Commit Graph

2215 Commits

Author SHA1 Message Date
hc-github-team-consul-core 10cf54e7a6 Merge branch 'release/1.8.11' into remote-x 2021-06-03 20:51:46 +00:00
hc-github-team-consul-core 3c4cea9158
update bindata_assetfs.go 2021-06-03 19:57:32 +00:00
Mike Morris ea6d6dd2ee Revert "Revert "Merge pull request #10277 from hashicorp/dnephin/backport-serf-tag-refactor""
This reverts commit 442a8efc7f.
2021-06-03 14:24:30 -04:00
Daniel Nephin ee250d3113 Merge pull request #10321 from hashicorp/dnephin/backport-debug-cli-fix
[1.9.x] debug: remove the CLI check for debug_enabled
2021-05-31 20:10:45 +00:00
hc-github-team-consul-core 2195429f32
update bindata_assetfs.go 2021-05-26 02:18:23 +00:00
Mike Morris 442a8efc7f Revert "Merge pull request #10277 from hashicorp/dnephin/backport-serf-tag-refactor"
This reverts commit f45ab674ce, reversing
changes made to 985ca60d35.
2021-05-25 21:15:19 -04:00
Daniel Nephin 4bd66e0348 Merge pull request #10272 from hashicorp/dnephin/backport-namespace-license-fix
Backport some ent changes for serf tags
2021-05-21 12:54:51 -04:00
hc-github-team-consul-core 985ca60d35 Merge branch 'release/1.8.11-beta1' into remote-x 2021-05-18 20:55:05 +00:00
hc-github-team-consul-core 4b23e123ab
update bindata_assetfs.go 2021-05-18 20:19:37 +00:00
Daniel Nephin ee992f788d Merge pull request #8812 from jjshanks/GH-8728
GH-8728 add raft default values
2021-05-18 19:33:17 +00:00
R.B. Boyer 2f9c448801 server: ensure that central service config flattening properly resets the state each time (#10245)
The prior solution to call reply.Reset() aged poorly since newer fields
were added to the reply, but not added to Reset() leading serial
blocking query loops on the server to blend replies.

This could manifest as a service-defaults protocol change from
default=>http not reverting back to default after the config entry
reponsible was deleted.

Backport of #10239 to 1.9.x
2021-05-14 18:25:37 +00:00
R.B. Boyer 63d03e3b6a agent: ensure we hash the non-deprecated upstream fields on ServiceConfigRequest (#10240) (#10244)
Backport of #10240 to 1.9.x
2021-05-14 15:49:55 +00:00
Daniel Nephin ea6600dacc Merge pull request #10218 from hashicorp/dnephin/backport-local-agent-fix
[1.9.x] agent/local: do not persist the agent or user token
2021-05-12 17:20:07 +00:00
Daniel Nephin f8d33b36fd local: default to the agent token instead of the user token
When de-registering in anti-entropy sync, when there is no service or
check token.

The agent token will fall back to the default (aka user) token if no agent
token is set, so the existing behaviour still works, but it will prefer
the agent token over the user token if both are set.

ref: https://www.consul.io/docs/agent/options#acl_tokens

The agent token seems more approrpiate in this case, since this is an
"internal operation", not something initiated by the user.
2021-05-04 14:45:31 -04:00
R.B. Boyer 55600be4a9
[1.8.x] connect: update supported envoy versions to 1.14.7, 1.13.7, 1.12.7, 1.11.2 (#10106) 2021-04-29 15:56:24 -05:00
Matt Keeler 835d3d4258 Add replication metrics (#10073)
# Conflicts:
#	agent/consul/replication.go
2021-04-23 16:18:08 -04:00
Kyle Havlovitz 658e6a97bb Merge pull request #9672 from hashicorp/ca-force-skip-xc
connect/ca: Allow ForceWithoutCrossSigning for all providers
2021-04-20 15:41:32 -05:00
hashicorp-ci 201e25ed70
update bindata_assetfs.go 2021-04-15 18:15:39 +00:00
Kent 'picat' Gruber 447dd528f6 Merge pull request #10023 from hashicorp/fix-raw-kv-xss
Add content type headers to raw KV responses
2021-04-15 09:48:14 -04:00
R.B. Boyer cbf1e5d3e9
Merge pull request #10026 from hashicorp/1.8.x-fix-wan-ipv6-key
[1.8.x] Fix advertise_addr_wan_ipv6 configuration key
2021-04-14 16:53:04 -05:00
Daniel Nephin 1cc59bd0cf Merge pull request #9851 from panascais-forks/fix-wan-ipv6-key
Fix advertise_addr_wan_ipv6 configuration key
2021-04-14 16:29:28 -05:00
Daniel Nephin 168e8da213 Merge pull request #10025 from hashicorp/dnephin/fix-snapshot-auth-methods
snapshot: fix saving of auth methods
2021-04-14 17:25:13 -04:00
Matt Keeler 46de6ba9ca
Backport 10013: Move static token resolution into the ACLResolver (#10013) (#10017)
# Conflicts:
#	agent/acl.go
#	agent/acl_test.go
#	agent/agent.go
#	agent/ui_endpoint.go
2021-04-14 13:04:32 -04:00
Hans Hasselberg 0d0f14f901 introduce certopts (#9606)
* introduce cert opts

* it should be using the same signer

* lint and omit serial
2021-03-22 09:17:23 +00:00
hashicorp-ci 1f92b6cb84
update bindata_assetfs.go 2021-03-04 19:22:47 +00:00
John Cowen 24981a6c68 ui: Remove any trailing fullstop/period DNS characters from Gateways UI API (#9752)
Previous to this commit, the API response would include Gateway
Addresses in the form `domain.name.:8080`, which due to the addition of
the port is probably not the expected response.

This commit rightTrims any `.` characters from the end of the domain
before formatting the address to include the port resulting in
`domain.name:8080`
2021-02-25 09:36:43 +00:00
R.B. Boyer 76795ae6d6
test: omit envoy golden test files that differ from the latest version (#9824)
backport of #9807 to 1.8.x
2021-02-24 15:49:32 -06:00
R.B. Boyer 46edc401ad connect: if the token given to the vault provider returns no data avoid a panic (#9806)
Improves #9800
2021-02-22 20:09:25 +00:00
R.B. Boyer 40987a2b69
xds: only try to create an ipv6 expose checks listener if ipv6 is supported by the kernel (#9794)
1.8.x backport of #9765

Conflicts:
- agent/xds/listeners_test.go
- test/integration/connect/envoy/helpers.bash
- agent/xds/testdata (different envoy versions)
2021-02-22 10:45:40 -06:00
hashicorp-ci b18269d20a
update bindata_assetfs.go 2021-02-11 19:00:47 +00:00
R.B. Boyer 22640c9e87
[1.8.x] connect: update supported envoy point releases to 1.14.6, 1.13.7, 1.12.7, 1.11.2 (#9739)
selective backport of #9737
2021-02-10 13:11:51 -06:00
R.B. Boyer 415be133fa
connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate (#9428) (#9734)
1.8.x backport of #9428
2021-02-09 16:55:22 -06:00
Matt Keeler 5b543790d2
Backport to release/1.8.x: #9738 - Stop background refresh of cached data for requests that result in ACL not found errors (#9742) 2021-02-09 11:32:38 -05:00
Freddy c18a218bbb Avoid potential proxycfg/xDS deadlock using non-blocking send 2021-02-08 23:18:38 +00:00
R.B. Boyer 556b8bd1c2 server: use the presense of stored federation state data as a sign that we already activated the federation state feature flag (#9519)
This way we only have to wait for the serf barrier to pass once before
we can make use of federation state APIs Without this patch every
restart needs to re-compute the change.
2021-02-08 19:30:58 +00:00
R.B. Boyer eed2302b43 xds: prevent LDS flaps in mesh gateways due to unstable datacenter lists (#9651)
Also fix a similar issue in Terminating Gateways that was masked by an overzealous test.
2021-02-08 16:20:37 +00:00
R.B. Boyer bb5c2e802b xds: deduplicate mesh gateway listeners in a stable way (#9650)
In a situation where the mesh gateway is configured to bind to multiple
network interfaces, we use a feature called 'tagged addresses'.
Sometimes an address is duplicated across multiple tags such as 'lan'
and 'lan_ipv4'.

There is code to deduplicate these things when creating envoy listeners,
but that code doesn't ensure that the same tag wins every time. If the
winning tag flaps between xDS discovery requests it will cause the
listener to be drained and replaced.
2021-02-05 22:28:57 +00:00
Hans Hasselberg e6584182f2 Add flags to support CA generation for Connect (#9585) 2021-01-27 07:55:31 +00:00
R.B. Boyer 685c38a1b1 server: initialize mgw-wanfed to use local gateways more on startup (#9528)
Fixes #9342
2021-01-25 23:31:28 +00:00
hashicorp-ci dd110e8c74 Merge branch 'release/1.8.8' into remote-x 2021-01-22 20:17:04 +00:00
hashicorp-ci e2f9307430
update bindata_assetfs.go 2021-01-22 18:50:02 +00:00
R.B. Boyer f135c3b64e server: when wan federating via mesh gateways only do heuristic primary DC bypass on the leader (#9366)
Fixes #9341
2021-01-22 16:07:11 +00:00
Matt Keeler 7cddf128e9
Backport #9570 to release/1.8.x: Ensure that CA initialization does not block leader election. (#9571)
Backport of PR: 9570

After fixing that bug I uncovered a couple more:

Fix an issue where we might try to cross sign a cert when we never had a valid root.
Fix a potential issue where reconfiguring the CA could cause either the Vault or AWS PCA CA providers to delete resources that are still required by the new incarnation of the CA.

Ensure that CA initialization does not block leader election.

After fixing that bug I uncovered a couple more:

Fix an issue where we might try to cross sign a cert when we never had a valid root.
Fix a potential issue where reconfiguring the CA could cause either the Vault or AWS PCA CA providers to delete resources that are still required by the new incarnation of the CA.
2021-01-21 09:04:30 -05:00
Matt Keeler 87f7bb475c Fix flaky test by marking mock expectations as optional (#9596)
These expectations are optional because in a slow CI environment the deadline to cancell the context might occur before the go routine reaches issuing the RPC. Either way we are successfully ensuring context cancellation is working.
2021-01-20 15:59:13 +00:00
Matt Keeler 0d4b710c4a Special case the error returned when we have a Raft leader but are not tracking it in the ServerLookup (#9487)
This can happen when one other node in the cluster such as a client is unable to communicate with the leader server and sees it as failed. When that happens its failing status eventually gets propagated to the other servers in the cluster and eventually this can result in RPCs returning “No cluster leader” error.

That error is misleading and unhelpful for determing the root cause of the issue as its not raft stability but rather and client -> server networking issue. Therefore this commit will add a new error that will be returned in that case to differentiate between the two cases.
2021-01-04 19:05:58 +00:00
hashicorp-ci bf98530f78
update bindata_assetfs.go 2020-12-10 21:46:51 +00:00
R.B. Boyer 0ecd16a382
acl: global tokens created by auth methods now correctly replicate to secondary datacenters (#9363)
Previously the tokens would fail to insert into the secondary's state
store because the AuthMethod field of the ACLToken did not point to a
known auth method from the primary.

Backport of #9351 to 1.8.x
2020-12-10 08:35:48 -06:00
hashicorp-ci 0b1d1323d7
update bindata_assetfs.go 2020-12-03 19:11:42 +00:00
Kyle Havlovitz e51bd34952 Merge pull request #9318 from hashicorp/ca-update-followup
connect: Fix issue with updating config in secondary
2020-12-02 20:18:32 +00:00
Kyle Havlovitz 6e62166f6d Merge pull request #9009 from hashicorp/update-secondary-ca
connect: Fix an issue with updating CA config in a secondary datacenter
2020-11-30 16:13:12 -08:00