)	5 years ago
R.B. Boyer	de6ce5b1d9	server: ensure the primary dc and ACL dc match (#6634) ... This is mostly a sanity check for server tests that skip the normal config builder equivalent fixup.	5 years ago
R.B. Boyer	3aeb740430	unflake TestLeader_SecondaryCA_Initialize (#6631)	5 years ago
R.B. Boyer	e6bfcb0ca8	fix flaky multidc acl tests that failed to wait for token replication (#6628) ... If acls have not yet replicated to the secondary then authz requests will be remotely resolved by the primary. Now these tests explicitly wait until replication has caught up first.	5 years ago
R.B. Boyer	040f47c46e	appease the retry linter (#6629)	5 years ago
Paul Banks	d7aa425339	Allow time for secondary CA to initialize (#6627)	5 years ago
Matt Keeler	973341a592	ACL Authorizer overhaul (#6620) ... * ACL Authorizer overhaul To account for upcoming features every Authorization function can now take an extra *acl.EnterpriseAuthorizerContext. These are unused in OSS and will always be nil. Additionally the acl package has received some thorough refactoring to enable all of the extra Consul Enterprise specific authorizations including moving sentinel enforcement into the stubbed structs. The Authorizer funcs now return an acl.EnforcementDecision instead of a boolean. This improves the overall interface as it makes multiple Authorizers easily chainable as they now indicate whether they had an authoritative decision or should use some other defaults. A ChainedAuthorizer was added to handle this Authorizer enforcement chain and will never itself return a non-authoritative decision. * Include stub for extra enterprise rules in the global management policy * Allow for an upgrade of the global-management policy	5 years ago
PHBourquin	039615641e	Checks to passing/critical only after reaching a consecutive success/failure threshold (#5739) ... A check may be set to become passing/critical only if a specified number of successive checks return passing/critical in a row. Status will stay identical as before until the threshold is reached. This feature is available for HTTP, TCP, gRPC, Docker & Monitor checks.	5 years ago
Sarah Christoff	194f5740ce	ui_content_path config option fix (#6601) ... * fix ui-content-path config option	5 years ago
Hans Hasselberg	b6499fe6b8	Do not surface left servers (#6420) ... * do not surface left servers in catalog	5 years ago
R.B. Boyer	6439af86eb	agent: clients should only attempt to remove pruned nodes once per call (#6591)	5 years ago
Sarah Christoff	5e26971864	Prune Unhealthy Agents (#6571) ... * Add -prune flag to ForceLeave	5 years ago
R.B. Boyer	06ca8cd2d7	agent: updates to the agent token trigger anti-entropy full syncs (#6577)	5 years ago
Matt Keeler	d65bbbfd4e	Implement Leader Routine Management (#6580) ... * Implement leader routine manager Switch over the following to use it for go routine management: • Config entry Replication • ACL replication - tokens, policies, roles and legacy tokens • ACL legacy token upgrade • ACL token reaping • Intention Replication • Secondary CA Roots Watching • CA Root Pruning Also added the StopAll call into the Server Shutdown method to ensure all leader routines get killed off when shutting down. This should be mostly unnecessary as `revokeLeadership` should manually stop each one but just in case we really want these to go away (eventually).	5 years ago
Matt Keeler	28221f66f2	Use encoding/json instead of jsonpb even for protobuf types (#6572) ... This only works so long as we use simplistic protobuf types. Constructs such as oneof or Any types that require type annotations for decoding properly will fail hard but that is by design. If/when we want to use any of that we will probably need to consider a v2 API.	5 years ago
Matt Keeler	fc4bcfd81f	Add EnterpriseConfig stubs (#6566)	5 years ago
Matt Keeler	abed91d069	Generate JSON and Binary Marshalers for Protobuf Types (#6564) ... * Add JSON and Binary Marshaler Generators for Protobuf Types * Generate files with the correct version of gogo/protobuf I have pinned the version in the makefile so when you run make tools you get the right version. This pulls the version out of go.mod so it should remain up to date. The version at the time of this commit we are using is v1.2.1 * Fixup some shell output * Update how we determine the version of gogo This just greps the go.mod file instead of expecting the go mod cache to already be present * Fixup vendoring and remove no longer needed json encoder functions	5 years ago
John Cowen	b3b32dc0f6	ui: UI Release Merge (ui-staging merge) (#6527) ... ## HTTPAdapter (#5637) ## Ember upgrade 2.18 > 3.12 (#6448) ### Proxies can no longer get away with not calling _super This means that we can't use create anymore to define dynamic methods. Therefore we dynamically make 2 extended Proxies on demand, and then create from those. Therefore we can call _super in the init method of the extended Proxies. ### We aren't allowed to reset a service anymore We never actually need to now anyway, this is a remnant of the refactor from browser based confirmations. We fix it as simply as possible here but will revisit and remove the old browser confirm functionality at a later date ### Revert classes to use ES5 style to workaround babel transp. probs Using a mixture of ES6 classes (and hence super) and arrow functions means that when babel transpiles the arrow functions down to ES5, a reference to this is moved before the call to super, hence causing a js error. Furthermore, we the testing environment no longer lets use use apply/call on the constructor. These errors only manifests during testing (only in the testing environment), the application itself runs fine with no problems without this change. Using ES5 style class definitions give us freedom to do all of the above without causing any errors, so we reverted these classes back to ES5 class definitions ### Skip test that seems to have changed due to a change in RSVP timing This test tests a usecase/area of the API that will probably never ever be used, it was more testing out the API. We've skipped the test for now as this doesn't affect the application itself, but left a note to come back here later to investigate further ### Remove enumerableContentDidChange Initial testing looks like we don't need to call this function anymore, the function no longer exists ### Rework Changeset.isSaving to take into account new ember APIs Setting/hanging a computedProperty of an instantiated object no longer works. Move to setting it on the prototype/class definition instead ### Change how we detect whether something requires listening New ember API's have changed how you can detect whether something is a computedProperty or not. It's not immediately clear if its even possible now. Therefore we change how we detect whether something should be listened to or not by just looking for presence of `addEventListener` ### Potentially temporary change of ci test scripts to ensure deps exist All our tooling scripts run through a Makefile (for people familiar with only using those), which then call yarn scripts which can be called independently (for people familar with only using yarn). The Makefile targets always check to make sure all the dependencies are installed before running anything that requires them (building, testing etc). The CI scripts/targets didn't follow this same route and called the yarn scripts directly (usually CI builds a cache of the dependencies first). For some reason this cache isn't doing what it usually does, and it looks as though, in CI, ember isn't installed. This commit makes the CI scripts consistently use the same method as all of the other tooling scripts (Makefile target > Install Deps if required > call yarn script). This should install the dependencies if for some reason the CI cache building doesn't complete/isn't successful. Potentially this commit may be reverted if, the root of the problem is elsewhere, although consistency is always good, so it might be a good idea to leave this commit as is even if we need to debug and fix things elsewhere. ### Make test-parallel consistent with the rest of the tooling scripts As we are here making changes for CI purposes (making test-ci consistent), we spotted that test-parallel is also inconsistent and also the README manual instructions won't work without `ember` installed globally. This commit makes everything consistent and changes the manual instructions to use the local ember instance that gets installed via yarn ### Re-wrangle catchable to fit with new ember 3.12 APIs In the upgrade from ember 3.8 > 3.12 the public interfaces for ComputedProperties have changed slightly. `meta` is no longer a public property of ComputedProperty but of a ComputedDecoratorImpl mixin instead. 7e4ba1096e/packages/%40ember/-internals/metal/lib/computed.ts (L725) There seems to be no way, by just using publically available methods, to replicate this behaviour so that we can create our own 'ComputedProperty` factory via injecting the ComputedProperty class as we did previously. 3f333bada1/ui-v2/app/utils/computed/factory.js (L1-L18) Instead we dynamically hang our `Catchable` `catch` method off the instantiated ComputedProperty. In doing it like this `ComputedProperty` has already has its `meta` method mixed in so we don't have to manually mix it in ourselves (which doesn't seem possible) This functionality is only used during our work in trying to ensure our EventSource/BlockingQuery work was as 'ember-like' as possible (i.e. using the traditional Route.model hooks and ember-like Controller properties). Our ongoing/upcoming work on a componentized approach to data a.k.a `<DataSource />` means we will be able to remove the majority of the code involved here now that it seems to be under an amount of flux in ember. ### Build bindata_assetfs.go with new UI changes	5 years ago
Matt Keeler	923d8671a4	Add support for parameterizing the ACL config used with a TestA… (#6559) ... * Add support for parameterizing the ACL config used with a TestAgent Using tokens that are UUIDs will get rid of some warnings * Refactor to allow setting all tokens and change the template to ignore unset values.	5 years ago
R.B. Boyer	c4b92d5534	connect: connect CA Roots in secondary datacenters should use a SigningKeyID derived from their local intermediate (#6513) ... This fixes an issue where leaf certificates issued in secondary datacenters would be reissued very frequently (every ~20 seconds) because the logic meant to detect root rotation was errantly triggering because a hash of the ultimate root (in the primary) was being compared against a hash of the local intermediate root (in the secondary) and always failing.	5 years ago
R.B. Boyer	9566df524e	agent: cache notifications work after error if the underlying RPC returns index=1 (#6547) ... Fixes #6521 Ensure that initial failures to fetch an agent cache entry using the notify API where the underlying RPC returns a synthetic index of 1 correctly recovers when those RPCs resume working. The bug in the Cache.notifyBlockingQuery used to incorrectly "fix" the index for the next query from 0 to 1 for all queries, when it should have not done so for queries that errored. Also fixed some things that made debugging difficult: - config entry read/list endpoints send back QueryMeta headers - xds event loops don't swallow the cache notification errors	5 years ago
Matt Keeler	76cf54068b	Expand the QueryOptions and QueryMeta interfaces (#6545) ... In a previous PR I made it so that we had interfaces that would work enough to allow blockingQueries to work. However to complete this we need all fields to be settable and gettable. Notes: • If Go ever gets contracts/generics then we could get rid of all the Getters/Setters • protoc / protoc-gen-gogo are going to generate all the getters for us. • I copied all the getters/setters from the protobuf funcs into agent/structs/protobuf_compat.go • Also added JSON marshaling funcs that use jsonpb for protobuf types.	5 years ago
Freddy	fdd10dd8b8	Expose HTTP-based paths through Connect proxy (#6446) ... Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.	5 years ago
R.B. Boyer	5882e21b2b	agent: tolerate more failure scenarios during service registration with central config enabled (#6472) ... Also: * Finished threading replaceExistingChecks setting (from GH-4905) through service manager. * Respected the original configSource value that was used to register a service or a check when restoring persisted data. * Run several existing tests with and without central config enabled (not exhaustive yet). * Switch to ioutil.ReadFile for all types of agent persistence.	5 years ago
Matt Keeler	100ebd63f9	Allow for enterprise only leader routines (#6533) ... Eventually I am thinking we may need a way to register these at different priority levels but for now sticking this here is fine	5 years ago
R.B. Boyer	af01d397a5	connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492) ... The fields in the certs are meant to hold the original binary representation of this data, not some ascii-encoded version. The only time we should be colon-hex-encoding fields is for display purposes or marshaling through non-TLS mediums (like RPC).	5 years ago
R.B. Boyer	796de297c8	connect: intermediate CA certs generated with the vault provider lack URI SANs (#6491) ... This only affects vault versions >=1.1.1 because the prior code accidentally relied upon a bug that was fixed in https://github.com/hashicorp/vault/pull/6505 The existing tests should have caught this, but they were using a vendored copy of vault version 0.10.3. This fixes the tests by running an actual copy of vault instead of an in-process copy. This has the added benefit of changing the dependency on vault to just vault/api. Also update VaultProvider to use similar SetIntermediate validation code as the ConsulProvider implementation.	5 years ago
Matt Keeler	51dcd126b7	Add support for implementing new requests with protobufs instea… (#6502) ... * Add build system support for protobuf generation This is done generically so that we don’t have to keep updating the makefile to add another proto generation. Note: anything not in the vendor directory and with a .proto extension will be run through protoc if the corresponding namespace.pb.go file is not up to date. If you want to rebuild just a single proto file you can do so with: make proto-rebuild PROTOFILES=<list of proto files to rebuild> Providing the PROTOFILES var will override the default behavior of finding all the .proto files. * Start adding types to the agent/proto package These will be needed for some other work and are by no means comprehensive. * Add ability to resolve/fixup the agentpb.ACLLinks structure in the state store. * Use protobuf marshalling of raft requests instead of msgpack for protoc generated types. This does not change any encoding of existing types. * Removed structs package automatically encoding with protobuf marshalling Instead the caller of raftApply that wants to opt-in to protobuf encoding will have to call `raftApplyProtobuf` * Run update-vendor to fixup modules.txt Nothing changed as far as dependencies go but the ordering of modules in that file depends on the time they are first seen and its not alphabetical. * Rename some things and implement the structs.RPCInfo interface bits agentpb.QueryOptions and agentpb.WriteRequest implement 3 of the 4 RPCInfo funcs and the new TargetDatacenter message type implements the fourth. * Use the right encoding function. * Renamed agent/proto package to agent/agentpb to prevent package name conflicts * Update modules.txt to fix ordering * Change blockingQuery to take in interfaces for the query options and meta * Add %T to error output. * Add/Update some comments	5 years ago