Commit Graph

9478 Commits

Author SHA1 Message Date
Matt Keeler 118adbb123
ACL Token Persistence and Reloading (#5328)
This PR adds two features which will be useful for operators when ACLs are in use.

1. Tokens set in configuration files are now reloadable.
2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload)

Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change.

Some other secondary changes:

* Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly.
* Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. 
* Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents.
* Docs updated to reflect the API additions and to show using the new endpoints.
* Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 14:28:31 -05:00
Kyle Havlovitz f07e928afc
Merge pull request #5325 from hashicorp/consul-ca-panic
connect/ca: fix a potential panic in the Consul provider
2019-02-27 09:43:44 -08:00
Hans Hasselberg 80e7d63fc2
Centralise tls configuration part 2 (#5374)
This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually!

This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 10:14:59 +01:00
danielehc f3610df40b Add more details on SkipNodeUpdate option (#5345)
* Add more details on SkipNodeUpdate option

* Updating the language for the entire parameter.
2019-02-26 11:00:23 -06:00
Hans Hasselberg 786b3b1095
Centralise tls configuration part 1 (#5366)
In order to be able to reload the TLS configuration, we need one way to generate the different configurations.

This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`.

This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 16:52:07 +01:00
Jack Pearkes cce1c14fac
website: update bootstrap-saas depenency (#5387)
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
2019-02-25 11:52:00 -08:00
Matt Keeler 6645d714d7
Update CHANGELOG.md 2019-02-25 14:07:14 -05:00
Aestek f1cdfbe40e Allow DNS interface to use agent cache (#5300)
Adds two new configuration parameters "dns_config.use_cache" and
"dns_config.cache_max_age" controlling how DNS requests use the agent
cache when querying servers.
2019-02-25 14:06:01 -05:00
R.B. Boyer c2a30c5fdd fix incorrect body of TestACLEndpoint_PolicyBatchRead
Lifted from PR #5307 as it was an unrelated drive-by fix on that PR anyway.

s/token/policy/
2019-02-22 09:32:51 -06:00
Paul Banks 360e3acc7c Add common blocking implementation details to docs (#5358)
* Add common blocking implementation details to docs

These come up over and over again with blocking query loops in our own code and third-party's. #5333 is possibly a case (unconfirmed) where "badly behaved" blocking clients cause issues, however since we've never explicitly documented these things it's not reasonable for third-party clients to have guessed that they are needed!

This hopefully gives us something to point to for the future.

It's a little wordy - happy to consider breaking some of the blocking stuff out of this page if we think it's appropriate but just wanted to quickly plaster over this gap in our docs for now.

* Update index.html.md

* Apply suggestions from code review

Co-Authored-By: banks <banks@banksco.de>

* Update index.html.md

* Update index.html.md

* Clearified monotonically

* Fixing formating
2019-02-21 15:33:45 -06:00
R.B. Boyer 00aa50cfa2 website: fix errant mention of 'snapshot save' on docs for 'snapshot restore' 2019-02-21 13:48:20 -06:00
R.B. Boyer 1598c787ae
Merge pull request #5344 from hashicorp/test-no-log-buffer
testutil: Set the environment variable NOLOGBUFFER=1 to have test agent logs go straight to stdout
2019-02-21 10:35:45 -06:00
R.B. Boyer df19c8a889
Merge pull request #5361 from hashicorp/update-some-tests-to-new-tokens
update agent/agent_endpoint_test.go to use V2 tokens with attached policies
2019-02-21 10:35:28 -06:00
kaitlincarter-hc 193c0b727b
[Docs] Helm Chart (#5350)
* Updating the Helm chart to include ACL parameter and examples.

* Updates based on feedback.

* Update website/source/docs/platform/k8s/helm.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2019-02-20 18:27:28 -06:00
R.B. Boyer b569f222f9 update agent/agent_endpoint_test.go to use V2 tokens with attached policies 2019-02-20 11:11:47 -06:00
kaitlincarter-hc a093af320c
[docs] ACL reset procedure (#5334)
* Adding reset instructions.

* Added link to the boostrapping guide for the reset procedure.

* Update website/source/docs/guides/acl.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/acl.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/acl.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2019-02-19 10:45:23 -06:00
Paul Banks 07e5308206
Update CHANGELOG.md 2019-02-19 13:46:58 +00:00
Nicholas Jackson 99fe9dabce Envoy config cluster (#5308)
* Start adding tests for cluster override

* Refactor tests for clusters

* Passing tests for custom upstream cluster override

* Added capability to customise local app cluster

* Rename config for local cluster override
2019-02-19 13:45:33 +00:00
Paul Banks aa338f7d86
Update CHANGELOG.md 2019-02-19 11:46:38 +00:00
Kainoa Seto b2af8862c7 Deferred updating response meta with consul headers (#5355) 2019-02-19 11:45:36 +00:00
Matt Keeler b3c7447014
Update CHANGELOG.md 2019-02-15 17:02:32 -05:00
Simone Di Maulo 2aa516fd64 Fix logfile open filemode (#5354)
Fixes #5346
2019-02-15 17:01:48 -05:00
R.B. Boyer c8a1acd508
Merge pull request #5349 from hashicorp/acl-endpoint-test-consistency
test: switch test file from assert -> require for consistency
2019-02-14 14:48:16 -06:00
R.B. Boyer ef8258cd4e test: switch test file from assert -> require for consistency
Also in acl_endpoint_test.go:

* convert logical blocks in some token tests to subtests
* remove use of require.New

This removes a lot of noise in a later PR.
2019-02-14 14:21:19 -06:00
kaitlincarter-hc 7598b32d1d
[Docs] New KV documentation (#5315)
* Adding new KV doc

* fixing the metadata

* Update website/source/docs/agent/kv.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/agent/kv.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/agent/kv.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/agent/kv.html.md
2019-02-14 10:25:17 -06:00
Matt Keeler 766d771017
Pass a testing.T into NewTestAgent and TestAgent.Start (#5342)
This way we can avoid unnecessary panics which cause other tests not to run.

This doesn't remove all the possibilities for panics causing other tests not to run, it just fixes the TestAgent
2019-02-14 10:59:14 -05:00
R.B. Boyer 46de2c5504 travis: enable branch builds for f-acl-ux and stop doing them for f-envoy 2019-02-13 14:05:09 -06:00
R.B. Boyer 397e9cd459
Merge pull request #5343 from hashicorp/fixes-grab-bag
various small fixes
2019-02-13 13:26:20 -06:00
R.B. Boyer 82c17d94e1 testutil: Set the environment variable NOLOGBUFFER=1 to have test agent logs go straight to stdout
This is a followup to the testing feature added in #5304.

While it is very nice to have test agent logs to through testing.T.Logf
so that only logs from failed tests are emitted, if a test is hanging or
taking a long time those logs are delayed. In that case setting
NOLOGBUFFER=1 will temporarily redirect them to stdout so you can see
immediate feedback about hangs when running the tests in verbose mode.

One current example of a test where this can be relevant is:

    $ go test ./agent/consul -run 'TestCatalog_ListServices_Stale' -v
2019-02-13 13:13:10 -06:00
R.B. Boyer adbe8ed370 correct some typos 2019-02-13 13:02:12 -06:00
R.B. Boyer 88bb53d001 ensure that we plumb our configured logger into all parts of the raft library 2019-02-13 13:02:09 -06:00
Dan Brown b24b3a56d0 Docs EA update RA and DG (#5336)
* Confirm RA against Consul 1.3

Change product_version frontmatter to ea_version and increase to 1.3

* Confirm DG against Consul 1.3

Change product_version frontmatter to ea_version and increase to 1.3
2019-02-13 12:53:21 -06:00
R.B. Boyer 2c983902be reduce the local scope of variable 2019-02-13 11:54:28 -06:00
R.B. Boyer a7de668260 update changelog 2019-02-13 11:51:38 -06:00
R.B. Boyer de0f585583
agent: only enable TLS on gRPC if the HTTPS API port is enabled (#5287)
Currently the gRPC server assumes that if you have configured TLS
certs on the agent (for RPC) that you want gRPC to be encrypted.
If gRPC is bound to localhost this can be overkill. For the API we
let the user choose to offer HTTP or HTTPS API endpoints
independently of the TLS cert configuration for a similar reason.

This setting will let someone encrypt RPC traffic with TLS but avoid
encrypting local gRPC traffic if that is what they want to do by only
enabling TLS on gRPC if the HTTPS API port is enabled.
2019-02-13 11:49:54 -06:00
R.B. Boyer f2ed3a3777
clarify the ACL.PolicyDelete endpoint (#5337)
There was an errant early-return in PolicyDelete() that bypassed the
rest of the function.  This was ok because the only caller of this
function ignores the results.

This removes the early-return making it structurally behave like
TokenDelete() and for both PolicyDelete and TokenDelete clarify the lone
callers to indicate that the return values are ignored.

We may wish to avoid the entire return value as well, but this patch
doesn't go that far.
2019-02-13 09:16:30 -06:00
Peter Souter ae814af631
Merge pull request #5338 from petems/fix_cloud_auto_join_docs
Update Azurerm Cloud Auto-Join docs
2019-02-13 01:14:12 +00:00
petems 5020f97911 Adds newline for bullets
* Formatting was previously broken
2019-02-13 00:54:51 +00:00
petems dad2b24b82 Adds note about secret value
* For future traveler, this literally ate up an entire day of debugging, so hopefully it helped you! 💃
2019-02-13 00:54:27 +00:00
petems 371cac266d Update specific perms for Azure
* `listAll` is not valid
2019-02-13 00:53:51 +00:00
petems 8acadd364a Add note about equals signs 2019-02-12 23:47:19 +00:00
R.B. Boyer 324ba5df17
update TestStateStore_ACLBootstrap to not rely upon request mutation (#5335) 2019-02-12 16:09:26 -06:00
Marlon Maxwel 41742f9504 Documentation - New plugin for frontend applications based in webpack (#5310)
* Add new plugin for front-end applications based in webpack

* Fix doc suggestion

Co-Authored-By: marlonmleite <marlonmleite@gmail.com>
2019-02-12 11:13:43 -06:00
Matt Keeler a4d1659ac2
Update CHANGELOG.md 2019-02-11 11:13:29 -05:00
Matt Keeler 7073ba4ed2
Move autopilot initialization to prevent race (#5322)
`establishLeadership` invoked during leadership monitoring may use autopilot to do promotions etc. There was a race with doing that and having autopilot initialized and this fixes it.
2019-02-11 11:12:24 -05:00
adawalli d7e4151fcb website: Update UI Policy recommendations from Guide (#5321)
The guide currently uses node, service, and service for the UI Policy.
This will cause a practically useless UI. This patch uses the _prefix
variants instead which will have the intended behavior.
2019-02-08 14:39:28 -06:00
Rebecca Zanzig fc1d9e5d78
Merge pull request #5302 from hashicorp/docs/k8s-acl
Update k8s ACL documentation
2019-02-07 13:46:44 -08:00
Rebecca Zanzig 1ef6bf3902 Add additional clarification to the ACL token wording 2019-02-07 13:26:17 -08:00
kaitlincarter-hc 5a98953c43
Apply suggestions from code review
Co-Authored-By: adilyse <rebecca@hashicorp.com>
2019-02-07 13:08:04 -08:00
Kyle Havlovitz 29e4c17b07
connect/ca: fix a potential panic in the Consul provider 2019-02-07 10:43:54 -08:00