consul

Commit Graph

Author	SHA1	Message	Date
Daniel Nephin	8a6e75ac81	rpc: add errNotFound to all Get queries Any query that returns a list of items is not part of this commit.	3 years ago
Daniel Nephin	4b33bdf396	Make blockingQuery efficient with 'not found' results. By using the query results as state. Blocking queries are efficient when the query matches some results, because the ModifyIndex of those results, returned as queryMeta.Mindex, will never change unless the items themselves change. Blocking queries for non-existent items are not efficient because the queryMeta.Index can (and often does) change when other entities are written. This commit reduces the churn of these queries by using a different comparison for "has changed". Instead of using the modified index, we use the existence of the results. If the previous result was "not found" and the new result is still "not found", we know we can ignore the modified index and continue to block. This is done by setting the minQueryIndex to the returned queryMeta.Index, which prevents the query from returning before a state change is observed.	3 years ago
Daniel Nephin	897b953f66	Add a test for blocking query on non-existent entry This test shows how blocking queries are not efficient when the query returns no results. The test fails with 100+ calls instead of the expected 2. This test is still a bit flaky because it depends on the timing of the writes. It can sometimes return 3 calls. A future commit should fix this and make blocking queries even more optimal for not-found results.	3 years ago
Daniel Nephin	3301f94004	rpc: improve docs for blockingQuery Follow the Go convention of accepting a small interface that documents the methods used by the function. Clarify the rules for implementing a query function passed to blockingQuery.	3 years ago
R.B. Boyer	115946da99	server: conditionally avoid writing a config entry to raft if it was already the same (#12321 ) This will both save on unnecessary raft operations as well as unnecessarily incrementing the raft modify index of config entries subject to no-op updates.	3 years ago
FFMMM	78264a8030	Vendor in rpc mono repo for net/rpc fork, go-msgpack, msgpackrpc. (#12311 ) This commit syncs ENT changes to the OSS repo. Original commit details in ENT: ``` commit 569d25f7f4578981c3801e6e067295668210f748 Author: FFMMM <FFMMM@users.noreply.github.com> Date: Thu Feb 10 10:23:33 2022 -0800 Vendor fork net rpc (#1538) * replace net/rpc w consul-net-rpc/net/rpc Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * replace msgpackrpc and go-msgpack with fork from mono repo Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * gofmt all files touched Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> ``` Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>	3 years ago
R.B. Boyer	52009ae86a	missed this test adjustment (#12331 )	3 years ago
R.B. Boyer	fa4577d1a9	local: fixes a data race in anti-entropy sync (#12324 ) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.	3 years ago
Dao Thanh Tung	add15e12f7	URL-encode/decode resource names for HTTP API part 5 (#12297 )	3 years ago
Mark Anderson	1a16f7ee70	Refactor to make ACL errors more structured. (#12308 ) * First phase of refactoring PermissionDeniedError Add extended type PermissionDeniedByACLError that captures information about the accessor, particular permission type and the object and name of the thing being checked. It may be worth folding the test and error return into a single helper function, that can happen at a later date. Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Freddy	9580f79f86	Merge pull request #12223 from hashicorp/proxycfg/passthrough-cleanup	3 years ago
freddygv	ceb52d649a	Account for upstream targets in another DC. Transparent proxies typically cannot dial upstreams in remote datacenters. However, if their upstream configures a redirect to a remote DC then the upstream targets will be in another datacenter. In that sort of case we should use the WAN address for the passthrough.	3 years ago
freddygv	cbea3d203c	Fix race of upstreams with same passthrough ip Due to timing, a transparent proxy could have two upstreams to dial directly with the same address. For example: - The orders service can dial upstreams shipping and payment directly. - An instance of shipping at address 10.0.0.1 is deregistered. - Payments is scaled up and scheduled to have address 10.0.0.1. - The orders service receives the event for the new payments instance before seeing the deregistration for the shipping instance. At this point two upstreams have the same passthrough address and Envoy will reject the listener configuration. To disambiguate this commit considers the Raft index when storing passthrough addresses. In the example above, 10.0.0.1 would only be associated with the newer payments service instance.	3 years ago
freddygv	659ebc05a9	Ensure passthrough addresses get cleaned up Transparent proxies can set up filter chains that allow direct connections to upstream service instances. Services that can be dialed directly are stored in the PassthroughUpstreams map of the proxycfg snapshot. Previously these addresses were not being cleaned up based on new service health data. The list of addresses associated with an upstream service would only ever grow. As services scale up and down, eventually they will have instances assigned to an IP that was previously assigned to a different service. When IP addresses are duplicated across filter chain match rules the listener config will be rejected by Envoy. This commit updates the proxycfg snapshot management so that passthrough addresses can get cleaned up when no longer associated with a given upstream. There is still the possibility of a race condition here where due to timing an address is shared between multiple passthrough upstreams. That concern is mitigated by #12195, but will be further addressed in a follow-up.	3 years ago
Freddy	378a7258e3	Prevent xDS tight loop on cfg errors (#12195 )	3 years ago
Dhia Ayachi	4f0a71d7b4	fix race when starting a service while the agent `serviceManager` is … (#12302 ) * fix race when starting a service while the agent `serviceManager` is stopping * add changelog	3 years ago
Daniel Nephin	01784470f3	Merge pull request #12277 from hashicorp/dnephin/panic-in-service-register catalog: initialize the refs map to prevent a nil panic	3 years ago
Daniel Nephin	82c264b2b3	config-entry: fix a panic when registering a service or ingress gateway	3 years ago
R.B. Boyer	89bd1f57b5	xds: allow only one outstanding delta request at a time (#12236 ) Fixes #11876 This enforces that multiple xDS mutations are not issued on the same ADS connection at once, so that we can 100% control the order that they are applied. The original code made assumptions about the way multiple in-flight mutations were applied on the Envoy side that was incorrect.	3 years ago
Daniel Nephin	7ec658b7ac	Merge pull request #12265 from hashicorp/dnephin/logging-in-tests sdk: add TestLogLevel for setting log level in tests	3 years ago
Daniel Nephin	437f769916	A test to reproduce the issue	3 years ago
Daniel Nephin	51b0f82d0e	Make test more readable And fix typo	3 years ago
Daniel Nephin	608597c7b6	ca: relax and move private key type/bit validation for vault This commit makes two changes to the validation. Previously we would call this validation in GenerateRoot, which happens both on initialization (when a follower becomes leader), and when a configuration is updated. We only want to do this validation during config update so the logic was moved to the UpdateConfiguration function. Previously we would compare the config values against the actual cert. This caused problems when the cert was created manually in Vault (not created by Consul). Now we compare the new config against the previous config. Using a already created CA cert should never error now. Adding the key bit and types to the config should only error when the previous values were not the defaults.	3 years ago
Daniel Nephin	d707173253	ca: small cleanup of TestConnectCAConfig_Vault_TriggerRotation_Fails Before adding more test cases	3 years ago
Daniel Nephin	3f590bb8a1	testing: fix test failures caused by new log level These two tests require debug logging enabled, because they look for log lines. Also switched to testify assertions because the previous errors were not clear.	3 years ago
Daniel Nephin	b058845110	sdk: add TestLogLevel for setting log level in tests And default log level to WARN.	3 years ago
Daniel Nephin	7839b2d7e0	ca: add a test that uses an intermediate CA as the primary CA This test found a bug in the secondary. We were appending the root cert to the PEM, but that cert was already appended. This was failing validation in Vault here: https://github.com/hashicorp/vault/blob/sdk/v0.3.0/sdk/helper/certutil/types.go#L329 Previously this worked because self signed certs have the same SubjectKeyID and AuthorityKeyID. So having the same self-signed cert repeated doesn't fail that check. However with an intermediate that is not self-signed, those values are different, and so we fail the check. A test I added in a previous commit should show that this continues to work with self-signed root certs as well.	3 years ago
Daniel Nephin	ac732ce82b	acl: un-embed ACLIdentity This is safer than embedding two interface because there are a number of places where we check the concrete type. If we check the concrete type on the top-level interface it will fail. So instead expose the ACLIdentity from a method.	3 years ago
Daniel Nephin	9d80c1886a	Merge pull request #12167 from hashicorp/dnephin/acl-resolve-token-3 acl: rename ResolveTokenToIdentityAndAuthorizer to ResolveToken	3 years ago
Daniel Nephin	997bf1e5a4	Merge pull request #12166 from hashicorp/dnephin/acl-resolve-token-2 acl: remove ResolveTokenToIdentity	3 years ago
Daniel Nephin	343b6deb79	acl: rename ResolveTokenToIdentityAndAuthorizer to ResolveToken This change allows us to remove one of the last remaining duplicate resolve token methods (Server.ResolveToken). With this change we are down to only 2, where the second one also handles setting the default EnterpriseMeta from the token.	3 years ago
Daniel Nephin	d363cc0f07	acl: remove unused methods on fakes, and add changelog Also document the metric that was removed in a previous commit.	3 years ago
Daniel Nephin	b2b84e7fc6	Merge pull request #12165 from hashicorp/dnephin/acl-resolve-token acl: remove some of the duplicate resolve token methods	3 years ago
Mathew Estafanous	c5d2bea92c	Change error-handling across handlers. (#12225 )	3 years ago
Fulvio	66f0173355	URL-encode/decode resource names for HTTP API part 4 (#12190 )	3 years ago
Dan Upton	fdfe079674	streaming: split event buffer by key (#12080 )	3 years ago
freddygv	c31c1158a6	Add failing test The updated test fails because passthrough upstream addresses are not being cleaned up.	3 years ago
Daniel Nephin	9b7468f99e	ca/provider: remove ActiveRoot from Provider	3 years ago
Daniel Nephin	c2b9c81a55	ca: update MockProvider for new interface	3 years ago
Daniel Nephin	f05bad4a1d	ca: update GenerateRoot godoc	3 years ago
Daniel Nephin	9a59733b7d	Merge pull request #11663 from hashicorp/dnephin/ca-remove-one-call-to-active-root-2 ca: remove second call to Provider.ActiveRoot	3 years ago
Daniel Nephin	db0478265b	Merge pull request #12109 from hashicorp/dnephin/blocking-query-1 rpc: make blockingQuery easier to read	3 years ago
Daniel Nephin	7a6e03c19b	acl: Remove a call to aclAccessorID I missed this on the first pass, we no longer need to look up this ID, because we have it from the Authorizer.	3 years ago
Daniel Nephin	7125fec346	Merge pull request #11221 from hashicorp/dnephin/acl-resolver-5 acl: extract a backend type for the ACLResolverBackend	3 years ago
Dao Thanh Tung	759dd93544	URL-encode/decode resource names for HTTP API part 3 (#12103 )	3 years ago
Daniel Nephin	f9aef8018b	Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com>	3 years ago
Daniel Nephin	737c0097e0	acl: extract a backend type for the ACLResolverBackend This is a small step to isolate the functionality that is used for the ACLResolver from the large Client and Server structs.	3 years ago
R.B. Boyer	d2c0945f52	xds: fix for delta xDS reconnect bug in LDS/CDS (#12174 ) When a wildcard xDS type (LDS/CDS/SRDS) reconnects from a delta xDS stream, prior to envoy `1.19.0` it would populate the `ResourceNamesSubscribe` field with the full list of currently subscribed items, instead of simply omitting it to infer that it wanted everything (which is what wildcard mode means). This upstream issue was filed in envoyproxy/envoy#16063 and fixed in envoyproxy/envoy#16153 which went out in Envoy `1.19.0` and is fixed in later versions (later refactored in envoyproxy/envoy#16855). This PR conditionally forces LDS/CDS to be wildcard-only even when the connected Envoy requests a non-wildcard subscription, but only does so on versions prior to `1.19.0`, as we should not need to do this on later versions. This fixes the failure case as described here: #11833 (comment) Co-authored-by: Huan Wang <fredwanghuan@gmail.com>	3 years ago
Daniel Nephin	e134e43da6	acl: remove calls to ResolveIdentityFromToken We already have an ACLResolveResult, so we can get the accessor ID from it.	3 years ago
Daniel Nephin	edca8d61a3	acl: remove ResolveTokenToIdentity By exposing the AccessorID from the primary ResolveToken method we can remove this duplication.	3 years ago
Daniel Nephin	a5e8af79c3	acl: return a resposne from ResolveToken that includes the ACLIdentity So that we can duplicate duplicate methods.	3 years ago
Daniel Nephin	8c9c48e219	acl: remove duplicate methods Now that ACLResolver is embedded we don't need ResolveTokenToIdentity on Client and Server. Moving ResolveTokenAndDefaultMeta to ACLResolver removes the duplicate implementation.	3 years ago
Daniel Nephin	241663a046	acl: embed ACLResolver in Client and Server In preparation for removing duplicate resolve token methods.	3 years ago
Chris S. Kim	bee18f4a1d	Generate bindata_assetfs.go (#12146 )	3 years ago
R.B. Boyer	b60d89e7ef	bulk rewrite using this script set -euo pipefail unset CDPATH cd "$(dirname "$0")" for f in $(git grep '\brequire := require\.New(' \| cut -d':' -f1 \| sort -u); do echo "=== require: $f ===" sed -i '/require := require.New(t)/d' $f # require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah) sed -i 's/\brequire\.$[a-zA-Z0-9_]$($[^tr]$/require.\1(t,\2/g' $f # require.XXX(tblah) but not require.XXX(t, blah) sed -i 's/\brequire\.$[a-zA-Z0-9_]$($t[^,]$/require.\1(t,\2/g' $f # require.XXX(rblah) but not require.XXX(r, blah) sed -i 's/\brequire\.$[a-zA-Z0-9_]$($r[^,]$/require.\1(t,\2/g' $f gofmt -s -w $f done for f in $(git grep '\bassert := assert\.New(' \| cut -d':' -f1 \| sort -u); do echo "=== assert: $f ===" sed -i '/assert := assert.New(t)/d' $f # assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah) sed -i 's/\bassert\.$[a-zA-Z0-9_]$($[^tr]$/assert.\1(t,\2/g' $f # assert.XXX(tblah) but not assert.XXX(t, blah) sed -i 's/\bassert\.$[a-zA-Z0-9_]$($t[^,]$/assert.\1(t,\2/g' $f # assert.XXX(rblah) but not assert.XXX(r, blah) sed -i 's/\bassert\.$[a-zA-Z0-9_]$($r[^,]$/assert.\1(t,\2/g' $f gofmt -s -w $f done	3 years ago
R.B. Boyer	31f6f55bbe	test: normalize require.New and assert.New syntax	3 years ago
R.B. Boyer	424f3cdd2c	proxycfg: introduce explicit UpstreamID in lieu of bare string (#12125 ) The gist here is that now we use a value-type struct proxycfg.UpstreamID as the map key in ConfigSnapshot maps where we used to use "upstream id-ish" strings. These are internal only and used just for bidirectional trips through the agent cache keyspace (like the discovery chain target struct). For the few places where the upstream id needs to be projected into xDS, that's what (proxycfg.UpstreamID).EnvoyID() is for. This lets us ALWAYS inject the partition and namespace into these things without making stuff like the golden testdata diverge.	3 years ago
Dan Upton	ca3aca92c4	[OSS] Remove remaining references to master (#11827 )	3 years ago
VictorBac	31a39c9528	Add GRPC and GRPCUseTLS to api.HealthCheckDefinition (#12108 ) * Add GRPC to HealthCheckDefinition * add GRPC and GRPCUseTLS	3 years ago
Evan Culver	e35dd08a63	connect: Upgrade Envoy 1.20 to 1.20.1 (#11895 )	3 years ago
Daniel Nephin	71767f1b3e	rpc: cleanup exit and blocking condition logic in blockingQuery Remove some unnecessary comments around query_blocking metric. The only line that needs any comments in the atomic decrement. Cleanup the block and return comments and logic. The old comment about AbandonCh may have been relevant before, but it is expected behaviour now. The logic was simplified by inverting the err condition.	3 years ago
Daniel Nephin	72a733bed8	rpc: extract rpcQueryTimeout method This helps keep the logic in blockingQuery more focused. In the future we may have a separate struct for RPC queries which may allow us to move this off of Server.	3 years ago
Daniel Nephin	fd0a9fd4f3	rpc: move the index defaulting to setQueryMeta. This safeguard should be safe to apply in general. We are already applying it to non-blocking queries that call blockingQuery, so it should be fine to apply it to others.	3 years ago
Daniel Nephin	4b67d6c18b	rpc: add subtests to blockingQuery test	3 years ago
Daniel Nephin	f92dc11002	rpc: refactor blocking query To remove the TODO, and make it more readable. In general this reduces the scope of variables, making them easier to reason about. It also introduces more early returns so that we can see the flow from the structure of the function.	3 years ago
Daniel Nephin	f31e0b8b1a	Merge pull request #11661 from hashicorp/dnephin/ca-remove-one-call-to-active-root ca: remove one call to Provider.ActiveRoot	3 years ago
Kyle Havlovitz	0db874c38b	Add virtual IP generation for term gateway backed services	3 years ago
Chris S. Kim	98ea6d1cf1	Fix race with tags (#12041 )	3 years ago
Chris S. Kim	a0acf9978f	Fix races in anti-entropy tests (#12028 )	3 years ago
Mike Morris	1b1a97e8f9	ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576 ) * xds: refactor ingress listener SDS configuration * xds: update resolveListenerSDS call args in listeners_test * ingress: add TLS min, max and cipher suites to GatewayTLSConfig * xds: implement envoyTLSVersions and envoyTLSCipherSuites * xds: merge TLS config * xds: configure TLS parameters with ingress TLS context from leaf * xds: nil check in resolveListenerTLSConfig validation * xds: nil check in makeTLSParameters* functions * changelog: add entry for TLS params on ingress config entries * xds: remove indirection for TLS params in TLSConfig structs * xds: return tlsContext, nil instead of ambiguous err Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * xds: switch zero checks to types.TLSVersionUnspecified * ingress: add validation for ingress config entry TLS params * ingress: validate listener TLS config * xds: add basic ingress with TLS params tests * xds: add ingress listeners mixed TLS min version defaults precedence test * xds: add more explicit tests for ingress listeners inheriting gateway defaults * xds: add test for single TLS listener on gateway without TLS defaults * xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test * types/tls: change TLSVersion to string * types/tls: update TLSCipherSuite to string type * types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private * api: add TLS params to GatewayTLSConfig, add tests * api: add TLSMinVersion to ingress gateway config entry test JSON * xds: switch to Envoy TLS cipher suite encoding from types package * xds: fixup validation for TLSv1_3 min version with cipher suites * add some kitchen sink tests and add a missing struct tag * xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites * xds: update connectTLSEnabled comment * xds: remove unsued resolveGatewayServiceTLSConfig function * xds: add makeCommonTLSContextFromLeafWithoutParams * types/tls: add LessThan comparator function for concrete values * types/tls: change tlsVersions validation map from string to TLSVersion keys * types/tls: remove unused envoyTLSCipherSuites * types/tls: enable chacha20 cipher suites for Consul agent * types/tls: remove insecure cipher suites from allowed config TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source. Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330 * types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private * types/tls: return all unmatched cipher suites in validation errors * xds: check that Envoy API value matching TLS version is found when building TlsParameters * types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings * types/tls: cast to string rather than fmt.Printf in TLSCihperSuite.String() * xds: add TLSVersionUnspecified to list of configurable cipher suites * structs: update note about config entry warning * xds: remove TLS min version cipher suite unconfigurable test placeholder * types/tls: update tests to remove assumption about private map values Co-authored-by: R.B. Boyer <rb@hashicorp.com>	3 years ago
Dao Thanh Tung	88c7cfa578	URL-encode/decode resource names for HTTP API part 2 (#11957 )	3 years ago
Daniel Nephin	d57dec5878	ca: remove unnecessary var, and slightly reduce cyclo complexity `newIntermediate` is always equal to `needsNewIntermediate`, so we can remove the extra variable and use the original directly. Also remove the `activeRoot.ID != newActiveRoot.ID` case from an if, because that case is already checked above, and `needsNewIntermediate` will already be true in that case. This condition now reads a lot better: > Persist a new root if we did not have one before, or if generated a new intermediate.	3 years ago
Daniel Nephin	0de7efb316	ca: remove unused provider.ActiveRoot call In the previous commit the single use of this storedRoot was removed. In this commit the original objective is completed. The Provider.ActiveRoot is being removed because 1. the secondary should get the active root from the Consul primary DC, not the provider, so that secondary DCs do not need to communicate with a provider instance in a different DC. 2. so that the Provider.ActiveRoot interface can be changed without impacting other code paths.	3 years ago
Daniel Nephin	d0578c6dfc	ca: extract the lookup of the active primary CA This method had only one caller, which always looked for the active root. This commit moves the lookup into the method to reduce the logic in the one caller. This is being done in preparation for a larger change. Keeping this separate so it is easier to see. The `storedRootID != primaryRoots.ActiveRootID` is being removed because these can never be different. The `storedRootID` comes from `provider.ActiveRoot`, the `primaryRoots.ActiveRootID` comes from the store `CARoot` from the primary. In both cases the source of the data is the primary DC. Technically they could be different if someone modified the provider outside of Consul, but that would break many things, so is not a supported flow. If these were out of sync because of ordering of events then the secondary will soon receive an update to `primaryRoots` and everything will be sorted out again.	3 years ago
Daniel Nephin	7121c78d34	ca: update godoc To clarify what to expect from the data stored in this field, and the behaviour of this function.	3 years ago
Daniel Nephin	abac8baa5d	ca: remove one call to provider.ActiveRoot ActiveRoot should not be called from the secondary DC, because there should not be a requirement to run the same Vault instance in a secondary DC. SignIntermediate is called in a secondary DC, so it should not call ActiveRoot We would also like to change the interface of ActiveRoot so that we can support using an intermediate cert as the primary CA in Consul. In preparation for making that change I am reducing the number of calls to ActiveRoot, so that there are fewer code paths to modify when the interface changes. This change required a change to the mockCAServerDelegate we use in tests. It was returning the RootCert for SignIntermediate, but that is not an accurate fake of production. In production this would also be a separate cert.	3 years ago
Daniel Nephin	eaa084fd41	ca: remove redundant append of an intermediate cert Immediately above this line we are already appending the full list of intermediates. The `provider.ActiveIntermediate` MUST be in this list of intermediates because it must be available to all the other non-leader Servers. If it was not in this list of intermediates then any proxy that received data from a non-leader would have the wrong certs. This is being removed now because we are planning on changing the `Provider.ActiveIntermediate` interface, and removing these extra calls ahead of time helps make that change easier.	3 years ago
Daniel Nephin	11f4cdaa49	ca: only generate a single private key for the whole test case Using tracing and cpu profiling I found that the majority of the time in these test cases is spent generating a private key. We really don't need separate private keys, so we can generate only one and use it for all cases. With this change the test runs much faster.	3 years ago
Daniel Nephin	b3ffe7ac72	ca: cleanup a test Fix the name to match the function it is testing Remove unused code Fix the signature, instead of returning (error, string) which should be (string, error) accept a testing.T to emit errors. Handle the error from encode.	3 years ago
Daniel Nephin	1fd6b16399	ca: use the new leaf signing lookup func in leader metrics	3 years ago
Blake Covarrubias	4bd92921f4	api: Return 404 when deregistering a non-existent check (#11950 ) Update the `/agent/check/deregister/` API endpoint to return a 404 HTTP response code when an attempt is made to de-register a check ID that does not exist on the agent. This brings the behavior of /agent/check/deregister/ in line with the behavior of /agent/service/deregister/ which was changed in #10632 to similarly return a 404 when de-registering non-existent services. Fixes #5821	3 years ago
Dhia Ayachi	1eac39ae9c	clone the service under lock to avoid a data race (#11940 ) * clone the service under lock to avoid a data race * add change log * create a struct and copy the pointer to mutate it to avoid a data race * fix failing test * revert added space * add comments, to clarify the data race.	3 years ago
Daniel Nephin	065f6f89fb	Merge pull request #11918 from hashicorp/dnephin/tob-followup Fix a few small bugs	3 years ago
Daniel Nephin	abfc1e4840	snapshot: return the error from replyFn The only function passed to SnapshotRPC today always returns a nil error, so there's no way to exercise this bug in practice. This change is being made for correctness so that it doesn't become a problem in the future, if we ever pass a different function to SnapshotRPC.	3 years ago
Daniel Nephin	0166b0839c	config: correctly capture all errors. Some calls to multierror.Append were not using the existing b.err, which meant we were losing all previous errors.	3 years ago
Chris S. Kim	4cd2542a3e	Fix test for ENT (#11946 )	3 years ago
Chris S. Kim	e4bcaac08c	Fix test for ENT (#11941 )	3 years ago
Dhia Ayachi	e653f81919	reset `coalesceTimer` to nil as soon as the event is consumed (#11924 ) * reset `coalesceTimer` to nil as soon as the event is consumed * add change log * refactor to add relevant test. * fix linter * Apply suggestions from code review Co-authored-by: Freddy <freddygv@users.noreply.github.com> * remove non needed check Co-authored-by: Freddy <freddygv@users.noreply.github.com>	3 years ago
Mathew Estafanous	0fdd1318e9	Ensure consistency with error-handling across all handlers. (#11599 )	3 years ago
Jared Kirschner	b393c90ce7	Clarify service and check error messages (use ID) Error messages related to service and check operations previously included the following substrings: - service %q - check %q From this error message, it isn't clear that the expected field is the ID for the entity, not the name. For example, if the user has a service named test, the error message would read 'Unknown service "test"'. This is misleading - a service with that name does exist, but not with that ID. The substrings above have been modified to make it clear that ID is needed, not name: - service with ID %q - check with ID %q	3 years ago
Jared Kirschner	a36ddc31c7	Merge pull request #11335 from littlestar642/url-encoded-args URL-encode/decode resource names for HTTP API	3 years ago
Chris S. Kim	30550f2c63	testing: Revert assertion for virtual IP flag (#11932 )	3 years ago
Jared Kirschner	e0ddb9e4c5	Merge pull request #11820 from hashicorp/improve-ui-disabled-api-response http: improve UI not enabled response message	3 years ago
littlestar642	634c72d22f	add path escape and unescape to path params	3 years ago
Daniel Nephin	1683da66b0	Merge pull request #11796 from hashicorp/dnephin/cleanup-test-server testing: stop using an old version in testServer	3 years ago
freddygv	21f2c2e68d	Purge chain if it shouldn't be there	3 years ago
freddygv	fe85138453	additional test fixes	3 years ago
freddygv	d26b4860fd	Account for new upstreams constraint in tests	3 years ago
freddygv	2fe27b748d	Check ingress upstreams when gating chain watches	3 years ago
freddygv	6814e84459	Use ptr receiver in all Upstream methods	3 years ago
freddygv	6af9a0d8cf	Avoid storing chain without an upstream	3 years ago
freddygv	ba12dc215b	Clean up chains separately from their watches	3 years ago
freddygv	c5c290c503	Validate chains are associated with upstreams Previously we could get into a state where discovery chain entries were not cleaned up after the associated watch was cancelled. These changes add handling for that case where stray chain references are encountered.	3 years ago
freddygv	70d6358426	Store intention upstreams in snapshot	3 years ago
R.B. Boyer	81ea8129d7	proxycfg: ensure all of the watches are canceled if they are cancelable (#11824 )	3 years ago
Jared Kirschner	f81dd817ff	Merge pull request #11818 from hashicorp/improve-url-not-found-response http: improve 404 Not Found response message	3 years ago
R.B. Boyer	4aabbe529c	proxycfg: use external addresses in tproxy when crossing partition boundaries (#11823 )	3 years ago
Jared Kirschner	2de79abc00	http: improve 404 Not Found response message When a URL path is not found, return a non-empty message with the 404 status code to help the user understand what went wrong. If the URL path was not prefixed with '/v1/', suggest that may be the cause of the problem (which is a common mistake).	3 years ago
Freddy	85fe875d07	Use anonymousToken when querying by secret ID (#11813 ) Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Dan Upton <daniel@floppy.co> This query has been incorrectly querying by accessor ID since New ACLs were added. However, the legacy token compat allowed this to continue to work, since it made a fallback query for the anonymousToken ID. PR #11184 removed this legacy token query, which means that the query by accessor ID is now the only check for the anonymous token's existence. This PR updates the GetBySecret call to use the secret ID of the token.	3 years ago
R.B. Boyer	631c649291	various partition related todos (#11822 )	3 years ago
Jared Kirschner	34ea9ae8c9	http: improve UI not enabled response message Response now clearly indicates: - the UI is disabled - how to enable the UI	3 years ago
Kyle Havlovitz	b50ef696c6	Merge pull request #11812 from hashicorp/metrics-ui-acls oss: use wildcard partition in metrics proxy ui endpoint	3 years ago
Kyle Havlovitz	9dcaf0539c	Merge pull request #11798 from hashicorp/vip-goroutine-check leader: move the virtual IP version check into a goroutine	3 years ago
Kyle Havlovitz	018693b6ee	acl: use wildcard partition in metrics proxy ui endpoint	3 years ago
Kyle Havlovitz	80a4489844	state: fix freed VIP table id index	3 years ago
Kyle Havlovitz	ecbd3eb2a6	Exit before starting the vip check routine if possible	3 years ago
Daniel Nephin	0a9cb62859	testing: Deprecate functions for creating a server. These helper functions actually end up hiding important setup details that should be visible from the test case. We already have a convenient way of setting this config when calling newTestServerWithConfig.	3 years ago
Daniel Nephin	c9a992f5e8	testing: remove old config.Build version DefaultConfig already sets the version to version.Version, so by removing this our tests will run with the version that matches the code.	3 years ago
Kyle Havlovitz	04ef1c3fa0	leader: move the virtual IP version check into a goroutine	3 years ago
FFMMM	74eb257b1c	[sync ent] increase segment max limit to 464, make configurable (#1424 ) (#11795 ) commit b6eb27563e747a78b7647d2b5da405e46364cc46 Author: FFMMM <FFMMM@users.noreply.github.com> Date: Thu Dec 9 13:53:44 2021 -0800 increase segment max limit to 464, make configurable (#1424) Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> fix: rename ent changelog file Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>	3 years ago
Daniel Nephin	f9647ece05	Merge pull request #11780 from hashicorp/dnephin/ca-test-vault-in-secondary ca: improve test coverage for RenewIntermediate	3 years ago
R.B. Boyer	bb75e63eb4	agent: ensure service maintenance checks for matching partitions ahead of other errors (#11788 ) This matches behavior in most other agent api endpoints.	3 years ago
Daniel Nephin	4116a143e0	fix misleading errors on vault shutdown	3 years ago
Daniel Nephin	968aeff1bb	ca: prune some unnecessary lookups in the tests	3 years ago
Daniel Nephin	305655a8b1	ca: remove duplicate WaitFor function	3 years ago
Daniel Nephin	1dec6bb815	ca: fix flakes in RenewIntermediate tests I suspect one problem was that we set structs.IntermediateCertRenewInterval to 1ms, which meant that in some cases the intermediate could renew before we stored the original value. Another problem was that the 'wait for intermediate' loop was calling the provider.ActiveIntermediate, but the comparison needs to use the RPC endpoint to accurately represent a user request. So changing the 'wait for' to use the state store ensures we don't race. Also moves the patching into a separate function. Removes the addition of ca.CertificateTimeDriftBuffer as part of calculating halfTime. This was added in a previous commit to attempt to fix the flake, but it did not appear to fix the problem. Adding the time here was making the tests fail when using the shared patch function. It's not clear to me why, but there's no reason we should be including this time in the halfTime calculation.	3 years ago
Daniel Nephin	2e4e8bd791	ca: improve RenewIntermediate tests Use the new verifyLearfCert to show the cert verifies with intermediates from both sources. This required using the RPC interface so that the leaf pem was constructed correctly. Add IndexedCARoots.Active since that is a common operation we see in a few places.	3 years ago
Daniel Nephin	a4ba1f348d	ca: add a test for Vault in secondary DC	3 years ago
Daniel Nephin	a5d9b1d322	ca: Add CARoots.Active method Which will be used in the next commit.	3 years ago
R.B. Boyer	5f5720837b	acl: ensure that the agent recovery token is properly partitioned (#11782 )	3 years ago
Daniel Nephin	f72e285fe8	Merge pull request #11721 from hashicorp/dnephin/ca-export-fsm-operation ca: use the real FSM operation in tests	3 years ago
Daniel Nephin	214dcf8d0d	ca: use the real FSM operation in tests Previously we had a couple copies that reproduced the FSM operation. These copies introduce risk that the test does not accurately match production. This PR removes the test versions of the FSM operation, and exports the real production FSM operation so that it can be used in tests. The consul provider tests did need to change because of this. Previously we would return a hardcoded value of 2, but in production this value is always incremented.	3 years ago
R.B. Boyer	592ac8f96a	test: test server should auto cleanup (#11779 )	3 years ago
Evan Culver	7a365fa0da	rpc: Unset partition before forwarding to remote datacenter (#11758 )	3 years ago
Daniel Nephin	dccd3f5806	Merge remote-tracking branch 'origin/main' into serve-panic-recovery	3 years ago
Dan Upton	7efab269c0	Rename `Master` and `AgentMaster` fields in config protobuf (#11764 )	3 years ago
Chris S. Kim	f8f8580ab2	Godocs updates for catalog endpoints (#11716 )	3 years ago
Mathew Estafanous	0a9621ec7a	Transition all endpoint tests in agent_endpoint_test.go to go through ServeHTTP (#11499 )	3 years ago
Dan Upton	205ce9a69d	Remove references to "master" ACL tokens in tests (#11751 )	3 years ago
Dan Upton	7fe81171d9	Rename `ACLMasterToken` => `ACLInitialManagementToken` (#11746 )	3 years ago
Dan Upton	3a91815169	agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744 )	3 years ago
R.B. Boyer	9315a9812f	return the max	3 years ago
freddygv	60fe5f75bb	Remove support for failover to partition Failing over to a partition is more siimilar to failing over to another datacenter than it is to failing over to a namespace. In a future release we should update how localities for failover are specified. We should be able to accept a list of localities which can include both partition and datacenter.	3 years ago
freddygv	5c1f7aa372	Allow cross-partition references in disco chain * Add partition fields to targets like service route destinations * Update validation to prevent cross-DC + cross-partition references * Handle partitions when reading config entries for disco chain * Encode partition in compiled targets	3 years ago
R.B. Boyer	b1605639fc	light refactors to support making partitions and serf-based wan federation are mutually exclusive (#11755 )	3 years ago
R.B. Boyer	e20e6348dd	areas: make the gRPC server tracker network area aware (#11748 ) Fixes a bug whereby servers present in multiple network areas would be properly segmented in the Router, but not in the gRPC mirror. This would lead servers in the current datacenter leaving from a network area (possibly during the network area's removal) from deleting their own records that still exist in the standard WAN area. The gRPC client stack uses the gRPC server tracker to execute all RPCs, even those targeting members of the current datacenter (which is unlike the net/rpc stack which has a bypass mechanism). This would manifest as a gRPC method call never opening a socket because it would block forever waiting for the current datacenter's pool of servers to be non-empty.	3 years ago
Freddy	a725f06c83	Merge pull request #11739 from hashicorp/ap/exports-rename	3 years ago
freddygv	e91509383f	Clean up additional refs to partition exports	3 years ago
freddygv	ed6076db26	Rename partition-exports to exported-services Using a name less tied to partitions gives us more flexibility to use this config entry in OSS for exports between datacenters/meshes.	3 years ago
freddygv	f5b25401b3	Update intention topology to use new table	3 years ago
freddygv	55970c6ccd	Avoid updating default decision from wildcard ixn Given that we do not allow wildcard partitions in intentions, no one ixn can override the DefaultAllow setting. Only the default ACL policy applies across all partitions.	3 years ago
freddygv	497aab669f	Add a new table to query service names by kind This table purposefully does not index by partition/namespace. It's a global view into all service names. This table is intended to replace the current serviceListTxn watch in intentionTopologyTxn. For cross-partition transparent proxying we need to be able to calculate upstreams from intentions in any partition. This means that the existing serviceListTxn function is insufficient since it's scoped to a partition. Moving away from that function is also beneficial because it watches the main "services" table, so watchers will wake up when any instance is registered or deregistered.	3 years ago
freddygv	e7a7042c69	Update listener generation to account for consul VIP	3 years ago
Freddy	f032d6ef05	Merge pull request #11680 from hashicorp/ap/partition-exports-oss	3 years ago
Dan Upton	3b9dfca88d	internal: support `ResultsFilteredByACLs` flag/header (#11643 )	3 years ago
Dan Upton	c8204330ed	query: support `ResultsFilteredByACLs` in query list endpoint (#11620 )	3 years ago
Dhia Ayachi	ce326b6074	port oss changes (#11736 )	3 years ago
Freddy	e246defb6c	Merge pull request #11720 from hashicorp/bbolt	3 years ago
Dan Upton	047aa2ffb0	fedstate: support `ResultsFilteredByACLs` in `ListMeshGateways` endpoint (#11644 )	3 years ago
Dan Upton	361d9c2862	catalog: support `ResultsFilteredByACLs` flag/header (#11594 )	3 years ago
Dan Upton	4c0956c03a	coordinate: support `ResultsFilteredByACLs` flag/header (#11617 )	3 years ago
Dan Upton	bf1e2ca551	sessions: support `ResultsFilteredByACLs` flag/header (#11606 )	3 years ago
Dan Upton	d92f0d84c6	txn: support `ResultsFilteredByACLs` flag in `Read` endpoint (#11632 )	3 years ago
Dan Upton	547aa219ea	agent: support `X-Consul-Results-Filtered-By-ACLs` header in agent-local endpoints (#11610 )	3 years ago
Dhia Ayachi	86159c6ed8	sessions partitioning tests (#11734 ) * state: port KV and Tombstone tables to new pattern * go fmt'ed * handle wildcards for tombstones * Fix graveyard ent vs oss * fix oss compilation error * add partition to tombstones and kv state store indexes * refactor to use `indexWithEnterpriseIndexable` * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add `singleValueID` implementation assertions * partition `tableSessions` table * fix sessions to use UUID and fix prefix index * fix oss build * clean up unused functions * fix oss compilation * add a partition indexer for sessions * Fix oss to not have partition index * fix oss tests * remove unused operations_ent.go and operations_oss.go func * remove unused const * convert `IndexID` of `session_checks` table * convert `indexSession` of `session_checks` table * convert `indexNodeCheck` of `session_checks` table * partition `indexID` and `indexSession` of `tableSessionChecks` * fix oss linter * fix review comments * remove partition for Checks as it's always use the session partition * fix tests * fix tests * do not namespace nodeChecks index Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Dan Upton	c314be2ff9	intention: support `ResultsFilteredByACLs` flag/header (#11612 )	3 years ago
Mark Anderson	a89ffba2d4	Cross port of ent #1383 (#11726 ) Cross port of ent #1383 "Reject non-default datacenter when making partitioned ACLs" On the OSS side this is a minor refactor to add some more checks that are only applicable to enterprise code. Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Dan Upton	599a4d6619	config: support `ResultsFilteredByACLs` in list/list all endpoints (#11621 )	3 years ago
Dan Upton	c4c68915c9	event: support `X-Consul-Results-Filtered-By-ACLs` header in list (#11616 )	3 years ago
Dan Upton	474ef7cc1f	kv: support `ResultsFilteredByACLs` in list/list keys (#11593 )	3 years ago
Dan Upton	cf1bd585f6	health: support `ResultsFilteredByACLs` flag/header (#11602 )	3 years ago
Dan Upton	1e47e3c82b	Groundwork for exposing when queries are filtered by ACLs (#11569 )	3 years ago
Kyle Havlovitz	0546bbe08a	dns: add endpoint for querying service virtual IPs	3 years ago
Kyle Havlovitz	6f34a4f777	Merge pull request #11724 from hashicorp/service-virtual-ips oss: add virtual IP generation for connect services	3 years ago
Kyle Havlovitz	4f2cfee4b0	consul: add virtual IP generation for connect services	3 years ago
R.B. Boyer	c46f9f9f31	agent: add variation of force-leave that exclusively works on the WAN (#11722 ) Fixes #6548	3 years ago
Matt Keeler	c7a94843ee	Emit raft-boltdb metrics	3 years ago
Daniel Nephin	e47cecc653	config: add NoFreelistSync option # Conflicts: # agent/config/testdata/TestRuntimeConfig_Sanitize-enterprise.golden # agent/consul/server.go	3 years ago
Matt Keeler	42a5635bc3	Use raft-boltdb/v2	3 years ago
Daniel Nephin	17a2d14d49	ca: set the correct SigningKeyID after config update with Vault provider The test added in this commit shows the problem. Previously the SigningKeyID was set to the RootCert not the local leaf signing cert. This same bug was fixed in two other places back in 2019, but this last one was missed. While fixing this bug I noticed I had the same few lines of code in 3 places, so I extracted a new function for them. There would be 4 places, but currently the InitializeCA flow sets this SigningKeyID in a different way, so I've left that alone for now.	3 years ago
Daniel Nephin	96f95889db	Merge pull request #11713 from hashicorp/dnephin/ca-test-names ca: make test naming consistent	3 years ago
Daniel Nephin	ff4581092e	Merge pull request #11671 from hashicorp/dnephin/ca-fix-storing-vault-intermediate ca: fix storing the leaf signing cert with Vault provider	3 years ago
Daniel Nephin	81afb208ac	Merge pull request #11677 from hashicorp/dnephin/freeport-interface sdk: use t.Cleanup in freeport and remove unnecessary calls	3 years ago
Daniel Nephin	447097b166	ca: make test naming consistent While working on the CA system it is important to be able to run all the tests related to the system, without having to wait for unrelated tests. There are many slow and unrelated tests in agent/consul, so we need some way to filter to only the relevant tests. This PR renames all the CA system related tests to start with either `TestCAMananger` for tests of internal operations that don't have RPC endpoint, or `TestConnectCA` for tests of RPC endpoints. This allows us to run all the test with: go test -run 'TestCAMananger\|TestConnectCA' ./agent/consul The test naming follows an undocumented convention of naming tests as follows: Test[<struct name>_]<function name>[_<test case description>] I tried to always keep Primary/Secondary at the end of the description, and _Vault_ has to be in the middle because of our regex to run those tests as a separate CI job. You may notice some of the test names changed quite a bit. I did my best to identify the underlying method being tested, but I may have been slightly off in some cases.	3 years ago
FFMMM	384d497f26	add MustRevalidate flag to connect_ca_leaf cache type; always use on non-blocking queries (#11693 ) * always use MustRevalidate on non-blocking queries for connect ca leaf Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Update agent/agent_endpoint_test.go Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * pr feedback Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>	3 years ago
Daniel Nephin	28a8a64019	ca: make getLeafSigningCertFromRoot safer As a method on the struct type this would not be safe to call without first checking c.isIntermediateUsedToSignLeaf. So for now, move this logic to the CAMananger, so that it is always correct.	3 years ago
Daniel Nephin	b29faa3e50	ca: fix stored CARoot representation with Vault provider We were not adding the local signing cert to the CARoot. This commit fixes that bug, and also adds support for fixing existing CARoot on upgrade. Also update the tests for both primary and secondary to be more strict. Check the SigningKeyID is correct after initialization and rotation.	3 years ago
Dan Upton	bf56a2c495	Rename `agent_master` ACL token in the API and CLI (#11669 )	3 years ago
Dan Upton	d8afd2f6c8	Rename `master` and `agent_master` ACL tokens in the config file format (#11665 )	3 years ago
Chris S. Kim	54e4d1b7b2	ENT to OSS sync (#11703 )	3 years ago
R.B. Boyer	db91cbf484	auto-config: ensure the feature works properly with partitions (#11699 )	3 years ago
Daniel Nephin	32ef9c5d5c	ca: add some godoc and func for finding leaf signing cert This will be used in a follow up commit.	3 years ago
Daniel Nephin	4185045a7f	sdk/freeport: rename Port to GetOne For better consistency with GetN	3 years ago
Chris S. Kim	56fab21582	Refactor test helper (#11689 ) Allow custom ACL root tokens to be passed	3 years ago
Chris S. Kim	36246c5791	acl: Fill authzContext from token in Coordinate endpoints (#11688 )	3 years ago
freddygv	dd662d7058	Move ent config test to ent file	3 years ago
freddygv	5e1f7b7c36	Prevent partition-exports entry from OSS usage Validation was added on the config entry kind since that is called when validating config entries to bootstrap via agent configuration and when applying entries via the config RPC endpoint.	3 years ago
Daniel Nephin	e8312d6b5a	testing: remove unnecessary calls to freeport Previously we believe it was necessary for all code that required ports to use freeport to prevent conflicts. https://github.com/dnephin/freeport-test shows that it is actually save to use port 0 (`127.0.0.1:0`) as long as it is passed directly to `net.Listen`, and the listener holds the port for as long as it is needed. This works because freeport explicitly avoids the ephemeral port range, and port 0 always uses that range. As you can see from the test output of https://github.com/dnephin/freeport-test, the two systems never use overlapping ports. This commit converts all uses of freeport that were being passed directly to a net.Listen to use port 0 instead. This allows us to remove a bit of wrapping we had around httptest, in a couple places.	3 years ago
Daniel Nephin	d795a73f78	testing: use the new freeport interfaces	3 years ago
Daniel Nephin	56f9238d15	go-sso: remove returnFunc now that freeport handles return	3 years ago

... 2 3 4 5 6 ...

4231 Commits (de51780eb87bf060fcebc87a862af667c6acbefc)