Commit Graph

2727 Commits

Author SHA1 Message Date
hashicorp-ci d2705af11f
update bindata_assetfs.go 2021-01-20 22:52:26 +00:00
John Cowen cdb1730a21 Fix -ui-content-path without regex (#9569)
* Add templating to inject JSON into an application/json script tag

Plus an external script in order to pick it out and inject the values we
need injecting into ember's environment meta tag.

The UI still uses env style naming (CONSUL_*) but we uses the new style
JSON/golang props behind the scenes.

Co-authored-by: Paul Banks <banks@banksco.de>
2021-01-20 18:48:32 +00:00
Matt Keeler fb09ac5456 Fix flaky test by marking mock expectations as optional (#9596)
These expectations are optional because in a slow CI environment the deadline to cancell the context might occur before the go routine reaches issuing the RPC. Either way we are successfully ensuring context cancellation is working.
2021-01-20 15:59:07 +00:00
Freddy f2cfbde1b0 Update topology mapping Refs on all proxy instance deletions (#9589)
* Insert new upstream/downstream mapping to persist new Refs

* Avoid upserting mapping copy if it's a no-op

* Add test with panic repro

* Avoid deleting up/downstreams from inside memdb iterator

* Avoid deleting gateway mappings from inside memdb iterator

* Add CHANGELOG entry

* Tweak changelog entry

Co-authored-by: Paul Banks <banks@banksco.de>
2021-01-20 15:18:09 +00:00
Daniel Nephin 7f14ce7a7e Merge pull request #9591 from hashicorp/dnephin/state-store-coordinates-iter
state: do not delete from inside an iteration (coordinates)
2021-01-19 23:17:29 +00:00
Matt Keeler 5f3a185cb0 Merge pull request #9570 from hashicorp/bugfix/9498 2021-01-19 21:30:47 +00:00
Chris Piraino db3400c22d Fix bug in usage metrics when multiple service instances are changed in a single transaction (#9440)
* Fix bug in usage metrics that caused a negative count to occur

There were a couple of instances were usage metrics would do the wrong
thing and result in incorrect counts, causing the count to attempt to
decrement below zero and return an error. The usage metrics did not
account for various places where a single transaction could
delete/update/add multiple service instances at once.

We also remove the error when attempting to decrement below zero, and
instead just make sure we do not accidentally underflow the unsigned
integer. This is a more graceful failure than returning an error and not
allowing a transaction to commit.

* Add changelog
2021-01-12 21:32:29 +00:00
Daniel Nephin 7efc2e7516 Merge pull request #9444 from hashicorp/dnephin/config-tests-sanitize
config: Use golden for TestRuntimeConfig_Sanitize
2021-01-11 22:43:01 +00:00
Pierre Souchay 2f80430304 Display a warning when rpc.enable_streaming = true is set on a client (#9530)
* Display a warning when rpc.enable_streaming = true is set on a client

This option has no effect when running as an agent

* Added warning when server starts with use_streaming_backend but without rpc.enable_streaming

* Added unit test
2021-01-08 20:23:58 +00:00
Daniel Nephin 6dd7d1c6e6 Merge pull request #9250 from hashicorp/dnephin/config-tags-2
config: remove unnecessary json/hcl struct tags
2021-01-08 19:09:18 +00:00
Daniel Nephin bac369b0f4 Merge pull request #9249 from hashicorp/dnephin/config-tags
config: use fields to detect enterprise-only settings
2021-01-08 00:50:15 +00:00
Daniel Nephin 156c14ae14 Merge pull request #9251 from hashicorp/dnephin/config-cleanup-flags-and-opts
config: move testing shims and cleanup some defaults
2021-01-08 00:22:03 +00:00
Daniel Nephin 223b85f89e Merge pull request #7583 from hashicorp/dnephin/id-printing
Fix printing of ID types
2021-01-08 00:02:59 +00:00
Daniel Nephin 36193c17d1 Merge pull request #9461 from hashicorp/dnephin/xds-server
xds: enable race detector and some small cleanup
2021-01-07 23:35:32 +00:00
Daniel Nephin 7292fe7db0 Merge pull request #9213 from hashicorp/dnephin/resolve-tokens-take-2
acl: Remove some unused things and document delegate method
2021-01-06 23:52:17 +00:00
Daniel Nephin 84a9ac1589 Merge pull request #9512 from pierresouchay/streaming_fix_grpc_tls2
[Streaming][bugfix] handle TLS signalisation when TLS is disabled on client side (alternative to #9494)
2021-01-06 22:11:21 +00:00
Daniel Nephin c18234cba1 Merge pull request #9067 from naemono/6074-allow-config-MaxHeaderBytes
Adds option to configure HTTP Server's MaxHeaderBytes
2021-01-05 17:29:33 +00:00
Matt Keeler 3faee062a5 Special case the error returned when we have a Raft leader but are not tracking it in the ServerLookup (#9487)
This can happen when one other node in the cluster such as a client is unable to communicate with the leader server and sees it as failed. When that happens its failing status eventually gets propagated to the other servers in the cluster and eventually this can result in RPCs returning “No cluster leader” error.

That error is misleading and unhelpful for determing the root cause of the issue as its not raft stability but rather and client -> server networking issue. Therefore this commit will add a new error that will be returned in that case to differentiate between the two cases.
2021-01-04 19:05:53 +00:00
R.B. Boyer 85205a63e8 server: deletions of intentions by name using the intention API is now idempotent (#9278)
Restoring a behavior inadvertently changed while fixing #9254
2021-01-04 17:27:50 +00:00
John Cowen 6cd7ad3952 api: Ensure the internal/ui/service endpoint responds with an array (#9397)
In some circumstances this endpoint will have no results in it (dues to
ACLs, Namespaces or filtering).

This ensures that the response is at least an empty array (`[]`) rather
than `null`
2020-12-15 16:52:37 +00:00
hashicorp-ci 8b9b803589
update bindata_assetfs.go 2020-12-11 03:26:04 +00:00
R.B. Boyer aa03e9979e acl: global tokens created by auth methods now correctly replicate to secondary datacenters (#9351)
Previously the tokens would fail to insert into the secondary's state
store because the AuthMethod field of the ACLToken did not point to a
known auth method from the primary.
2020-12-09 21:27:24 +00:00
Kenia 0ee745c899 Create consul version metric with version label (#9350)
* create consul version metric with version label

* agent/agent.go: add pre-release Version as well as label

Co-Authored-By: Radha13 <kumari.radha3@gmail.com>

* verion and pre-release version labels.

* hyphen/- breaks prometheus

* Add Prometheus gauge defintion for version metric

* Add new metric to telemetry docs

Co-authored-by: Radha Kumari <kumari.radha3@gmail.com>
Co-authored-by: Aestek <thib.gilles@gmail.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2020-12-09 14:17:51 +00:00
Kyle Havlovitz 38bbf32a9c Merge pull request #9318 from hashicorp/ca-update-followup
connect: Fix issue with updating config in secondary
2020-12-02 20:18:26 +00:00
Kyle Havlovitz ff93919034 Merge pull request #9009 from hashicorp/update-secondary-ca
connect: Fix an issue with updating CA config in a secondary datacenter
2020-11-30 22:50:26 +00:00
Daniel Nephin 60d7f30169 Merge pull request #9284 from hashicorp/dnephin/agent-service-register
local: mark service as InSync when added to local agent state
2020-11-27 20:50:53 +00:00
Hans Hasselberg b3a0b8edd9 fix serf_wan documentation (#9289)
WAN config is different than LAN config, source of truth is
f72d2042a8/config.go (L315-L326)
and now the docs are correct.
2020-11-27 19:51:04 +00:00
Daniel Nephin d230cea541 Merge pull request #9247 from pierresouchay/streaming_predictible_order_for_health
[Streaming] Predictable order for results of /health/service/:serviceName to mimic memdb
2020-11-25 20:55:00 +00:00
Mike Morris 3ee6d1c14f
Merge branch 'release/1.9.x' into release/1.9.0 2020-11-24 14:50:39 -05:00
Mike Morris dbb1249f13 Merge branch 'stable-website' into release/1.9.0 2020-11-24 14:44:53 -05:00
hashicorp-ci 79bb27a363
update bindata_assetfs.go 2020-11-24 19:05:48 +00:00
R.B. Boyer 7467ffbff3 server: fix panic when deleting a non existent intention (#9254)
* server: fix panic when deleting a non existent intention

* add changelog

* Always return an error when deleting non-existent ixn

Co-authored-by: freddygv <gh@freddygv.xyz>
2020-11-24 18:44:58 +00:00
R.B. Boyer 3c7cf0216d server: fix panic when deleting a non existent intention (#9254)
* server: fix panic when deleting a non existent intention

* add changelog

* Always return an error when deleting non-existent ixn

Co-authored-by: freddygv <gh@freddygv.xyz>
2020-11-24 13:44:45 -05:00
Kit Patella 727780140e Merge pull request #9261 from hashicorp/telemetry/fix-missing-and-stale-docs-2
Telemetry/fix missing and stale docs
2020-11-23 21:34:59 +00:00
Kit Patella 146466a708 Merge pull request #9261 from hashicorp/telemetry/fix-missing-and-stale-docs-2
Telemetry/fix missing and stale docs
2020-11-23 21:34:55 +00:00
Freddy ff5215d882 Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-23 06:27:20 -07:00
Kit Patella fe6ef7e414 Merge pull request #9245 from hashicorp/telemetry/fix-missing-and-stale-docs
Telemetry/fix missing and stale docs
2020-11-20 20:55:51 +00:00
Kit Patella 6e607d7cd3 Merge pull request #9245 from hashicorp/telemetry/fix-missing-and-stale-docs
Telemetry/fix missing and stale docs
2020-11-20 20:55:45 +00:00
Freddy 4e44341d36 Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 16:50:17 -07:00
R.B. Boyer 140c220131
[1.9.0] command: when generating envoy bootstrap configs use the datacenter returned from the agent services endpoint (#9230)
Manual backport of #9229 into 1.9.0 branch

Fixes #9215
2020-11-19 15:33:41 -06:00
R.B. Boyer 32f6d17e5d command: when generating envoy bootstrap configs use the datacenter returned from the agent services endpoint (#9229)
Fixes #9215
2020-11-19 21:28:09 +00:00
Freddy 5137e4501d Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 17:15:17 +00:00
Daniel Nephin 6e5f062593 Merge pull request #9224 from hashicorp/dnephin/fix-multiple-http-listeners
agent: fix bug with multiple listeners
2020-11-18 21:53:27 +00:00
Daniel Nephin b2c5e2d059 Use freeport
To prevent other tests which already use freeport from flaking when port 0 steals their reserved port.
2020-11-18 16:07:00 -05:00
Daniel Nephin c6381b7e2b agent: fix bug with multiple listeners
Previously the listener was being passed to a closure in a loop without
capturing the loop variable. The result is only the last listener is
used, so the http/https servers only listen on one address.

This problem is fixed by capturing the variable by passing it into a
function.
2020-11-18 14:39:26 -05:00
Daniel Nephin 6a42641eb2 Merge pull request #9160 from hashicorp/dnephin/go-test-race-in-to-out-list
ci: change go-test-race package list to exclude list
2020-11-17 18:14:09 +00:00
hashicorp-ci 2dfe2401ec Merge branch 'release/1.9.0-rc1' into remote-x 2020-11-17 17:43:03 +00:00
hashicorp-ci 15ef28f57a
update bindata_assetfs.go 2020-11-17 16:28:08 +00:00
Matt Keeler dfaaa0b73a Refactor to call non-voting servers read replicas (#9191)
Co-authored-by: Kit Patella <kit@jepsen.io>
2020-11-17 15:54:38 +00:00
Freddy ef7ee6840a Add DC and NS support for Envoy metrics (#9207)
This PR updates the tags that we generate for Envoy stats.

Several of these come with breaking changes, since we can't keep two stats prefixes for a filter.
2020-11-16 19:55:18 -07:00
Kit Patella 88b013be99 Merge pull request #9198 from hashicorp/mkcp/telemetry/add-all-metric-definitions
Add metric definitions for all metrics known at Consul start
2020-11-16 16:26:16 -08:00
Kit Patella 82e7363b90 Merge pull request #9198 from hashicorp/mkcp/telemetry/add-all-metric-definitions
Add metric definitions for all metrics known at Consul start
2020-11-17 00:13:51 +00:00
Freddy 4d39305442 Add DC and NS support for Envoy metrics (#9207)
This PR updates the tags that we generate for Envoy stats.

Several of these come with breaking changes, since we can't keep two stats prefixes for a filter.
2020-11-16 23:37:50 +00:00
Matt Keeler dd857bfa37
Prevent panic if autopilot health is requested prior to leader establishment finishing. (#9204) 2020-11-16 17:14:56 -05:00
Matt Keeler e421da3b59 Prevent panic if autopilot health is requested prior to leader establishment finishing. (#9204) 2020-11-16 22:08:44 +00:00
Daniel Nephin 9b904de406 Merge pull request #9114 from hashicorp/dnephin/filtering-in-stream
stream: improve naming of Payload methods
2020-11-16 19:21:20 +00:00
R.B. Boyer 2747b5145a server: intentions CRUD requires connect to be enabled (#9194)
Fixes #9123
2020-11-13 22:19:47 +00:00
R.B. Boyer fee0c44ab2 server: remove config entry CAS in legacy intention API bridge code (#9151)
Change so line-item intention edits via the API are handled via the state store instead of via CAS operations.

Fixes #9143
2020-11-13 20:42:57 +00:00
R.B. Boyer a955705e5e server: skip deleted and deleting namespaces when migrating intentions to config entries (#9186) 2020-11-13 19:57:12 +00:00
Mike Morris 0ba0391bdd ci: update to Go 1.15.4 and alpine:3.12 (#9036)
* ci: stop building darwin/386 binaries

Go 1.15 drops support for 32-bit binaries on Darwin https://golang.org/doc/go1.15#darwin

* tls: ConnectionState::NegotiatedProtocolIsMutual is deprecated in Go 1.15, this value is always true

* correct error messages that changed slightly

* Completely regenerate some TLS test data

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2020-11-13 18:03:37 +00:00
R.B. Boyer d69640a6e9 server: break up Intention.Apply monolithic method (#9007)
The Intention.Apply RPC is quite large, so this PR attempts to break it down into smaller functions and dissolves the pre-config-entry approach to the breakdown as it only confused things.
2020-11-13 15:16:34 +00:00
Daniel Nephin 83338d7f9a Merge pull request #9162 from hashicorp/dnephin/fix-grpc-metrics
grpc: fix metrics
2020-11-12 22:04:18 +00:00
R.B. Boyer f815014432 agent: return the default ACL policy to callers as a header (#9101)
Header is: X-Consul-Default-ACL-Policy=<allow|deny>

This is of particular utility when fetching matching intentions, as the
fallthrough for a request that doesn't match any intentions is to
enforce using the default acl policy.
2020-11-12 16:39:16 +00:00
Matt Keeler 1f4da2ae9d Add a CLI command for retrieving the autopilot configuration. (#9142) 2020-11-11 18:19:32 +00:00
Mike Morris 9c989fef4d
Merge pull request #9155 from hashicorp/release/1.9.0-beta3
merge: 1.9.0-beta3
2020-11-11 12:55:23 -05:00
Daniel Nephin 07bfd1d46e Merge pull request #8976 from joel0/wrap-eof
Wrap rpc error object
2020-11-11 16:51:42 +00:00
Matt Keeler e669899abf Add a paramter in state store methods to indicate whether a resource insertion is from a snapshot restoration (#9156)
The Catalog, Config Entry, KV and Session resources potentially re-validate the input as its coming in. We need to prevent snapshot restoration failures due to missing namespaces or namespaces that are being deleted in enterprise.
2020-11-11 16:22:11 +00:00
Daniel Nephin b3368b8ee7 Merge pull request #9149 from joel0/wrap-errors
Use error wrapping to preserve error type info
2020-11-10 23:27:42 +00:00
hashicorp-ci ab5265479f
update bindata_assetfs.go 2020-11-10 01:18:51 +00:00
Matt Keeler 8539565046 Merge pull request #9103 from hashicorp/feature/autopilot-mod
Switch to using the external autopilot module
2020-11-09 16:30:48 +00:00
Mike Morris 4f1d2a1c56 chore: upgrade to gopsutil/v3 (#9118)
* deps: update golang.org/x/sys

* deps: update imports to gopsutil/v3

* chore: make update-vendor
2020-11-07 01:49:01 +00:00
Mike Morris b721e1956a chore: update bindata_assetfs.go 2020-11-06 14:47:30 -05:00
R.B. Boyer fff77349ed Revert "Add namespace support for metrics (OSS) (#9117)" (#9124)
This reverts commit 06b3b017d3.
2020-11-06 16:57:56 +00:00
Freddy e86f58b163 Add namespace support for metrics (OSS) (#9117) 2020-11-05 18:30:37 -07:00
R.B. Boyer c464630615 agent: sanitize ui metrics proxy header values on agent/self endpoint (#9104) 2020-11-05 19:26:11 +00:00
Daniel Nephin 82a753285b Merge pull request #9073 from hashicorp/dnephin/backport-streaming-namespaces
streaming: backport namespace changes
2020-11-05 19:19:49 +00:00
Daniel Nephin f0beecad24 Merge pull request #9061 from hashicorp/dnephin/event-fields
stream: support filtering by namespace
2020-11-05 19:19:02 +00:00
R.B. Boyer c14439a146 agent: protect the ui metrics proxy endpoint behind ACLs (#9099)
This ensures the metrics proxy endpoint is ACL protected behind a
wildcard `service:read` and `node:read` set of rules. For Consul
Enterprise these will need to span all namespaces:

```
service_prefix "" { policy = "read" }
node_prefix ""    { policy = "read" }

namespace_prefix "" {
  service_prefix "" { policy = "read" }
  node_prefix ""    { policy = "read" }
}
```

This PR contains just the backend changes. The frontend changes to
actually pass the consul token header to the proxy through the JS plugin
will come in another PR.
2020-11-04 18:52:43 +00:00
Daniel Nephin b577dc19bf Merge pull request #9068 from hashicorp/restore-test-signature
restore prior signature of test helper so enterprise compiles
2020-11-02 23:16:21 +00:00
R.B. Boyer d6e7bf40f8 agent: introduce path allow list for requests going through the metrics proxy (#9059)
Added a new option `ui_config.metrics_proxy.path_allowlist`. This defaults to `["/api/v1/query", "/api/v1/query_range"]` when the metrics provider is set to `prometheus`.

Requests that do not use one of the allow-listed paths (via exact match) get a 403 Forbidden response instead.
2020-10-30 21:50:28 +00:00
R.B. Boyer 211051d92b state: ensure we unblock intentions queries upon the upgrade to config entries (#9062)
1. do a state store query to list intentions as the agent would do over in `agent/proxycfg` backing `agent/xds`
2. upgrade the database and do a fresh `service-intentions` config entry write
3. the blocking query inside of the agent cache in (1) doesn't notice (2)
2020-10-29 20:29:07 +00:00
Daniel Nephin 3fca80a52e Merge pull request #9025 from hashicorp/dnephin/streaming-options
streaming: Use a no-op event publisher if streaming is disabled
2020-10-29 19:31:08 +00:00
Daniel Nephin 7b9ee25956
Merge pull request #9026 from hashicorp/dnephin/streaming-without-cache-query-param
streaming: rename config and remove requirement for cache=1
2020-10-28 12:33:25 -04:00
Daniel Nephin 477d665309
Merge pull request #8618 from hashicorp/dnephin/remove-txn-readtxn
state: Use ReadTxn everywhere
2020-10-28 12:32:47 -04:00
Kyle Havlovitz 9f893307de
Merge pull request #9053 from hashicorp/vault-token-lookupself
connect: Use the lookup-self endpoint for Vault token
2020-10-27 14:34:03 -07:00
Daniel Nephin f0ac093fef agent/grpc: add connection count metrics
Gauge metrics are great for understanding the current state, but can somtimes hide problems
if there are many disconnect/reconnects.

This commit adds counter metrics for connections and streams to make it easier to see the
count of newly created connections and streams.
2020-10-27 16:49:49 -04:00
Daniel Nephin 5319ba02b0 agent/grpc: rename metrics
These new names should make it easier to add counter metics with similar prefixes
2020-10-27 16:49:49 -04:00
Daniel Nephin c82d6aa4ff
Merge pull request #8961 from hashicorp/dnephin/grpc-resolve-node-id
agent/grpc: fix some test flakes and handle duplicate server IDs in the pool
2020-10-27 16:47:37 -04:00
Daniel Nephin 74ac34e358
Merge pull request #8998 from hashicorp/dnephin/lib-ttlcache
lib/ttlcache: extract a new package from agent/cache
2020-10-27 16:43:10 -04:00
Daniel Nephin 0f81915495
Merge pull request #8987 from hashicorp/dnephin/stream-filter
streaming: apply filter to a single item
2020-10-27 16:39:43 -04:00
Daniel Nephin 8bcd5040c7 agent/grpc: Add an integration test for ClientPool with TLS
Also deregister the resolver.Builder in tests.
2020-10-27 16:34:18 -04:00
Daniel Nephin 8a785a351c agent/grpc: pass metrics to constructor
Instead of referencing a package var. This does not fix the flaky test, but it seems more correct.
2020-10-27 16:34:17 -04:00
Daniel Nephin d19657404f agent/grpc: fix a flaky test by performing more retries
Instead of using retry.Run, which appears to have problems in some cases where it does not
emit an error message, use a for loop.

Increase the number of attempts and remove any sleep, since this operation is not that expensive to do
in a tight loop
2020-10-27 16:34:17 -04:00
Daniel Nephin df405ac978 agent/grpc: remove misleading warnings from test output
Handle shutdown properly in tests so that the tests don't warn about using a closed connection.
2020-10-27 16:34:16 -04:00
Daniel Nephin e101aa8a74 agent/grpc: fix a flake in TestHandler_EmitsStats 2020-10-27 16:34:16 -04:00
Daniel Nephin 19da9c3a9b agent/grpc: use a separate channel for closing the Accept
Closing l.conns can lead to a race and a 'panic: send on closed chan' when a
connection is in the middle of being handled when the server is shutting down.

Found using '-race -count=800'
2020-10-27 16:34:15 -04:00
Daniel Nephin d8299670cc agent/grpc/resolver: namespace the server ID with the DC name
So that if two datacenters end up with overlapping serverIDs we don't send requests to the wrong server
2020-10-27 16:34:15 -04:00
Kyle Havlovitz f700a5707b connect: Use the lookup-self endpoint for Vault token 2020-10-27 13:03:45 -07:00
hashicorp-ci bea3d0fd96 auto-updated agent/uiserver/bindata_assetfs.go from commit f4208b5fb 2020-10-27 14:56:48 +00:00
hashicorp-ci 7a1538f747 auto-updated agent/uiserver/bindata_assetfs.go from commit 30da884d5 2020-10-27 14:31:16 +00:00