Commit Graph

17391 Commits

Author SHA1 Message Date
Blake Covarrubias a78015c5fd
docs: Redirect /docs/security/acl/acl-system (#12975)
/docs/security/acl/acl-system was renamed in e9a42df from PR #12460 to
/docs/security/acl. A corresponding redirect was not added for this
page, resulting in a 404 being returned when accessing the old URL
path.

This commit redirects the former URL path to the new location, and
also updates all links on the site to point to the new location.
2022-05-09 09:04:23 -07:00
DanStough 8661be475b chore(ci): fix nightly UI test syntaxx 2022-05-09 11:02:58 -04:00
DanStough 5451863f9f chore(ci): exempt backport PRs from changelog-checker 2022-05-06 17:58:12 -04:00
Evan Culver 9c8606e138
peering: add store.PeeringsForService implementation (#12957) 2022-05-06 12:35:31 -07:00
DanStough eafd91f35c ci: add nightly action for UI testing release branches 2022-05-06 11:31:32 -04:00
Eric Haberkorn e7b9d025a4
Merge pull request #12956 from hashicorp/suport-lambda-connect-proxy
Support Invoking Lambdas from Sidecar Proxies
2022-05-06 08:17:38 -04:00
Christopher Swenson 7dbe048dbf
docs: Fix broken links for roles and service identities (#12954) 2022-05-05 16:24:18 -07:00
Eric 21c3134575 Support making requests to lambda from connect proxies. 2022-05-05 17:42:30 -04:00
FFMMM 745bd15b15
api: add PeeeringList, polish (#12934) 2022-05-05 14:15:42 -07:00
R.B. Boyer d4eef44f49
build: speed up linting by 1.5x (#12908) 2022-05-05 12:42:52 -05:00
Mark Anderson 7eda81d00d
Update website/content/docs/connect/config-entries/mesh.mdx (#12943)
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
Signed-off-by: Mark Anderson <manderson@hashicorp.com>

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-05-05 10:39:53 -07:00
Blake Covarrubias 20321402ce
docs: Restore agent config docs removed in PR #12562 (#12907)
* docs: Re-add config file content removed in PR #12562

Re-add agent config option content that was erroneously removed in #12562 with
commit f4c03d234.

* docs: Re-add CLI flag content removed in PR #12562

Re-add CLI flag content that was erroneously removed in #12562 with
commit c5220fd18.

* Update website/content/docs/agent/config/cli-flags.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-05-05 10:08:15 -07:00
Riddhi Shah 0c855fab98
Validate port on mesh service registration (#12881)
Add validation to ensure connect native services have a port or socketpath specified on catalog registration.
This was the only missing piece to ensure all mesh services are validated for a port (or socketpath) specification on catalog registration.
2022-05-05 09:13:30 -07:00
Mark Anderson c6ff4ba7d8
Support vault namespaces in connect CA (#12904)
* Support vault namespaces in connect CA

Follow on to some missed items from #12655

From an internal ticket "Support standard "Vault namespace in the
path" semantics for Connect Vault CA Provider"

Vault allows the namespace to be specified as a prefix in the path of
a PKI definition, but our usage of the Vault API includes calls that
don't support a namespaced key. In particular the sys.* family of
calls simply appends the key, instead of prefixing the namespace in
front of the path.

Unfortunately it is difficult to reliably parse a path with a
namespace; only vault knows what namespaces are present, and the '/'
separator can be inside a key name, as well as separating path
elements. This is in use in the wild; for example
'dc1/intermediate-key' is a relatively common naming schema.

Instead we add two new fields: RootPKINamespace and
IntermediatePKINamespace, which are the absolute namespace paths
'prefixed' in front of the respective PKI Paths.

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 19:41:55 -07:00
Chris S. Kim abc472f2a3
Default discovery chain when upstream targets a DestinationPeer (#12942) 2022-05-04 16:25:25 -04:00
Mark Anderson 2fcac5224e
Merge pull request #12878 from hashicorp/ma/x-forwarded-client-cert
Support x-forwarded-client-cert
2022-05-04 11:05:44 -07:00
Evan Culver dfcd1f90a9
fix(ci): use correct variable syntax for build-distros job (#12933) 2022-05-04 10:45:23 -07:00
Dan Upton a668c36930
acl: gRPC login and logout endpoints (#12935)
Introduces two new public gRPC endpoints (`Login` and `Logout`) and
includes refactoring of the equivalent net/rpc endpoints to enable the
majority of logic to be reused (i.e. by extracting the `Binder` and
`TokenWriter` types).

This contains the OSS portions of the following enterprise commits:

- 75fcdbfcfa6af21d7128cb2544829ead0b1df603
- bce14b714151af74a7f0110843d640204082630a
- cc508b70fbf58eda144d9af3d71bd0f483985893
2022-05-04 17:38:45 +01:00
Mark Anderson 97f19a6ec1 Fix tests for APPEND_FORWARD change
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:59 -07:00
Mark Anderson 863bc16530 Change to use APPEND_FORWARD for terminating gateway
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:59 -07:00
Mark Anderson 6430af1c0e Update mesh config tests
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:59 -07:00
Mark Anderson 05dc5a26b7 Docs and changelog edits
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:59 -07:00
Mark Anderson fee6c7a7b6 Fixup missed config entry
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:59 -07:00
Mark Anderson d7e7cb09dc Add some docs
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-04 08:50:58 -07:00
Mark Anderson 28b4b3a85d Add x-forwarded-client-cert headers
Description
Add x-fowarded-client-cert information on trusted incoming connections.

Envoy provides support forwarding and annotating the
x-forwarded-client-cert header via the forward_client_cert_details
set_current_client_cert_details filter fields. It would be helpful for
consul to support this directly in its config. The escape hatches are
a bit cumbersome for this purpose.

This has been implemented on incoming connections to envoy. Outgoing
(from the local service through the sidecar) will not have a
certificate, and so are left alone.

A service on an incoming connection will now get headers something like this:

```
X-Forwarded-Client-Cert:[By=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting;Hash=61ad5cbdfcb50f5a3ec0ca60923d61613c149a9d4495010a64175c05a0268ab2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard]
```

Closes #12852
2022-05-04 08:50:58 -07:00
claire labry 8ebb515bfc
Merge pull request #12917 from hashicorp/add-release-config-key
Add config key to the promote-staging event
2022-05-03 17:26:46 -04:00
Amier Chery 03ac931b52
Merge pull request #12631 from driesgroblerw/patch-1
Updated the link to acl-policies
2022-05-03 14:59:05 -04:00
DanStough 8d655ded4c chore(ci): fix backport-assistant for stable website 2022-05-03 14:36:46 -04:00
Kyle Havlovitz 0696ed24c8
Merge pull request #12885 from hashicorp/acl-err-cache
Store and return RPC error in ACL cache entries
2022-05-03 10:44:22 -07:00
Kyle Havlovitz 76d62a14f5 Return ACLRemoteError from cache and test it correctly 2022-05-03 10:05:26 -07:00
DanStough e899e06c29 chore(ci): fix backport assistant 2022-05-03 12:41:12 -04:00
R.B. Boyer bd87505bf2
ci: upgrade bats and the circle machine executors to get integration tests to function again (#12918)
Bonus change: send less context when building the test-sds-server to
speed up the setup.
2022-05-03 11:21:32 -05:00
Claire Labry 561221a343
Add config key to the promote-staging event 2022-05-03 11:58:14 -04:00
FFMMM 3b3f001580
[sync oss] api: add peering api module (#12911) 2022-05-02 11:49:05 -07:00
Blake Covarrubias 54119f3225
docs: Add example Envoy escape hatch configs (#12764)
Add example escape hatch configurations for all supported override
types.
2022-05-02 11:25:59 -07:00
DanStough b2a005342b chore(ci): add initial support for backport assistant 2022-05-02 11:14:32 -04:00
Jared Kirschner cf12f8af20
Merge pull request #12762 from hashicorp/jkirschner-hashicorp-patch-1
docs: use correct previous name of recovery token
2022-04-29 18:35:56 -04:00
Chris S. Kim 9791bad136
peering: Make Upstream peer-aware (#12900)
Adds DestinationPeer field to Upstream.
Adds Peer field to UpstreamID and its string conversion functions.
2022-04-29 18:12:51 -04:00
Jared Kirschner 5be6f3402d
Merge pull request #12902 from hashicorp/jkirschner-hashicorp-patch-2
docs: fix typo
2022-04-29 17:59:26 -04:00
Jared Kirschner c1aacc2728
docs: fix typo 2022-04-29 17:57:21 -04:00
Jared Kirschner 0028d927e3
Merge pull request #12893 from hashicorp/docs/improve-consul-server-resilience
docs: add guidance on improving Consul resilience
2022-04-29 15:42:09 -04:00
Chris S. Kim 0d66301ea7
Cleanup peering files that used error types that were removed (#12892) 2022-04-29 14:02:26 -04:00
Jared Kirschner de51780eb8 docs: add guidance on improving Consul resilience
Discuss available strategies for improving server-level and infrastructure-level
fault tolerance in Consul.
2022-04-29 10:58:03 -07:00
Jeff Apple e286dc2a50
Merge pull request #12891 from hashicorp/docs-api-gateway-0.2.1
Docs: update for API Gateway v0.2.1
2022-04-29 10:50:04 -07:00
Mathew Estafanous 474385d153
Unify various status errors into one HTTP error type. (#12594)
Replaces specific error types for HTTP Status codes with 
a generic HTTPError type.

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
2022-04-29 13:42:49 -04:00
Jeff-Apple e8a1a1eb68 Dcos: update for API Gateway v0.2.1 2022-04-29 09:52:00 -07:00
Jared Kirschner d04fe6ca2c
Merge pull request #11810 from hashicorp/update-enterprise-packaging-in-feature-docs
Update enterprise packaging in feature docs
2022-04-28 19:38:59 -04:00
Jared Kirschner 964afedd13 docs: improve ent overview headings 2022-04-28 16:27:34 -07:00
Jared Kirschner 1ca903d28d docs: explicitly fill all ent feature matrix cells 2022-04-28 12:41:37 -07:00
Chris S. Kim 2626963db9
Add a Github action to remind people about backport automation (#12884) 2022-04-28 14:52:41 -04:00