Commit Graph

13084 Commits

Author SHA1 Message Date
Freddy 4e44341d36 Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 16:50:17 -07:00
Kit Patella f3380b1c43 Merge pull request #9091 from scellef/correct-upgrade-guide
Correcting text on when default was changed in Consul
2020-11-19 00:55:51 +00:00
Mike Morris c2c8528073 website: update download callout for v1.9.0-rc1 2020-11-18 18:38:06 -05:00
Mike Morris 54fcfec78c Merge branch 'stable-website' into website/1.9.0-rc1 2020-11-18 18:35:01 -05:00
Mike Morris 883ba66bed Merge branch 'release/1.9.0-rc1' of github.com:hashicorp/consul into release/1.9.0-rc1 2020-11-18 10:28:50 -05:00
hashicorp-ci b22f57fcf2 Putting source back into Dev Mode 2020-11-17 17:42:59 +00:00
Mike Morris f3108c4901 changelog: fixup changelog.tmpl formatting 2020-11-17 11:37:52 -05:00
hashicorp-ci 35d3e629ed
Release v1.9.0-rc1 2020-11-17 16:28:09 +00:00
hashicorp-ci 15ef28f57a
update bindata_assetfs.go 2020-11-17 16:28:08 +00:00
Mike Morris c34ef87cc1 changelog: add unreleased UI entries 2020-11-17 11:16:57 -05:00
Kenia 64bf6d9ca7 ui: Changelog changes (#9209) 2020-11-17 11:15:35 -05:00
Matt Keeler 1f0007d3f3 [docs] Change links to the DNS information to the right place (#8675)
The redirects were working in many situations but some (INTERNALS.md) was not. This just flips everything over to using the real link.
2020-11-17 15:03:27 +00:00
Mike Morris 7bf22dac6e changelog: add unreleased v1.9.0-rc1 entries 2020-11-16 22:29:26 -05:00
Freddy ef7ee6840a Add DC and NS support for Envoy metrics (#9207)
This PR updates the tags that we generate for Envoy stats.

Several of these come with breaking changes, since we can't keep two stats prefixes for a filter.
2020-11-16 19:55:18 -07:00
Kit Patella 88b013be99 Merge pull request #9198 from hashicorp/mkcp/telemetry/add-all-metric-definitions
Add metric definitions for all metrics known at Consul start
2020-11-16 16:26:16 -08:00
Matt Keeler dd857bfa37
Prevent panic if autopilot health is requested prior to leader establishment finishing. (#9204) 2020-11-16 17:14:56 -05:00
Matt Keeler acb44bb3b5
Add changelog entry for namespace licensing fix (#9203) 2020-11-16 17:14:45 -05:00
John Cowen 9b5ffca2c8 ui: Replace NaN and undefined metrics values with `-` (#9200)
* ui: Add functionality to metrics mocks:

1. More randomness during blocking queries
2. NaN and undefined values that come from prometheus
3. General trivial amends to bring things closer to the style of the
project

* Provider should always provide data as a string or undefined

* Use a placeholder `-` if the metrics endpoint responds with undefined data
2020-11-16 15:24:32 +00:00
Luke Kysow 35191ac381 Docs for upgrading to CRDs (#9176)
* Add Upgrading to CRDs docs
2020-11-13 23:20:11 +00:00
Luke Kysow 9050263072 Docs for upgrading to CRDs (#9176)
* Add Upgrading to CRDs docs
2020-11-13 23:20:07 +00:00
Kit Patella 07c0179bf8 Merge pull request #9195 from hashicorp/mkcp/changelog/add-1dot9-metrics-flag-note
add note about future metric fixes and deprecations under disable_com…
2020-11-13 22:46:14 +00:00
R.B. Boyer 2747b5145a server: intentions CRUD requires connect to be enabled (#9194)
Fixes #9123
2020-11-13 22:19:47 +00:00
Matt Keeler a316947a81 Remove this constant as it is soon to be changing and we want to prevent backwards compat issues (#9193) 2020-11-13 22:10:24 +00:00
R.B. Boyer de5e631e72 ci: update to go 1.15.5 (#9187) 2020-11-13 21:36:01 +00:00
R.B. Boyer fee0c44ab2 server: remove config entry CAS in legacy intention API bridge code (#9151)
Change so line-item intention edits via the API are handled via the state store instead of via CAS operations.

Fixes #9143
2020-11-13 20:42:57 +00:00
R.B. Boyer a955705e5e server: skip deleted and deleting namespaces when migrating intentions to config entries (#9186) 2020-11-13 19:57:12 +00:00
Mike Morris 0ba0391bdd ci: update to Go 1.15.4 and alpine:3.12 (#9036)
* ci: stop building darwin/386 binaries

Go 1.15 drops support for 32-bit binaries on Darwin https://golang.org/doc/go1.15#darwin

* tls: ConnectionState::NegotiatedProtocolIsMutual is deprecated in Go 1.15, this value is always true

* correct error messages that changed slightly

* Completely regenerate some TLS test data

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2020-11-13 18:03:37 +00:00
John Cowen 8067b229e7 ui: Search/sort improvements (#9183) 2020-11-13 15:56:20 +00:00
Kenia a2e0246805 ui: Pass down nspace and dc from Service model down to prometheus request (#9175)
* Pass down nspace and dc from Service model down to prometheus request

* Reviewing notes fix-ups

* Fix on dc/nspace to send from upstream/downstream card
2020-11-13 15:39:36 +00:00
R.B. Boyer d69640a6e9 server: break up Intention.Apply monolithic method (#9007)
The Intention.Apply RPC is quite large, so this PR attempts to break it down into smaller functions and dissolves the pre-config-entry approach to the breakdown as it only confused things.
2020-11-13 15:16:34 +00:00
Kenia 34b31dab50 ui: Update to not return metrics for ingress gateways (#9081) 2020-11-13 10:16:01 -05:00
Kenia f340762cca ui: Fix up typo for the UI config template url (#9109) 2020-11-13 13:01:58 +00:00
John Cowen 4743ab045e ui: Upstream Instance Search and Sort (#9172)
* ui: Add predicate, comparator and necessary files for the search/sort

* Implement search and sort for upstream instance list

* ui: Tweak CSS so its all part of the component

* Remove the old proxy test attribute
2020-11-13 10:27:19 +00:00
Kenia 676a520ce3 ui: Topology Intentions Popovers (#9137)
* Refactor grid styling for Topology page

* Crate TopologyMetrics Button component and move styling

* Create intention ID

* fixup button styling

* Return a link to the create intention page

* Rename Button to Popover component

* Fixup serializer test

* ui: Inline Topology Intention Actions  (#9153)

* Add arrow and dot to/from metrics back in

* Add addional space to have metrics wrap and show in smaller screens

* Move logic for finding positioning

* Use color variables

Co-authored-by: John Cowen <johncowen@users.noreply.github.com>
2020-11-13 10:24:34 +00:00
Kenia bc77d91587 ui: Delete Proxy Info tab (#9141)
* Remove Proxy Info and create Upstreams and Exposed Paths tabs

* Update routes formatting

* Update typo for Expose.Checks

* Remove, update, and add tests

* Make consul-upstream-instance-list into a glimmer component

* Create styling for upstream-instance-list component
2020-11-13 10:02:18 +00:00
Iryna Shustava 135e51c95f docs: add link to the OpenShift platform guide to k8s docs (#9177) 2020-11-12 23:07:10 +00:00
Iryna Shustava 251841b759 docs: add link to the OpenShift platform guide to k8s docs (#9177) 2020-11-12 23:07:06 +00:00
Kyle Schochenmaier 4142a8b86a Docs: for consul-k8s health checks (#8819)
* docs for consul-k8s health checks

Co-authored-by: Derek Strickland <1111455+DerekStrickland@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
2020-11-12 22:57:09 +00:00
Kyle Schochenmaier ba82eab3fb Docs: for consul-k8s health checks (#8819)
* docs for consul-k8s health checks

Co-authored-by: Derek Strickland <1111455+DerekStrickland@users.noreply.github.com>
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
2020-11-12 22:57:05 +00:00
Nitya Dhanushkodi 246bb7123e Merge pull request #9179 from hashicorp/ndhanushkodi-patch-1
Update Helm compatibility matrix
2020-11-12 22:55:06 +00:00
Nitya Dhanushkodi b6459fe725 Merge pull request #9179 from hashicorp/ndhanushkodi-patch-1
Update Helm compatibility matrix
2020-11-12 22:55:02 +00:00
Daniel Nephin 83338d7f9a Merge pull request #9162 from hashicorp/dnephin/fix-grpc-metrics
grpc: fix metrics
2020-11-12 22:04:18 +00:00
R.B. Boyer f815014432 agent: return the default ACL policy to callers as a header (#9101)
Header is: X-Consul-Default-ACL-Policy=<allow|deny>

This is of particular utility when fetching matching intentions, as the
fallthrough for a request that doesn't match any intentions is to
enforce using the default acl policy.
2020-11-12 16:39:16 +00:00
Paul Banks b4cb9155d8
Update ui-visualization.mdx 2020-11-12 15:53:51 +00:00
Matt Keeler cbf788b649 Add changelog entry for autopilot state CLI (#9161) 2020-11-11 19:55:45 +00:00
Mike Morris a8158739c7 ci: publish bindata_assetfs.go for all release/.x branches (#9158) 2020-11-11 18:40:34 +00:00
Mike Morris 89d0a1003d ci: remove nonexistant autopilot directory from go-test-race (#9159) 2020-11-11 18:39:29 +00:00
Matt Keeler 1f4da2ae9d Add a CLI command for retrieving the autopilot configuration. (#9142) 2020-11-11 18:19:32 +00:00
Mike Morris 9c989fef4d
Merge pull request #9155 from hashicorp/release/1.9.0-beta3
merge: 1.9.0-beta3
2020-11-11 12:55:23 -05:00
John Cowen 3135f0628a ui: Add vendor directory as a target for JS linting and lint (#9157)
* ui: Add vendor for js linting

* Lint all the things
2020-11-11 17:00:29 +00:00