consul

Commit Graph

Author	SHA1	Message	Date
Daniel Nephin	91a0c25932	ca: remove state check in secondarySetPrimaryRoots This function is only ever called from operations that have already acquired the state lock, so checking the value of state can never fail. This change is being made in preparation for splitting out a separate type for the secondary logic. The state can't easily be shared, so really only the expored top-level functions should acquire the 'state lock'.	3 years ago
Daniel Nephin	f1944458e4	ca: remove actingSecondaryCA This commit removes the actingSecondaryCA field, and removes the stateLock around it. This field was acting as a proxy for providerRoot != nil, so replace it with that check instead. The two methods which called secondarySetCAConfigured already set the state, so checking the state again at this point will not catch runtime errors (only programming errors, which we can catch with tests). In general, handling state transitions should be done on the "entrypoint" methods where execution starts, not in every internal method. This is being done to remove some unnecessary references to c.state, in preparations for extracting types for primary/secondary.	3 years ago
Daniel Nephin	b92084b8e8	ca: reduce consul provider backend interface a bit This makes it easier to fake, which will allow me to use the ConsulProvider as an 'external PKI' to test a customer setup where the actual root CA is not the root we use for the Consul CA. Replaces a call to the state store to fetch the clusterID with the clusterID field already available on the built-in provider.	3 years ago
Dhia Ayachi	3820e09a47	Partition/kv indexid sessions (#11639 ) * state: port KV and Tombstone tables to new pattern * go fmt'ed * handle wildcards for tombstones * Fix graveyard ent vs oss * fix oss compilation error * add partition to tombstones and kv state store indexes * refactor to use `indexWithEnterpriseIndexable` * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * partition `tableSessions` table * fix sessions to use UUID and fix prefix index * fix oss build * clean up unused functions * fix oss compilation * add a partition indexer for sessions * Fix oss to not have partition index * fix oss tests * remove unused operations_ent.go and operations_oss.go func * convert `indexNodeCheck` of `session_checks` table * partition `indexID` and `indexSession` of `tableSessionChecks` * remove partition for Checks as it's always use the session partition * partition sessions index id table * fix rebase issues Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Dhia Ayachi	bb83624950	Partition session checks store (#11638 ) * state: port KV and Tombstone tables to new pattern * go fmt'ed * handle wildcards for tombstones * Fix graveyard ent vs oss * fix oss compilation error * add partition to tombstones and kv state store indexes * refactor to use `indexWithEnterpriseIndexable` * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add `singleValueID` implementation assertions * partition `tableSessions` table * fix sessions to use UUID and fix prefix index * fix oss build * clean up unused functions * fix oss compilation * add a partition indexer for sessions * Fix oss to not have partition index * fix oss tests * remove unused operations_ent.go and operations_oss.go func * remove unused const * convert `IndexID` of `session_checks` table * convert `indexSession` of `session_checks` table * convert `indexNodeCheck` of `session_checks` table * partition `indexID` and `indexSession` of `tableSessionChecks` * fix oss linter * fix review comments * remove partition for Checks as it's always use the session partition Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Chris S. Kim	2350e7e56a	cleanup: Clarify deprecated legacy intention endpoints (#11635 )	3 years ago
Chris S. Kim	db5ee0e4d2	Merge from ent (#11506 )	3 years ago
R.B. Boyer	dd4a59db8e	agent: purge service/check registration files for incorrect partitions on reload (#11607 )	3 years ago
Iryna Shustava	0ee456649f	connect: Support auth methods for the vault connect CA provider (#11573 ) * Support vault auth methods for the Vault connect CA provider * Rotate the token (re-authenticate to vault using auth method) when the token can no longer be renewed	3 years ago
Daniel Nephin	b4080bc0dc	ca: use the cluster ID passed to the primary instead of fetching it from the state store.	3 years ago
Daniel Nephin	b9ab9bae12	ca: accept only the cluster ID to SpiffeIDSigningForCluster To make it more obivous where ClusterID is used, and remove the need to create a struct when only one field is used.	3 years ago
Will Jordan	68efecafed	Update node info sync comment (#11465 )	3 years ago
R.B. Boyer	1e02460bd1	re-run gofmt on 1.17 (#11579 ) This should let freshly recompiled golangci-lint binaries using Go 1.17 pass 'make lint'	3 years ago
R.B. Boyer	eb21649f82	partitions: various refactors to support partitioning the serf LAN pool (#11568 )	3 years ago
freddygv	0e507492d0	Update proxycfg for ingress service partitions	3 years ago
freddygv	e5b7c4713f	Accept partition for ingress services	3 years ago
freddygv	400697507b	Move assertion to after config fetch	3 years ago
freddygv	da5bcc574e	Use ClusterID to check for readiness The TrustDomain is populated from the Host() method which includes the hard-coded "consul" domain. This means that despite having an empty cluster ID, the TrustDomain won't be empty.	3 years ago
freddygv	6976044bc4	Prevent replicating partition-exports	3 years ago
freddygv	5c121d7a48	handle error scenario of empty local DC	3 years ago
freddygv	af29cda415	Restrict DC for partition-exports writes There are two restrictions: - Writes from the primary DC which explicitly target a secondary DC. - Writes to a secondary DC that do not explicitly target the primary DC. The first restriction is because the config entry is not supported in secondary datacenters. The second restriction is to prevent the scenario where a user writes the config entry to a secondary DC, the write gets forwarded to the primary, but then the config entry does not apply in the secondary. This makes the scope more explicit.	3 years ago
Freddy	00b5b0a0a2	Update filter chain creation for sidecar/ingress listeners (#11245 ) The duo of `makeUpstreamFilterChainForDiscoveryChain` and `makeListenerForDiscoveryChain` were really hard to reason about, and led to concealing a bug in their branching logic. There were several issues here: - They tried to accomplish too much: determining filter name, cluster name, and whether RDS should be used. - They embedded logic to handle significantly different kinds of upstream listeners (passthrough, prepared query, typical services, and catch-all) - They needed to coalesce different data sources (Upstream and CompiledDiscoveryChain) Rather than handling all of those tasks inside of these functions, this PR pulls out the RDS/clusterName/filterName logic. This refactor also fixed a bug with the handling of [UpstreamDefaults](https://www.consul.io/docs/connect/config-entries/service-defaults#defaults). These defaults get stored as UpstreamConfig in the proxy snapshot with a DestinationName of "", since they apply to all upstreams. However, this wildcard destination name must not be used when creating the name of the associated upstream cluster. The coalescing logic in the original functions here was in some situations creating clusters with a `.` prefix, which is not a valid destination.	3 years ago
Daniel Upton	50a1f20ff9	xds: prefer fed state gateway definitions if they're fresher (#11522 ) Fixes an issue described in #10132, where if two DCs are WAN federated over mesh gateways, and the gateway in the non-primary DC is terminated and receives a new IP address (as is commonly the case when running them on ephemeral compute instances) the primary DC is unable to re-establish its connection until the agent running on its own gateway is restarted. This was happening because we always preferred gateways discovered by the `Internal.ServiceDump` RPC (which would fail because there's no way to dial the remote DC) over those discovered in the federation state, which is replicated as long as the primary DC's gateway is reachable.	3 years ago
freddygv	cc5a7ed36c	Avoid returning empty roots with uninitialized CA Currently getCARoots could return an empty object with an empty trust domain before the CA is initialized. This commit returns an error while there is no CA config or no trust domain. There could be a CA config and no trust domain because the CA config can be created in InitializeCA before initialization succeeds.	3 years ago
Dhia Ayachi	7916268c40	refactor session state store tables to use the new index pattern (#11525 ) * state: port KV and Tombstone tables to new pattern * go fmt'ed * handle wildcards for tombstones * Fix graveyard ent vs oss * fix oss compilation error * add partition to tombstones and kv state store indexes * refactor to use `indexWithEnterpriseIndexable` * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add `singleValueID` implementation assertions * partition `tableSessions` table * fix sessions to use UUID and fix prefix index * fix oss build * clean up unused functions * fix oss compilation * add a partition indexer for sessions * Fix oss to not have partition index * fix oss tests * remove unused func `prefixIndexFromServiceNameAsString` * fix test error check * remove unused operations_ent.go and operations_oss.go func * remove unused const Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Dhia Ayachi	98735a6d12	KV refactoring, part 2 (#11512 ) * add partition to the kv get pretty print * fix failing test * add test for kvs RPC endpoint	3 years ago
Dhia Ayachi	520cb5858c	KV state store refactoring and partitioning (#11510 ) * state: port KV and Tombstone tables to new pattern * go fmt'ed * handle wildcards for tombstones * Fix graveyard ent vs oss * fix oss compilation error * add partition to tombstones and kv state store indexes * refactor to use `indexWithEnterpriseIndexable` * partition kvs indexID table * add `partitionedIndexEntryName` in oss for test purpose * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * add `singleValueID` implementation assertions * remove entmeta reference from oss Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>	3 years ago
Daniel Nephin	d9110136f2	ca: Only initialize clusterID in the primary The secondary must get the clusterID from the primary	3 years ago
Daniel Nephin	01bd3d118d	ca: return an error when secondary fails to initialize Previously secondaryInitialize would return nil in this case, which prevented the deferred initialize from happening, and left the CA in an uninitialized state until a config update or root rotation. To fix this I extracted the common parts into the delegate implementation. However looking at this again, it seems like the handling in secondaryUpdateRoots is impossible, because that function should never be called before the secondary is initialzied. I beleive we can remove some of that logic in a follow up.	3 years ago
Daniel Nephin	8ba760a2fc	acl: remove id and revision from Policy constructors The fields were removed in a previous commit. Also remove an unused constructor for PolicyMerger	3 years ago
Daniel Nephin	7c679c11e6	acl: remove Policy.ID and Policy.Revision These two fields do not appear to be used anywhere. We use the structs.ACLPolicy ID in the ACLResolver cache, but the acl.Policy ID and revision are not used.	3 years ago
R.B. Boyer	c7c5013edd	rename helper method to reflect the non-deprecated terminology (#11509 )	3 years ago
Connor	efe4b21287	Support Vault Namespaces explicitly in CA config (#11477 ) * Support Vault Namespaces explicitly in CA config If there is a Namespace entry included in the Vault CA configuration, set it as the Vault Namespace on the Vault client Currently the only way to support Vault namespaces in the Consul CA config is by doing one of the following: 1) Set the VAULT_NAMESPACE environment variable which will be picked up by the Vault API client 2) Prefix all Vault paths with the namespace Neither of these are super pleasant. The first requires direct access and modification to the Consul runtime environment. It's possible and expected, not super pleasant. The second requires more indepth knowledge of Vault and how it uses Namespaces and could be confusing for anyone without that context. It also infers that it is not supported * Add changelog * Remove fmt.Fprint calls * Make comment clearer * Add next consul version to website docs * Add new test for default configuration * go mod tidy * Add skip if vault not present * Tweak changelog text	3 years ago
R.B. Boyer	44c023a302	segments: ensure that the serf_lan_allowed_cidrs applies to network segments (#11495 )	3 years ago
Mark Anderson	7e8228a20b	Remove some usage of md5 from the system (#11491 ) * Remove some usage of md5 from the system OSS side of https://github.com/hashicorp/consul-enterprise/pull/1253 This is a potential security issue because an attacker could conceivably manipulate inputs to cause persistence files to collide, effectively deleting the persistence file for one of the colliding elements. Signed-off-by: Mark Anderson <manderson@hashicorp.com>	3 years ago
FFMMM	61bd417a82	plumb thru root cert tll to the aws ca provider (#11449 ) * plumb thru root cert ttl to the aws ca provider Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Update .changelog/11449.txt Co-authored-by: Dhia Ayachi <dhia@hashicorp.com> Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>	3 years ago
FFMMM	6004a21f35	fix aws pca certs (#11470 ) Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>	3 years ago
Mathew Estafanous	8fb90aacef	Convert (some) test endpoints to use ServeHTTP instead of direct calls to handlers. (#11445 )	3 years ago
FFMMM	4ddf973a31	add root_cert_ttl option for consul connect, vault ca providers (#11428 ) * add root_cert_ttl option for consul connect, vault ca providers Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * add changelog, pr feedback Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Update .changelog/11428.txt, more docs Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * Update website/content/docs/agent/options.mdx Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>	3 years ago
Alessandro De Blasis	2f970555d9	config: warn the user if client_addr is empty if the provided value is empty string then the client services (DNS, HTTP, HTTPS, GRPC) are not listening and the user is not notified in any way about what's happening. Also, since a not provided client_addr defaults to 127.0.0.1, we make sure we are not getting unwanted warnings Signed-off-by: Alessandro De Blasis <alex@deblasis.net>	3 years ago
freddygv	60066e5154	Exclude default partition from GatewayKey string This will behave the way we handle SNI and SPIFFE IDs, where the default partition is excluded. Excluding the default ensures that don't attempt to compare default.dc2 to dc2 in OSS.	3 years ago
freddygv	e3666b0bc4	Update GatewayKeys deduplication Federation states data is only keyed on datacenter, so it cannot be directly compared against keys for gateway groups.	3 years ago
freddygv	90ce897456	Store GatewayKey in proxycfg snapshot for re-use	3 years ago
freddygv	bbe46e9522	Update locality check in xds	3 years ago
freddygv	4d4ccedb3a	Update locality check in proxycfg	3 years ago
Daniel Upton	d47b7311b8	Support Check-And-Set deletion of config entries (#11419 ) Implements #11372	3 years ago
Dhia Ayachi	2801785710	regenerate expired certs (#11462 ) * regenerate expired certs * add documentation to generate tests certificates	3 years ago
R.B. Boyer	c8cafb7654	agent: for various /v1/agent endpoints parse the partition parameter on the request (#11444 ) Also update the corresponding CLI commands to send the parameter appropriately. NOTE: Behavioral changes are not happening in this PR.	3 years ago
R.B. Boyer	af9ffc214d	agent: add a clone function for duplicating the serf lan configuration (#11443 )	3 years ago
Daniel Nephin	367b664318	Add tests for cert expiry metrics	3 years ago

... 6 7 8 9 10 ...

4284 Commits (ec1eb227ba75a80f17ba11a9a4b5d854f81d0c01)