consul

Commit Graph

Author	SHA1	Message	Date
Kyle Havlovitz	0d9c99b227	Clean up ent meta id usage in overview summary	3 years ago
Eric	776f5843d0	remove gogo from pbservice	3 years ago
Mark Anderson	5590da2732	Fixup dropped SecretID usage Looks like something got munged at some point. Not sure how it slipped in, but my best guess is that because TestTxn_Apply_ACLDeny is marked flaky we didn't block merge because it failed. Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Kyle Havlovitz	e530fbfb33	oss: Add overview UI internal endpoint	3 years ago
Dhia Ayachi	72a997242b	split `pbcommon` to `pbcommon` and `pbcommongogo` (#12587 ) * mogify needed pbcommon structs * mogify needed pbconnect structs * fix compilation errors and make config_translate_test pass * add missing file * remove redundant oss func declaration * fix EnterpriseMeta to copy the right data for enterprise * rename pbcommon package to pbcommongogo * regenerate proto and mog files * add missing mog files * add pbcommon package * pbcommon no mog * fix enterprise meta code generation * fix enterprise meta code generation (pbcommongogo) * fix mog generation for gogo * use `protoc-go-inject-tag` to inject tags * rename proto package * pbcommon no mog * use `protoc-go-inject-tag` to inject tags * add non gogo proto to make file * fix proto get	3 years ago
Dan Upton	f8e2e3c710	streaming: emit events when Connect CA Roots change (#12590 ) OSS sync of enterprise changes at 614f786d	3 years ago
FFMMM	a7e5ee005a	factor out recording func, add unit tests (#12585 ) Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>	3 years ago
Dan Upton	7298967070	Restructure gRPC server setup (#12586 ) OSS sync of enterprise changes at 0b44395e	3 years ago
FFMMM	e5ebc47a94	pre register new rpc metric, rename metric (#12582 )	3 years ago
Mark Anderson	fa63aed1fa	Add source of authority annotations to the PermissionDeniedError output. (#12567 ) This extends the acl.AllowAuthorizer with source of authority information. The next step is to unify the AllowAuthorizer and ACLResolveResult structures; that will be done in a separate PR. Part of #12481 Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Dan Upton	b36d4e16b6	Support per-listener TLS configuration ⚙️ (#12504 ) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.	3 years ago
Evan Culver	e3e481022e	lib: add validation package + DNS label validation (#12535 ) Co-authored-by: Chris S. Kim <ckim@hashicorp.com>	3 years ago
FFMMM	db27ea3484	[sync oss] add net/rpc interceptor implementation (#12573 ) * sync ent changes from 866dcb0667 Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * update oss go.mod Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>	3 years ago
Jared Kirschner	6c84083307	Merge pull request #11821 from hashicorp/error-if-get-request-has-body http: error if GET request has non-empty body	3 years ago
Jared Kirschner	c73267f318	http: WARN if GET request has non-empty body Give the user a hint that they might be doing something wrong if their GET request has a non-empty body, which can easily happen using curl's --data-urlencode if specifying request type via "--request GET" rather than "--get". See https://github.com/hashicorp/consul/issues/11471.	3 years ago
Eric	eea8300187	Remove the stdduration gogo extension	3 years ago
mrspanishviking	7180c99960	Revert "[Docs] Agent configuration hierarchy "	3 years ago
trujillo-adam	4151dc097a	fixing merge conflicts part 3	3 years ago
Eric Haberkorn	e92dd9dc9a	Merge pull request #12556 from hashicorp/wire-up-serverless-patcher Create and wire up the serverless patcher	3 years ago
Eric Haberkorn	fc3c0f312c	Merge pull request #12557 from hashicorp/remove-healthcheck-gogo-stdduration Remove Gogo Stdduration From the Healthcheck Protobufs	3 years ago
Eric	4e6b34725d	Remove gogo stdduration from the healthcheck protobufs	3 years ago
Eric	cf3e517d0e	Create and wire up the serverless patcher	3 years ago
trujillo-adam	76d55ac2b4	merging new hierarchy for agent configuration	3 years ago
Mark Anderson	676ea58bc4	Refactor config checks oss (#12550 ) Currently the config_entry.go subsystem delegates authorization decisions via the ConfigEntry interface CanRead and CanWrite code. Unfortunately this returns a true/false value and loses the details of the source. This is not helpful, especially since it the config subsystem can be more complex to understand, since it covers so many domains. This refactors CanRead/CanWrite to return a structured error message (PermissionDenied or the like) with more details about the reason for denial. Part of #12241 Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Eric Haberkorn	d59364fa7f	Merge pull request #12536 from hashicorp/add-serverless-config Add the `connect.enable_serverless_plugin` configuration option	3 years ago
Eric Haberkorn	44609c0ca5	Merge pull request #12539 from hashicorp/make-xds-lib Make the xdscommon package	3 years ago
Eric	3302b2eec2	Add the `connect.enable_serverless_plugin` configuration option.	3 years ago
Mark Anderson	aaefe15613	Bulk acl message fixup oss (#12470 ) * First pass for helper for bulk changes Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Convert ACLRead and ACLWrite to new form Signed-off-by: Mark Anderson <manderson@hashicorp.com> * AgentRead and AgentWRite Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Fix EventWrite Signed-off-by: Mark Anderson <manderson@hashicorp.com> * KeyRead, KeyWrite, KeyList Signed-off-by: Mark Anderson <manderson@hashicorp.com> * KeyRing Signed-off-by: Mark Anderson <manderson@hashicorp.com> * NodeRead NodeWrite Signed-off-by: Mark Anderson <manderson@hashicorp.com> * OperatorRead and OperatorWrite Signed-off-by: Mark Anderson <manderson@hashicorp.com> * PreparedQuery Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Intention partial Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Fix ServiceRead, Write ,etc Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Error check ServiceRead? Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Fix Sessionread/Write Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Fixup snapshot ACL Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Error fixups for txn Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Add changelog Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Fixup review comments Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Eric	f5c9fa6fa6	Make an xdscommon package that will be shared between Consul and Envoy plugins	3 years ago
Eric Haberkorn	abfcde1bc6	Merge pull request #12529 from hashicorp/add-meta-to-service-config-response Add `Meta` to `ServiceConfigResponse`	3 years ago
Eric Haberkorn	9d0ec2eec2	Code review changes	3 years ago
R.B. Boyer	2a56e0055b	proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531 ) Prior to this PR for the envoy xDS golden tests in the agent/xds package we were hand-creating a proxycfg.ConfigSnapshot structure in the proper format for input to the xDS generator. Over time this intermediate structure has gotten trickier to build correctly for the various tests. This PR proposes to switch to using the existing mechanism for turning a structs.NodeService and a sequence of cache.UpdateEvent copies into a proxycfg.ConfigSnapshot, as that is less error prone to construct and aligns more with how the data arrives. NOTE: almost all of this is in test-related code. I tried super hard to craft correct event inputs to get the golden files to be the same, or similar enough after construction to feel ok that i recreated the spirit of the original test cases.	3 years ago
Eric	f7cc7ff5cd	Add `Meta` to `ServiceConfigResponse`	3 years ago
R.B. Boyer	8307e40f2b	reduce flakiness/raciness of errNotFound and errNotChanged blocking query tests (#12518 ) Improves tests from #12362 These tests try to setup the following concurrent scenario: 1. (goroutine 1) execute read RPC with index=0 2. (goroutine 1) get response from (1) @ index=10 3. (goroutine 1) execute read RPC with index=10 and block 4. (goroutine 2) WHILE (3) is blocking, start slamming the system with stray writes that will cause the WatchSet to wakeup 5. (goroutine 2) after doing all writes, shut down the reader above 6. (goroutine 1) stops reading, double checks that it only ever woke up once (from 1)	3 years ago
R.B. Boyer	9268715697	server: fix spurious blocking query suppression for discovery chains (#12512 ) Minor fix for behavior in #12362 IsDefault sometimes returns true even if there was a proxy-defaults or service-defaults config entry that was consulted. This PR fixes that.	3 years ago
Daniel Nephin	5ba994a73f	Merge pull request #12298 from jorgemarey/b-persistnewrootandconfig Avoid raft change when no config is provided on persistNewRootAndConfig	3 years ago
Daniel Nephin	161206e24d	ca: make sure the test fails without the fix Also change the path used for the secondary so that both primary and secondary do not overwrite each other.	3 years ago
R.B. Boyer	58e053c336	raft: upgrade to v1.3.6 (#12496 ) Add additional protections on the Consul side to prevent NonVoters from bootstrapping raft. This should un-flake TestServer_Expect_NonVoters	3 years ago
Daniel Nephin	73c91ed80f	Merge pull request #12467 from hashicorp/dnephin/ci-vault-test-safer ca: require that tests that use Vault are named correctly	3 years ago
R.B. Boyer	6666832077	test: parallelize more of TestLeader_ReapOrLeftMember_IgnoreSelf (#12468 ) before: $ go test ./agent/consul -run TestLeader_ReapOrLeftMember_IgnoreSelf ok github.com/hashicorp/consul/agent/consul 21.147s after: $ go test ./agent/consul -run TestLeader_ReapOrLeftMember_IgnoreSelf ok github.com/hashicorp/consul/agent/consul 5.402s	3 years ago
Jorge Marey	f429c1a5d9	Fix vault test with suggested changes	3 years ago
Jorge Marey	1a0baf4024	Add test case to verify #12298	3 years ago
Jorge Marey	4375dd2409	Avoid raft change when no config is provided on CAmanager - This avoids a change to the raft store when no roots or config are provided to persistNewRootAndConfig	3 years ago
Daniel Nephin	d669226784	ca: fix a test This test does not use Vault, so does not need ca.SkipIfVaultNotPresent	3 years ago
Daniel Nephin	1f00ede559	ca: require that tests that use Vault are named correctly Previously we were using two different criteria to decide where to run a test. The main `go-test` job would skip Vault tests based on the presence of the `vault` binary, but the `test-connect-ca-providers` job would run tests based on the name. This led to a scenario where a test may never run in CI. To fix this problem I added a name check to the function we use to skip the test. This should ensure that any test that requires vault is named correctly to be run as part of the `test-connect-ca-providers` job. At the same time I relaxed the regex we use. I verified this runs the same tests using `go test --list Vault`. I made this change because a bunch of tests in `agent/connect/ca` used `Vault` in the name, without the underscores. Instead of changing a bunch of test names, this seemed easier. With this approach, the worst case is that we run a few extra tests in the `test-connect-ca-providers` job, which doesn't seem like a problem.	3 years ago
R.B. Boyer	7b0548dd8d	server: suppress spurious blocking query returns where multiple config entries are involved (#12362 ) Starting from and extending the mechanism introduced in #12110 we can specially handle the 3 main special Consul RPC endpoints that react to many config entries in a single blocking query in Connect: - `DiscoveryChain.Get` - `ConfigEntry.ResolveServiceConfig` - `Intentions.Match` All of these will internally watch for many config entries, and at least one of those will likely be not found in any given query. Because these are blends of multiple reads the exact solution from #12110 isn't perfectly aligned, but we can tweak the approach slightly and regain the utility of that mechanism. ### No Config Entries Found In this case, despite looking for many config entries none may be found at all. Unlike #12110 in this scenario we do not return an empty reply to the caller, but instead synthesize a struct from default values to return. This can be handled nearly identically to #12110 with the first 1-2 replies being non-empty payloads followed by the standard spurious wakeup suppression mechanism from #12110. ### No Change Since Last Wakeup Once a blocking query loop on the server has completed and slept at least once, there is a further optimization we can make here to detect if any of the config entries that were present at specific versions for the prior execution of the loop are identical for the loop we just woke up for. In that scenario we can return a slightly different internal sentinel error and basically externally handle it similar to #12110. This would mean that even if 20 discovery chain read RPC handling goroutines wakeup due to the creation of an unrelated config entry, the only ones that will terminate and reply with a blob of data are those that genuinely have new data to report. ### Extra Endpoints Since this pattern is pretty reusable, other key config-entry-adjacent endpoints used by `agent/proxycfg` also were updated: - `ConfigEntry.List` - `Internal.IntentionUpstreams` (tproxy)	3 years ago
Chris S. Kim	25f4a425d1	Merge pull request #12442 from danieleva/12422-keyring Allows keyring operations on client agents	3 years ago
Evan Culver	522676ed8d	connect: Update supported Envoy versions to include 1.19.3 and 1.18.6	3 years ago
Evan Culver	b95f010ac0	connect: Upgrade Envoy 1.20 to 1.20.2 (#12443 )	3 years ago
R.B. Boyer	ca112f8721	fix flaky test panic (#12446 )	3 years ago
R.B. Boyer	957146401e	catalog: compare node names case insensitively in more places (#12444 ) Many places in consul already treated node names case insensitively. The state store indexes already do it, but there are a few places that did a direct byte comparison which have now been corrected. One place of particular consideration is ensureCheckIfNodeMatches which is executed during snapshot restore (among other places). If a node check used a slightly different casing than the casing of the node during register then the snapshot restore here would deterministically fail. This has been fixed. Primary approach: git grep -i "node.[!=]=.node" -- ':!_test.go' ':!docs' git grep -i '\[[^]]member[^]]\] git grep -i '\[[^]]$member\\|name\\|node$[^]]\]' -- ':!_test.go' ':!website' ':!ui' ':!agent/proxycfg/testing.go:' ':!*.md'	3 years ago
Daniele Vazzola	e76ca318dc	Allows keyring operations on client agents	3 years ago
R.B. Boyer	64271289ec	server: partly fix config entry replication issue that prevents replication in some circumstances (#12307 ) There are some cross-config-entry relationships that are enforced during "graph validation" at persistence time that are required to be maintained. This means that config entries may form a digraph at times. Config entry replication procedes in a particular sorted order by kind and name. Occasionally there are some fixups to these digraphs that end up replicating in the wrong order and replicating the leaves (ingress-gateway) before the roots (service-defaults) leading to replication halting due to a graph validation error related to things like mismatched service protocol requirements. This PR changes replication to give each computed change (upsert/delete) a fair shot at being applied before deciding to terminate that round of replication in error. In the case where we've simply tried to do the operations in the wrong order at least ONE of the outstanding requests will complete in the right order, leading the subsequent round to have fewer operations to do, with a smaller likelihood of graph validation errors. This does not address all scenarios, but for scenarios where the edits are being applied in the wrong order this should avoid replication halting. Fixes #9319 The scenario that is NOT ADDRESSED by this PR is as follows: 1. create: service-defaults: name=new-web, protocol=http 2. create: service-defaults: name=old-web, protocol=http 3. create: service-resolver: name=old-web, redirect-to=new-web 4. delete: service-resolver: name=old-web 5. update: service-defaults: name=old-web, protocol=grpc 6. update: service-defaults: name=new-web, protocol=grpc 7. create: service-resolver: name=old-web, redirect-to=new-web If you shutdown dc2 just before (4) and turn it back on after (7) replication is impossible as there is no single edit you can make to make forward progress.	3 years ago
Chris S. Kim	ea47f066d7	Merge pull request #12430 from hashicorp/ci/main-assetfs-build auto-updated agent/uiserver/bindata_assetfs.go from commit `73b6687c5`	3 years ago
Daniel Nephin	771df290d7	Merge pull request #11910 from hashicorp/dnephin/ca-provider-interface-for-ica-in-primary ca: add support for an external trusted CA	3 years ago
R.B. Boyer	8b987a4d59	configentry: make a new package to hold shared config entry structs that aren't used for RPC or the FSM (#12384 ) First two candidates are ConfigEntryKindName and DiscoveryChainConfigEntries.	3 years ago
Dhia Ayachi	cd9d8d44a5	file watcher to be used for configuration auto-reload feature (#12301 ) * add config watcher to the config package * add logging to watcher * add test and refactor to add WatcherEvent. * add all API calls and fix a bug with recreated files * add tests for watcher * remove the unnecessary use of context * Add debug log and a test for file rename * use inode to detect if the file is recreated/replaced and only listen to create events. * tidy ups (#1535) * tidy ups * Add tests for inode reconcile * fix linux vs windows syscall * fix linux vs windows syscall * fix windows compile error * increase timeout * use ctime ID * remove remove/creation test as it's a use case that fail in linux * fix linux/windows to use Ino/CreationTime * fix the watcher to only overwrite current file id * fix linter error * fix remove/create test * set reconcile loop to 200 Milliseconds * fix watcher to not trigger event on remove, add more tests * on a remove event try to add the file back to the watcher and trigger the handler if success * fix race condition * fix flaky test * fix race conditions * set level to info * fix when file is removed and get an event for it after * fix to trigger handler when we get a remove but re-add fail * fix error message * add tests for directory watch and fixes * detect if a file is a symlink and return an error on Add * rename Watcher to FileWatcher and remove symlink deref * add fsnotify@v1.5.1 * fix go mod * fix flaky test * Apply suggestions from code review Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> * fix a possible stack overflow * do not reset timer on errors, rename OS specific files * start the watcher when creating it * fix data race in tests * rename New func * do not call handler when a remove event happen * events trigger on write and rename * fix watcher tests * make handler async * remove recursive call * do not produce events for sub directories * trim "/" at the end of a directory when adding * add missing test * fix logging * add todo * fix failing test * fix flaking tests * fix flaky test * add logs * fix log text * increase timeout * reconcile when remove * check reconcile when removed * fix reconcile move test * fix logging * delete invalid file * Apply suggestions from code review Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * fix review comments * fix is watched to properly catch a remove * change test timeout * fix test and rename id * fix test to create files with different mod time. * fix deadlock when stopping watcher * Apply suggestions from code review Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * fix a deadlock when calling stop while emitting event is blocked * make sure to close the event channel after the event loop is done * add go doc * back date file instead of sleeping * Apply suggestions from code review Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * check error Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
hc-github-team-consul-core	ad14a2bffd	auto-updated agent/uiserver/bindata_assetfs.go from commit `73b6687c5`	3 years ago
Evan Culver	602e08ada7	checks: populate interval and timeout when registering services (#11138 )	3 years ago
Kyle Havlovitz	362753cad7	Merge pull request #12385 from hashicorp/tproxy-http-upstream-fix xds: respect chain protocol on default discovery chain	3 years ago
Daniel Nephin	dc484ee09e	rpc: set response to nil when not found Otherwise when the query times out we might incorrectly send a value for the reply, when we should send an empty reply. Also document errNotFound and how to handle the result in that case.	3 years ago
Daniel Nephin	6021105dfc	ca: test that original certs from secondary still verify There's a chance this could flake if the secondary hasn't received the update yet, but running this test many times doesn't show any flakes yet.	3 years ago
Daniel Nephin	6b679aa9d4	Update TODOs to reference an issue with more details And remove a no longer needed TODO	3 years ago
Daniel Nephin	1853a32df6	ca: add test cases for rotating external trusted CA	3 years ago
Daniel Nephin	5e8ea2a039	ca: add a test for secondary with external CA	3 years ago
Daniel Nephin	42ec34d101	ca: examine the full chain in newCARoot make TestNewCARoot much more strict compare the full result instead of only a few fields. add a test case with 2 and 3 certificates in the pem	3 years ago
Daniel Nephin	71f3ae04e2	ca: small docs improvements	3 years ago
Daniel Nephin	86994812ed	ca: cleanup validateSetIntermediate	3 years ago
Daniel Nephin	c1c1580bf8	ca: only return the leaf cert from Sign in vault provider The interface is documented as 'Sign will only return the leaf', and the other providers only return the leaf. It seems like this was added during the initial implementation, so is likely just something we missed. It doesn't break anything , but it does cause confusing cert chains in the API response which could break something in the future.	3 years ago
Daniel Nephin	85ecbaf109	Merge pull request #12110 from hashicorp/dnephin/blocking-queries-not-found rpc: make blocking queries for non-existent items more efficient	3 years ago
Ashwin Venkatesh	6e6cd928a2	Parse datacenter from request (#12370 ) * Parse datacenter from request - Parse the value of the datacenter from the create/delete requests for AuthMethods and BindingRules so that they can be created in and deleted from the datacenters specified in the request.	3 years ago
Kyle Havlovitz	3fe358b831	xds: respect chain protocol on default discovery chain	3 years ago
Florian Apolloner	f01f00fc84	Support for connect native services in topology view. (#12098 )	3 years ago
Chris S. Kim	154b781bc8	Move IndexEntryName helpers to common files (#12365 )	3 years ago
Daniel Nephin	8a6e75ac81	rpc: add errNotFound to all Get queries Any query that returns a list of items is not part of this commit.	3 years ago
Daniel Nephin	4b33bdf396	Make blockingQuery efficient with 'not found' results. By using the query results as state. Blocking queries are efficient when the query matches some results, because the ModifyIndex of those results, returned as queryMeta.Mindex, will never change unless the items themselves change. Blocking queries for non-existent items are not efficient because the queryMeta.Index can (and often does) change when other entities are written. This commit reduces the churn of these queries by using a different comparison for "has changed". Instead of using the modified index, we use the existence of the results. If the previous result was "not found" and the new result is still "not found", we know we can ignore the modified index and continue to block. This is done by setting the minQueryIndex to the returned queryMeta.Index, which prevents the query from returning before a state change is observed.	3 years ago
Daniel Nephin	897b953f66	Add a test for blocking query on non-existent entry This test shows how blocking queries are not efficient when the query returns no results. The test fails with 100+ calls instead of the expected 2. This test is still a bit flaky because it depends on the timing of the writes. It can sometimes return 3 calls. A future commit should fix this and make blocking queries even more optimal for not-found results.	3 years ago
Daniel Nephin	3301f94004	rpc: improve docs for blockingQuery Follow the Go convention of accepting a small interface that documents the methods used by the function. Clarify the rules for implementing a query function passed to blockingQuery.	3 years ago
R.B. Boyer	115946da99	server: conditionally avoid writing a config entry to raft if it was already the same (#12321 ) This will both save on unnecessary raft operations as well as unnecessarily incrementing the raft modify index of config entries subject to no-op updates.	3 years ago
FFMMM	78264a8030	Vendor in rpc mono repo for net/rpc fork, go-msgpack, msgpackrpc. (#12311 ) This commit syncs ENT changes to the OSS repo. Original commit details in ENT: ``` commit 569d25f7f4578981c3801e6e067295668210f748 Author: FFMMM <FFMMM@users.noreply.github.com> Date: Thu Feb 10 10:23:33 2022 -0800 Vendor fork net rpc (#1538) * replace net/rpc w consul-net-rpc/net/rpc Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * replace msgpackrpc and go-msgpack with fork from mono repo Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * gofmt all files touched Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> ``` Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>	3 years ago
R.B. Boyer	52009ae86a	missed this test adjustment (#12331 )	3 years ago
R.B. Boyer	fa4577d1a9	local: fixes a data race in anti-entropy sync (#12324 ) The race detector noticed this initially in `TestAgentConfigWatcherSidecarProxy` but it is not restricted to just tests. The two main changes here were: - ensure that before we mutate the internal `agent/local` representation of a Service (for tags or VIPs) we clone those fields - ensure that there's no function argument joint ownership between the caller of a function and the local state when calling `AddService`, `AddCheck`, and related using `copystructure` for now.	3 years ago
Dao Thanh Tung	add15e12f7	URL-encode/decode resource names for HTTP API part 5 (#12297 )	3 years ago
Mark Anderson	1a16f7ee70	Refactor to make ACL errors more structured. (#12308 ) * First phase of refactoring PermissionDeniedError Add extended type PermissionDeniedByACLError that captures information about the accessor, particular permission type and the object and name of the thing being checked. It may be worth folding the test and error return into a single helper function, that can happen at a later date. Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Freddy	9580f79f86	Merge pull request #12223 from hashicorp/proxycfg/passthrough-cleanup	3 years ago
freddygv	ceb52d649a	Account for upstream targets in another DC. Transparent proxies typically cannot dial upstreams in remote datacenters. However, if their upstream configures a redirect to a remote DC then the upstream targets will be in another datacenter. In that sort of case we should use the WAN address for the passthrough.	3 years ago
freddygv	cbea3d203c	Fix race of upstreams with same passthrough ip Due to timing, a transparent proxy could have two upstreams to dial directly with the same address. For example: - The orders service can dial upstreams shipping and payment directly. - An instance of shipping at address 10.0.0.1 is deregistered. - Payments is scaled up and scheduled to have address 10.0.0.1. - The orders service receives the event for the new payments instance before seeing the deregistration for the shipping instance. At this point two upstreams have the same passthrough address and Envoy will reject the listener configuration. To disambiguate this commit considers the Raft index when storing passthrough addresses. In the example above, 10.0.0.1 would only be associated with the newer payments service instance.	3 years ago
freddygv	659ebc05a9	Ensure passthrough addresses get cleaned up Transparent proxies can set up filter chains that allow direct connections to upstream service instances. Services that can be dialed directly are stored in the PassthroughUpstreams map of the proxycfg snapshot. Previously these addresses were not being cleaned up based on new service health data. The list of addresses associated with an upstream service would only ever grow. As services scale up and down, eventually they will have instances assigned to an IP that was previously assigned to a different service. When IP addresses are duplicated across filter chain match rules the listener config will be rejected by Envoy. This commit updates the proxycfg snapshot management so that passthrough addresses can get cleaned up when no longer associated with a given upstream. There is still the possibility of a race condition here where due to timing an address is shared between multiple passthrough upstreams. That concern is mitigated by #12195, but will be further addressed in a follow-up.	3 years ago
Freddy	378a7258e3	Prevent xDS tight loop on cfg errors (#12195 )	3 years ago
Dhia Ayachi	4f0a71d7b4	fix race when starting a service while the agent `serviceManager` is … (#12302 ) * fix race when starting a service while the agent `serviceManager` is stopping * add changelog	3 years ago
Daniel Nephin	01784470f3	Merge pull request #12277 from hashicorp/dnephin/panic-in-service-register catalog: initialize the refs map to prevent a nil panic	3 years ago
Daniel Nephin	82c264b2b3	config-entry: fix a panic when registering a service or ingress gateway	3 years ago
R.B. Boyer	89bd1f57b5	xds: allow only one outstanding delta request at a time (#12236 ) Fixes #11876 This enforces that multiple xDS mutations are not issued on the same ADS connection at once, so that we can 100% control the order that they are applied. The original code made assumptions about the way multiple in-flight mutations were applied on the Envoy side that was incorrect.	3 years ago
Daniel Nephin	7ec658b7ac	Merge pull request #12265 from hashicorp/dnephin/logging-in-tests sdk: add TestLogLevel for setting log level in tests	3 years ago
Daniel Nephin	437f769916	A test to reproduce the issue	3 years ago
Daniel Nephin	51b0f82d0e	Make test more readable And fix typo	3 years ago
Daniel Nephin	608597c7b6	ca: relax and move private key type/bit validation for vault This commit makes two changes to the validation. Previously we would call this validation in GenerateRoot, which happens both on initialization (when a follower becomes leader), and when a configuration is updated. We only want to do this validation during config update so the logic was moved to the UpdateConfiguration function. Previously we would compare the config values against the actual cert. This caused problems when the cert was created manually in Vault (not created by Consul). Now we compare the new config against the previous config. Using a already created CA cert should never error now. Adding the key bit and types to the config should only error when the previous values were not the defaults.	3 years ago
Daniel Nephin	d707173253	ca: small cleanup of TestConnectCAConfig_Vault_TriggerRotation_Fails Before adding more test cases	3 years ago
Daniel Nephin	3f590bb8a1	testing: fix test failures caused by new log level These two tests require debug logging enabled, because they look for log lines. Also switched to testify assertions because the previous errors were not clear.	3 years ago
Daniel Nephin	b058845110	sdk: add TestLogLevel for setting log level in tests And default log level to WARN.	3 years ago
Daniel Nephin	7839b2d7e0	ca: add a test that uses an intermediate CA as the primary CA This test found a bug in the secondary. We were appending the root cert to the PEM, but that cert was already appended. This was failing validation in Vault here: https://github.com/hashicorp/vault/blob/sdk/v0.3.0/sdk/helper/certutil/types.go#L329 Previously this worked because self signed certs have the same SubjectKeyID and AuthorityKeyID. So having the same self-signed cert repeated doesn't fail that check. However with an intermediate that is not self-signed, those values are different, and so we fail the check. A test I added in a previous commit should show that this continues to work with self-signed root certs as well.	3 years ago
Daniel Nephin	ac732ce82b	acl: un-embed ACLIdentity This is safer than embedding two interface because there are a number of places where we check the concrete type. If we check the concrete type on the top-level interface it will fail. So instead expose the ACLIdentity from a method.	3 years ago
Daniel Nephin	9d80c1886a	Merge pull request #12167 from hashicorp/dnephin/acl-resolve-token-3 acl: rename ResolveTokenToIdentityAndAuthorizer to ResolveToken	3 years ago
Daniel Nephin	997bf1e5a4	Merge pull request #12166 from hashicorp/dnephin/acl-resolve-token-2 acl: remove ResolveTokenToIdentity	3 years ago
Daniel Nephin	343b6deb79	acl: rename ResolveTokenToIdentityAndAuthorizer to ResolveToken This change allows us to remove one of the last remaining duplicate resolve token methods (Server.ResolveToken). With this change we are down to only 2, where the second one also handles setting the default EnterpriseMeta from the token.	3 years ago
Daniel Nephin	d363cc0f07	acl: remove unused methods on fakes, and add changelog Also document the metric that was removed in a previous commit.	3 years ago
Daniel Nephin	b2b84e7fc6	Merge pull request #12165 from hashicorp/dnephin/acl-resolve-token acl: remove some of the duplicate resolve token methods	3 years ago
Mathew Estafanous	c5d2bea92c	Change error-handling across handlers. (#12225 )	3 years ago
Fulvio	66f0173355	URL-encode/decode resource names for HTTP API part 4 (#12190 )	3 years ago
Dan Upton	fdfe079674	streaming: split event buffer by key (#12080 )	3 years ago
freddygv	c31c1158a6	Add failing test The updated test fails because passthrough upstream addresses are not being cleaned up.	3 years ago
Daniel Nephin	9b7468f99e	ca/provider: remove ActiveRoot from Provider	3 years ago
Daniel Nephin	c2b9c81a55	ca: update MockProvider for new interface	3 years ago
Daniel Nephin	f05bad4a1d	ca: update GenerateRoot godoc	3 years ago
Daniel Nephin	9a59733b7d	Merge pull request #11663 from hashicorp/dnephin/ca-remove-one-call-to-active-root-2 ca: remove second call to Provider.ActiveRoot	3 years ago
Daniel Nephin	db0478265b	Merge pull request #12109 from hashicorp/dnephin/blocking-query-1 rpc: make blockingQuery easier to read	3 years ago
Daniel Nephin	7a6e03c19b	acl: Remove a call to aclAccessorID I missed this on the first pass, we no longer need to look up this ID, because we have it from the Authorizer.	3 years ago
Daniel Nephin	7125fec346	Merge pull request #11221 from hashicorp/dnephin/acl-resolver-5 acl: extract a backend type for the ACLResolverBackend	3 years ago
Dao Thanh Tung	759dd93544	URL-encode/decode resource names for HTTP API part 3 (#12103 )	3 years ago
Daniel Nephin	f9aef8018b	Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com>	3 years ago
Daniel Nephin	737c0097e0	acl: extract a backend type for the ACLResolverBackend This is a small step to isolate the functionality that is used for the ACLResolver from the large Client and Server structs.	3 years ago
R.B. Boyer	d2c0945f52	xds: fix for delta xDS reconnect bug in LDS/CDS (#12174 ) When a wildcard xDS type (LDS/CDS/SRDS) reconnects from a delta xDS stream, prior to envoy `1.19.0` it would populate the `ResourceNamesSubscribe` field with the full list of currently subscribed items, instead of simply omitting it to infer that it wanted everything (which is what wildcard mode means). This upstream issue was filed in envoyproxy/envoy#16063 and fixed in envoyproxy/envoy#16153 which went out in Envoy `1.19.0` and is fixed in later versions (later refactored in envoyproxy/envoy#16855). This PR conditionally forces LDS/CDS to be wildcard-only even when the connected Envoy requests a non-wildcard subscription, but only does so on versions prior to `1.19.0`, as we should not need to do this on later versions. This fixes the failure case as described here: #11833 (comment) Co-authored-by: Huan Wang <fredwanghuan@gmail.com>	3 years ago
Daniel Nephin	e134e43da6	acl: remove calls to ResolveIdentityFromToken We already have an ACLResolveResult, so we can get the accessor ID from it.	3 years ago
Daniel Nephin	edca8d61a3	acl: remove ResolveTokenToIdentity By exposing the AccessorID from the primary ResolveToken method we can remove this duplication.	3 years ago
Daniel Nephin	a5e8af79c3	acl: return a resposne from ResolveToken that includes the ACLIdentity So that we can duplicate duplicate methods.	3 years ago
Daniel Nephin	8c9c48e219	acl: remove duplicate methods Now that ACLResolver is embedded we don't need ResolveTokenToIdentity on Client and Server. Moving ResolveTokenAndDefaultMeta to ACLResolver removes the duplicate implementation.	3 years ago
Daniel Nephin	241663a046	acl: embed ACLResolver in Client and Server In preparation for removing duplicate resolve token methods.	3 years ago
Chris S. Kim	bee18f4a1d	Generate bindata_assetfs.go (#12146 )	3 years ago
R.B. Boyer	b60d89e7ef	bulk rewrite using this script set -euo pipefail unset CDPATH cd "$(dirname "$0")" for f in $(git grep '\brequire := require\.New(' \| cut -d':' -f1 \| sort -u); do echo "=== require: $f ===" sed -i '/require := require.New(t)/d' $f # require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah) sed -i 's/\brequire\.$[a-zA-Z0-9_]$($[^tr]$/require.\1(t,\2/g' $f # require.XXX(tblah) but not require.XXX(t, blah) sed -i 's/\brequire\.$[a-zA-Z0-9_]$($t[^,]$/require.\1(t,\2/g' $f # require.XXX(rblah) but not require.XXX(r, blah) sed -i 's/\brequire\.$[a-zA-Z0-9_]$($r[^,]$/require.\1(t,\2/g' $f gofmt -s -w $f done for f in $(git grep '\bassert := assert\.New(' \| cut -d':' -f1 \| sort -u); do echo "=== assert: $f ===" sed -i '/assert := assert.New(t)/d' $f # assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah) sed -i 's/\bassert\.$[a-zA-Z0-9_]$($[^tr]$/assert.\1(t,\2/g' $f # assert.XXX(tblah) but not assert.XXX(t, blah) sed -i 's/\bassert\.$[a-zA-Z0-9_]$($t[^,]$/assert.\1(t,\2/g' $f # assert.XXX(rblah) but not assert.XXX(r, blah) sed -i 's/\bassert\.$[a-zA-Z0-9_]$($r[^,]$/assert.\1(t,\2/g' $f gofmt -s -w $f done	3 years ago
R.B. Boyer	31f6f55bbe	test: normalize require.New and assert.New syntax	3 years ago
R.B. Boyer	424f3cdd2c	proxycfg: introduce explicit UpstreamID in lieu of bare string (#12125 ) The gist here is that now we use a value-type struct proxycfg.UpstreamID as the map key in ConfigSnapshot maps where we used to use "upstream id-ish" strings. These are internal only and used just for bidirectional trips through the agent cache keyspace (like the discovery chain target struct). For the few places where the upstream id needs to be projected into xDS, that's what (proxycfg.UpstreamID).EnvoyID() is for. This lets us ALWAYS inject the partition and namespace into these things without making stuff like the golden testdata diverge.	3 years ago
Dan Upton	ca3aca92c4	[OSS] Remove remaining references to master (#11827 )	3 years ago
VictorBac	31a39c9528	Add GRPC and GRPCUseTLS to api.HealthCheckDefinition (#12108 ) * Add GRPC to HealthCheckDefinition * add GRPC and GRPCUseTLS	3 years ago
Evan Culver	e35dd08a63	connect: Upgrade Envoy 1.20 to 1.20.1 (#11895 )	3 years ago
Daniel Nephin	71767f1b3e	rpc: cleanup exit and blocking condition logic in blockingQuery Remove some unnecessary comments around query_blocking metric. The only line that needs any comments in the atomic decrement. Cleanup the block and return comments and logic. The old comment about AbandonCh may have been relevant before, but it is expected behaviour now. The logic was simplified by inverting the err condition.	3 years ago
Daniel Nephin	72a733bed8	rpc: extract rpcQueryTimeout method This helps keep the logic in blockingQuery more focused. In the future we may have a separate struct for RPC queries which may allow us to move this off of Server.	3 years ago
Daniel Nephin	fd0a9fd4f3	rpc: move the index defaulting to setQueryMeta. This safeguard should be safe to apply in general. We are already applying it to non-blocking queries that call blockingQuery, so it should be fine to apply it to others.	3 years ago
Daniel Nephin	4b67d6c18b	rpc: add subtests to blockingQuery test	3 years ago
Daniel Nephin	f92dc11002	rpc: refactor blocking query To remove the TODO, and make it more readable. In general this reduces the scope of variables, making them easier to reason about. It also introduces more early returns so that we can see the flow from the structure of the function.	3 years ago
Daniel Nephin	f31e0b8b1a	Merge pull request #11661 from hashicorp/dnephin/ca-remove-one-call-to-active-root ca: remove one call to Provider.ActiveRoot	3 years ago
Kyle Havlovitz	0db874c38b	Add virtual IP generation for term gateway backed services	3 years ago
Chris S. Kim	98ea6d1cf1	Fix race with tags (#12041 )	3 years ago
Chris S. Kim	a0acf9978f	Fix races in anti-entropy tests (#12028 )	3 years ago
Mike Morris	1b1a97e8f9	ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576 ) * xds: refactor ingress listener SDS configuration * xds: update resolveListenerSDS call args in listeners_test * ingress: add TLS min, max and cipher suites to GatewayTLSConfig * xds: implement envoyTLSVersions and envoyTLSCipherSuites * xds: merge TLS config * xds: configure TLS parameters with ingress TLS context from leaf * xds: nil check in resolveListenerTLSConfig validation * xds: nil check in makeTLSParameters* functions * changelog: add entry for TLS params on ingress config entries * xds: remove indirection for TLS params in TLSConfig structs * xds: return tlsContext, nil instead of ambiguous err Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * xds: switch zero checks to types.TLSVersionUnspecified * ingress: add validation for ingress config entry TLS params * ingress: validate listener TLS config * xds: add basic ingress with TLS params tests * xds: add ingress listeners mixed TLS min version defaults precedence test * xds: add more explicit tests for ingress listeners inheriting gateway defaults * xds: add test for single TLS listener on gateway without TLS defaults * xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test * types/tls: change TLSVersion to string * types/tls: update TLSCipherSuite to string type * types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private * api: add TLS params to GatewayTLSConfig, add tests * api: add TLSMinVersion to ingress gateway config entry test JSON * xds: switch to Envoy TLS cipher suite encoding from types package * xds: fixup validation for TLSv1_3 min version with cipher suites * add some kitchen sink tests and add a missing struct tag * xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites * xds: update connectTLSEnabled comment * xds: remove unsued resolveGatewayServiceTLSConfig function * xds: add makeCommonTLSContextFromLeafWithoutParams * types/tls: add LessThan comparator function for concrete values * types/tls: change tlsVersions validation map from string to TLSVersion keys * types/tls: remove unused envoyTLSCipherSuites * types/tls: enable chacha20 cipher suites for Consul agent * types/tls: remove insecure cipher suites from allowed config TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source. Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330 * types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private * types/tls: return all unmatched cipher suites in validation errors * xds: check that Envoy API value matching TLS version is found when building TlsParameters * types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings * types/tls: cast to string rather than fmt.Printf in TLSCihperSuite.String() * xds: add TLSVersionUnspecified to list of configurable cipher suites * structs: update note about config entry warning * xds: remove TLS min version cipher suite unconfigurable test placeholder * types/tls: update tests to remove assumption about private map values Co-authored-by: R.B. Boyer <rb@hashicorp.com>	3 years ago
Dao Thanh Tung	88c7cfa578	URL-encode/decode resource names for HTTP API part 2 (#11957 )	3 years ago
Daniel Nephin	d57dec5878	ca: remove unnecessary var, and slightly reduce cyclo complexity `newIntermediate` is always equal to `needsNewIntermediate`, so we can remove the extra variable and use the original directly. Also remove the `activeRoot.ID != newActiveRoot.ID` case from an if, because that case is already checked above, and `needsNewIntermediate` will already be true in that case. This condition now reads a lot better: > Persist a new root if we did not have one before, or if generated a new intermediate.	3 years ago
Daniel Nephin	0de7efb316	ca: remove unused provider.ActiveRoot call In the previous commit the single use of this storedRoot was removed. In this commit the original objective is completed. The Provider.ActiveRoot is being removed because 1. the secondary should get the active root from the Consul primary DC, not the provider, so that secondary DCs do not need to communicate with a provider instance in a different DC. 2. so that the Provider.ActiveRoot interface can be changed without impacting other code paths.	3 years ago
Daniel Nephin	d0578c6dfc	ca: extract the lookup of the active primary CA This method had only one caller, which always looked for the active root. This commit moves the lookup into the method to reduce the logic in the one caller. This is being done in preparation for a larger change. Keeping this separate so it is easier to see. The `storedRootID != primaryRoots.ActiveRootID` is being removed because these can never be different. The `storedRootID` comes from `provider.ActiveRoot`, the `primaryRoots.ActiveRootID` comes from the store `CARoot` from the primary. In both cases the source of the data is the primary DC. Technically they could be different if someone modified the provider outside of Consul, but that would break many things, so is not a supported flow. If these were out of sync because of ordering of events then the secondary will soon receive an update to `primaryRoots` and everything will be sorted out again.	3 years ago
Daniel Nephin	7121c78d34	ca: update godoc To clarify what to expect from the data stored in this field, and the behaviour of this function.	3 years ago
Daniel Nephin	abac8baa5d	ca: remove one call to provider.ActiveRoot ActiveRoot should not be called from the secondary DC, because there should not be a requirement to run the same Vault instance in a secondary DC. SignIntermediate is called in a secondary DC, so it should not call ActiveRoot We would also like to change the interface of ActiveRoot so that we can support using an intermediate cert as the primary CA in Consul. In preparation for making that change I am reducing the number of calls to ActiveRoot, so that there are fewer code paths to modify when the interface changes. This change required a change to the mockCAServerDelegate we use in tests. It was returning the RootCert for SignIntermediate, but that is not an accurate fake of production. In production this would also be a separate cert.	3 years ago
Daniel Nephin	eaa084fd41	ca: remove redundant append of an intermediate cert Immediately above this line we are already appending the full list of intermediates. The `provider.ActiveIntermediate` MUST be in this list of intermediates because it must be available to all the other non-leader Servers. If it was not in this list of intermediates then any proxy that received data from a non-leader would have the wrong certs. This is being removed now because we are planning on changing the `Provider.ActiveIntermediate` interface, and removing these extra calls ahead of time helps make that change easier.	3 years ago
Daniel Nephin	11f4cdaa49	ca: only generate a single private key for the whole test case Using tracing and cpu profiling I found that the majority of the time in these test cases is spent generating a private key. We really don't need separate private keys, so we can generate only one and use it for all cases. With this change the test runs much faster.	3 years ago
Daniel Nephin	b3ffe7ac72	ca: cleanup a test Fix the name to match the function it is testing Remove unused code Fix the signature, instead of returning (error, string) which should be (string, error) accept a testing.T to emit errors. Handle the error from encode.	3 years ago
Daniel Nephin	1fd6b16399	ca: use the new leaf signing lookup func in leader metrics	3 years ago
Blake Covarrubias	4bd92921f4	api: Return 404 when deregistering a non-existent check (#11950 ) Update the `/agent/check/deregister/` API endpoint to return a 404 HTTP response code when an attempt is made to de-register a check ID that does not exist on the agent. This brings the behavior of /agent/check/deregister/ in line with the behavior of /agent/service/deregister/ which was changed in #10632 to similarly return a 404 when de-registering non-existent services. Fixes #5821	3 years ago
Dhia Ayachi	1eac39ae9c	clone the service under lock to avoid a data race (#11940 ) * clone the service under lock to avoid a data race * add change log * create a struct and copy the pointer to mutate it to avoid a data race * fix failing test * revert added space * add comments, to clarify the data race.	3 years ago
Daniel Nephin	065f6f89fb	Merge pull request #11918 from hashicorp/dnephin/tob-followup Fix a few small bugs	3 years ago
Daniel Nephin	abfc1e4840	snapshot: return the error from replyFn The only function passed to SnapshotRPC today always returns a nil error, so there's no way to exercise this bug in practice. This change is being made for correctness so that it doesn't become a problem in the future, if we ever pass a different function to SnapshotRPC.	3 years ago
Daniel Nephin	0166b0839c	config: correctly capture all errors. Some calls to multierror.Append were not using the existing b.err, which meant we were losing all previous errors.	3 years ago
Chris S. Kim	4cd2542a3e	Fix test for ENT (#11946 )	3 years ago
Chris S. Kim	e4bcaac08c	Fix test for ENT (#11941 )	3 years ago
Dhia Ayachi	e653f81919	reset `coalesceTimer` to nil as soon as the event is consumed (#11924 ) * reset `coalesceTimer` to nil as soon as the event is consumed * add change log * refactor to add relevant test. * fix linter * Apply suggestions from code review Co-authored-by: Freddy <freddygv@users.noreply.github.com> * remove non needed check Co-authored-by: Freddy <freddygv@users.noreply.github.com>	3 years ago
Mathew Estafanous	0fdd1318e9	Ensure consistency with error-handling across all handlers. (#11599 )	3 years ago
Jared Kirschner	b393c90ce7	Clarify service and check error messages (use ID) Error messages related to service and check operations previously included the following substrings: - service %q - check %q From this error message, it isn't clear that the expected field is the ID for the entity, not the name. For example, if the user has a service named test, the error message would read 'Unknown service "test"'. This is misleading - a service with that name does exist, but not with that ID. The substrings above have been modified to make it clear that ID is needed, not name: - service with ID %q - check with ID %q	3 years ago
Jared Kirschner	a36ddc31c7	Merge pull request #11335 from littlestar642/url-encoded-args URL-encode/decode resource names for HTTP API	3 years ago
Chris S. Kim	30550f2c63	testing: Revert assertion for virtual IP flag (#11932 )	3 years ago
Jared Kirschner	e0ddb9e4c5	Merge pull request #11820 from hashicorp/improve-ui-disabled-api-response http: improve UI not enabled response message	3 years ago
littlestar642	634c72d22f	add path escape and unescape to path params	3 years ago
Daniel Nephin	1683da66b0	Merge pull request #11796 from hashicorp/dnephin/cleanup-test-server testing: stop using an old version in testServer	3 years ago
freddygv	21f2c2e68d	Purge chain if it shouldn't be there	3 years ago
freddygv	fe85138453	additional test fixes	3 years ago
freddygv	d26b4860fd	Account for new upstreams constraint in tests	3 years ago
freddygv	2fe27b748d	Check ingress upstreams when gating chain watches	3 years ago
freddygv	6814e84459	Use ptr receiver in all Upstream methods	3 years ago
freddygv	6af9a0d8cf	Avoid storing chain without an upstream	3 years ago
freddygv	ba12dc215b	Clean up chains separately from their watches	3 years ago
freddygv	c5c290c503	Validate chains are associated with upstreams Previously we could get into a state where discovery chain entries were not cleaned up after the associated watch was cancelled. These changes add handling for that case where stray chain references are encountered.	3 years ago
freddygv	70d6358426	Store intention upstreams in snapshot	3 years ago
R.B. Boyer	81ea8129d7	proxycfg: ensure all of the watches are canceled if they are cancelable (#11824 )	3 years ago
Jared Kirschner	f81dd817ff	Merge pull request #11818 from hashicorp/improve-url-not-found-response http: improve 404 Not Found response message	3 years ago
R.B. Boyer	4aabbe529c	proxycfg: use external addresses in tproxy when crossing partition boundaries (#11823 )	3 years ago
Jared Kirschner	2de79abc00	http: improve 404 Not Found response message When a URL path is not found, return a non-empty message with the 404 status code to help the user understand what went wrong. If the URL path was not prefixed with '/v1/', suggest that may be the cause of the problem (which is a common mistake).	3 years ago
Freddy	85fe875d07	Use anonymousToken when querying by secret ID (#11813 ) Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Dan Upton <daniel@floppy.co> This query has been incorrectly querying by accessor ID since New ACLs were added. However, the legacy token compat allowed this to continue to work, since it made a fallback query for the anonymousToken ID. PR #11184 removed this legacy token query, which means that the query by accessor ID is now the only check for the anonymous token's existence. This PR updates the GetBySecret call to use the secret ID of the token.	3 years ago
R.B. Boyer	631c649291	various partition related todos (#11822 )	3 years ago
Jared Kirschner	34ea9ae8c9	http: improve UI not enabled response message Response now clearly indicates: - the UI is disabled - how to enable the UI	3 years ago
Kyle Havlovitz	b50ef696c6	Merge pull request #11812 from hashicorp/metrics-ui-acls oss: use wildcard partition in metrics proxy ui endpoint	3 years ago
Kyle Havlovitz	9dcaf0539c	Merge pull request #11798 from hashicorp/vip-goroutine-check leader: move the virtual IP version check into a goroutine	3 years ago
Kyle Havlovitz	018693b6ee	acl: use wildcard partition in metrics proxy ui endpoint	3 years ago
Kyle Havlovitz	80a4489844	state: fix freed VIP table id index	3 years ago
Kyle Havlovitz	ecbd3eb2a6	Exit before starting the vip check routine if possible	3 years ago
Daniel Nephin	0a9cb62859	testing: Deprecate functions for creating a server. These helper functions actually end up hiding important setup details that should be visible from the test case. We already have a convenient way of setting this config when calling newTestServerWithConfig.	3 years ago
Daniel Nephin	c9a992f5e8	testing: remove old config.Build version DefaultConfig already sets the version to version.Version, so by removing this our tests will run with the version that matches the code.	3 years ago
Kyle Havlovitz	04ef1c3fa0	leader: move the virtual IP version check into a goroutine	3 years ago
FFMMM	74eb257b1c	[sync ent] increase segment max limit to 464, make configurable (#1424 ) (#11795 ) commit b6eb27563e747a78b7647d2b5da405e46364cc46 Author: FFMMM <FFMMM@users.noreply.github.com> Date: Thu Dec 9 13:53:44 2021 -0800 increase segment max limit to 464, make configurable (#1424) Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> fix: rename ent changelog file Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>	3 years ago
Daniel Nephin	f9647ece05	Merge pull request #11780 from hashicorp/dnephin/ca-test-vault-in-secondary ca: improve test coverage for RenewIntermediate	3 years ago
R.B. Boyer	bb75e63eb4	agent: ensure service maintenance checks for matching partitions ahead of other errors (#11788 ) This matches behavior in most other agent api endpoints.	3 years ago
Daniel Nephin	4116a143e0	fix misleading errors on vault shutdown	3 years ago
Daniel Nephin	968aeff1bb	ca: prune some unnecessary lookups in the tests	3 years ago
Daniel Nephin	305655a8b1	ca: remove duplicate WaitFor function	3 years ago
Daniel Nephin	1dec6bb815	ca: fix flakes in RenewIntermediate tests I suspect one problem was that we set structs.IntermediateCertRenewInterval to 1ms, which meant that in some cases the intermediate could renew before we stored the original value. Another problem was that the 'wait for intermediate' loop was calling the provider.ActiveIntermediate, but the comparison needs to use the RPC endpoint to accurately represent a user request. So changing the 'wait for' to use the state store ensures we don't race. Also moves the patching into a separate function. Removes the addition of ca.CertificateTimeDriftBuffer as part of calculating halfTime. This was added in a previous commit to attempt to fix the flake, but it did not appear to fix the problem. Adding the time here was making the tests fail when using the shared patch function. It's not clear to me why, but there's no reason we should be including this time in the halfTime calculation.	3 years ago
Daniel Nephin	2e4e8bd791	ca: improve RenewIntermediate tests Use the new verifyLearfCert to show the cert verifies with intermediates from both sources. This required using the RPC interface so that the leaf pem was constructed correctly. Add IndexedCARoots.Active since that is a common operation we see in a few places.	3 years ago
Daniel Nephin	a4ba1f348d	ca: add a test for Vault in secondary DC	3 years ago
Daniel Nephin	a5d9b1d322	ca: Add CARoots.Active method Which will be used in the next commit.	3 years ago
R.B. Boyer	5f5720837b	acl: ensure that the agent recovery token is properly partitioned (#11782 )	3 years ago
Daniel Nephin	f72e285fe8	Merge pull request #11721 from hashicorp/dnephin/ca-export-fsm-operation ca: use the real FSM operation in tests	3 years ago
Daniel Nephin	214dcf8d0d	ca: use the real FSM operation in tests Previously we had a couple copies that reproduced the FSM operation. These copies introduce risk that the test does not accurately match production. This PR removes the test versions of the FSM operation, and exports the real production FSM operation so that it can be used in tests. The consul provider tests did need to change because of this. Previously we would return a hardcoded value of 2, but in production this value is always incremented.	3 years ago
R.B. Boyer	592ac8f96a	test: test server should auto cleanup (#11779 )	3 years ago
Evan Culver	7a365fa0da	rpc: Unset partition before forwarding to remote datacenter (#11758 )	3 years ago
Daniel Nephin	dccd3f5806	Merge remote-tracking branch 'origin/main' into serve-panic-recovery	3 years ago
Dan Upton	7efab269c0	Rename `Master` and `AgentMaster` fields in config protobuf (#11764 )	3 years ago
Chris S. Kim	f8f8580ab2	Godocs updates for catalog endpoints (#11716 )	3 years ago
Mathew Estafanous	0a9621ec7a	Transition all endpoint tests in agent_endpoint_test.go to go through ServeHTTP (#11499 )	3 years ago
Dan Upton	205ce9a69d	Remove references to "master" ACL tokens in tests (#11751 )	3 years ago
Dan Upton	7fe81171d9	Rename `ACLMasterToken` => `ACLInitialManagementToken` (#11746 )	3 years ago
Dan Upton	3a91815169	agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744 )	3 years ago
R.B. Boyer	9315a9812f	return the max	3 years ago
freddygv	60fe5f75bb	Remove support for failover to partition Failing over to a partition is more siimilar to failing over to another datacenter than it is to failing over to a namespace. In a future release we should update how localities for failover are specified. We should be able to accept a list of localities which can include both partition and datacenter.	3 years ago
freddygv	5c1f7aa372	Allow cross-partition references in disco chain * Add partition fields to targets like service route destinations * Update validation to prevent cross-DC + cross-partition references * Handle partitions when reading config entries for disco chain * Encode partition in compiled targets	3 years ago
R.B. Boyer	b1605639fc	light refactors to support making partitions and serf-based wan federation are mutually exclusive (#11755 )	3 years ago
R.B. Boyer	e20e6348dd	areas: make the gRPC server tracker network area aware (#11748 ) Fixes a bug whereby servers present in multiple network areas would be properly segmented in the Router, but not in the gRPC mirror. This would lead servers in the current datacenter leaving from a network area (possibly during the network area's removal) from deleting their own records that still exist in the standard WAN area. The gRPC client stack uses the gRPC server tracker to execute all RPCs, even those targeting members of the current datacenter (which is unlike the net/rpc stack which has a bypass mechanism). This would manifest as a gRPC method call never opening a socket because it would block forever waiting for the current datacenter's pool of servers to be non-empty.	3 years ago
Freddy	a725f06c83	Merge pull request #11739 from hashicorp/ap/exports-rename	3 years ago
freddygv	e91509383f	Clean up additional refs to partition exports	3 years ago
freddygv	ed6076db26	Rename partition-exports to exported-services Using a name less tied to partitions gives us more flexibility to use this config entry in OSS for exports between datacenters/meshes.	3 years ago
freddygv	f5b25401b3	Update intention topology to use new table	3 years ago
freddygv	55970c6ccd	Avoid updating default decision from wildcard ixn Given that we do not allow wildcard partitions in intentions, no one ixn can override the DefaultAllow setting. Only the default ACL policy applies across all partitions.	3 years ago
freddygv	497aab669f	Add a new table to query service names by kind This table purposefully does not index by partition/namespace. It's a global view into all service names. This table is intended to replace the current serviceListTxn watch in intentionTopologyTxn. For cross-partition transparent proxying we need to be able to calculate upstreams from intentions in any partition. This means that the existing serviceListTxn function is insufficient since it's scoped to a partition. Moving away from that function is also beneficial because it watches the main "services" table, so watchers will wake up when any instance is registered or deregistered.	3 years ago
freddygv	e7a7042c69	Update listener generation to account for consul VIP	3 years ago
Freddy	f032d6ef05	Merge pull request #11680 from hashicorp/ap/partition-exports-oss	3 years ago
Dan Upton	3b9dfca88d	internal: support `ResultsFilteredByACLs` flag/header (#11643 )	3 years ago
Dan Upton	c8204330ed	query: support `ResultsFilteredByACLs` in query list endpoint (#11620 )	3 years ago
Dhia Ayachi	ce326b6074	port oss changes (#11736 )	3 years ago
Freddy	e246defb6c	Merge pull request #11720 from hashicorp/bbolt	3 years ago
Dan Upton	047aa2ffb0	fedstate: support `ResultsFilteredByACLs` in `ListMeshGateways` endpoint (#11644 )	3 years ago
Dan Upton	361d9c2862	catalog: support `ResultsFilteredByACLs` flag/header (#11594 )	3 years ago
Dan Upton	4c0956c03a	coordinate: support `ResultsFilteredByACLs` flag/header (#11617 )	3 years ago
Dan Upton	bf1e2ca551	sessions: support `ResultsFilteredByACLs` flag/header (#11606 )	3 years ago
Dan Upton	d92f0d84c6	txn: support `ResultsFilteredByACLs` flag in `Read` endpoint (#11632 )	3 years ago
Dan Upton	547aa219ea	agent: support `X-Consul-Results-Filtered-By-ACLs` header in agent-local endpoints (#11610 )	3 years ago
Dhia Ayachi	86159c6ed8	sessions partitioning tests (#11734 ) * state: port KV and Tombstone tables to new pattern * go fmt'ed * handle wildcards for tombstones * Fix graveyard ent vs oss * fix oss compilation error * add partition to tombstones and kv state store indexes * refactor to use `indexWithEnterpriseIndexable` * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add `singleValueID` implementation assertions * partition `tableSessions` table * fix sessions to use UUID and fix prefix index * fix oss build * clean up unused functions * fix oss compilation * add a partition indexer for sessions * Fix oss to not have partition index * fix oss tests * remove unused operations_ent.go and operations_oss.go func * remove unused const * convert `IndexID` of `session_checks` table * convert `indexSession` of `session_checks` table * convert `indexNodeCheck` of `session_checks` table * partition `indexID` and `indexSession` of `tableSessionChecks` * fix oss linter * fix review comments * remove partition for Checks as it's always use the session partition * fix tests * fix tests * do not namespace nodeChecks index Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Dan Upton	c314be2ff9	intention: support `ResultsFilteredByACLs` flag/header (#11612 )	3 years ago
Mark Anderson	a89ffba2d4	Cross port of ent #1383 (#11726 ) Cross port of ent #1383 "Reject non-default datacenter when making partitioned ACLs" On the OSS side this is a minor refactor to add some more checks that are only applicable to enterprise code. Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
Dan Upton	599a4d6619	config: support `ResultsFilteredByACLs` in list/list all endpoints (#11621 )	3 years ago
Dan Upton	c4c68915c9	event: support `X-Consul-Results-Filtered-By-ACLs` header in list (#11616 )	3 years ago
Dan Upton	474ef7cc1f	kv: support `ResultsFilteredByACLs` in list/list keys (#11593 )	3 years ago
Dan Upton	cf1bd585f6	health: support `ResultsFilteredByACLs` flag/header (#11602 )	3 years ago
Dan Upton	1e47e3c82b	Groundwork for exposing when queries are filtered by ACLs (#11569 )	3 years ago
Kyle Havlovitz	0546bbe08a	dns: add endpoint for querying service virtual IPs	3 years ago
Kyle Havlovitz	6f34a4f777	Merge pull request #11724 from hashicorp/service-virtual-ips oss: add virtual IP generation for connect services	3 years ago
Kyle Havlovitz	4f2cfee4b0	consul: add virtual IP generation for connect services	3 years ago
R.B. Boyer	c46f9f9f31	agent: add variation of force-leave that exclusively works on the WAN (#11722 ) Fixes #6548	3 years ago
Matt Keeler	c7a94843ee	Emit raft-boltdb metrics	3 years ago
Daniel Nephin	e47cecc653	config: add NoFreelistSync option # Conflicts: # agent/config/testdata/TestRuntimeConfig_Sanitize-enterprise.golden # agent/consul/server.go	3 years ago
Matt Keeler	42a5635bc3	Use raft-boltdb/v2	3 years ago
Daniel Nephin	17a2d14d49	ca: set the correct SigningKeyID after config update with Vault provider The test added in this commit shows the problem. Previously the SigningKeyID was set to the RootCert not the local leaf signing cert. This same bug was fixed in two other places back in 2019, but this last one was missed. While fixing this bug I noticed I had the same few lines of code in 3 places, so I extracted a new function for them. There would be 4 places, but currently the InitializeCA flow sets this SigningKeyID in a different way, so I've left that alone for now.	3 years ago
Daniel Nephin	96f95889db	Merge pull request #11713 from hashicorp/dnephin/ca-test-names ca: make test naming consistent	3 years ago
Daniel Nephin	ff4581092e	Merge pull request #11671 from hashicorp/dnephin/ca-fix-storing-vault-intermediate ca: fix storing the leaf signing cert with Vault provider	3 years ago
Daniel Nephin	81afb208ac	Merge pull request #11677 from hashicorp/dnephin/freeport-interface sdk: use t.Cleanup in freeport and remove unnecessary calls	3 years ago
Daniel Nephin	447097b166	ca: make test naming consistent While working on the CA system it is important to be able to run all the tests related to the system, without having to wait for unrelated tests. There are many slow and unrelated tests in agent/consul, so we need some way to filter to only the relevant tests. This PR renames all the CA system related tests to start with either `TestCAMananger` for tests of internal operations that don't have RPC endpoint, or `TestConnectCA` for tests of RPC endpoints. This allows us to run all the test with: go test -run 'TestCAMananger\|TestConnectCA' ./agent/consul The test naming follows an undocumented convention of naming tests as follows: Test[<struct name>_]<function name>[_<test case description>] I tried to always keep Primary/Secondary at the end of the description, and _Vault_ has to be in the middle because of our regex to run those tests as a separate CI job. You may notice some of the test names changed quite a bit. I did my best to identify the underlying method being tested, but I may have been slightly off in some cases.	3 years ago
FFMMM	384d497f26	add MustRevalidate flag to connect_ca_leaf cache type; always use on non-blocking queries (#11693 ) * always use MustRevalidate on non-blocking queries for connect ca leaf Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Update agent/agent_endpoint_test.go Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * pr feedback Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>	3 years ago
Daniel Nephin	28a8a64019	ca: make getLeafSigningCertFromRoot safer As a method on the struct type this would not be safe to call without first checking c.isIntermediateUsedToSignLeaf. So for now, move this logic to the CAMananger, so that it is always correct.	3 years ago
Daniel Nephin	b29faa3e50	ca: fix stored CARoot representation with Vault provider We were not adding the local signing cert to the CARoot. This commit fixes that bug, and also adds support for fixing existing CARoot on upgrade. Also update the tests for both primary and secondary to be more strict. Check the SigningKeyID is correct after initialization and rotation.	3 years ago
Dan Upton	bf56a2c495	Rename `agent_master` ACL token in the API and CLI (#11669 )	3 years ago
Dan Upton	d8afd2f6c8	Rename `master` and `agent_master` ACL tokens in the config file format (#11665 )	3 years ago
Chris S. Kim	54e4d1b7b2	ENT to OSS sync (#11703 )	3 years ago
R.B. Boyer	db91cbf484	auto-config: ensure the feature works properly with partitions (#11699 )	3 years ago
Daniel Nephin	32ef9c5d5c	ca: add some godoc and func for finding leaf signing cert This will be used in a follow up commit.	3 years ago
Daniel Nephin	4185045a7f	sdk/freeport: rename Port to GetOne For better consistency with GetN	3 years ago
Chris S. Kim	56fab21582	Refactor test helper (#11689 ) Allow custom ACL root tokens to be passed	3 years ago
Chris S. Kim	36246c5791	acl: Fill authzContext from token in Coordinate endpoints (#11688 )	3 years ago
freddygv	dd662d7058	Move ent config test to ent file	3 years ago
freddygv	5e1f7b7c36	Prevent partition-exports entry from OSS usage Validation was added on the config entry kind since that is called when validating config entries to bootstrap via agent configuration and when applying entries via the config RPC endpoint.	3 years ago
Daniel Nephin	e8312d6b5a	testing: remove unnecessary calls to freeport Previously we believe it was necessary for all code that required ports to use freeport to prevent conflicts. https://github.com/dnephin/freeport-test shows that it is actually save to use port 0 (`127.0.0.1:0`) as long as it is passed directly to `net.Listen`, and the listener holds the port for as long as it is needed. This works because freeport explicitly avoids the ephemeral port range, and port 0 always uses that range. As you can see from the test output of https://github.com/dnephin/freeport-test, the two systems never use overlapping ports. This commit converts all uses of freeport that were being passed directly to a net.Listen to use port 0 instead. This allows us to remove a bit of wrapping we had around httptest, in a couple places.	3 years ago
Daniel Nephin	d795a73f78	testing: use the new freeport interfaces	3 years ago
Daniel Nephin	56f9238d15	go-sso: remove returnFunc now that freeport handles return	3 years ago
Daniel Nephin	8c7475d95e	sdk: add freeport functions that use t.Cleanup	3 years ago
Daniel Nephin	59204598c8	ca: clean up unnecessary raft.Apply response checking In `d2ab767fef` raftApply was changed to handle this check in a single place, instad of having every caller check it. It looks like these few places were missed when I did that clean up. This commit removes the remaining resp.(error) checks, since they are all no-ops now.	3 years ago
Daniel Nephin	52f0853ff9	Merge pull request #11339 from hashicorp/dnephin/ca-manager-isolate-secondary-2 ca: reduce use of state in the secondary	3 years ago
Daniel Nephin	91a0c25932	ca: remove state check in secondarySetPrimaryRoots This function is only ever called from operations that have already acquired the state lock, so checking the value of state can never fail. This change is being made in preparation for splitting out a separate type for the secondary logic. The state can't easily be shared, so really only the expored top-level functions should acquire the 'state lock'.	3 years ago
Daniel Nephin	f1944458e4	ca: remove actingSecondaryCA This commit removes the actingSecondaryCA field, and removes the stateLock around it. This field was acting as a proxy for providerRoot != nil, so replace it with that check instead. The two methods which called secondarySetCAConfigured already set the state, so checking the state again at this point will not catch runtime errors (only programming errors, which we can catch with tests). In general, handling state transitions should be done on the "entrypoint" methods where execution starts, not in every internal method. This is being done to remove some unnecessary references to c.state, in preparations for extracting types for primary/secondary.	3 years ago
Daniel Nephin	b92084b8e8	ca: reduce consul provider backend interface a bit This makes it easier to fake, which will allow me to use the ConsulProvider as an 'external PKI' to test a customer setup where the actual root CA is not the root we use for the Consul CA. Replaces a call to the state store to fetch the clusterID with the clusterID field already available on the built-in provider.	3 years ago
Dhia Ayachi	3820e09a47	Partition/kv indexid sessions (#11639 ) * state: port KV and Tombstone tables to new pattern * go fmt'ed * handle wildcards for tombstones * Fix graveyard ent vs oss * fix oss compilation error * add partition to tombstones and kv state store indexes * refactor to use `indexWithEnterpriseIndexable` * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * partition `tableSessions` table * fix sessions to use UUID and fix prefix index * fix oss build * clean up unused functions * fix oss compilation * add a partition indexer for sessions * Fix oss to not have partition index * fix oss tests * remove unused operations_ent.go and operations_oss.go func * convert `indexNodeCheck` of `session_checks` table * partition `indexID` and `indexSession` of `tableSessionChecks` * remove partition for Checks as it's always use the session partition * partition sessions index id table * fix rebase issues Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Dhia Ayachi	bb83624950	Partition session checks store (#11638 ) * state: port KV and Tombstone tables to new pattern * go fmt'ed * handle wildcards for tombstones * Fix graveyard ent vs oss * fix oss compilation error * add partition to tombstones and kv state store indexes * refactor to use `indexWithEnterpriseIndexable` * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add `singleValueID` implementation assertions * partition `tableSessions` table * fix sessions to use UUID and fix prefix index * fix oss build * clean up unused functions * fix oss compilation * add a partition indexer for sessions * Fix oss to not have partition index * fix oss tests * remove unused operations_ent.go and operations_oss.go func * remove unused const * convert `IndexID` of `session_checks` table * convert `indexSession` of `session_checks` table * convert `indexNodeCheck` of `session_checks` table * partition `indexID` and `indexSession` of `tableSessionChecks` * fix oss linter * fix review comments * remove partition for Checks as it's always use the session partition Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Chris S. Kim	2350e7e56a	cleanup: Clarify deprecated legacy intention endpoints (#11635 )	3 years ago
Chris S. Kim	db5ee0e4d2	Merge from ent (#11506 )	3 years ago
R.B. Boyer	dd4a59db8e	agent: purge service/check registration files for incorrect partitions on reload (#11607 )	3 years ago
Iryna Shustava	0ee456649f	connect: Support auth methods for the vault connect CA provider (#11573 ) * Support vault auth methods for the Vault connect CA provider * Rotate the token (re-authenticate to vault using auth method) when the token can no longer be renewed	3 years ago
Daniel Nephin	b4080bc0dc	ca: use the cluster ID passed to the primary instead of fetching it from the state store.	3 years ago
Daniel Nephin	b9ab9bae12	ca: accept only the cluster ID to SpiffeIDSigningForCluster To make it more obivous where ClusterID is used, and remove the need to create a struct when only one field is used.	3 years ago
Will Jordan	68efecafed	Update node info sync comment (#11465 )	3 years ago
R.B. Boyer	1e02460bd1	re-run gofmt on 1.17 (#11579 ) This should let freshly recompiled golangci-lint binaries using Go 1.17 pass 'make lint'	3 years ago
R.B. Boyer	eb21649f82	partitions: various refactors to support partitioning the serf LAN pool (#11568 )	3 years ago
freddygv	0e507492d0	Update proxycfg for ingress service partitions	3 years ago
freddygv	e5b7c4713f	Accept partition for ingress services	3 years ago
freddygv	400697507b	Move assertion to after config fetch	3 years ago
freddygv	da5bcc574e	Use ClusterID to check for readiness The TrustDomain is populated from the Host() method which includes the hard-coded "consul" domain. This means that despite having an empty cluster ID, the TrustDomain won't be empty.	3 years ago
freddygv	6976044bc4	Prevent replicating partition-exports	3 years ago
freddygv	5c121d7a48	handle error scenario of empty local DC	3 years ago
freddygv	af29cda415	Restrict DC for partition-exports writes There are two restrictions: - Writes from the primary DC which explicitly target a secondary DC. - Writes to a secondary DC that do not explicitly target the primary DC. The first restriction is because the config entry is not supported in secondary datacenters. The second restriction is to prevent the scenario where a user writes the config entry to a secondary DC, the write gets forwarded to the primary, but then the config entry does not apply in the secondary. This makes the scope more explicit.	3 years ago
Freddy	00b5b0a0a2	Update filter chain creation for sidecar/ingress listeners (#11245 ) The duo of `makeUpstreamFilterChainForDiscoveryChain` and `makeListenerForDiscoveryChain` were really hard to reason about, and led to concealing a bug in their branching logic. There were several issues here: - They tried to accomplish too much: determining filter name, cluster name, and whether RDS should be used. - They embedded logic to handle significantly different kinds of upstream listeners (passthrough, prepared query, typical services, and catch-all) - They needed to coalesce different data sources (Upstream and CompiledDiscoveryChain) Rather than handling all of those tasks inside of these functions, this PR pulls out the RDS/clusterName/filterName logic. This refactor also fixed a bug with the handling of [UpstreamDefaults](https://www.consul.io/docs/connect/config-entries/service-defaults#defaults). These defaults get stored as UpstreamConfig in the proxy snapshot with a DestinationName of "", since they apply to all upstreams. However, this wildcard destination name must not be used when creating the name of the associated upstream cluster. The coalescing logic in the original functions here was in some situations creating clusters with a `.` prefix, which is not a valid destination.	3 years ago
Kyle Havlovitz	6c0bd0550f	Merge pull request #11461 from deblasis/feature/empty_client_addr_warning config: warn the user if client_addr is empty	3 years ago
Daniel Upton	50a1f20ff9	xds: prefer fed state gateway definitions if they're fresher (#11522 ) Fixes an issue described in #10132, where if two DCs are WAN federated over mesh gateways, and the gateway in the non-primary DC is terminated and receives a new IP address (as is commonly the case when running them on ephemeral compute instances) the primary DC is unable to re-establish its connection until the agent running on its own gateway is restarted. This was happening because we always preferred gateways discovered by the `Internal.ServiceDump` RPC (which would fail because there's no way to dial the remote DC) over those discovered in the federation state, which is replicated as long as the primary DC's gateway is reachable.	3 years ago
Freddy	7d95d90fce	Merge pull request #11514 from hashicorp/dnephin/ca-fix-secondary-init ca: properly handle the case where the secondary initializes after the primary	3 years ago
freddygv	cc5a7ed36c	Avoid returning empty roots with uninitialized CA Currently getCARoots could return an empty object with an empty trust domain before the CA is initialized. This commit returns an error while there is no CA config or no trust domain. There could be a CA config and no trust domain because the CA config can be created in InitializeCA before initialization succeeds.	3 years ago
Dhia Ayachi	7916268c40	refactor session state store tables to use the new index pattern (#11525 ) * state: port KV and Tombstone tables to new pattern * go fmt'ed * handle wildcards for tombstones * Fix graveyard ent vs oss * fix oss compilation error * add partition to tombstones and kv state store indexes * refactor to use `indexWithEnterpriseIndexable` * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add `singleValueID` implementation assertions * partition `tableSessions` table * fix sessions to use UUID and fix prefix index * fix oss build * clean up unused functions * fix oss compilation * add a partition indexer for sessions * Fix oss to not have partition index * fix oss tests * remove unused func `prefixIndexFromServiceNameAsString` * fix test error check * remove unused operations_ent.go and operations_oss.go func * remove unused const Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Dhia Ayachi	98735a6d12	KV refactoring, part 2 (#11512 ) * add partition to the kv get pretty print * fix failing test * add test for kvs RPC endpoint	3 years ago
Dhia Ayachi	520cb5858c	KV state store refactoring and partitioning (#11510 ) * state: port KV and Tombstone tables to new pattern * go fmt'ed * handle wildcards for tombstones * Fix graveyard ent vs oss * fix oss compilation error * add partition to tombstones and kv state store indexes * refactor to use `indexWithEnterpriseIndexable` * partition kvs indexID table * add `partitionedIndexEntryName` in oss for test purpose * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add `singleValueID` implementation assertions * remove entmeta reference from oss Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Giulio Micheloni	af7b7b5693	Merge branch 'main' into serve-panic-recovery	3 years ago
Daniel Nephin	d9110136f2	ca: Only initialize clusterID in the primary The secondary must get the clusterID from the primary	3 years ago
Daniel Nephin	01bd3d118d	ca: return an error when secondary fails to initialize Previously secondaryInitialize would return nil in this case, which prevented the deferred initialize from happening, and left the CA in an uninitialized state until a config update or root rotation. To fix this I extracted the common parts into the delegate implementation. However looking at this again, it seems like the handling in secondaryUpdateRoots is impossible, because that function should never be called before the secondary is initialzied. I beleive we can remove some of that logic in a follow up.	3 years ago
Daniel Nephin	8ba760a2fc	acl: remove id and revision from Policy constructors The fields were removed in a previous commit. Also remove an unused constructor for PolicyMerger	3 years ago
Daniel Nephin	7c679c11e6	acl: remove Policy.ID and Policy.Revision These two fields do not appear to be used anywhere. We use the structs.ACLPolicy ID in the ACLResolver cache, but the acl.Policy ID and revision are not used.	3 years ago
R.B. Boyer	c7c5013edd	rename helper method to reflect the non-deprecated terminology (#11509 )	3 years ago
Connor	efe4b21287	Support Vault Namespaces explicitly in CA config (#11477 ) * Support Vault Namespaces explicitly in CA config If there is a Namespace entry included in the Vault CA configuration, set it as the Vault Namespace on the Vault client Currently the only way to support Vault namespaces in the Consul CA config is by doing one of the following: 1) Set the VAULT_NAMESPACE environment variable which will be picked up by the Vault API client 2) Prefix all Vault paths with the namespace Neither of these are super pleasant. The first requires direct access and modification to the Consul runtime environment. It's possible and expected, not super pleasant. The second requires more indepth knowledge of Vault and how it uses Namespaces and could be confusing for anyone without that context. It also infers that it is not supported * Add changelog * Remove fmt.Fprint calls * Make comment clearer * Add next consul version to website docs * Add new test for default configuration * go mod tidy * Add skip if vault not present * Tweak changelog text	3 years ago
R.B. Boyer	44c023a302	segments: ensure that the serf_lan_allowed_cidrs applies to network segments (#11495 )	3 years ago
Mark Anderson	7e8228a20b	Remove some usage of md5 from the system (#11491 ) * Remove some usage of md5 from the system OSS side of https://github.com/hashicorp/consul-enterprise/pull/1253 This is a potential security issue because an attacker could conceivably manipulate inputs to cause persistence files to collide, effectively deleting the persistence file for one of the colliding elements. Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
FFMMM	61bd417a82	plumb thru root cert tll to the aws ca provider (#11449 ) * plumb thru root cert ttl to the aws ca provider Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Update .changelog/11449.txt Co-authored-by: Dhia Ayachi <dhia@hashicorp.com> Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>	3 years ago
FFMMM	6004a21f35	fix aws pca certs (#11470 ) Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>	3 years ago
Mathew Estafanous	8fb90aacef	Convert (some) test endpoints to use ServeHTTP instead of direct calls to handlers. (#11445 )	3 years ago
FFMMM	4ddf973a31	add root_cert_ttl option for consul connect, vault ca providers (#11428 ) * add root_cert_ttl option for consul connect, vault ca providers Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * add changelog, pr feedback Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Update .changelog/11428.txt, more docs Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * Update website/content/docs/agent/options.mdx Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>	3 years ago
Daniel Nephin	51d8417545	Merge pull request #10690 from tarat44/h2c-support-in-ping-checks add support for h2c in h2 ping health checks	3 years ago
Alessandro De Blasis	2f970555d9	config: warn the user if client_addr is empty if the provided value is empty string then the client services (DNS, HTTP, HTTPS, GRPC) are not listening and the user is not notified in any way about what's happening. Also, since a not provided client_addr defaults to 127.0.0.1, we make sure we are not getting unwanted warnings Signed-off-by: Alessandro De Blasis <alex@deblasis.net>	3 years ago
Daniel Nephin	b57cae94de	Merge pull request #10771 from hashicorp/dnephin/emit-telemetry-metrics-immediately telemetry: improve cert expiry metrics	3 years ago
freddygv	60066e5154	Exclude default partition from GatewayKey string This will behave the way we handle SNI and SPIFFE IDs, where the default partition is excluded. Excluding the default ensures that don't attempt to compare default.dc2 to dc2 in OSS.	3 years ago
freddygv	e3666b0bc4	Update GatewayKeys deduplication Federation states data is only keyed on datacenter, so it cannot be directly compared against keys for gateway groups.	3 years ago
freddygv	90ce897456	Store GatewayKey in proxycfg snapshot for re-use	3 years ago
freddygv	bbe46e9522	Update locality check in xds	3 years ago
freddygv	4d4ccedb3a	Update locality check in proxycfg	3 years ago
Daniel Nephin	7337cfd6dc	Merge pull request #11340 from hashicorp/dnephin/ca-manager-provider ca: split the Provider interface into Primary/Secondary	3 years ago
Daniel Nephin	eee598e91c	Merge pull request #11338 from hashicorp/dnephin/ca-manager-isolate-secondary ca: clearly identify methods that are primary-only or secondary-only	3 years ago
Daniel Upton	d47b7311b8	Support Check-And-Set deletion of config entries (#11419 ) Implements #11372	3 years ago
Dhia Ayachi	2801785710	regenerate expired certs (#11462 ) * regenerate expired certs * add documentation to generate tests certificates	3 years ago
Jared Kirschner	0854e1d684	Merge pull request #11348 from kbabuadze/fix-answers-alt-domain Fix answers for alt domain	3 years ago
R.B. Boyer	c8cafb7654	agent: for various /v1/agent endpoints parse the partition parameter on the request (#11444 ) Also update the corresponding CLI commands to send the parameter appropriately. NOTE: Behavioral changes are not happening in this PR.	3 years ago
R.B. Boyer	af9ffc214d	agent: add a clone function for duplicating the serf lan configuration (#11443 )	3 years ago
Daniel Nephin	367b664318	Add tests for cert expiry metrics	3 years ago
Daniel Nephin	210d37e4ab	Merge pull request #10671 from hashicorp/dnephin/fix-subscribe-test-flake subscribe: improve TestSubscribeBackend_IntegrationWithServer_DeliversAllMessages	3 years ago
Evan Culver	61be9371f5	connect: Remove support for Envoy 1.16 (#11354 )	3 years ago
Evan Culver	bec08f4ec3	connect: Add support for Envoy 1.20 (#11277 )	3 years ago
freddygv	ac96ce6552	Ensure partition-exports kind gets marshalled The api module has decoding functions that rely on 'kind' being present of payloads. This is so that we can decode into the appropriate api type for the config entry. This commit ensures that a static kind is marshalled in responses from Consul's api endpoints so that the api module can decode them.	3 years ago
Daniel Nephin	a8e2e1c365	agent: move agent tls metric monitor to a more appropriate place And add a test for it	3 years ago
Daniel Nephin	c92513ec16	telemetry: set cert expiry metrics to NaN on start So that followers do not report 0, which would make alerting difficult.	3 years ago
Daniel Nephin	9264ce89d2	telemetry: fix cert expiry metrics by removing labels These labels should be set by whatever process scrapes Consul (for prometheus), or by the agent that receives them (for datadog/statsd). We need to remove them here because the labels are part of the "metric key", so we'd have to pre-declare the metrics with the labels. We could do that, but that is extra work for labels that should be added from elsewhere. Also renames the closure to be more descriptive.	3 years ago
Daniel Nephin	7948720bbb	telemetry: only emit leader cert expiry metrics on the servers	3 years ago
Daniel Nephin	7fe60e5989	telemetry: prevent stale values from cert monitors Prometheus scrapes metrics from each process, so when leadership transfers to a different node the previous leader would still be reporting the old cached value. By setting NaN, I believe we should zero-out the value, so that prometheus should only consider the value from the new leader.	3 years ago
Daniel Nephin	0cc58f54de	telemetry: improve cert expiry metrics Emit the metric immediately so that after restarting an agent, the new expiry time will be emitted. This is particularly important when this metric is being monitored, because we want the alert to resovle itself immediately. Also fixed a bug that was exposed in one of these metrics. The CARoot can be nil, so we have to handle that case.	3 years ago
Daniel Nephin	a3c781682d	subscribe: attempt to fix a flaky test TestSubscribeBackend_IntegrationWithServer_DeliversAllMessages has been flaking a few times. This commit cleans up the test a bit, and improves the failure output. I don't believe this actually fixes the flake, but I'm not able to reproduce it reliably. The failure appears to be that the event with Port=0 is being sent in both the snapshot and as the first event after the EndOfSnapshot event. Hopefully the improved logging will show us if these are really duplicate events, or actually different events with different indexes.	3 years ago
Freddy	fbcf9f3f6c	Merge pull request #11435 from hashicorp/ent-authorizer-refactor [OSS] Export ACLs refactor	3 years ago
Freddy	303532825f	Merge pull request #11432 from hashicorp/ap/exports-mgw [OSS] Update mesh gateways to handle partitions	3 years ago
freddygv	43360eb216	Rework acl exports interface	3 years ago
Freddy	ec7e94d129	Merge pull request #11433 from hashicorp/exported-service-acls [OSS] acl: Expand ServiceRead and NodeRead to account for partition exports	3 years ago

... 5 6 7 8 9 ...

4455 Commits (eac9767c3d2fe8d91784638337f2226aa3f9995b)