consul

Commit Graph

Author	SHA1	Message	Date
R.B. Boyer	c4b92d5534	connect: connect CA Roots in secondary datacenters should use a SigningKeyID derived from their local intermediate (#6513 ) This fixes an issue where leaf certificates issued in secondary datacenters would be reissued very frequently (every ~20 seconds) because the logic meant to detect root rotation was errantly triggering because a hash of the ultimate root (in the primary) was being compared against a hash of the local intermediate root (in the secondary) and always failing.	5 years ago
Matt Keeler	76cf54068b	Expand the QueryOptions and QueryMeta interfaces (#6545 ) In a previous PR I made it so that we had interfaces that would work enough to allow blockingQueries to work. However to complete this we need all fields to be settable and gettable. Notes: • If Go ever gets contracts/generics then we could get rid of all the Getters/Setters • protoc / protoc-gen-gogo are going to generate all the getters for us. • I copied all the getters/setters from the protobuf funcs into agent/structs/protobuf_compat.go • Also added JSON marshaling funcs that use jsonpb for protobuf types.	5 years ago
Freddy	fdd10dd8b8	Expose HTTP-based paths through Connect proxy (#6446 ) Fixes: #5396 This PR adds a proxy configuration stanza called expose. These flags register listeners in Connect sidecar proxies to allow requests to specific HTTP paths from outside of the node. This allows services to protect themselves by only listening on the loopback interface, while still accepting traffic from non Connect-enabled services. Under expose there is a boolean checks flag that would automatically expose all registered HTTP and gRPC check paths. This stanza also accepts a paths list to expose individual paths. The primary use case for this functionality would be to expose paths for third parties like Prometheus or the kubelet. Listeners for requests to exposed paths are be configured dynamically at run time. Any time a proxy, or check can be registered, a listener can also be created. In this initial implementation requests to these paths are not authenticated/encrypted.	5 years ago
Matt Keeler	51dcd126b7	Add support for implementing new requests with protobufs instea… (#6502 ) * Add build system support for protobuf generation This is done generically so that we don’t have to keep updating the makefile to add another proto generation. Note: anything not in the vendor directory and with a .proto extension will be run through protoc if the corresponding namespace.pb.go file is not up to date. If you want to rebuild just a single proto file you can do so with: make proto-rebuild PROTOFILES=<list of proto files to rebuild> Providing the PROTOFILES var will override the default behavior of finding all the .proto files. * Start adding types to the agent/proto package These will be needed for some other work and are by no means comprehensive. * Add ability to resolve/fixup the agentpb.ACLLinks structure in the state store. * Use protobuf marshalling of raft requests instead of msgpack for protoc generated types. This does not change any encoding of existing types. * Removed structs package automatically encoding with protobuf marshalling Instead the caller of raftApply that wants to opt-in to protobuf encoding will have to call `raftApplyProtobuf` * Run update-vendor to fixup modules.txt Nothing changed as far as dependencies go but the ordering of modules in that file depends on the time they are first seen and its not alphabetical. * Rename some things and implement the structs.RPCInfo interface bits agentpb.QueryOptions and agentpb.WriteRequest implement 3 of the 4 RPCInfo funcs and the new TargetDatacenter message type implements the fourth. * Use the right encoding function. * Renamed agent/proto package to agent/agentpb to prevent package name conflicts * Update modules.txt to fix ordering * Change blockingQuery to take in interfaces for the query options and meta * Add %T to error output. * Add/Update some comments	5 years ago
Pierre Souchay	be50400c62	Distinguish between DC not existing and not being available (#6399 )	5 years ago
R.B. Boyer	fd1c62ee8b	connect: ensure time.Duration fields retain their human readable forms in the API (#6348 ) This applies for both config entries and the compiled discovery chain. Also omit some other config entries fields when empty.	5 years ago
R.B. Boyer	561b2fe606	connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340 )	5 years ago
R.B. Boyer	ae79cdab1b	connect: introduce ExternalSNI field on service-defaults (#6324 ) Compiling this will set an optional SNI field on each DiscoveryTarget. When set this value should be used for TLS connections to the instances of the target. If not set the default should be used. Setting ExternalSNI will disable mesh gateway use for that target. It also disables several service-resolver features that do not make sense for an external service.	5 years ago
R.B. Boyer	1a485011d0	connect: updating a service-defaults config entry should leave an unset protocol alone (#6342 ) If the entry is updated for reasons other than protocol it is surprising that the value is explicitly persisted as 'tcp' rather than leaving it empty and letting it fall back dynamically on the proxy-defaults value.	5 years ago
R.B. Boyer	3975cb89bf	agent: blocking central config RPCs iterations should not interfere with each other (#6316 )	5 years ago
hashicorp-ci	5919c7c184	Merge Consul OSS branch 'master' at commit `8f7586b339`	5 years ago
Sarah Adams	8ff1f481fe	add flag to allow /operator/keyring requests to only hit local servers (#6279 ) Add parameter local-only to operator keyring list requests to force queries to only hit local servers (no WAN traffic). HTTP API: GET /operator/keyring?local-only=true CLI: consul keyring -list --local-only Sending the local-only flag with any non-GET/list request will result in an error.	5 years ago
Mike Morris	65be58703c	connect: remove managed proxies (#6220 ) * connect: remove managed proxies implementation and all supporting config options and structs * connect: remove deprecated ProxyDestination * command: remove CONNECT_PROXY_TOKEN env var * agent: remove entire proxyprocess proxy manager * test: remove all managed proxy tests * test: remove irrelevant managed proxy note from TestService_ServerTLSConfig * test: update ContentHash to reflect managed proxy removal * test: remove deprecated ProxyDestination test * telemetry: remove managed proxy note * http: remove /v1/agent/connect/proxy endpoint * ci: remove deprecated test exclusion * website: update managed proxies deprecation page to note removal * website: remove managed proxy configuration API docs * website: remove managed proxy note from built-in proxy config * website: add note on removing proxy subdirectory of data_dir	5 years ago
R.B. Boyer	8e22d80e35	connect: fix failover through a mesh gateway to a remote datacenter (#6259 ) Failover is pushed entirely down to the data plane by creating envoy clusters and putting each successive destination in a different load assignment priority band. For example this shows that normally requests go to 1.2.3.4:8080 but when that fails they go to 6.7.8.9:8080: - name: foo load_assignment: cluster_name: foo policy: overprovisioning_factor: 100000 endpoints: - priority: 0 lb_endpoints: - endpoint: address: socket_address: address: 1.2.3.4 port_value: 8080 - priority: 1 lb_endpoints: - endpoint: address: socket_address: address: 6.7.8.9 port_value: 8080 Mesh gateways route requests based solely on the SNI header tacked onto the TLS layer. Envoy currently only lets you configure the outbound SNI header at the cluster layer. If you try to failover through a mesh gateway you ideally would configure the SNI value per endpoint, but that's not possible in envoy today. This PR introduces a simpler way around the problem for now: 1. We identify any target of failover that will use mesh gateway mode local or remote and then further isolate any resolver node in the compiled discovery chain that has a failover destination set to one of those targets. 2. For each of these resolvers we will perform a small measurement of comparative healths of the endpoints that come back from the health API for the set of primary target and serial failover targets. We walk the list of targets in order and if any endpoint is healthy we return that target, otherwise we move on to the next target. 3. The CDS and EDS endpoints both perform the measurements in (2) for the affected resolver nodes. 4. For CDS this measurement selects which TLS SNI field to use for the cluster (note the cluster is always going to be named for the primary target) 5. For EDS this measurement selects which set of endpoints will populate the cluster. Priority tiered failover is ignored. One of the big downsides to this approach to failover is that the failover detection and correction is going to be controlled by consul rather than deferring that entirely to the data plane as with the prior version. This also means that we are bound to only failover using official health signals and cannot make use of data plane signals like outlier detection to affect failover. In this specific scenario the lack of data plane signals is ok because the effectiveness is already muted by the fact that the ultimate destination endpoints will have their data plane signals scrambled when they pass through the mesh gateway wrapper anyway so we're not losing much. Another related fix is that we now use the endpoint health from the underlying service, not the health of the gateway (regardless of failover mode).	5 years ago
R.B. Boyer	c395affc93	connect: expose an API endpoint to compile the discovery chain (#6248 ) In addition to exposing compilation over the API cleaned up the structures that would be exchanged to be cleaner and easier to support and understand. Also removed ability to configure the envoy OverprovisioningFactor.	5 years ago
R.B. Boyer	dcb609af83	connect: detect and prevent circular discovery chain references (#6246 )	5 years ago
R.B. Boyer	f02924fafe	connect: simplify the compiled discovery chain data structures (#6242 ) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.	5 years ago
R.B. Boyer	6393edba53	connect: reconcile how upstream configuration works with discovery chains (#6225 ) * connect: reconcile how upstream configuration works with discovery chains The following upstream config fields for connect sidecars sanely integrate into discovery chain resolution: - Destination Namespace/Datacenter: Compilation occurs locally but using different default values for namespaces and datacenters. The xDS clusters that are created are named as they normally would be. - Mesh Gateway Mode (single upstream): If set this value overrides any value computed for any resolver for the entire discovery chain. The xDS clusters that are created may be named differently (see below). - Mesh Gateway Mode (whole sidecar): If set this value overrides any value computed for any resolver for the entire discovery chain. If this is specifically overridden for a single upstream this value is ignored in that case. The xDS clusters that are created may be named differently (see below). - Protocol (in opaque config): If set this value overrides the value computed when evaluating the entire discovery chain. If the normal chain would be TCP or if this override is set to TCP then the result is that we explicitly disable L7 Routing and Splitting. The xDS clusters that are created may be named differently (see below). - Connect Timeout (in opaque config): If set this value overrides the value for any resolver in the entire discovery chain. The xDS clusters that are created may be named differently (see below). If any of the above overrides affect the actual result of compiling the discovery chain (i.e. "tcp" becomes "grpc" instead of being a no-op override to "tcp") then the relevant parameters are hashed and provided to the xDS layer as a prefix for use in naming the Clusters. This is to ensure that if one Upstream discovery chain has no overrides and tangentially needs a cluster named "api.default.XXX", and another Upstream does have overrides for "api.default.XXX" that they won't cross-pollinate against the operator's wishes. Fixes #6159	5 years ago
R.B. Boyer	8564b6bb38	connect: validate upstreams and prevent duplicates (#6224 ) * connect: validate upstreams and prevent duplicates * Actually run Upstream.Validate() instead of ignoring it as dead code. * Prevent two upstreams from declaring the same bind address and port. It wouldn't work anyway. * Prevent two upstreams from being declared that use the same type+name+namespace+datacenter. Due to how the Upstream.Identity() function worked this ended up mostly being enforced in xDS at use-time, but it should be enforced more clearly at register-time.	5 years ago
Paul Banks	e87cef2bb8	Revert "connect: support AWS PCA as a CA provider" (#6251 ) This reverts commit `3497b7c00d`.	5 years ago
Todd Radel	3497b7c00d	connect: support AWS PCA as a CA provider (#6189 ) Port AWS PCA provider from consul-ent	5 years ago
Todd Radel	2552f4a11a	connect: Support RSA keys in addition to ECDSA (#6055 ) Support RSA keys in addition to ECDSA	5 years ago
R.B. Boyer	c6c4a2251a	Merge Consul OSS branch master at commit `b3541c4f34`	5 years ago
Jeff Mitchell	94c73d0c92	Chunking support (#6172 ) * Initial chunk support This uses the go-raft-middleware library to allow for chunked commits to the KV	5 years ago
Matt Keeler	3053342198	Envoy Mesh Gateway integration tests (#6187 ) * Allow setting the mesh gateway mode for an upstream in config files * Add envoy integration test for mesh gateways This necessitated many supporting changes in most of the other test cases. Add remote mode mesh gateways integration test	5 years ago
R.B. Boyer	ad9e7b6ae9	connect: allow L7 routers to match on http methods (#6164 ) Fixes #6158	5 years ago
R.B. Boyer	85cf2706e6	connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. (#6163 ) This is a breaking change, but only in the context of the beta series.	5 years ago
R.B. Boyer	1dbd92e091	connect: validate and test more of the L7 config entries (#6156 )	5 years ago
R.B. Boyer	e039dfd7f8	connect: rework how the service resolver subset OnlyPassing flag works (#6173 ) The main change is that we no longer filter service instances by health, preferring instead to render all results down into EDS endpoints in envoy and merely label the endpoints as HEALTHY or UNHEALTHY. When OnlyPassing is set to true we will force consul checks in a 'warning' state to render as UNHEALTHY in envoy. Fixes #6171	5 years ago
Matt Keeler	d7fe8befa9	Update go-bexpr (#6190 ) * Update go-bexpr to v0.1.1 This brings in: • `in`/`not in` operators to do substring matching • `matches` / `not matches` operators to perform regex string matching. * Add the capability to auto-generate the filtering selector ops tables for our docs	5 years ago
Matt Keeler	4728329aeb	Various Gateway Fixes (#6093 ) * Ensure the mesh gateway configuration comes back in the api within each upstream * Add a test for the MeshGatewayConfig in the ToAPI functions * Ensure we don’t use gateways for dc local connections * Update the svc kind index for deletions * Replace the proxycfg.state cache with an interface for testing Also start implementing proxycfg state testing. * Update the state tests to verify some gateway watches for upstream-targets of a discovery chain.	5 years ago
R.B. Boyer	bcd2de3a2e	implement some missing service-router features and add more xDS testing (#6065 ) - also implement OnlyPassing filters for non-gateway clusters	5 years ago
R.B. Boyer	9138a97054	Fix bug in service-resolver redirects if the destination uses a default resolver. (#6122 ) Also: - add back an internal http endpoint to dump a compiled discovery chain for debugging purposes Before the CompiledDiscoveryChain.IsDefault() method would test: - is this chain just one resolver step? - is that resolver step just the default? But what I forgot to test: - is that resolver step for the same service that the chain represents? This last point is important because if you configured just one config entry: kind = "service-resolver" name = "web" redirect { service = "other" } and requested the chain for "web" you'd get back a default resolver for "other". In the xDS code the IsDefault() method is used to determine if this chain is "empty". If it is then we use the pre-discovery-chain logic that just uses data embedded in the Upstream object (and still lets the escape hatches function). In the example above that means certain parts of the xDS code were going to try referencing a cluster named "web..." despite the other parts of the xDS code maintaining clusters named "other...".	5 years ago
R.B. Boyer	67a36e3452	handle structs.ConfigEntry decoding similarly to api.ConfigEntry decoding (#6106 ) Both 'consul config write' and server bootstrap config entries take a decoding detour through mapstructure on the way from HCL to an actual struct. They both may take in snake_case or CamelCase (for consistency) so need very similar handling. Unfortunately since they are operating on mirror universes of structs (api.* vs structs.*) the code cannot be identitical, so try to share the kind-configuration and duplicate the rest for now.	5 years ago
Matt Keeler	6e65811db2	Envoy CLI bind addresses (#6107 ) * Ensure we MapWalk the proxy config in the NodeService and ServiceNode structs This gets rid of some json encoder errors in the catalog endpoints * Allow passing explicit bind addresses to envoy * Move map walking to the ConnectProxyConfig struct Any place where this struct gets JSON encoded will benefit as opposed to having to implement it everywhere. * Fail when a non-empty address is provided and not bindable * camel case * Update command/connect/envoy/envoy.go Co-Authored-By: Paul Banks <banks@banksco.de>	5 years ago
Matt Keeler	3eb3ee5a15	Merge pull request #6053 from hashicorp/gateways_and_resolvers Integrate Mesh Gateways with ServiceResolverSubsets	5 years ago
R.B. Boyer	43770b9391	digest the proxy-defaults protocol into the graph (#6050 )	5 years ago
Matt Keeler	3b6d5e382a	Implement caching for config entry lists Update agent/cache-types/config_entry.go Co-Authored-By: R.B. Boyer <public@richardboyer.net>	5 years ago
R.B. Boyer	4bdb690a25	activate most discovery chain features in xDS for envoy (#6024 )	5 years ago
Matt Keeler	bdebe62fd0	Fix some tests that I broke when refactoring the ConfigSnapshot (#6051 ) * Fix some tests that I broke when refactoring the ConfigSnapshot * Make sure the MeshGateway config is added to all the right api structs * Fix some more tests	5 years ago
Matt Keeler	8d953f5840	Implement Mesh Gateways This includes both ingress and egress functionality.	5 years ago
Matt Keeler	4bc1277315	Include a content hash of the intention for use during replication	5 years ago
Matt Keeler	3943e38133	Implement Kind based ServiceDump and caching of the ServiceDump RPC	5 years ago
R.B. Boyer	2ad516aeaf	do some initial config entry graph validation during writes (#6047 )	5 years ago
hashicorp-ci	43bda6fb76	Merge Consul OSS branch 'master' at commit `e91f73f592`	5 years ago
Hans Hasselberg	33a7df3330	tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597 )	5 years ago
R.B. Boyer	6a52f9f9fb	initial version of L7 config entry compiler (#5994 ) With this you should be able to fetch all of the relevant discovery chain config entries from the state store in one query and then feed them into the compiler outside of a transaction. There are a lot of TODOs scattered through here, but they're mostly around handling fun edge cases and can be deferred until more of the plumbing works completely.	5 years ago
R.B. Boyer	ceef44bbc9	adding new config entries for L7 discovery chain (unused) (#5987 )	5 years ago
hashicorp-ci	f4304e2e5b	Merge Consul OSS branch 'master' at commit `4eb73973b6`	5 years ago
Pierre Souchay	0e907f5aa8	Support for maximum size for Output of checks (#5233 ) * Support for maximum size for Output of checks This PR allows users to limit the size of output produced by checks at the agent and check level. When set at the agent level, it will limit the output for all checks monitored by the agent. When set at the check level, it can override the agent max for a specific check but only if it is lower than the agent max. Default value is 4k, and input must be at least 1.	5 years ago
Matt Keeler	43c5ba0304	New Cache Types (#5995 ) * Add a cache type for the Catalog.ListServices endpoint * Add a cache type for the Catalog.ListDatacenters endpoint	6 years ago
Aestek	b839f52195	kv: do not trigger watches when setting the same value (#5885 ) If a KVSet is performed but does not update the entry, do not trigger watches for this key. This avoids releasing blocking queries for KV values that did not actually changed.	6 years ago
Matt Keeler	f3d9b999ee	Add tagged addresses for services (#5965 ) This allows addresses to be tagged at the service level similar to what we allow for nodes already. The address translation that can be enabled with the `translate_wan_addrs` config was updated to take these new addresses into account as well.	6 years ago
R.B. Boyer	40336fd353	agent: fix several data races and bugs related to node-local alias checks (#5876 ) The observed bug was that a full restart of a consul datacenter (servers and clients) in conjunction with a restart of a connect-flavored application with bring-your-own-service-registration logic would very frequently cause the envoy sidecar service check to never reflect the aliased service. Over the course of investigation several bugs and unfortunate interactions were corrected: (1) local.CheckState objects were only shallow copied, but the key piece of data that gets read and updated is one of the things not copied (the underlying Check with a Status field). When the stock code was run with the race detector enabled this highly-relevant-to-the-test-scenario field was found to be racy. Changes: a) update the existing Clone method to include the Check field b) copy-on-write when those fields need to change rather than incrementally updating them in place. This made the observed behavior occur slightly less often. (2) If anything about how the runLocal method for node-local alias check logic was ever flawed, there was no fallback option. Those checks are purely edge-triggered and failure to properly notice a single edge transition would leave the alias check incorrect until the next flap of the aliased check. The change was to introduce a fallback timer to act as a control loop to double check the alias check matches the aliased check every minute (borrowing the duration from the non-local alias check logic body). This made the observed behavior eventually go away when it did occur. (3) Originally I thought there were two main actions involved in the data race: A. The act of adding the original check (from disk recovery) and its first health evaluation. B. The act of the HTTP API requests coming in and resetting the local state when re-registering the same services and checks. It took awhile for me to realize that there's a third action at work: C. The goroutines associated with the original check and the later checks. The actual sequence of actions that was causing the bad behavior was that the API actions result in the original check to be removed and re-added _without waiting for the original goroutine to terminate_. This means for brief windows of time during check definition edits there are two goroutines that can be sending updates for the alias check status. In extremely unlikely scenarios the original goroutine sees the aliased check start up in `critical` before being removed but does not get the notification about the nearly immediate update of that check to `passing`. This is interlaced wit the new goroutine coming up, initializing its base case to `passing` from the current state and then listening for new notifications of edge triggers. If the original goroutine "finishes" its update, it then commits one more write into the local state of `critical` and exits leaving the alias check no longer reflecting the underlying check. The correction here is to enforce that the old goroutines must terminate before spawning the new one for alias checks.	6 years ago
R.B. Boyer	20eefeea11	acl: a role binding rule for a role that does not exist should be ignored (#5778 ) I wrote the docs under this assumption but completely forgot to actually enforce it.	6 years ago
R.B. Boyer	b4371bcccd	acl: enforce that you cannot persist tokens and roles with missing links except during replication (#5779 )	6 years ago
Matt Keeler	42d32db817	Fix ConfigEntryResponse binary marshaller and ensure we watch the chan in ConfigEntry.Get even when no entry exists. (#5773 )	6 years ago
Paul Banks	8f5b16ebaf	Fix uint8 conversion issues for service config response maps.	6 years ago
Paul Banks	0cfb6051ea	Add integration test for central config; fix central config WIP (#5752 ) * Add integration test for central config; fix central config WIP * Add integration test for central config; fix central config WIP * Set proxy protocol correctly and begin adding upstream support * Add upstreams to service config cache key and start new notify watcher if they change. This doesn't update the tests to pass though. * Fix some merging logic get things working manually with a hack (TODO fix properly) * Simplification to not allow enabling sidecars centrally - it makes no sense without upstreams anyway * Test compile again and obvious ones pass. Lots of failures locally not debugged yet but may be flakes. Pushing up to see what CI does * Fix up service manageer and API test failures * Remove the enable command since it no longer makes much sense without being able to turn on sidecar proxies centrally * Remove version.go hack - will make integration test fail until release * Remove unused code from commands and upstream merge * Re-bump version to 1.5.0	6 years ago
Matt Keeler	69f902608c	Update to use a consulent build tag instead of just ent (#5759 )	6 years ago
Matt Keeler	d0f410cd84	Make a few config entry endpoints return 404s and allow for snake_case and lowercase key names. (#5748 )	6 years ago
Matt Keeler	4daa1585b0	ACL Token ID Initialization (#5307 )	6 years ago
Kyle Havlovitz	aba54cec55	Add HTTP endpoints for config entry management (#5718 )	6 years ago
Paul Banks	421ecd32fc	Connect: allow configuring Envoy for L7 Observability (#5558 ) * Add support for HTTP proxy listeners * Add customizable bootstrap configuration options * Debug logging for xDS AuthZ * Add Envoy Integration test suite with basic test coverage * Add envoy command tests to cover new cases * Add tracing integration test * Add gRPC support WIP * Merged changes from master Docker. get CI integration to work with same Dockerfile now * Make docker build optional for integration * Enable integration tests again! * http2 and grpc integration tests and fixes * Fix up command config tests * Store all container logs as artifacts in circle on fail * Add retries to outer part of stats measurements as we keep missing them in CI * Only dump logs on failing cases * Fix typos from code review * Review tidying and make tests pass again * Add debug logs to exec test. * Fix legit test failure caused by upstream rename in envoy config * Attempt to reduce cases of bad TLS handshake in CI integration tests * bring up the right service * Add prometheus integration test * Add test for denied AuthZ both HTTP and TCP * Try ANSI term for Circle	6 years ago
R.B. Boyer	e47d7eeddb	acl: adding support for kubernetes auth provider login (#5600 ) * auth providers * binding rules * auth provider for kubernetes * login/logout	6 years ago
R.B. Boyer	cc1aa3f973	acl: adding Roles to Tokens (#5514 ) Roles are named and can express the same bundle of permissions that can currently be assigned to a Token (lists of Policies and Service Identities). The difference with a Role is that it not itself a bearer token, but just another entity that can be tied to a Token. This lets an operator potentially curate a set of smaller reusable Policies and compose them together into reusable Roles, rather than always exploding that same list of Policies on any Token that needs similar permissions. This also refactors the acl replication code to be semi-generic to avoid 3x copypasta.	6 years ago
R.B. Boyer	7928305279	making ACLToken.ExpirationTime a *time.Time value instead of time.Time (#5663 ) This is mainly to avoid having the API return "0001-01-01T00:00:00Z" as a value for the ExpirationTime field when it is not set. Unfortunately time.Time doesn't respect the json marshalling "omitempty" directive.	6 years ago
R.B. Boyer	db43fc3a20	acl: ACL Tokens can now be assigned an optional set of service identities (#5390 ) These act like a special cased version of a Policy Template for granting a token the privileges necessary to register a service and its connect proxy, and read upstreams from the catalog.	6 years ago
R.B. Boyer	2144bd7fbd	acl: tokens can be created with an optional expiration time (#5353 )	6 years ago
Matt Keeler	5befe0f5d5	Implement config entry replication (#5706 )	6 years ago
Kyle Havlovitz	c269369760	Make central service config opt-in and rework the initial registration	6 years ago
Kyle Havlovitz	88e1d8ce03	Fill out the service manager functionality and fix tests	6 years ago
Kyle Havlovitz	7c25869e67	Add the service registration manager to the agent	6 years ago
Kyle Havlovitz	b186c3020c	Merge pull request #5615 from hashicorp/config-entry-rpc Add RPC endpoints for config entry operations	6 years ago
Kyle Havlovitz	fed7595d45	Rename config entry ACL methods	6 years ago
Matt Keeler	afa1cc98d1	Implement data filtering of some endpoints (#5579 ) Fixes: #4222 # Data Filtering This PR will implement filtering for the following endpoints: ## Supported HTTP Endpoints - `/agent/checks` - `/agent/services` - `/catalog/nodes` - `/catalog/service/:service` - `/catalog/connect/:service` - `/catalog/node/:node` - `/health/node/:node` - `/health/checks/:service` - `/health/service/:service` - `/health/connect/:service` - `/health/state/:state` - `/internal/ui/nodes` - `/internal/ui/services` More can be added going forward and any endpoint which is used to list some data is a good candidate. ## Usage When using the HTTP API a `filter` query parameter can be used to pass a filter expression to Consul. Filter Expressions take the general form of: ``` <selector> == <value> <selector> != <value> <value> in <selector> <value> not in <selector> <selector> contains <value> <selector> not contains <value> <selector> is empty <selector> is not empty not <other expression> <expression 1> and <expression 2> <expression 1> or <expression 2> ``` Normal boolean logic and precedence is supported. All of the actual filtering and evaluation logic is coming from the [go-bexpr](https://github.com/hashicorp/go-bexpr) library ## Other changes Adding the `Internal.ServiceDump` RPC endpoint. This will allow the UI to filter services better.	6 years ago
Kyle Havlovitz	690e9dd2c0	Move the ACL logic into the ConfigEntry interface	6 years ago
Kyle Havlovitz	f2ed482680	Add RPC endpoints for config entry operations	6 years ago
Kyle Havlovitz	a2fa9a0019	Cleaned up some error handling/comments around config entries	6 years ago
Kyle Havlovitz	d16be2e269	Encode config entry FSM messages in a generic type	6 years ago
Kyle Havlovitz	f6df5c9b3b	Clean up service config state store methods	6 years ago
Kyle Havlovitz	e199c37ee4	Add some basic normalize/validation logic for config entries	6 years ago
Kyle Havlovitz	d92577c16b	Fix fsm serialization and add snapshot/restore	6 years ago
Kyle Havlovitz	17aa6a5a34	Fill out state store/FSM functions and add tests	6 years ago
Kyle Havlovitz	9d07add047	Add config types and state store table	6 years ago
R.B. Boyer	f4a3b9d518	fix typos reported by golangci-lint:misspell (#5434 )	6 years ago
Matt Keeler	90040f8bff	Fixes for CVE-2019-8336 Fix error in detecting raft replication errors. Detect redacted token secrets and prevent attempting to insert. Add a Redacted field to the TokenBatchRead and TokenRead RPC endpoints This will indicate whether token secrets have been redacted. Ensure any token with a redacted secret in secondary datacenters is removed. Test that redacted tokens cannot be replicated.	6 years ago
Aestek	f1cdfbe40e	Allow DNS interface to use agent cache (#5300 ) Adds two new configuration parameters "dns_config.use_cache" and "dns_config.cache_max_age" controlling how DNS requests use the agent cache when querying servers.	6 years ago
R.B. Boyer	324ba5df17	update TestStateStore_ACLBootstrap to not rely upon request mutation (#5335 )	6 years ago
Matt Keeler	acfd87c673	Improve Connect with Prepared Queries (#5291 ) Given a query like: ``` { "Name": "tagged-connect-query", "Service": { "Service": "foo", "Tags": ["tag"], "Connect": true } } ``` And a Consul configuration like: ``` { "services": [ "name": "foo", "port": 8080, "connect": { "sidecar_service": {} }, "tags": ["tag"] ] } ``` If you executed the query it would always turn up with 0 results. This was because the sidecar service was being created without any tags. You could instead make your config look like: ``` { "services": [ "name": "foo", "port": 8080, "connect": { "sidecar_service": { "tags": ["tag"] } }, "tags": ["tag"] ] } ``` However that is a bit redundant for most cases. This PR ensures that the tags and service meta of the parent service get copied to the sidecar service. If there are any tags or service meta set in the sidecar service definition then this copying does not take place. After the changes, the query will now return the expected results. A second change was made to prepared queries in this PR which is to allow filtering on ServiceMeta just like we allow for filtering on NodeMeta.	6 years ago
Hans Hasselberg	552e150536	correct name	6 years ago
Hans Hasselberg	aebb50d47d	simpler fix	6 years ago
Hans Hasselberg	5db185a7e4	do not export that type	6 years ago
Hans Hasselberg	7f44100101	fix marshalling	6 years ago
Hans Hasselberg	d4790b2827	demo nomad problem	6 years ago
Matt Keeler	d5a3ba6cda	Disregard rules when set on a management token (#5261 ) * Disregard rules when set on a management token * Add unit test for legacy mgmt token with rules	6 years ago
Kyle Havlovitz	5bdf130767	Merge pull request #4869 from hashicorp/txn-checks Add node/service/check operations to transaction api	6 years ago
Paul Banks	ef9f27cbc8	connect: tame thundering herd of CSRs on CA rotation (#5228 ) * Support rate limiting and concurrency limiting CSR requests on servers; handle CA rotations gracefully with jitter and backoff-on-rate-limit in client * Add CSR rate limiting docs * Fix config naming and add tests for new CA configs	6 years ago
Kyle Havlovitz	21380021af	txn: update existing txn api docs with new operations	6 years ago
Matt Keeler	1ec5f2a27f	Store leaf cert indexes in raft and use for the ModifyIndex on the returned certs (#5211 ) * Store leaf cert indexes in raft and use for the ModifyIndex on the returned certs This ensures that future certificate signings will have a strictly greater ModifyIndex than any previous certs signed.	6 years ago

1 2 3 4 5 ...

303 Commits (9f7afb56b2e7551d6bdf2fb5f3d65244a2d8c13f)