Commit Graph

10041 Commits

Author SHA1 Message Date
Rebecca Zanzig 6c7245ce84 Add docs about new Helm `priorityClassName` options 2019-03-08 09:42:53 -08:00
Rebecca Zanzig 7d62c8fbec
Merge pull request #5443 from hashicorp/docs/acl-to-sync
Move aclSyncToken docs under `syncCatalog`
2019-03-08 09:06:43 -08:00
Kyle Havlovitz 1e4523f55e Add logic to allow changing a failed node's ID 2019-03-07 22:42:54 -08:00
Rebecca Zanzig 3dbd73ee23 Move aclSyncToken docs under `syncCatalog`
Additionally updates the anchors to follow the established convention.
2019-03-07 16:54:11 -08:00
Judith Malnick 80194732c5
[docs] fix link to prepared query rules (#5435)
* [docs] fix link to prepared query rules

* Update website/source/api/query.html.md

Co-Authored-By: judithpatudith <judith@hashicorp.com>
2019-03-07 12:10:40 -08:00
Rebecca Zanzig f1864b128e
Merge pull request #5431 from hashicorp/docs/helm-extraConfig
[docs] Add examples for the `extraConfig` options in the Helm chart
2019-03-06 14:25:25 -08:00
Rebecca Zanzig c07b7cc154 Add examples for the `extraConfig` options in the Helm chart 2019-03-06 13:01:17 -08:00
Alvin Huang 77727d23ae
Merge pull request #5436 from hashicorp/fix-typo
fix typos
2019-03-06 15:00:17 -05:00
Alvin Huang 8cb8108b1b fix typos 2019-03-06 14:47:33 -05:00
R.B. Boyer f4a3b9d518
fix typos reported by golangci-lint:misspell (#5434) 2019-03-06 11:13:28 -06:00
kaitlincarter-hc 9b1bc8d96d
[Docs] Production Guide for ACLs (#5385)
* New guide for ACLs

* Fixing some formatting issues.

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Resolving PR comments.

* Closing the rest of the PR comments

* Updates for persistence.

* Updating commands.

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2019-03-06 10:46:07 -06:00
Chip Vaughn f658748a79
Merge pull request #5420 from hashicorp/f-catalog-changes
Catalog API Doc Changes
2019-03-06 11:00:37 -05:00
Chip Vaughn ea38ad18f1 Update to registering services via Catalog API 2019-03-06 09:41:12 -05:00
Chip Vaughn ad25767416 Update to registering services via Catalog API 2019-03-06 09:23:37 -05:00
Hans Hasselberg eb0895c5fb
tlsutil: don't use `server_name` config for RPC connections (#5394)
* server name only for outgoing https for checks
2019-03-05 21:35:43 +01:00
R.B. Boyer 2ffbea41c8 improve flaky LANReap tests by expliciting configuring the tombstone timeout
In TestServer_LANReap autopilot is running, so the alternate flow
through the serf reaping function is possible. In that situation the
ReconnectTimeout is not relevant so for parity also override the
TombstoneTimeout value as well.

For additional parity update the TestServer_WANReap and
TestClient_LANReap versions of this test in the same way even though
autopilot is irrelevant here .
2019-03-05 14:34:03 -06:00
R.B. Boyer 5bea49ecb0 tests: avoid leaking child processes from agent/proxyprocess package 2019-03-05 14:29:25 -06:00
R.B. Boyer a99f7aaa25 website: fix broken links 2019-03-05 14:24:33 -06:00
Hans Hasselberg feaece034b
website: fix gemfile.lock (#5429) 2019-03-05 20:55:04 +01:00
Matt Keeler a4e2fe67eb Putting source back into Dev Mode 2019-03-05 19:26:42 +00:00
Matt Keeler 9e7d0ff2d4 Merge branch 'master' of https://github.com/hashicorp/consul 2019-03-05 19:05:53 +00:00
novotnyr aa6a392489 [docs] Add IntelliJ Consul to the list of community tools (#5379) 2019-03-05 13:58:03 +01:00
Matt Keeler 567e41ff6b
Release v1.4.3 2019-03-04 19:21:20 +00:00
Matt Keeler 67f4633134 Update Changelog 2019-03-04 19:18:25 +00:00
Matt Keeler 90040f8bff Fixes for CVE-2019-8336
Fix error in detecting raft replication errors.

Detect redacted token secrets and prevent attempting to insert.

Add a Redacted field to the TokenBatchRead and TokenRead RPC endpoints

This will indicate whether token secrets have been redacted.

Ensure any token with a redacted secret in secondary datacenters is removed.

Test that redacted tokens cannot be replicated.
2019-03-04 19:13:24 +00:00
Chip Vaughn ae8f273a92 Update to registering services via Catalog API 2019-03-04 09:46:37 -05:00
Chip Vaughn 9e91906664 Update to registering services via Catalog API 2019-03-04 09:45:24 -05:00
Matt Keeler 59cca0b975
Update CHANGELOG.md 2019-03-04 09:43:51 -05:00
Hans Hasselberg d35824b1fa default to tls 1.2 as promised. (#5340) 2019-03-04 09:42:04 -05:00
Matt Keeler 7a418f70cf
Update CHANGELOG.md 2019-03-04 09:35:13 -05:00
Aestek 2aac4d5168 Register and deregisters services and their checks atomically in the local state (#5012)
Prevent race between register and deregister requests by saving them
together in the local state on registration.
Also adds more cleaning in case of failure when registering services
/ checks.
2019-03-04 09:34:05 -05:00
Matt Keeler 219e9f8297
Update CHANGELOG.md 2019-03-04 09:29:54 -05:00
Matt Keeler 6e6910ea11
Dont modify memdb owned token data for get/list requests of tokens (#5412)
Previously we were fixing up the token links directly on the *ACLToken returned by memdb. This invalidated some assumptions that a snapshot is immutable as well as potentially being able to cause a crash.

The fix here is to give the policy link fixing function copy on write semantics. When no fixes are necessary we can return the memdb object directly, otherwise we copy it and create a new list of links.

Eventually we might find a better way to keep those policy links in sync but for now this fixes the issue.
2019-03-04 09:28:46 -05:00
Aestek 02f991843f Fix race condition in DNS when using cache (#5398)
* Fix race condition in DNS when using cache

The healty node filtering was modifying the result from the cache, which
caused a crash when multiple queries were made to the same service
simultaneously.
We now copy the node slice before filtering to ensure we do not modify
the data stored in the cache.

* Fix wording in dns cache config doc

s/dns_max_age/cache_max_age/
2019-03-04 09:22:01 -05:00
Matt Keeler 767b8c22ea
Update CHANGELOG.md 2019-03-04 09:20:58 -05:00
Matt Keeler 200c0fb3e9
Call RemoveServer for reap events (#5317)
This ensures that servers are removed from RPC routing when they are reaped.
2019-03-04 09:19:35 -05:00
R.B. Boyer 409c901f8e test: fix concurrent map access when setting up test vault 2019-03-01 14:30:19 -06:00
R.B. Boyer 6955186239 fix ignored errors in state store internals as reported by errcheck 2019-03-01 14:18:00 -06:00
R.B. Boyer c7067645dd fix a few leap-year related clock math inaccuracies and failing tests 2019-03-01 13:51:49 -06:00
Hans Hasselberg e64c5c5899 typo (#5407) 2019-03-01 08:51:37 -06:00
Matt Keeler 4833c5dee5
Update CHANGELOG.md 2019-02-27 14:29:41 -05:00
Matt Keeler 118adbb123
ACL Token Persistence and Reloading (#5328)
This PR adds two features which will be useful for operators when ACLs are in use.

1. Tokens set in configuration files are now reloadable.
2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload)

Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change.

Some other secondary changes:

* Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly.
* Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. 
* Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents.
* Docs updated to reflect the API additions and to show using the new endpoints.
* Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 14:28:31 -05:00
Kyle Havlovitz f07e928afc
Merge pull request #5325 from hashicorp/consul-ca-panic
connect/ca: fix a potential panic in the Consul provider
2019-02-27 09:43:44 -08:00
Hans Hasselberg 80e7d63fc2
Centralise tls configuration part 2 (#5374)
This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually!

This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 10:14:59 +01:00
danielehc f3610df40b Add more details on SkipNodeUpdate option (#5345)
* Add more details on SkipNodeUpdate option

* Updating the language for the entire parameter.
2019-02-26 11:00:23 -06:00
Hans Hasselberg 786b3b1095
Centralise tls configuration part 1 (#5366)
In order to be able to reload the TLS configuration, we need one way to generate the different configurations.

This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`.

This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 16:52:07 +01:00
Jack Pearkes cce1c14fac
website: update bootstrap-saas depenency (#5387)
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
2019-02-25 11:52:00 -08:00
Matt Keeler 6645d714d7
Update CHANGELOG.md 2019-02-25 14:07:14 -05:00
Aestek f1cdfbe40e Allow DNS interface to use agent cache (#5300)
Adds two new configuration parameters "dns_config.use_cache" and
"dns_config.cache_max_age" controlling how DNS requests use the agent
cache when querying servers.
2019-02-25 14:06:01 -05:00
Alvin Huang 77eecf1046 add wait to TestClient_JoinLAN 2019-02-22 17:34:45 -05:00