1171 Commits

Author SHA1 Message Date
Kyle Havlovitz
4e5fb6bc19
connect: add provider state to snapshots 2018-07-11 11:34:49 -07:00
Kyle Havlovitz
462ace4867
connect: update leader initializeCA comment 2018-07-11 10:00:42 -07:00
Kyle Havlovitz
1d3f4b5099
connect: persist intermediate CAs on leader change 2018-07-11 09:44:30 -07:00
Matt Keeler
c54b43bef3 PR Updates
Proxy now doesn’t need to know anything about the api as we pass env vars to it instead of the api config.
2018-07-11 09:44:54 -04:00
Matt Keeler
4d1ead10b3
Merge pull request #4371 from hashicorp/bugfix/gh-4358
Remove https://prefix from TLSConfig.Address
2018-07-11 08:50:10 -04:00
Pierre Souchay
fecae3de21 When renaming a node, ensure the name is not taken by another node.
Since DNS is case insensitive and DB as issues when similar names with different
cases are added, check for unicity based on case insensitivity.

Following another big incident we had in our cluster, we also validate
that adding/renaming a not does not conflicts with case insensitive
matches.

We had the following error once:

 - one node called: mymachine.MYDC.mydomain was shut off
 - another node (different ID) was added with name: mymachine.mydc.mydomain before
   72 hours

When restarting the consul server of domain, the consul server restarted failed
to start since it detected an issue in RAFT database because
mymachine.MYDC.mydomain and mymachine.mydc.mydomain had the same names.

Checking at registration time with case insensitivity should definitly fix
those issues and avoid Consul DB corruption.
2018-07-11 14:42:54 +02:00
Matt Keeler
bd76a34002
Merge pull request #4365 from pierresouchay/fix_test_warning
Fixed compilation warning about wrong type
2018-07-10 16:53:29 -04:00
Matt Keeler
3b6eef8ec6 Pass around an API Config object and convert to env vars for the managed proxy 2018-07-10 12:13:51 -04:00
Pierre Souchay
7d2e4b77ec Use %q, not %s as it used to 2018-07-10 16:52:08 +02:00
Matt Keeler
0fd7e97c2d Merge remote-tracking branch 'origin/master' into bugfix/prevent-multi-cname 2018-07-10 10:26:45 -04:00
Matt Keeler
d19c7d8882
Merge pull request #4303 from pierresouchay/non_blocking_acl
Only send one single ACL cache refresh across network when TTL is over
2018-07-10 08:57:33 -04:00
Matt Keeler
d066fb7b18
Merge pull request #4362 from hashicorp/bugfix/gh-4354
Ensure TXT RRs always end up in the Additional section except for ANY or TXT queries
2018-07-10 08:50:31 -04:00
Pierre Souchay
b112bdd52d Fixed compilation warning about wrong type
It fixes the following warnings:

  agent/config/builder.go:1201: Errorf format %q has arg s of wrong type *string
  agent/config/builder.go:1240: Errorf format %q has arg s of wrong type *string
2018-07-09 23:43:56 +02:00
Paul Banks
41c3a4ac8e
Merge pull request #4038 from pierresouchay/ACL_additional_info
Track calls blocked by ACLs using metrics
2018-07-09 20:21:21 +01:00
MagnumOpus21
371f0c3d5f Tests/Proxy : Changed function name to match the system being tested. 2018-07-09 13:18:57 -04:00
MagnumOpus21
9d57b72e81 Resolved merge conflicts 2018-07-09 12:48:34 -04:00
MagnumOpus21
300330e24b Agent/Proxy: Formatting and test cases fix 2018-07-09 12:46:10 -04:00
Matt Keeler
962f6a1816 Remove https://prefix from TLSConfig.Address 2018-07-09 12:31:15 -04:00
Matt Keeler
cbf8f14451 Ensure TXT RRs always end up in the Additional section except for ANY or TXT queries
This also changes where the enforcement of the enable_additional_node_meta_txt configuration gets applied.

formatNodeRecord returns the main RRs and the meta/TXT RRs in separate slices. Its then up to the caller to add to the appropriate sections or not.
2018-07-09 12:30:11 -04:00
MagnumOpus21
94e8ff55cf Proxy/Tests: Added test cases to check env variables 2018-07-09 12:28:29 -04:00
MagnumOpus21
6cecf2961d Agent/Proxy : Properly passes env variables to child 2018-07-09 12:28:29 -04:00
Pierre Souchay
ff53648df2 Merge remote-tracking branch 'origin/master' into ACL_additional_info 2018-07-07 14:09:18 +02:00
Pierre Souchay
0e4e451a56 Fixed indentation in test 2018-07-07 14:03:34 +02:00
Kyle Havlovitz
401b206a2e
Store the time CARoot is rotated out instead of when to prune 2018-07-06 16:05:25 -07:00
MagnumOpus21
1cd1b55682 Agent/Proxy : Properly passes env variables to child 2018-07-05 22:04:29 -04:00
Matt Keeler
e3783a75e7 Refactor to make this much less confusing 2018-07-03 11:04:19 -04:00
Matt Keeler
554035974e Add a bunch of comments about preventing multi-cname
Hopefully this a bit clearer as to the reasoning
2018-07-03 10:32:52 -04:00
Matt Keeler
22c2be5bf1 Fix some edge cases and add some tests. 2018-07-02 16:58:52 -04:00
Matt Keeler
9a8500412b Only allow 1 CNAME when querying for a service.
This just makes sure that if multiple services are registered with unique service addresses that we don’t blast back multiple CNAMEs for the same service DNS name and keeps us within the DNS specs.
2018-07-02 16:12:06 -04:00
Kyle Havlovitz
1492243e0a
connect/ca: add logic for pruning old stale RootCA entries 2018-07-02 10:35:05 -07:00
Matt Keeler
8a12d803fd
Merge pull request #4315 from hashicorp/bugfix/fix-server-enterprise
Move starting enterprise functionality
2018-07-02 12:28:10 -04:00
Pierre Souchay
bd023f352e Updated swith case to use same branch for async-cache and extend-cache 2018-07-02 17:39:34 +02:00
Pierre Souchay
1e7665c0d5 Updated documentation and adding more test case for async-cache 2018-07-01 23:50:30 +02:00
Pierre Souchay
abde81a3e7 Added async-cache with similar behaviour as extend-cache but asynchronously 2018-07-01 23:50:30 +02:00
Pierre Souchay
9406ca1c95 Only send one single ACL cache refresh across network when TTL is over
It will allow the following:

 * when connectivity is limited (saturated linnks between DCs), only one
   single request to refresh an ACL will be sent to ACL master DC instead
   of statcking ACL refresh queries
 * when extend-cache is used for ACL, do not wait for result, but refresh
   the ACL asynchronously, so no delay is not impacting slave DC
 * When extend-cache is not used, keep the existing blocking mechanism,
   but only send a single refresh request.

This will fix https://github.com/hashicorp/consul/issues/3524
2018-07-01 23:50:30 +02:00
Abhishek Chanda
36306c0076 Change bind_port to an int 2018-06-30 14:18:13 +01:00
Matt Keeler
22b7b688a3
Move starting enterprise functionality 2018-06-29 17:38:29 -04:00
Mitchell Hashimoto
6ef28dece0
agent/config: parse upstreams with multiple service definitions 2018-06-28 15:13:33 -05:00
Mitchell Hashimoto
e155d58b19
Merge pull request #4297 from hashicorp/b-intention-500-2
agent: 400 error on invalid UUID format, api handles errors properly
2018-06-28 05:27:19 +02:00
Matt Keeler
0f70034082 Move default uuid test into the consul package 2018-06-27 09:21:58 -04:00
Matt Keeler
d1a8f9cb3f go fmt changes 2018-06-27 09:07:22 -04:00
Mitchell Hashimoto
1c3e9af316
agent: 400 error on invalid UUID format, api handles errors properly 2018-06-27 07:40:06 +02:00
Matt Keeler
cf69ec42a4 Make sure to generate UUIDs when services are registered without one
This makes the behavior line up with the docs and expected behavior
2018-06-26 17:04:08 -04:00
mkeeler
28141971f9
Release v1.2.0 2018-06-25 19:45:20 +00:00
mkeeler
6813a99081 Merge remote-tracking branch 'connect/f-connect' 2018-06-25 19:42:51 +00:00
Kyle Havlovitz
162daca4d7 revert go changes to hide rotation config 2018-06-25 12:26:18 -07:00
Kyle Havlovitz
c20bbf8760 connect/ca: hide the RotationPeriod config field since it isn't used yet 2018-06-25 12:26:18 -07:00
Mitchell Hashimoto
a76f652fd2 agent: convert the proxy bind_port to int if it is a float 2018-06-25 12:26:18 -07:00
Matt Keeler
677d6dac80 Remove x509 name constraints
These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
2018-06-25 12:26:10 -07:00
Matt Keeler
163fe11101 Make sure we omit the Kind value in JSON if empty 2018-06-25 12:26:10 -07:00