mirror of https://github.com/status-im/consul.git synced 2025-01-25 21:19:12 +00:00

771 Commits

Author SHA1 Message Date
R.B. Boyer
e0d1e2689c
ci: upgrade to use Go 1.16.7 () 2021-08-16 12:21:16 -05:00
Kenia
019ce785ab
ui: Create Routing Configurations route and page () 2021-08-16 12:04:04 -04:00
Daniel Nephin
0575498d0d proxycfg: Lookup the agent token as a default
When no ACL token is provided with the service registration.
2021-08-12 15:51:34 -04:00
Mike Morris
3bae53a989
deps: upgrade gogo-protobuf to v1.3.2 ()
* deps: upgrade gogo-protobuf to v1.3.2

* go mod tidy using go 1.16

* proto: regen protobufs after upgrading gogo/protobuf

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-12 14:05:46 -04:00
Mark Anderson
d3cebbd32c
Fixup to support unix domain socket via command line ()
Missed the need to add support for unix domain socket config via
api/command line. This is a variant of the problems described in
it is easy to drop one.

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-08-12 10:05:22 -07:00
Kenia
ab6a675209
ui: Split up the socket mode from the socket path () 2021-08-11 13:00:32 -04:00
Blake Covarrubias
1ee8655bfc
cli: Fix broken KV import on Windows ()
Consul 1.10 (PR ) introduced the ability to specify a prefix when
importing KV's. This however introduced a regression on Windows
systems which breaks `kv import`. The key name is joined with
specified `-prefix` using `filepath.Join()` which uses a forward slash
(/) to delimit values on Unix-based systems, and a backslash (\) to
delimit values on Windows – the latter of which is incompatible with
Consul KV paths.

This commit replaces filepath.Join() with path.Join() which uses a
forward slash as the delimiter, providing consistent key join behavior
across supported operating systems.

Fixes 
2021-08-10 14:42:05 -07:00
Blake Covarrubias
e41d6ee60f
cli: Use admin bind address in self_admin cluster ()
Configure the self_admin cluster to use the admin bind address
provided when starting Envoy.

Fixes 
2021-08-09 17:10:32 -07:00
Blake Covarrubias
6a68bfc5e1
cli: Test API access using /status/leader in consul watch ()
Replace call to /agent/self with /status/leader to verify agent
reachability before initializing a watch. This endpoint is not guarded
by ACLs, and as such can be queried by any API client regardless of
their permissions.

Fixes 
2021-08-09 09:00:33 -07:00
Daniel Nephin
d3325b0253
Merge pull request from bigmikes/acl-replication-fix
acl: acl replication routine to report the last error message
2021-08-06 18:29:51 -04:00
Giulio Micheloni
d4a3fe33e8 String type instead of error type and changelog. 2021-08-06 22:35:27 +01:00
Dhia Ayachi
b495036823
defer setting the state before returning to avoid stuck in INITIALIZING state ()
* defer setting the state before returning to avoid being stuck in `INITIALIZING` state

* add changelog

* move comment with the right if statement

* ca: report state transition error from setState

* update comment to reflect state transition

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-05 14:51:19 -04:00
Daniel Nephin
e94016872a
Merge pull request from hashicorp/dnephin/agent-tls-cert-expiration-metric
telemetry: add Agent TLS Certificate expiration metric
2021-08-04 18:42:02 -04:00
Kenia
bcd53e73a2
ui: Add Vault as a Service External Source () 2021-08-04 18:22:43 -04:00
Daniel Nephin
8c575445da telemetry: add a metric for agent TLS cert expiry 2021-08-04 13:51:44 -04:00
Kenia
8ad1ab9c08
ui: Fix Health Checks in K/V form Lock Sessions Info section () 2021-08-04 12:41:41 -04:00
Evan Culver
710bd90ef7
checks: Add Interval and Timeout to API response () 2021-08-03 15:26:49 -07:00
Kenia
2ee501be8d
ui: Add copy button for Secret ID in Tokens list page () 2021-07-30 13:52:37 -04:00
Blake Covarrubias
c919f2d9ea
api: Support QueryOptions on additional agent endpoints ()
Add support for setting QueryOptions on the following agent API endpoints:

- /agent/health/service/name/:name
- /agent/health/service/id/:id
- /agent/service/maintenance/:id

This follows the same pattern used in  to support query options
for other agent API endpoints.

Resolves 
2021-07-30 10:07:13 -07:00
Blake Covarrubias
2c78cbbee7 Add changelog 2021-07-30 09:58:11 -07:00
Daniel Nephin
d2b58cd0d6
Merge pull request from hashicorp/dnephin/streaming-setup-default-timeout
streaming: set default query timeout
2021-07-28 18:29:28 -04:00
Daniel Nephin
5edee9b69d add changelog 2021-07-28 17:50:01 -04:00
Kenia
eb5512fb74
ui: Fix dropdown option duplications () 2021-07-27 17:34:11 -04:00
Daniel Nephin
a0b114968e
Merge pull request from hashicorp/dnephin/debug-stream-metrics
debug: use the new metrics stream in debug command
2021-07-27 13:23:15 -04:00
Daniel Nephin
3bd5261923 Add changelog 2021-07-26 17:53:32 -04:00
Chris S. Kim
91c90a672a
agent: update proxy upstreams to inherit namespace from service () 2021-07-26 17:12:29 -04:00
Freddy
19f6e1ca31
Log the correlation ID when blocking queries fire ()
Knowing that blocking queries are firing does not provide much
information on its own. If we know the correlation IDs we can
piece together which parts of the snapshot have been populated.

Some of these responses might be empty from the blocking
query timing out. But if they're returning quickly I think we
can reasonably assume they contain data.
2021-07-23 16:36:17 -06:00
Dhia Ayachi
c6859b3fb0
config raft apply silent error ()
* return an error when the index is not valid

* check response as bool when applying `CAOpSetConfig`

* remove check for bool response

* fix error message and add check to test

* fix comment

* add changelog
2021-07-22 10:32:27 -04:00
Freddy
cf4821885d
Avoid panic on concurrent writes to cached service config map ()
If multiple instances of a service are co-located on the same node then
their proxies will all share a cache entry for their resolved service
configuration. This is because the cache key contains the name of the
watched service but does not take into account the ID of the watching
proxies.

This means that there will be multiple agent service manager watches
that can wake up on the same cache update. These watchers then
concurrently modify the value in the cache when merging the resolved
config into the local proxy definitions.

To avoid this concurrent map write we will only delete the key from
opaque config in the local proxy definition after the merge, rather
than from the cached value before the merge.
2021-07-20 10:09:29 -06:00
Blake Covarrubias
a0cd3dd88e
Add DNS recursor strategy option ()
This change adds a new `dns_config.recursor_strategy` option which
controls how Consul queries DNS resolvers listed in the `recursors`
config option. The supported options are `sequential` (default), and
`random`.

Closes 

Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
Co-authored-by: Priyanka Sengupta <psengupta@flatiron.com>
2021-07-19 15:22:51 -07:00
Daniel Nephin
1c8ac9cd4b
Merge pull request from hashicorp/dnephin/trim-dns-response-with-edns
dns: properly trim response when EDNS is used
2021-07-16 18:09:25 -04:00
Evan Culver
0527dcff57
acls: Show AuthMethodNamespace when reading/listing ACL token meta () 2021-07-15 10:38:52 -07:00
Freddy
12b7e07d5c
Merge pull request from hashicorp/vuln/validate-sans 2021-07-15 09:43:55 -06:00
freddygv
444af47750 Add changelog entry 2021-07-15 09:27:46 -06:00
R.B. Boyer
20feb42d3a
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) () 2021-07-15 10:09:00 -05:00
John Cowen
0762da3a62
ui: [BUGFIX] Ensure we use the ns query param name when requesting permissions ()
Previously when namespaces were enabled, we weren't requesting permission for the actively selected namespace, and instead always checking the permissions for the default namespace.

This commit ensures we request permissions for the actively selected namespace.
2021-07-15 12:19:07 +01:00
Dhia Ayachi
6d331691dc add changelog entry 2021-07-14 17:50:00 -04:00
John Cowen
3e80e637ba
ui: [BUGFIX] Fix KV Code Editor syntax loading ()
This commit adds a bit of string wrangling to avoid the keys in our javascript source file also being transformed. Additionally, whilst looking at this we decided that Maps are a better dictionary than javascript objects, so we moved to use those here also (but this doesn't affect the issue)
2021-07-14 18:55:35 +01:00
John Cowen
54f0cd812a
ui: Show the correct 'ACLs Disabled' page when ACLs are disabled ()
Adds 'can access ACLs' which means one of two things

1. When ACLs are disabled I can access the 'please enable ACLs' page
2. When ACLs are enabled, it's the same as canRead
2021-07-14 18:52:13 +01:00
John Cowen
b256313256
ui: [BUGFIX] Ensure in-folder KVs are created in the correct folder ()
When clicking to create a KV within folder name, you would be viewing a form that was a form for creating a KV in the root, which when the user clicked to save, saved the KV in the root.

For the moment at least I've removed the code that strips double slashes, and whilst this isn't ideal, it looks like we've picked up one of those bugs that turns into a 'feature', and completely reworking KV to not rely on the double slashes is not really an option right now.
2021-07-14 18:49:01 +01:00
Daniel Nephin
74fb650b6b
Merge pull request from hashicorp/dnephin/config-fix-ports-grpc
config: rename `ports.grpc` to `ports.xds`
2021-07-13 13:11:38 -04:00
Daniel Nephin
b5cd2050b4 fix backwards compat for envoy command
The compatv2 integration tests were failing because they use an older CLI version with a newer
HTTP API. This commit restores the GRPCPort field to the DebugConfig output to allow older
CIs to continue to fetch the port.
2021-07-13 12:31:49 -04:00
Dhia Ayachi
58bd817336
check expiry date of the root/intermediate before using it to sign a leaf ()
* ca: move provider creation into CAManager

This further decouples the CAManager from Server. It reduces the interface between them and
removes the need for the SetLogger method on providers.

* ca: move SignCertificate to CAManager

To reduce the scope of Server, and keep all the CA logic together

* ca: move SignCertificate to the file where it is used

* auto-config: move autoConfigBackend impl off of Server

Most of these methods are used exclusively for the AutoConfig RPC
endpoint. This PR uses a pattern that we've used in other places as an
incremental step to reducing the scope of Server.

* fix linter issues

* check error when `raftApplyMsgpack`

* ca: move SignCertificate to CAManager

To reduce the scope of Server, and keep all the CA logic together

* check expiry date of the intermediate before using it to sign a leaf

* fix typo in comment

Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>

* Fix test name

* do not check cert start date

* wrap error to mention it is the intermediate expired

* Fix failing test

* update comment

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* use shim to avoid sleep in test

* add root cert validation

* remove duplicate code

* Revert "fix linter issues"

This reverts commit 6356302b54f06c8f2dee8e59740409d49e84ef24.

* fix import issue

* gofmt leader_connect_ca

* add changelog entry

* update error message

Co-authored-by: Freddy <freddygv@users.noreply.github.com>

* fix error message in test

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-07-13 12:15:06 -04:00
R.B. Boyer
6c47efd532
connect/ca: ensure edits to the key type/bits for the connect builtin CA will regenerate the roots ()
progress on 
2021-07-13 11:12:07 -05:00
R.B. Boyer
7bf9ea55cf
connect/ca: require new vault mount points when updating the key type/bits for the vault connect CA provider ()
progress on 
2021-07-13 11:11:46 -05:00
Iryna Shustava
95305881ce
cli/sdk: Allow applying redirect-traffic rules in a provided Linux namespace () 2021-07-13 10:05:48 -06:00
Evan Culver
13bd86527b
Add support for returning ACL secret IDs for accessors with acl:write () 2021-07-08 15:13:08 -07:00
Daniel Nephin
ec6da0859d
Merge pull request from hashicorp/copy-of-master
Changes that were accidentally merged into the old master branch
2021-07-08 16:28:56 -04:00
R.B. Boyer
c94b8c6a39
config: add agent config flag for enterprise clients to indicate they wish to join a particular partition () 2021-07-08 10:03:38 -05:00
Dhia Ayachi
6390e91be5
Add ca certificate metrics ()
* add intermediate ca metric routine

* add Gauge config for intermediate cert

* Stop metrics routine when stopping leader

* add changelog entry

* update changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* use variables instead of a map

* go imports sort

* Add metrics for primary and secondary ca

* start metrics routine in the right DC

* add telemetry documentation

* update docs

* extract expiry fetching in a func

* merge metrics for primary and secondary into signing ca metric

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-07-07 09:41:01 -04:00