consul

Commit Graph

Author	SHA1	Message	Date
freddygv	31e757de2a	Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations.	4 years ago
R.B. Boyer	a0d26430cc	connect: if the token given to the vault provider returns no data avoid a panic (#9806 ) Improves #9800	4 years ago
Matt Keeler	d9d4c492ab	Ensure that CA initialization does not block leader election. After fixing that bug I uncovered a couple more: Fix an issue where we might try to cross sign a cert when we never had a valid root. Fix a potential issue where reconfiguring the CA could cause either the Vault or AWS PCA CA providers to delete resources that are still required by the new incarnation of the CA.	4 years ago
Daniel Nephin	b9e60c0775	testing: skip slow tests with -short Add a skip condition to all tests slower than 100ms. This change was made using `gotestsum tool slowest` with data from the last 3 CI runs of master. See https://github.com/gotestyourself/gotestsum#finding-and-skipping-slow-tests With this change: ``` $ time go test -count=1 -short ./agent ok github.com/hashicorp/consul/agent 0.743s real 0m4.791s $ time go test -count=1 -short ./agent/consul ok github.com/hashicorp/consul/agent/consul 4.229s real 0m8.769s ```	4 years ago
Kyle Havlovitz	0bfda4481f	Add CA server delegate interface for testing	4 years ago
Kyle Havlovitz	6fba82a4fa	connect: Add CAManager for synchronizing CA operations	4 years ago
Kyle Havlovitz	af34b26221	connect: Add logic for updating secondary DC intermediate on config set	4 years ago
Daniel Nephin	3dfb7c224b	stream: Use a no-op event publisher if streaming is disabled	4 years ago
Kyle Havlovitz	f700a5707b	connect: Use the lookup-self endpoint for Vault token	4 years ago
Kyle Havlovitz	01ce9f5b18	Update CI for leader renew CA test using Vault	4 years ago
Kyle Havlovitz	e13f4af06b	connect: Check for expired root cert when cross-signing	4 years ago
Kyle Havlovitz	2ec94b027e	connect: Enable renewing the intermediate cert in the primary DC	4 years ago
Hans Hasselberg	d4877f03e7	fix TestLeader_SecondaryCA_IntermediateRenew (#8702 ) * fix lessThanHalfTime * get lock for CAProvider() * make a var to relate both vars * rename to getCAProviderWithLock * move CertificateTimeDriftBuffer to agent/connect/ca	4 years ago
Kyle Havlovitz	b1b21139ca	Merge branch 'master' into vault-ca-renew-token	4 years ago
Kyle Havlovitz	1cd7c43544	Update vault CA for latest api client	4 years ago
Kyle Havlovitz	7ffef62ed7	Clean up CA shutdown logic and error	4 years ago
Kyle Havlovitz	49056fe70f	Clean up Vault renew tests and shutdown	4 years ago
Kyle Havlovitz	f40fb577fe	Use mapstructure for decoding vault data	4 years ago
Kyle Havlovitz	aa97366020	Add a stop function to make sure the renewer is shut down on leader change	4 years ago
Kyle Havlovitz	2f7210bde2	Move IntermediateCertTTL to common CA config	4 years ago
Kyle Havlovitz	411b6537ef	Add a test for token renewal	4 years ago
Kyle Havlovitz	97f1f341d6	Automatically renew the token used by the Vault CA provider	4 years ago
Matt Keeler	9da8c51ac5	Fix issue with changing the agent token causing failure to renew the auto-encrypt certificate The fallback method would still work but it would get into a state where it would let the certificate expire for 10s before getting a new one. And the new one used the less secure RPC endpoint. This is also a pretty large refactoring of the auto encrypt code. I was going to write some tests around the certificate monitoring but it was going to be impossible to get a TestAgent configured in such a way that I could write a test that ran in less than an hour or two to exercise the functionality. Moving the certificate monitoring into its own package will allow for dependency injection and in particular mocking the cache types to control how it hands back certificates and how long those certificates should live. This will allow for exercising the main loop more than would be possible with it coupled so tightly with the Agent.	4 years ago
Daniel Nephin	f65e21e6dc	Remove unused return values	4 years ago
Daniel Nephin	a9851e1812	Merge pull request #8070 from hashicorp/dnephin/add-gofmt-simplify ci: Enable gofmt simplify	5 years ago
Daniel Nephin	068b43df90	Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'	5 years ago
Paul Banks	f6ac08be04	state: track changes so that they may be used to produce change events	5 years ago
Hans Hasselberg	5281cb74db	Setup intermediate_pki_path on secondary when using vault (#8001 ) Make sure to mount vault backend for intermediate_pki_path on secondary dc.	5 years ago
Jono Sosulska	c554ba9e10	Replace whitelist/blacklist terminology with allowlist/denylist (#7971 ) * Replace whitelist/blacklist terminology with allowlist/denylist	5 years ago
Daniel Nephin	61ec7aa5c9	ci: Run all connect/ca tests from the integration suite To reduce the chance of some tests not being run because it does not match the regex passed to '-run'. Also document why some tests are allowed to be skipped on CI.	5 years ago
Daniel Nephin	f4a35dfd84	ci: Do not skip tests because of missing binaries on CI If the CI environment is not correct for running tests the tests should fail, so that we don't accidentally stop running some tests because of a change to our CI environment. Also removed a duplicate delcaration from init. I believe one was overriding the other as they are both in the same package.	5 years ago
Hans Hasselberg	6739fe6e83	connect: add validations around intermediate cert ttl (#7213 )	5 years ago
R.B. Boyer	8c596953b0	agent: ensure that we always use the same settings for msgpack (#7245 ) We set RawToString=true so that []uint8 => string when decoding an interface{}. We set the MapType so that map[interface{}]interface{} decodes to map[string]interface{}. Add tests to ensure that this doesn't break existing usages. Fixes #7223	5 years ago
Matt Keeler	dfb0177dbc	Testing updates to support namespaced testing of the agent/xds… (#7185 ) * Various testing updates to support namespaced testing of the agent/xds package * agent/proxycfg package updates to support better namespace testing	5 years ago
Matt Keeler	bfc03ec587	Fix a couple bugs regarding intentions with namespaces (#7169 )	5 years ago
Chris Piraino	401221de58	Allow users to configure either unstructured or JSON logging (#7130 ) * hclog Allow users to choose between unstructured and JSON logging	5 years ago
Matt Keeler	c09693e545	Updates to Config Entries and Connect for Namespaces (#7116 )	5 years ago
Hans Hasselberg	82c556d1be	connect: use correct subject key id for leaf certificates. (#7091 )	5 years ago
R.B. Boyer	e2eb9f0585	test: ensure we don't ask vault to sign a leaf that outlives its CA when acting as a secondary (#7100 )	5 years ago
Hans Hasselberg	804eb17094	connect: check if intermediate cert needs to be renewed. (#6835 ) Currently when using the built-in CA provider for Connect, root certificates are valid for 10 years, however secondary DCs get intermediates that are valid for only 1 year. There is no mechanism currently short of rotating the root in the primary that will cause the secondary DCs to renew their intermediates. This PR adds a check that renews the cert if it is half way through its validity period. In order to be able to test these changes, a new configuration option was added: IntermediateCertTTL which is set extremely low in the tests.	5 years ago
Hans Hasselberg	87f32c8ba6	auto_encrypt: set dns and ip san for k8s and provide configuration (#6944 ) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR	5 years ago
Matt Keeler	8bd34e126f	Intentions ACL enforcement updates (#7028 ) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.	5 years ago
R.B. Boyer	10f04a8c4a	connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index (#7011 )	5 years ago
Paul Banks	cd1b613352	connect: Add AWS PCA provider (#6795 ) * Update AWS SDK to use PCA features. * Add AWS PCA provider * Add plumbing for config, config validation tests, add test for inheriting existing CA resources created by user * Unparallel the tests so we don't exhaust PCA limits * Merge updates * More aggressive polling; rate limit pass through on sign; Timeout on Sign and CA create * Add AWS PCA docs * Fix Vault doc typo too * Doc typo * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> * Doc fixes; tests for erroring if State is modified via API * More review cleanup * Uncomment tests! * Minor suggested clean ups	5 years ago
Paul Banks	d7329097b2	Change CA Configure struct to pass Datacenter through (#6775 ) * Change CA Configure struct to pass Datacenter through * Remove connect/ca/plugin as we don't have immediate plans to use it. We still intend to one day but there are likely to be several changes to the CA provider interface before we do so it's better to rebuild from history when we do that work properly. * Rename PrimaryDC; fix endpoint in secondary DCs	5 years ago
Paul Banks	b621910618	Support Connect CAs that can't cross sign (#6726 ) * Support Connect CAs that can't cross sign * revert spurios mod changes from make tools * Add log warning when forcing CA rotation * Fixup SupportsCrossSigning to report errors and work with Plugin interface (fixes tests) * Fix failing snake_case test * Remove misleading comment * Revert "Remove misleading comment" This reverts commit bc4db9cabed8ad5d0e39b30e1fe79196d248349c. * Remove misleading comment * Regen proto files messed up by rebase	5 years ago
Paul Banks	45d57ca601	connect: Allow CA Providers to store small amount of state (#6751 ) * pass logger through to provider * test for proper operation of NeedsLogger * remove public testServer function * Ooops actually set the logger in all the places we need it - CA config set wasn't and causing segfault * Fix all the other places in tests where we set the logger * Allow CA Providers to persist some state * Update CA provider plugin interface * Fix plugin stubs to match provider changes * Update agent/connect/ca/provider.go Co-Authored-By: R.B. Boyer <rb@hashicorp.com> * Cleanup review comments	5 years ago
Todd Radel	29b5253154	connect: Implement NeedsLogger interface for CA providers (#6556 ) * add NeedsLogger to Provider interface * implements NeedsLogger in default provider * pass logger through to provider * test for proper operation of NeedsLogger * remove public testServer function * Switch test to actually assert on logging output rather than reflection. --amend * Ooops actually set the logger in all the places we need it - CA config set wasn't and causing segfault * Fix all the other places in tests where we set the logger * Add TODO comment	5 years ago
Todd Radel	54f92e2924	Make all Connect Cert Common Names valid FQDNs (#6423 )	5 years ago
Paul Banks	87699eca2f	Fix support for RSA CA keys in Connect. (#6638 ) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com>	5 years ago

1 2 3

137 Commits (da31e0449ea6323956f8ebc942a6d76332c52e27)