Commit Graph

10698 Commits (b2c0c08e087884a037f6e9c33b8dbac8829ab9ed)

Author SHA1 Message Date
Kyle Havlovitz 5bdf130767
Merge pull request #4869 from hashicorp/txn-checks
Add node/service/check operations to transaction api
2019-01-22 11:16:09 -08:00
Kyle Havlovitz a28ba4687d
connect/ca: return a better error message if the CA isn't fully initialized when signing 2019-01-22 11:15:09 -08:00
Matt Keeler 922baf811c
Update CHANGELOG.md 2019-01-22 13:18:14 -05:00
Matt Keeler 579a8b32ed
Fix several ACL token/policy resolution issues. (#5246)
* Fix 2 remote ACL policy resolution issues

1 - Use the right method to fire async not found errors when the ACL.PolicyResolve RPC returns that error. This was previously accidentally firing a token result instead of a policy result which would have effectively done nothing (unless there happened to be a token with a secret id == the policy id being resolved.

2. When concurrent policy resolution is being done we single flight the requests. The bug before was that for the policy resolution that was going to piggy back on anothers RPC results it wasn’t waiting long enough for the results to come back due to looping with the wrong variable.

* Fix a handful of other edge case ACL scenarios

The main issue was that token specific issues (not able to access a particular policy or the token being deleted after initial fetching) were poisoning the policy cache.

A second issue was that for concurrent token resolutions, the first resolution to get started would go fetch all the policies. If before the policies were retrieved a second resolution request came in, the new request would register watchers for those policies but then never block waiting for them to complete. This resulted in using the default policy when it shouldn't have.
2019-01-22 13:14:43 -05:00
Paul Banks ef9f27cbc8
connect: tame thundering herd of CSRs on CA rotation (#5228)
* Support rate limiting and concurrency limiting CSR requests on servers; handle CA rotations gracefully with jitter and backoff-on-rate-limit in client

* Add CSR rate limiting docs

* Fix config naming and add tests for new CA configs
2019-01-22 17:19:36 +00:00
R.B. Boyer d3eb781384 Check ACLs more often for xDS endpoints.
For established xDS gRPC streams recheck ACLs for each DiscoveryRequest
or DiscoveryResponse. If more than 5 minutes has elapsed since the last
ACL check, recheck even without an incoming DiscoveryRequest or
DiscoveryResponse. ACL failures will terminate the stream.
2019-01-22 11:12:40 -06:00
kaitlincarter-hc 3e45da1414
Add acl.enable_key_list_policy to agent config docs. (#5227)
* Adding key list parameter to agent config docs.

* Fixed typo in master token section

* Updated based on comments from Paul and Matt.
2019-01-22 10:20:05 -06:00
Kyle Havlovitz ddc4a8d848
oss: add the enterprise server stub for intention replication check 2019-01-18 17:32:10 -08:00
R.B. Boyer 2dea3e2bd7 Fix some test typos. 2019-01-18 16:12:43 -06:00
Matt Keeler 884b2e00af
Update CHANGELOG.md 2019-01-18 12:45:51 -05:00
Matt Keeler 7e6b3e6a0c
Implement prepared query upstreams watching for envoy (#5224)
Fixes #4969 

This implements non-blocking request polling at the cache layer which is currently only used for prepared queries. Additionally this enables the proxycfg manager to poll prepared queries for use in envoy proxy upstreams.
2019-01-18 12:44:04 -05:00
Erik R. Rygg 8c87238b99
Merge pull request #5215 from hashicorp/deployment_guide_updates
Include information about multi-dc Connect
2019-01-17 19:39:41 -07:00
John Cowen 66c139ceae
UI: Text change and clarity Node Health > Health Checks (#5115)
Text change Node Health > Health Checks
Also adds an info icon and tooltip to Health Checks column header
2019-01-17 09:20:00 +00:00
Jihoon Chung d5e28bda56 ui: Fix typo in acl-migration guide link (#5135) 2019-01-17 09:03:23 +00:00
Rebecca Zanzig fbb40d72c0
Merge pull request #5230 from hashicorp/docs/helm-formatting
Docs/helm formatting
2019-01-16 15:00:42 -08:00
Rebecca Zanzig ebba215891 Fix broken links 2019-01-16 14:42:12 -08:00
Rebecca Zanzig df99f4a3ac Indent code blocks further to fix list formatting 2019-01-16 14:31:50 -08:00
Rebecca Zanzig 388ff4caed
Merge pull request #5222 from hashicorp/docs/helm-0.5.0
Add documentation about the two additional Helm chart options
2019-01-16 14:18:15 -08:00
Chris Wang 1e3bda174d Fix typo in k8s connect documentation (#5229) 2019-01-16 17:03:40 -05:00
Kyle Havlovitz 21380021af txn: update existing txn api docs with new operations 2019-01-15 16:54:07 -08:00
kaitlincarter-hc 59c010eb3b
Update links for learn migration (#5223)
* Stared updaing links for the learn migration

* Language change cluster -> datacenter (#5212)

* Updating the language from cluster to datacenter in the backup guide to be consistent and more accurate.

* missed some clusters

* updated three broken links for the sidebar nav
2019-01-15 14:57:17 -06:00
Hans Hasselberg 3c110d5c78
Sorting entries in Changelog for upcoming release 2019-01-15 10:54:03 +01:00
Rebecca Zanzig 98b3c13dbb
Merge pull request #5213 from hashicorp/docs/helm-security
Add a security warning about the default Helm chart installation
2019-01-14 16:28:31 -08:00
Rebecca Zanzig 6de477ef96 Add documentation about the two additional Helm chart options
Adds info about `k8stag` and `nodePortSyncType` options that were
added in consul-helm v0.5.0.

Additionally moves the k8sprefix to match the order in the Helm chart
values file, while also clarifying that it only affects one sync
direction.
2019-01-14 16:15:26 -08:00
Rebecca Zanzig 1c70407bd1 Add a security warning about the default Helm chart installation
If a user installs the default Helm chart Consul on a Kubernetes
cluster that is open to the internet, it is lacking some important
security configurations.
2019-01-14 15:59:27 -08:00
kaitlincarter-hc adcdc81f93
Language change cluster -> datacenter (#5212)
* Updating the language from cluster to datacenter in the backup guide to be consistent and more accurate.

* missed some clusters
2019-01-14 10:46:34 -06:00
Matt Keeler 6fe09aa23b
Update CHANGELOG.md 2019-01-11 16:06:17 -05:00
Matt Keeler 1ec5f2a27f
Store leaf cert indexes in raft and use for the ModifyIndex on the returned certs (#5211)
* Store leaf cert indexes in raft and use for the ModifyIndex on the returned certs

This ensures that future certificate signings will have a strictly greater ModifyIndex than any previous certs signed.
2019-01-11 16:04:57 -05:00
Matt Keeler 834e168f94
Update CHANGELOG.md 2019-01-11 09:31:49 -05:00
Aestek 4afbe792df Improve blocking queries on services that do not exist (#4810)
## Background

When making a blocking query on a missing service (was never registered, or is not registered anymore) the query returns as soon as any service is updated.
On clusters with frequent updates (5~10 updates/s in our DCs) these queries virtually do not block, and clients with no protections againt this waste ressources on the agent and server side. Clients that do protect against this get updates later than they should because of the backoff time they implement between requests.

## Implementation

While reducing the number of unnecessary updates we still want :
* Clients to be notified as soon as when the last instance of a service disapears.
* Clients to be notified whenever there's there is an update for the service.
* Clients to be notified as soon as the first instance of the requested service is added.

To reduce the number of unnecessary updates we need to block when a request to a missing service is made. However in the following case :

1. Client `client1` makes a query for service `foo`, gets back a node and X-Consul-Index 42
2. `foo` is unregistered 
3. `client1`  makes a query for `foo` with `index=42` -> `foo` does not exist, the query blocks and `client1` is not notified of the change on `foo` 

We could store the last raft index when each service was last alive to know wether we should block on the incoming query or not, but that list could grow indefinetly. 
We instead store the last raft index when a service was unregistered and use it when a query targets a service that does not exist. 
When a service `srv` is unregistered this "missing service index" is always greater than any X-Consul-Index held by the clients while `srv` was up, allowing us to immediatly notify them.

1. Client `client1` makes a query for service `foo`, gets back a node and `X-Consul-Index: 42`
2. `foo` is unregistered, we set the "missing service index" to 43 
3. `client1` makes a blocking query for `foo` with `index=42` -> `foo` does not exist, we check against the "missing service index" and return immediatly with `X-Consul-Index: 43`
4. `client1` makes a blocking query for `foo` with `index=43` -> we block
5. Other changes happen in the cluster, but foo still doesn't exist and "missing service index" hasn't changed, the query is still blocked
6. `foo` is registered again on index 62 -> `foo` exists and its index is greater than 43, we unblock the query
2019-01-11 09:26:14 -05:00
R.B. Boyer 4db60f8243
website: minor acl guide fixes (#5214) 2019-01-10 14:17:20 -06:00
Elghazal Ahmed 2e97a4858f website: add autowire in Community Tools list (#5118)
* add autowire in Community Tools list

* put list in the right alphabetic order
2019-01-10 12:27:55 -06:00
Hans Hasselberg f8112e7eaf
Update CHANGELOG.md 2019-01-10 17:44:40 +01:00
Hans Hasselberg 27738c77c0
Update CHANGELOG.md 2019-01-10 17:43:31 +01:00
Matt Keeler 052d68b5fb
Update CHANGELOG.md 2019-01-10 11:25:01 -05:00
Matt Keeler baa8946ea6
cache: Pass through wait query param to the cache.Get (#5203)
This adds a MaxQueryTime field to the connect ca leaf cache request type and populates it via the wait query param. The cache will then do the right thing and timeout the operation as expected if no new leaf cert is available within that time.

Fixes #4462 

The reproduction scenario in the original issue now times out appropriately.
2019-01-10 11:23:37 -05:00
Matt Keeler 27a9f51b24
Update CHANGELOG.md 2019-01-10 10:51:16 -05:00
Pierre Souchay 1618d79518 Allow `"disable_host_node_id": false` to work on Linux as non-root. (#4926)
Bump `shirou/gopsutil` to include https://github.com/shirou/gopsutil/pull/603

This will allow to have consistent node-id even when machine is reinstalled
when using `"disable_host_node_id": false`

It will fix https://github.com/hashicorp/consul/issues/4914 and allow having
the same node-id even when reinstalling a node from scratch. However,
it is only compatible with a single OS (installing to Windows will change
the node-id, but it seems acceptable).
2019-01-10 10:50:14 -05:00
Matt Keeler 8969b8d3e4
Update CHANGELOG.md 2019-01-10 09:29:51 -05:00
Aestek c043de5381 [Security] Allow blocking Write endpoints on Agent using Network Addresses (#4719)
* Add -write-allowed-nets option

* Add documentation for the new write_allowed_nets option
2019-01-10 09:27:26 -05:00
Matt Keeler 1048f3d5e7
acl: Prevent tokens from deleting themselves (#5210)
Fixes #4897 

Also apparently token deletion could segfault in secondary DCs when attempting to delete non-existant tokens. For that reason both checks are wrapped within the non-nil check.
2019-01-10 09:22:51 -05:00
Paul Banks 315cfef08c
Update CHANGELOG.md 2019-01-10 12:50:31 +00:00
Paul Banks 82487d8f68
Update CHANGELOG.md 2019-01-10 12:47:59 +00:00
Paul Banks 0638e09b6e
connect: agent leaf cert caching improvements (#5091)
* Add State storage and LastResult argument into Cache so that cache.Types can safely store additional data that is eventually expired.

* New Leaf cache type working and basic tests passing. TODO: more extensive testing for the Root change jitter across blocking requests, test concurrent fetches for different leaves interact nicely with rootsWatcher.

* Add multi-client and delayed rotation tests.

* Typos and cleanup error handling in roots watch

* Add comment about how the FetchResult can be used and change ca leaf state to use a non-pointer state.

* Plumb test override of root CA jitter through TestAgent so that tests are deterministic again!

* Fix failing config test
2019-01-10 12:46:11 +00:00
kaitlincarter-hc 2dfc9ae989
Re-worked the ACL guide into two docs and an updated guide. (#5093)
* Re-worked the ACL guide into two docs and an updated guide.

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Updating syntax based on amayer5125's comments.

* Missed one of amayer5125's comments

* found a bad link in the acl system docs

* fixing a link in the rules docs
2019-01-09 15:07:20 -06:00
Kyle Havlovitz c07c5446a8 txn: clean up some state store/acl code 2019-01-09 11:59:23 -08:00
Erik R. Rygg 6580890f6e Include information about multi-dc Connect 2019-01-08 14:30:36 -07:00
Matt Keeler 0e280b5a08
Update CHANGELOG.md 2019-01-08 11:44:36 -05:00
dawxy 238d430275 Fix data race (#5029)
Fix #4357
2019-01-08 11:43:14 -05:00
Hans Hasselberg 067027230b
connect: add tls config for vault connect ca provider (#5125)
* add tlsconfig for vault connect ca provider.
* add options to the docs
* add tests for new configuration
2019-01-08 17:09:22 +01:00