Commit Graph

2600 Commits

Author SHA1 Message Date
Blake Covarrubias 895a8a43b2
docs: document format for TTL values in Consul config (#6693) 2020-02-11 10:47:21 +01:00
kaitlincarter-hc be35f68ec5
docs: adding note to ACL rules page for intentions. (#6569) 2020-02-11 10:28:48 +01:00
Blake Covarrubias 4ea2685a7c Fix broken link to consul-aws guide on Learn 2020-02-10 12:25:54 -08:00
Hans Hasselberg 9cb7adb304
add envoy version 1.12.2 and 1.13.0 to the matrix (#7240)
* add 1.12.2

* add envoy 1.13.0

* Introduce -envoy-version to get 1.10.0 passing.

* update old version and fix consul-exec case

* add envoy_version and fix check

* Update Envoy CLI tests to account for the 1.13 compatibility changes.

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
2020-02-10 14:53:04 -05:00
Matt Keeler 0b1902f03f
Remove the 1.7.0 beta banner on downloads page (#7253) 2020-02-10 14:20:51 -05:00
Kit Patella 55f19a9eb2
rpc: measure blocking queries (#7224)
* agent: measure blocking queries

* agent.rpc: update docs to mention we only record blocking queries

* agent.rpc: make go fmt happy

* agent.rpc: fix non-atomic read and decrement with bitwise xor of uint64 0

* agent.rpc: clarify review question

* agent.rpc: today I learned that one must declare all variables before interacting with goto labels

* Update agent/consul/server.go

agent.rpc: more precise comment on `Server.queriesBlocking`

Co-Authored-By: Paul Banks <banks@banksco.de>

* Update website/source/docs/agent/telemetry.html.md

agent.rpc: improve queries_blocking description

Co-Authored-By: Paul Banks <banks@banksco.de>

* agent.rpc: fix some bugs found in review

* add a note about the updated counter behavior to telemetry.md

* docs: add upgrade-specific note on consul.rpc.quer{y,ies_blocking} behavior

Co-authored-by: Paul Banks <banks@banksco.de>
2020-02-10 10:01:15 -08:00
Akshay Ganeshen 8beb716414
feat: support sending body in HTTP checks (#6602) 2020-02-10 09:27:12 -07:00
danielehc 20600403b2
Adding upgrade-legacy doc (#7212)
Addresses #7071
2020-02-10 15:43:51 +01:00
Kyle Havlovitz 88ae18a2b2 Update config entry docs for namespaces 2020-02-07 12:01:04 -08:00
Blake Covarrubias 91245622db docs: Indent secretName and secretKey under aclSyncToken
These are sub-parameters under aclSyncToken. Fix indentation so that
they are properly displayed under that top-level key.
2020-02-06 10:40:33 -08:00
Fredrik Hoem Grelland d364a64f9a
docs: namespaces has erroneous HCL example (#7228) 2020-02-06 06:33:07 -06:00
Freddy cb77fc6d01
Add managed service provider token (#7218)
Stubs for enterprise-only ACL token to be used by managed service providers.
2020-02-04 13:58:56 -07:00
Paschalis Tsilias a335aa57c5
Expose Envoy's /stats for statsd agents (#7173)
* Expose Envoy /stats for statsd agents; Add testcases

* Remove merge conflict leftover

* Add support for prefix instead of path; Fix docstring to mirror these changes

* Add new config field to docs; Add testcases to check that /stats/prometheus is exposed as well

* Parametrize matchType (prefix or path) and value

* Update website/source/docs/connect/proxies/envoy.md

Co-Authored-By: Paul Banks <banks@banksco.de>

Co-authored-by: Paul Banks <banks@banksco.de>
2020-02-03 17:19:34 +00:00
Anudeep Reddy b5b4226d4f
[docs] Enabling connect requires server restarts (#6904) 2020-02-03 09:58:12 -06:00
Mohammad Gufran 47cc162ca3
docs: add Flightpath to the list of community tools (#7176) 2020-02-03 13:16:21 +01:00
Stuart Williams 3eb76691df
docs: rate limiting applies to Consul agents in server mode (#6932) 2020-02-03 13:10:47 +01:00
Chris Arcand d40b9f3501
docs: update available Sentinel imports (#6920) 2020-02-03 11:44:25 +01:00
Michael Hofer 4ab3af0ede
docs: add missing Autopilot -min-quorum documentation (#7192) 2020-02-03 10:59:53 +01:00
Blake Covarrubias e158922615 Fix org name in Helm chart's imageEnvoy description
Update the description for the Helm chart's connectInject.imageEnvoy
parameter to reflect the correct organization name for images published by
EnvoyProxy.io.
2020-02-03 01:46:58 -08:00
Alexandru Matei 5a6e602b86
docs: add detailed documentation about Health Checking specific service using the gRPC method (#6574) 2020-02-03 10:19:06 +01:00
Anthony Scalisi 1565351a5c
docs: fix typos, IDs are UUIDs, /acl/token endpoints manage ACL tokens (#5736) 2020-02-03 09:41:54 +01:00
Hans Hasselberg 5531678e9e
Security fixes (#7182)
* Mitigate HTTP/RPC Services Allow Unbounded Resource Usage

Fixes #7159.

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 11:19:37 -05:00
Sarah Christoff fbb9120894
[docs] Clarify retry-join (#7078) 2020-01-30 12:52:58 -06:00
Matt Keeler 6855a778c2
Updates to the Txn API for namespaces (#7172)
* Updates to the Txn API for namespaces

* Update agent/consul/txn_endpoint.go

Co-Authored-By: R.B. Boyer <rb@hashicorp.com>

Co-authored-by: R.B. Boyer <public@richardboyer.net>
2020-01-30 13:12:26 -05:00
Iryna Shustava 7b549b0b5e
docs: clarify that clients and servers need to talk over LAN if outside k8s (#7156) 2020-01-29 19:09:38 -08:00
Iryna Shustava 22872b03a6
docs: Clarify the use of kustomize or ship with the Helm chart (#7154) 2020-01-28 22:18:12 -08:00
Chris Piraino 401221de58
Allow users to configure either unstructured or JSON logging (#7130)
* hclog Allow users to choose between unstructured and JSON logging
2020-01-28 17:50:41 -06:00
Iryna Shustava 14369f03ce docs: update ACL perms for the /connect/ca/roots endpoint (#7155) 2020-01-28 20:01:25 +01:00
Blake Covarrubias 08909661c2 docs: Fix success/passing health check definition
This commit changes the health check example shown for the
success/failures_before_passing option to correctly show that the value
of `checks` is an array of objects, not an object.

Added text clarifying these check parameters are available in Consul
1.7.0 and later.

Expanded the health check to provide a more complete configuration
example.

Resolves #7114.
2020-01-27 12:15:25 -08:00
Matt Keeler bbc2eb1951
Add the v1/catalog/node-services/:node endpoint (#7115)
The backing RPC already existed but the endpoint will be useful for other service syncing processes such as consul-k8s as this endpoint can return all services registered with a node regardless of namespacing.
2020-01-24 09:27:25 -05:00
Blake Covarrubias b3cf47c861 Redirect /docs/guides/outage.html to Learn
Resolves: #6953
2020-01-24 00:26:07 -08:00
Alexey Miasoedov b71630b752 fix Unix socket path in docs 2020-01-22 09:11:24 -08:00
David Yu ee329db79a
Merge pull request #7104 from hashicorp/david-yu-patch-4
Small change to TLS connection wording
2020-01-22 08:51:34 -08:00
Kit Ewbank 7b17f789d3 docs: add Helm chart 'dns.clusterIP' value. (#5845) 2020-01-22 17:32:08 +01:00
Hans Hasselberg 11a571de95
agent: setup grpc server with auto_encrypt certs and add -https-port (#7086)
* setup grpc server with TLS config used across consul.
* add -https-port flag
2020-01-22 11:32:17 +01:00
Iryna Shustava a33154ac9b
Add docs about rolling out TLS on k8s (#7096)
* Add docs about gradually rolling out TLS on k8s

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
2020-01-21 19:29:55 -08:00
David Yu 26a0ea1c39
Small change to wording
Removing automatic connection wording for applications for the time being. From @blake 
> They can automatically establish TLS connections without being aware that TLS is happening. They are aware that they’re routed through the Connect proxy, the app has to configure itself to use the local upstream port.
2020-01-21 16:27:43 -08:00
Luke Kysow c9dbcc31ec
Merge pull request #6970 from hashicorp/k8s-docs-refactor
Kubernetes docs reorganization
2020-01-18 19:08:26 -06:00
Luke Kysow e0aff262cf
Reorg kube docs 2020-01-18 19:07:53 -06:00
Hans Hasselberg 804eb17094
connect: check if intermediate cert needs to be renewed. (#6835)
Currently when using the built-in CA provider for Connect, root certificates are valid for 10 years, however secondary DCs get intermediates that are valid for only 1 year. There is no mechanism currently short of rotating the root in the primary that will cause the secondary DCs to renew their intermediates.
This PR adds a check that renews the cert if it is half way through its validity period.

In order to be able to test these changes, a new configuration option was added: IntermediateCertTTL which is set extremely low in the tests.
2020-01-17 23:27:13 +01:00
Hans Hasselberg 87f32c8ba6
auto_encrypt: set dns and ip san for k8s and provide configuration (#6944)
* Add CreateCSRWithSAN
* Use CreateCSRWithSAN in auto_encrypt and cache
* Copy DNSNames and IPAddresses to cert
* Verify auto_encrypt.sign returns cert with SAN
* provide configuration options for auto_encrypt dnssan and ipsan
* rename CreateCSRWithSAN to CreateCSR
2020-01-17 23:25:26 +01:00
Matej Urbas ce023359fe agent: configurable MaxQueryTime and DefaultQueryTime. (#3777) 2020-01-17 14:20:57 +01:00
John Cowen bc86002be9
docs: Add note about using valid DNS labels for service names (#7035)
Add note about using valid DNS labels for service names
2020-01-15 15:36:17 +00:00
Kit Patella 8be67b777a
Small improvements to Connect docs (#6910)
* docs/connect add link to intentions and minor phrasing change

* docs/connect pluralize 'applications'

* Update website/source/docs/connect/connect-internals.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>
2020-01-14 14:59:27 -08:00
Freddy e635b24215
Update force-leave ACL requirement to operator:write (#7033) 2020-01-14 15:40:34 -07:00
Matt Keeler 663cf1e9a8
AuthMethod updates to support alternate namespace logins (#7029) 2020-01-14 10:09:29 -05:00
Matt Keeler 8bd34e126f
Intentions ACL enforcement updates (#7028)
* Renamed structs.IntentionWildcard to structs.WildcardSpecifier

* Refactor ACL Config

Get rid of remnants of enterprise only renaming.

Add a WildcardName field for specifying what string should be used to indicate a wildcard.

* Add wildcard support in the ACL package

For read operations they can call anyAllowed to determine if any read access to the given resource would be granted.

For write operations they can call allAllowed to ensure that write access is granted to everything.

* Make v1/agent/connect/authorize namespace aware

* Update intention ACL enforcement

This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior.

Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself.

* Refactor Intention.Apply to make things easier to follow.
2020-01-13 15:51:40 -05:00
danielehc 6ae75f6063
added disclaimer about network segments due to Serf limitations (#7004)
* added disclaimer about network segments due to Serf limitations

using work made at https://github.com/hashicorp/consul/pull/6558 by @thepomeranian

* Lowercasing functionality name

* Update website/source/docs/enterprise/network-segments/index.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

Co-authored-by: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2020-01-09 10:41:31 +01:00
danielehc a207f1a147
Update docs to point to new learn guide (#7003)
* Changed the link to point to new guide
* Removed querystring from link
2020-01-09 10:26:47 +01:00
DevOps Rob 0785bcc8df Azure MSI for cloud auto-join (#7000)
* Azure MSI documentation

Adding in note about support for Azure MSI authentication method for Cloud auto-join

* fixing text formatting

fixing text formatting

* missing word

missing word - variable

* Update website/source/docs/agent/cloud-auto-join.html.md

Language change to be specific about where the security risk mitigation is concerned

Co-Authored-By: Jack Pearkes <jackpearkes@gmail.com>

Co-authored-by: Jack Pearkes <jackpearkes@gmail.com>
2020-01-08 20:43:45 -05:00