Commit Graph

15179 Commits

Author SHA1 Message Date
R.B. Boyer e0d1e2689c
ci: upgrade to use Go 1.16.7 (#10856) 2021-08-16 12:21:16 -05:00
hc-github-team-consul-core ed85684d96 auto-updated agent/uiserver/bindata_assetfs.go from commit ae9c31338 2021-08-16 16:10:17 +00:00
Kenia ae9c313382
ui: Update intention permissions notice wording (#10836) 2021-08-16 12:04:26 -04:00
Kenia 019ce785ab
ui: Create Routing Configurations route and page (#10835) 2021-08-16 12:04:04 -04:00
Blake Covarrubias 97b4fdff0d
Document possible risk w.r.t exposing the admin API in Envoy (#10817)
Add a section to the Connect Security page which highlights the risks
of exposing Envoy's administration interface outside of localhost.

Resolves #5692

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Co-authored-by: Kent 'picat' Gruber <kent@hashicorp.com>
2021-08-13 10:05:29 -07:00
Blake Covarrubias 8a396ae73f
Document tagged addresses (#10744)
Add section for tagged addresses on service definition documentation.

Resolves #6989

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2021-08-12 16:49:59 -07:00
Blake Covarrubias 8aa89c2c12
docs: Clarify ingress gateway's -address flag (#10810)
Clarify the function of `-address` flag when instantiating an ingress
gateway.

Resolves #9849

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2021-08-12 14:56:07 -07:00
Kyle Havlovitz fa5df0349d
Merge pull request #10843 from hashicorp/partitions/rename-default
oss: Rename default partition
2021-08-12 14:45:53 -07:00
Kyle Havlovitz 073b6c8411 oss: Rename default partition 2021-08-12 14:31:37 -07:00
Daniel Nephin 3e2ec34409
Merge pull request #10824 from hashicorp/dnephin/acl-token-bug
proxycfg: Use acl.tokens.default token as a default when there is no token in the registration
2021-08-12 17:00:35 -04:00
Daniel Nephin 0575498d0d proxycfg: Lookup the agent token as a default
When no ACL token is provided with the service registration.
2021-08-12 15:51:34 -04:00
Daniel Nephin b313f495b8 proxycfg: Add a test to show the bug
When a token is not provided at registration, the agent token is not being used.
2021-08-12 15:47:59 -04:00
Mike Morris 3bae53a989
deps: upgrade gogo-protobuf to v1.3.2 (#10813)
* deps: upgrade gogo-protobuf to v1.3.2

* go mod tidy using go 1.16

* proto: regen protobufs after upgrading gogo/protobuf

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-12 14:05:46 -04:00
Mark Anderson d3cebbd32c
Fixup to support unix domain socket via command line (#10758)
Missed the need to add support for unix domain socket config via
api/command line. This is a variant of the problems described in
it is easy to drop one.

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-08-12 10:05:22 -07:00
Daniel Nephin 525bc2d763
Merge pull request #10832 from hashicorp/dnephin/contrib-check-register-flows
contrib: add list of check register flows
2021-08-12 12:22:30 -04:00
Daniel Nephin ccf3a3bbb3 contrib: add list of check register flows 2021-08-12 12:08:36 -04:00
Chris Piraino 8f5e2a440b
docs: remove note on ingress gateway hosts field needing a port number (#10827)
This was necessary in older versions of Consul, but was obsoleted by
making Consul add the port number itself when constructing the Envoy
configuration.
2021-08-11 16:36:57 -05:00
Blake Covarrubias 99b1d8ed8c docs: Update code blocks across website
* Use CodeTabs for examples in multiple formats.
* Ensure correct language on code fences.
* Use CodeBlockConfig for examples with filenames, or which need
highlighted content.
2021-08-11 13:20:03 -07:00
hc-github-team-consul-core 199e850d16 auto-updated agent/uiserver/bindata_assetfs.go from commit ab6a67520 2021-08-11 17:05:51 +00:00
Kenia ab6a675209
ui: Split up the socket mode from the socket path (#10581) 2021-08-11 13:00:32 -04:00
Blake Covarrubias 7622e52013 docs: Add supported consistency modes to prepared queries
Resolves #3475
2021-08-10 16:19:22 -07:00
Blake Covarrubias 3363da7d35 docs: Add JSON examples to all config entries
This commit adds example JSON configs for several config entry
resources were missing examples in this language.

The examples have been updated to use the new CodeTabs resource
instead of the Tab component.
2021-08-10 15:34:28 -07:00
Blake Covarrubias 1ee8655bfc
cli: Fix broken KV import on Windows (#10820)
Consul 1.10 (PR #9792) introduced the ability to specify a prefix when
importing KV's. This however introduced a regression on Windows
systems which breaks `kv import`. The key name is joined with
specified`-prefix` using `filepath.Join()` which uses a forward slash
(/) to delimit values on Unix-based systems, and a backslash (\) to
delimit values on Windows – the latter of which is incompatible with
Consul KV paths.

This commit replaces filepath.Join() with path.Join() which uses a
forward slash as the delimiter, providing consistent key join behavior
across supported operating systems.

Fixes #10583
2021-08-10 14:42:05 -07:00
Blake Covarrubias e41d6ee60f
cli: Use admin bind address in self_admin cluster (#10757)
Configure the self_admin cluster to use the admin bind address
provided when starting Envoy.

Fixes #10747
2021-08-09 17:10:32 -07:00
trujillo-adam 067c8c2c5c
Merge pull request #10812 from hashicorp/docs-envoy-proxy-breaks-when-enabling-tls
docs: adding env var info
2021-08-09 15:58:37 -07:00
trujillo-adam 9e348edfaf
Merge branch 'main' into docs-envoy-proxy-breaks-when-enabling-tls 2021-08-09 14:57:29 -07:00
trujillo-adam ec7526caaa
Update website/content/docs/connect/proxies/envoy.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-08-09 13:36:28 -07:00
trujillo-adam 7d00adb824
Update website/content/docs/connect/proxies/envoy.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-08-09 13:36:07 -07:00
trujillo-adam 3fabe18acd docs: adding env var info, resolves #7926 2021-08-09 13:14:02 -07:00
Blake Covarrubias 6a68bfc5e1
cli: Test API access using /status/leader in consul watch (#10795)
Replace call to /agent/self with /status/leader to verify agent
reachability before initializing a watch. This endpoint is not guarded
by ACLs, and as such can be queried by any API client regardless of
their permissions.

Fixes #9353
2021-08-09 09:00:33 -07:00
Daniel Nephin 67fc97522f server: remove defaulting of PrimaryDatacenter
The constructor for Server is not at all the appropriate place to be setting default
values for a config struct that was passed in.

In production this value is always set from agent/config. In tests we should set the
default in a test helper.
2021-08-06 18:45:24 -04:00
Daniel Nephin d3325b0253
Merge pull request #10612 from bigmikes/acl-replication-fix
acl: acl replication routine to report the last error message
2021-08-06 18:29:51 -04:00
Daniel Nephin 7160f7a614 acl: remove ACLDatacenter
This field has been unnecessary for a while now. It was always set to the same value
as PrimaryDatacenter. So we can remove the duplicate field and use PrimaryDatacenter
directly.

This change was made by GoLand refactor, which did most of the work for me.
2021-08-06 18:27:00 -04:00
Giulio Micheloni d4a3fe33e8 String type instead of error type and changelog. 2021-08-06 22:35:27 +01:00
Mike Morris cbab337803
changelog: add 1.10.1, 1.9.8 and 1.8.14 2021-08-05 18:09:57 -04:00
Daniel Nephin 5c7589c84a
Merge pull request #10743 from hashicorp/dnephin/acl-resolver-2
acl: decouple filtering from ACLResolver and remove a couple methods
2021-08-05 15:47:05 -04:00
Daniel Nephin e1f04e8c96
Merge pull request #10742 from hashicorp/dnephin/acl-resolver
acl: move agent/consul vet functions
2021-08-05 15:36:49 -04:00
Daniel Nephin b837ba35a0 acl: remove Server.ResolveTokenIdentityAndDefaultMeta
This method suffered from similar naming to a couple other methods on Server, and had not great
re-use (2 callers). By copying a few of the lines into one of the callers we can move the
implementation into the second caller.

Once moved, we can see that ResolveTokenAndDefaultMeta is identical in both Client and Server, and
likely should be further refactored, possibly into ACLResolver.

This change is being made to make ACL resolution easier to trace.
2021-08-05 15:20:13 -04:00
Daniel Nephin 6cf6e7c5fe acl: remove Server.ResolveTokenToIdentityAndAuthorizer
This method was an alias for ACLResolver.ResolveTokenToIdentityAndAuthorizer. By removing the
method that does nothing the code becomes easier to trace.
2021-08-05 15:20:13 -04:00
Daniel Nephin cc4f155801 acl: recouple acl filtering from ACLResolver
ACL filtering only needs an authorizer and a logger. We can decouple filtering from
the ACLResolver by passing in the necessary logger.

This change is being made in preparation for moving the ACLResolver into an acl package
2021-08-05 15:20:13 -04:00
Daniel Nephin 111f3620a8 acl: remove unused error return
filterACLWithAuthorizer could never return an error. This change moves us a little bit
closer to being able to enable errcheck and catch problems caused by unhandled error
return values.
2021-08-05 15:20:13 -04:00
Daniel Nephin c0100543d0 acl: rename acl.Authorizer vars to authz
For consistency
2021-08-05 15:19:47 -04:00
Daniel Nephin 4f5477ccfa acl: move vet functions
These functions are moved to the one place they are called to improve code locality.

They are being moved out of agent/consul/acl.go in preparation for moving
ACLResolver to an acl package.
2021-08-05 15:19:24 -04:00
Daniel Nephin c4eadb6b96 acl: move vetRegisterWithACL and vetDeregisterWithACL
These functions are used in only one place. Move the functions next to their one caller
to improve code locality.

This change is being made in preparation for moving the ACLResolver into an
acl package. The moved functions were previously in the same file as the ACLResolver.
By moving them out of that file we may be able to move the entire file
with fewer modifications.
2021-08-05 15:17:54 -04:00
Daniel Nephin 1deba421c7
Merge pull request #10770 from hashicorp/dnephin/log-cert-expiration
telemetry: add log message when certs are about to expire
2021-08-05 15:17:20 -04:00
Daniel Nephin 0c42b38c92
Merge pull request #10793 from hashicorp/dnephin/acl-intentions
acl: small cleanup of a couple Authorization flows
2021-08-05 15:16:49 -04:00
Dhia Ayachi b495036823
defer setting the state before returning to avoid stuck in `INITIALIZING` state (#10630)
* defer setting the state before returning to avoid being stuck in `INITIALIZING` state

* add changelog

* move comment with the right if statement

* ca: report state transition error from setSTate

* update comment to reflect state transition

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-05 14:51:19 -04:00
sridhar 8b4672f644
Update website/content/docs/k8s/connect/ingress-gateways.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-08-04 16:25:36 -07:00
Daniel Nephin e94016872a
Merge pull request #10768 from hashicorp/dnephin/agent-tls-cert-expiration-metric
telemetry: add Agent TLS Certificate expiration metric
2021-08-04 18:42:02 -04:00
Daniel Nephin c718de730b acl: remove special handling of services in txn_endpoint
Follow up to: https://github.com/hashicorp/consul/pull/10738#discussion_r680190210

Previously we were passing an Authorizer that would always allow the
operation, then later checking the authorization using vetServiceTxnOp.

On the surface this seemed strange, but I think it was actually masking
a bug as well. Over time `servicePreApply` was changed to add additional
authorization for `service.Proxy.DestinationServiceName`, but because
we were passing a nil Authorizer, that authorization was not handled on
the txn_endpoint.

`TxnServiceOp.FillAuthzContext` has some special handling in enterprise,
so we need to make sure to continue to use that from the Txn endpoint.

This commit removes the `vetServiceTxnOp` function, and passes in the
`FillAuthzContext` function so that `servicePreApply` can be used by
both the catalog and txn endpoints. This should be much less error prone
and prevent bugs like this in the future.
2021-08-04 18:32:20 -04:00