Commit Graph

608 Commits

Author SHA1 Message Date
Chris S. Kim 8bdbe7c0fb
Update CI and release go versions to 1.17.5 (#11799) 2021-12-10 14:04:56 -05:00
Evan Culver a0c754d44f
connect: update SNI label extraction to support new taxonomy for partitions (#11786) 2021-12-10 10:26:22 -08:00
John Cowen 4400d7c071
ui: Change partitions to expect `[]` from the API (#11791) 2021-12-10 14:41:08 +00:00
FFMMM 74eb257b1c
[sync ent] increase segment max limit to 4*64, make configurable (#1424) (#11795)
* commit b6eb27563e747a78b7647d2b5da405e46364cc46
Author: FFMMM <FFMMM@users.noreply.github.com>
Date:   Thu Dec 9 13:53:44 2021 -0800

    increase segment max limit to 4*64, make configurable (#1424)

    Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

* fix: rename ent changelog file

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-12-09 15:36:11 -08:00
R.B. Boyer 7b915456fd
update changelog for ent feature (#11794) 2021-12-09 16:44:14 -06:00
haxandmat d013ded88d
Improved performance of the version.GetHumanVersion function by 50% on memory allocation. (#11507)
Co-authored-by: Evan Culver <eculver@hashicorp.com>
2021-12-09 13:14:06 -08:00
John Cowen c410d295be
ui: Amends to Routing visualization for partitions (#11747)
* Update disco fixtures now we have partitions

* Add virtual-admin-6 fixture with partition 'redirects' and failovers

* Properly cope with extra partition segment for splitters and resolvers

* Make 'redirects' and failovers look/act consistently

* Fixup some unit tests
2021-12-09 10:47:58 +00:00
R.B. Boyer 5f5720837b
acl: ensure that the agent recovery token is properly partitioned (#11782) 2021-12-08 17:11:55 -06:00
Evan Culver 7a365fa0da
rpc: Unset partition before forwarding to remote datacenter (#11758) 2021-12-08 11:02:14 -08:00
Daniel Nephin dccd3f5806 Merge remote-tracking branch 'origin/main' into serve-panic-recovery 2021-12-07 16:30:41 -05:00
Dan Upton 3a91815169
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744) 2021-12-07 12:12:47 +00:00
freddygv b629b8f656 Add changelog entry 2021-12-06 12:35:11 -07:00
R.B. Boyer b1605639fc
light refactors to support making partitions and serf-based wan federation are mutually exclusive (#11755) 2021-12-06 13:18:02 -06:00
John Cowen 77412fd2e0
ui: Stop tables overlapping with their headers when scrolling (#11670) 2021-12-06 16:09:15 +00:00
R.B. Boyer e20e6348dd
areas: make the gRPC server tracker network area aware (#11748)
Fixes a bug whereby servers present in multiple network areas would be
properly segmented in the Router, but not in the gRPC mirror. This would
lead servers in the current datacenter leaving from a network area
(possibly during the network area's removal) from deleting their own
records that still exist in the standard WAN area.

The gRPC client stack uses the gRPC server tracker to execute all RPCs,
even those targeting members of the current datacenter (which is unlike
the net/rpc stack which has a bypass mechanism).

This would manifest as a gRPC method call never opening a socket because
it would block forever waiting for the current datacenter's pool of
servers to be non-empty.
2021-12-06 09:55:54 -06:00
Freddy a725f06c83
Merge pull request #11739 from hashicorp/ap/exports-rename 2021-12-06 08:20:50 -07:00
John Cowen 85c39092c0
ui: Adds basic support for partition exports to Service listings (#11702)
Also:

* ui: Add cross partition linking and rollout BucketList (#11712)

* ui: Add exported service partition to the source filter menu (#11727)
2021-12-06 11:06:33 +00:00
John Cowen 171cb0a247
ui: Adds partition support to Service and Node Identity templates (#11696) 2021-12-06 10:33:44 +00:00
John Cowen f27685cc40
ui: Adds basic support for the Routing tab viz with partitions (#11679) 2021-12-06 10:22:09 +00:00
John Cowen b07ff88874
ui: Add documentation link for partitions (#11668) 2021-12-06 10:09:44 +00:00
Freddy f24a206712
Merge pull request #11738 from hashicorp/ap/tproxy 2021-12-04 09:50:38 -07:00
Mike Morris 93f937f238
types: add types/tls.go for strongly-typed TLS versions and cipher suites (#11645)
types: add TLS constants

types: distinguish between human and Envoy serialization for TLSVersion constants

types: add DeprecatedAgentTLSVersions for backwards compatibility

types: add methods for printing TLSVersion as strings

types: add TLSVersionInvalid error value

types: add a basic test for TLSVersion comparison

types: add TLS cihper suite mapping using IANA constant names and values

types: adding ConsulAutoConfigTLSVersionStrings

changelog: add entry for TLSVersion and TLSCipherSuite types

types: initialize TLSVerison constants starting at zero

types: remove TLSVersionInvalid < 0 test

types: update note for ConsulAutoConfigTLSVersionStrings

types: programmatically invert TLSCipherSuites for HumanTLSCipherSuiteStrings lookup map

Co-authored-by: Dan Upton <daniel@floppy.co>

types: add test for TLSVersion zero-value

types: remove unused EnvoyTLSVersionStrings

types: implement MarshalJSON for TLSVersion

types: implement TLSVersionUnspecified as zero value

types: delegate TLS.MarshalJSON to json.Marshal, use ConsulConfigTLSVersionStrings as default String() values

Co-authored-by: Dan Upton <daniel@floppy.co>
2021-12-03 20:17:55 -05:00
freddygv cacfa79fc2 Add changelog entry 2021-12-03 17:50:40 -07:00
freddygv 9f3144b333 Add changelog entry 2021-12-03 17:31:42 -07:00
freddygv c148b73744 Add changelog entry 2021-12-03 17:12:43 -07:00
Freddy f032d6ef05
Merge pull request #11680 from hashicorp/ap/partition-exports-oss 2021-12-03 16:57:50 -07:00
freddygv 4b196fdb41 Add changelog entry 2021-12-03 16:55:19 -07:00
Freddy e246defb6c
Merge pull request #11720 from hashicorp/bbolt 2021-12-03 14:44:36 -07:00
Dan Upton 1e47e3c82b
Groundwork for exposing when queries are filtered by ACLs (#11569) 2021-12-03 17:11:26 +00:00
Kyle Havlovitz 0546bbe08a dns: add endpoint for querying service virtual IPs 2021-12-02 16:40:28 -08:00
Kyle Havlovitz 6f34a4f777
Merge pull request #11724 from hashicorp/service-virtual-ips
oss: add virtual IP generation for connect services
2021-12-02 16:16:57 -08:00
Kyle Havlovitz bd3c9ff244 Add changelog note 2021-12-02 15:54:40 -08:00
R.B. Boyer c46f9f9f31
agent: add variation of force-leave that exclusively works on the WAN (#11722)
Fixes #6548
2021-12-02 17:15:10 -06:00
Matt Keeler 09fd8f727e Add the changelog entry for bbolt modifications 2021-12-02 16:59:13 -05:00
Daniel Nephin 17a2d14d49 ca: set the correct SigningKeyID after config update with Vault provider
The test added in this commit shows the problem. Previously the
SigningKeyID was set to the RootCert not the local leaf signing cert.

This same bug was fixed in two other places back in 2019, but this last one was
missed.

While fixing this bug I noticed I had the same few lines of code in 3
places, so I extracted a new function for them.

There would be 4 places, but currently the InitializeCA flow sets this
SigningKeyID in a different way, so I've left that alone for now.
2021-12-02 16:07:11 -05:00
Daniel Nephin ff4581092e
Merge pull request #11671 from hashicorp/dnephin/ca-fix-storing-vault-intermediate
ca: fix storing the leaf signing cert with Vault provider
2021-12-02 16:02:24 -05:00
FFMMM 384d497f26
add MustRevalidate flag to connect_ca_leaf cache type; always use on non-blocking queries (#11693)
* always use MustRevalidate on non-blocking queries for connect ca leaf

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

* Update agent/agent_endpoint_test.go

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* pr feedback

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-12-02 11:32:15 -08:00
Daniel Nephin b29faa3e50 ca: fix stored CARoot representation with Vault provider
We were not adding the local signing cert to the CARoot. This commit
fixes that bug, and also adds support for fixing existing CARoot on
upgrade.

Also update the tests for both primary and secondary to be more strict.
Check the SigningKeyID is correct after initialization and rotation.
2021-12-02 12:42:49 -05:00
Dan Upton bf56a2c495
Rename `agent_master` ACL token in the API and CLI (#11669) 2021-12-02 17:05:27 +00:00
Dhia Ayachi 9705105311
fix changelog file name (#11710) 2021-12-02 11:41:08 -05:00
Dhia Ayachi 210cdd3e6f
add changelog (#11708) 2021-12-02 11:05:14 -05:00
Dan Upton d8afd2f6c8
Rename `master` and `agent_master` ACL tokens in the config file format (#11665) 2021-12-01 21:08:14 +00:00
R.B. Boyer db91cbf484
auto-config: ensure the feature works properly with partitions (#11699) 2021-12-01 13:32:34 -06:00
John Cowen 4e0507aed3
ui: Don't cache event sources following a 401 (#11681) 2021-12-01 13:24:52 +00:00
John Cowen f3d9565277
ui: Refactor KV and Lock Sessions following partitions update (#11666)
This commit uses all our new ways of doing things to Lock Sessions and their interactions with KV and Nodes. This is mostly around are new under-the-hood things, but also I took the opportunity to upgrade some of the CSS to reuse some of our CSS utils that have been made over the past few months (%csv-list and %horizontal-kv-list).

Also added (and worked on existing) documentation for Lock Session related components.
2021-12-01 11:33:33 +00:00
John Cowen b5c8af4580
ui: Add `Service.Partition` as available variable for dashboard urls (#11654) 2021-12-01 11:05:57 +00:00
John Cowen bda64f98b3
ui: Don't show policy datacenter selector for non-default partitions (#11656) 2021-12-01 11:05:15 +00:00
John Cowen f7b8df281b
ui: Add `Service.Namespace` variable to dashboard URL templates (#11640)
We currently allow only Datacenter, Service.Name, this PR adds Service.Namespace.
2021-11-25 10:47:07 +00:00
John Cowen 3f131dcf34
ui: Notifications re-organization/re-style (#11577)
- Moves where they appear up to the <App /> component.
- Instead of a <Notification /> wrapping component to move whatever you use for a notification up to where they need to appear (via ember-cli-flash), we now use a {{notification}} modifier now we have modifiers.
- Global notifications/flashes are no longer special styles of their own. You just use the {{notification}} modifier to hoist whatever component/element you want up to the top of the page. This means we can re-use our existing <Notice /> component for all our global UI notifications (this is the user visible change here)
2021-11-24 18:14:07 +00:00
John Cowen 2b8273bc6e
ui: Support for SSO with Admin Partitions (#11604)
* Upgrade AuthForm and document current state a little better
* Hoist SSO out of the AuthForm
* Bare minimum admin partitioned SSO

also:

ui: Tabbed Login with Token or SSO interface (#11619)

- I upgraded our super old, almost the first ember component I wrote, to use glimmer/almost template only. This should use slots/contextual components somehow, but thats a bigger upgrade so I didn't go that far.
- I've been wanting to upgrade the shape of our StateChart component for a very long while now, here its very apparent that it would be much better to do this sooner rather than later. I left it as is for now, but there will be a PR coming soon with a slight reshaping of this component.
- Added a did-upsert modifier which is a mix of did-insert/did-update
- Documentation added/amended for all the new things.
2021-11-24 14:53:12 +00:00
John Cowen b84ee47ff0
ui: Fix brand coloring for inline-code plus docs (#11578)
* ui: Fix brand coloring for inline-code plus docs

Also use --tones instead of --black/--white (#11601)

Co-authored-by: Evan Rowe <ev.rowe@gmail.com>
2021-11-23 18:32:11 +00:00
R.B. Boyer dd4a59db8e
agent: purge service/check registration files for incorrect partitions on reload (#11607) 2021-11-18 14:44:20 -06:00
Iryna Shustava 0ee456649f
connect: Support auth methods for the vault connect CA provider (#11573)
* Support vault auth methods for the Vault connect CA provider
* Rotate the token (re-authenticate to vault using auth method) when the token can no longer be renewed
2021-11-18 13:15:28 -07:00
John Cowen b7bd938411
ui: Store the default partition when logging in (#11591)
Make sure we store the default Partition for a users token.
2021-11-17 17:52:31 +00:00
John Cowen 35ccc2bc29
ui: Adding partitions + icons to upstreams/upstream instances (#11556)
Adds a partition badge/label/visual to upstreams and upstream instances.
2021-11-17 17:46:50 +00:00
John Cowen 2ef9ea00b1
ui: When certain menus are selected reset either nspace/partition (#11479)
For our dc, nspace and partition 'bucket' menus, sometimes when selecting one 'bucket' we need to reset a different 'bucket' back to the one that your token has by default (or the default if not). For example when switching to a different partition whilst you are in a non-default namespace of another partition, we need to switch you to the token default namespace of the partition you are switching to.
2021-11-17 15:59:26 +00:00
Dan Upton b51dc2f758
changelog: entry for snapshot agent `license_path` bug (#11561) 2021-11-16 23:07:14 +00:00
R.B. Boyer 2d37085faf
update changelog (#11575) 2021-11-16 15:21:20 -06:00
Mike Morris 25826e3ee4
deps: update gopsutil to fix Windows ARM and macOS non-Apple LLVM builds (#11586)
Bumps transitive dep go-ole to v1.2.6 with fixes
2021-11-16 15:40:11 -05:00
R.B. Boyer e6956893fb
api: ensure new partition fields are omit empty for back compat (#11585) 2021-11-16 12:28:34 -06:00
R.B. Boyer eb21649f82
partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
Freddy 86a30e9ce7
Merge pull request #11566 from hashicorp/ap/ingress
OSS Backport: Allow ingress gateways to target other partitions
2021-11-12 15:17:08 -07:00
R.B. Boyer ba792b050b
changelog sync (#11565) 2021-11-12 16:10:36 -06:00
freddygv 42ae90f473 Add changelog entry 2021-11-12 14:45:58 -07:00
Daniel Nephin 81759c7a41
Merge pull request #11557 from hashicorp/dnephin/changelog-namespace-default
Add changelog entry for namespace default policy/role fix
2021-11-12 12:19:42 -05:00
Alessandro De Blasis 53a61349e1
ui: Fix code editor resizing and restyle (#11474)
Fixes an issue where the code editor would not resizing to the full extent of the browser window plus CodeEditor restyling/refactoring

- :label named block
- :tools named block
- :content named block
- code and CSS cleanup
- CodeEditor.mdx

Signed-off-by: Alessandro De Blasis <alex@deblasis.net>

Co-authored-by: John Cowen <johncowen@users.noreply.github.com>
2021-11-12 15:28:06 +00:00
Daniel Nephin 70fce0cb8f Add changelog entry 2021-11-11 16:09:00 -05:00
Dan Upton 50329bf5f6
changelog: entry for enterprise licensing bug fix (#11551) 2021-11-11 13:39:05 +00:00
John Cowen 6557f52962
ui: Bump our browser support (#11505)
Bumps our browser support to a "rough ~2 years back" approach.
2021-11-11 13:37:49 +00:00
John Cowen 66f1dd9425
ui: [Port] Ensure the tokens default nspace (and partition) is passed thru to the auth endpoint (#11490)
Most HTTP API calls will use the default namespace of the calling token to additionally filter/select the data used for the response if one is not specified by the frontend.

The internal permissions/authorize endpoint does not do this (you can ask for permissions from different namespaces in on request).

Therefore this PR adds the tokens default namespace in the frontend only to our calls to the authorize endpoint. I tried to do it in a place that made it feel like it's getting added in the backend, i.e. in a place which was least likely to ever require changing or thinking about.

Note:  We are probably going to change this internal endpoint to also inspect the tokens default namespace on the backend. At which point we can revert this commit/PR.

* Add the same support for the tokens default partition
2021-11-11 12:02:29 +00:00
Kenia 37de276350
ui: Add Consul API Gateway as an external source (#11371) 2021-11-10 16:54:12 -05:00
Freddy 3e486cae86
Merge pull request #11546 from hashicorp/ui/bug/revert-11328
ui: Revert #11328 allow-${}-style-interpolation due, to browser support
2021-11-10 14:53:23 -07:00
99 0c5fdb167d
Add changelog entry (#11549) 2021-11-10 14:53:52 -05:00
John Cowen 537c4f32f7 Revert "Merge pull request #11328 from radiantly/ui/feature/allow-${}-style-interpolation"
This reverts commit cd55c0cda3, reversing
changes made to 14af8cb7a9.
2021-11-10 17:54:33 +00:00
Freddy aca0576cd1
Merge pull request #11541 from hashicorp/secondary-exports
OSS Backport: Prevent writing partition-exports entries to secondary DCs
2021-11-10 09:49:53 -07:00
Nitya Dhanushkodi 139c4eb844
command/redirect_traffic: Redirect DNS requests to Consul if -consul-dns-ip is passed in (#11480)
* command/redirect_traffic: add rules to redirect DNS to Consul. Currently uses a hack to get the consul dns service ip, and this hack only works when the service is deployed in the same namespace as consul.
* command/redirect_traffic: redirect DNS to Consul when -consul-dns-ip is passed in
* Add unit tests to Consul DNS IP table redirect rules

Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
2021-11-10 09:10:48 -05:00
John Cowen aeaa0a6c96
ui: Temporarily force all UI capabilities (#11520)
Temporarily revert to pre-1.10 UI functionality by overwriting frontend
permissions. These are used to hide certain UI elements, but they are
still enforced on the backend.

This temporary measure should be removed again once https://github.com/hashicorp/consul/issues/11098
has been resolved
2021-11-10 11:05:27 +00:00
freddygv a17f20be04 Add changelog entry 2021-11-09 16:45:20 -07:00
Freddy 00b5b0a0a2
Update filter chain creation for sidecar/ingress listeners (#11245)
The duo of `makeUpstreamFilterChainForDiscoveryChain` and `makeListenerForDiscoveryChain` were really hard to reason about, and led to concealing a bug in their branching logic. There were several issues here:

- They tried to accomplish too much: determining filter name, cluster name, and whether RDS should be used. 
- They embedded logic to handle significantly different kinds of upstream listeners (passthrough, prepared query, typical services, and catch-all)
- They needed to coalesce different data sources (Upstream and CompiledDiscoveryChain)

Rather than handling all of those tasks inside of these functions, this PR pulls out the RDS/clusterName/filterName logic.

This refactor also fixed a bug with the handling of [UpstreamDefaults](https://www.consul.io/docs/connect/config-entries/service-defaults#defaults). These defaults get stored as UpstreamConfig in the proxy snapshot with a DestinationName of "*", since they apply to all upstreams. However, this wildcard destination name must not be used when creating the name of the associated upstream cluster. The coalescing logic in the original functions here was in some situations creating clusters with a `*.` prefix, which is not a valid destination.
2021-11-09 14:43:51 -07:00
John Cowen 1515c3e667
ui: Filter global intentions list by selected partition (#11475)
* ui: Filter global intentions list by namespace and partition

Filters global intention listing by the current partition rather than trying to use a wildcard.
2021-11-09 17:38:24 +00:00
Kyle Havlovitz 6c0bd0550f
Merge pull request #11461 from deblasis/feature/empty_client_addr_warning
config: warn the user if client_addr is empty
2021-11-09 09:37:38 -08:00
Mark Anderson adb7510a7e
Fixup changelog filename (#11501)
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-11-09 09:32:27 -08:00
Daniel Upton 50a1f20ff9
xds: prefer fed state gateway definitions if they're fresher (#11522)
Fixes an issue described in #10132, where if two DCs are WAN federated
over mesh gateways, and the gateway in the non-primary DC is terminated
and receives a new IP address (as is commonly the case when running them
on ephemeral compute instances) the primary DC is unable to re-establish
its connection until the agent running on its own gateway is restarted.

This was happening because we always preferred gateways discovered by
the `Internal.ServiceDump` RPC (which would fail because there's no way
to dial the remote DC) over those discovered in the federation state,
which is replicated as long as the primary DC's gateway is reachable.
2021-11-09 16:45:36 +00:00
Freddy 7d95d90fce
Merge pull request #11514 from hashicorp/dnephin/ca-fix-secondary-init
ca: properly handle the case where the secondary initializes after the primary
2021-11-08 17:16:16 -07:00
freddygv 44748bf234 Add changelog entry 2021-11-08 17:14:27 -07:00
Giulio Micheloni af7b7b5693
Merge branch 'main' into serve-panic-recovery 2021-11-06 16:12:06 +01:00
R.B. Boyer d110d8735f
update changelog (#11513) 2021-11-05 17:00:19 -05:00
R.B. Boyer c7c5013edd
rename helper method to reflect the non-deprecated terminology (#11509) 2021-11-05 13:51:50 -05:00
Kenia 4c2fa322a1
ui: Topology view with no dependencies (#11280) 2021-11-05 13:46:41 -04:00
Connor efe4b21287
Support Vault Namespaces explicitly in CA config (#11477)
* Support Vault Namespaces explicitly in CA config

If there is a Namespace entry included in the Vault CA configuration,
set it as the Vault Namespace on the Vault client

Currently the only way to support Vault namespaces in the Consul CA
config is by doing one of the following:
1) Set the VAULT_NAMESPACE environment variable which will be picked up
by the Vault API client
2) Prefix all Vault paths with the namespace

Neither of these are super pleasant. The first requires direct access
and modification to the Consul runtime environment. It's possible and
expected, not super pleasant.

The second requires more indepth knowledge of Vault and how it uses
Namespaces and could be confusing for anyone without that context. It
also infers that it is not supported

* Add changelog

* Remove fmt.Fprint calls

* Make comment clearer

* Add next consul version to website docs

* Add new test for default configuration

* go mod tidy

* Add skip if vault not present

* Tweak changelog text
2021-11-05 11:42:28 -05:00
R.B. Boyer 44c023a302
segments: ensure that the serf_lan_allowed_cidrs applies to network segments (#11495) 2021-11-04 17:17:19 -05:00
R.B. Boyer e9ca2e091e
add changelog entry (#11494) 2021-11-04 16:52:54 -05:00
Mark Anderson 7e8228a20b
Remove some usage of md5 from the system (#11491)
* Remove some usage of md5 from the system

OSS side of https://github.com/hashicorp/consul-enterprise/pull/1253

This is a potential security issue because an attacker could conceivably manipulate inputs to cause persistence files to collide, effectively deleting the persistence file for one of the colliding elements.

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-11-04 13:07:54 -07:00
FFMMM 61bd417a82
plumb thru root cert tll to the aws ca provider (#11449)
* plumb thru root cert ttl to the aws ca provider

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

* Update .changelog/11449.txt

Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>

Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
2021-11-04 12:19:08 -07:00
John Cowen 72be2dd204
ui: Ensure we check intention service prefix permissions for per service (#11409)
Port of: Ensure we check intention service prefix permissions for per service (#11270)

Previously, when showing some action buttons for 'per service intentions' we used a global 'can I do something with any intention' permission to decide whether to show a certain button or not. If a user has a token that does not have 'global' intention permissions, but does have intention permissions on one or more specific services (for example via service / service_prefix), this meant that we did not show them certain buttons required to create/edit the intentions for this specific service.

This PR adds that extra permissions check so we now check the intentions permissions per service instead of using the 'global' "can I edit intentions" question/request.

**Notes:**

- If a HTML button is `disabled` this means tippy.js doesn't adopt the
popover properly and subsequently hide it from the user, so aswell as
just disabling the button so you can't active the popover, we also don't
even put the popover on the page
- If `ability.item` or `ability.item.Resources` are empty then assume no access

**We don't try to disable service > right hand side intention actions here**

Whether you can create intentions for a service depends on the
_destination_ of the intention you would like to create. For the
topology view going from the LHS to the center, this is straightforwards
as we only need to know the permissions for the central service, as when
you are going from the LHS to the center, the center is the
_destination_.

When going from the center to the RHS the _destination[s]_ are on the
RHS. This means we need to know the permissions for potentially 1000s of
services all in one go in order to know when to show a button or not.

We can't realistically discover the permissions for service > RHS
services as we'd have either make a HTTP request per right hand service,
or potentially make an incredibly large POST request for all the
potentially 1000s of services on the right hand side (more preferable to
1000s of HTTP requests).

Therefore for the moment at least we keep the old functionality (thin client)
for the middle to RHS here. If you do go to click on the button and you
don't have permissions to update the intention you will still not be
able to update it, only you won't know this until you click the button
(at which point you'll get a UI visible 403 error)

Note: We reversed the conditional here between 1.10 and 1.11

So this make 100% sense that the port is different here to 1.11
2021-11-04 12:10:28 +00:00
FFMMM 4ddf973a31
add root_cert_ttl option for consul connect, vault ca providers (#11428)
* add root_cert_ttl option for consul connect, vault ca providers

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* add changelog, pr feedback

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

* Update .changelog/11428.txt, more docs

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update website/content/docs/agent/options.mdx

Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>
2021-11-02 11:02:10 -07:00
Daniel Nephin 51d8417545
Merge pull request #10690 from tarat44/h2c-support-in-ping-checks
add support for h2c in h2 ping health checks
2021-11-02 13:53:06 -04:00
Alessandro De Blasis 2238df6fa4 changelog
Signed-off-by: Alessandro De Blasis <alex@deblasis.net>
2021-11-01 22:47:20 +00:00
Daniel Upton d47b7311b8
Support Check-And-Set deletion of config entries (#11419)
Implements #11372
2021-11-01 16:42:01 +00:00
Jared Kirschner 0854e1d684
Merge pull request #11348 from kbabuadze/fix-answers-alt-domain
Fix answers for alt domain
2021-10-29 17:09:20 -04:00