Commit Graph

75 Commits

Author SHA1 Message Date
Mike Morris b589604d92 changelog: add entry for network areas WAN config fix 2021-05-25 21:24:06 -04:00
Mike Morris 442a8efc7f Revert "Merge pull request #10277 from hashicorp/dnephin/backport-serf-tag-refactor"
This reverts commit f45ab674ce, reversing
changes made to 985ca60d35.
2021-05-25 21:15:19 -04:00
Daniel Nephin 4bd66e0348 Merge pull request #10272 from hashicorp/dnephin/backport-namespace-license-fix
Backport some ent changes for serf tags
2021-05-21 12:54:51 -04:00
Daniel Nephin ee992f788d Merge pull request #8812 from jjshanks/GH-8728
GH-8728 add raft default values
2021-05-18 19:33:17 +00:00
R.B. Boyer 2f9c448801 server: ensure that central service config flattening properly resets the state each time (#10245)
The prior solution to call reply.Reset() aged poorly since newer fields
were added to the reply, but not added to Reset() leading serial
blocking query loops on the server to blend replies.

This could manifest as a service-defaults protocol change from
default=>http not reverting back to default after the config entry
reponsible was deleted.

Backport of #10239 to 1.9.x
2021-05-14 18:25:37 +00:00
R.B. Boyer 63d03e3b6a agent: ensure we hash the non-deprecated upstream fields on ServiceConfigRequest (#10240) (#10244)
Backport of #10240 to 1.9.x
2021-05-14 15:49:55 +00:00
Freddy c2cfa6cf76 Add changelog entry for network area timeout updates (#10241) 2021-05-13 21:06:19 +00:00
Daniel Nephin ea6600dacc Merge pull request #10218 from hashicorp/dnephin/backport-local-agent-fix
[1.9.x] agent/local: do not persist the agent or user token
2021-05-12 17:20:07 +00:00
Daniel Nephin f8d33b36fd local: default to the agent token instead of the user token
When de-registering in anti-entropy sync, when there is no service or
check token.

The agent token will fall back to the default (aka user) token if no agent
token is set, so the existing behaviour still works, but it will prefer
the agent token over the user token if both are set.

ref: https://www.consul.io/docs/agent/options#acl_tokens

The agent token seems more approrpiate in this case, since this is an
"internal operation", not something initiated by the user.
2021-05-04 14:45:31 -04:00
R.B. Boyer 55600be4a9
[1.8.x] connect: update supported envoy versions to 1.14.7, 1.13.7, 1.12.7, 1.11.2 (#10106) 2021-04-29 15:56:24 -05:00
Matt Keeler c9919348be Update changelog and add telemetry docs (#10107) 2021-04-23 16:08:19 -04:00
Kyle Havlovitz 658e6a97bb Merge pull request #9672 from hashicorp/ca-force-skip-xc
connect/ca: Allow ForceWithoutCrossSigning for all providers
2021-04-20 15:41:32 -05:00
Kent 'picat' Gruber 065fe32c1b Merge pull request #10030 from hashicorp/fix-ent-audit-log-bypass
Add synthetic enterprise entry for CVE-2021-28156
2021-04-15 16:14:43 +00:00
Kent 'picat' Gruber 447dd528f6 Merge pull request #10023 from hashicorp/fix-raw-kv-xss
Add content type headers to raw KV responses
2021-04-15 09:48:14 -04:00
R.B. Boyer cbf1e5d3e9
Merge pull request #10026 from hashicorp/1.8.x-fix-wan-ipv6-key
[1.8.x] Fix advertise_addr_wan_ipv6 configuration key
2021-04-14 16:53:04 -05:00
Daniel Nephin 1cc59bd0cf Merge pull request #9851 from panascais-forks/fix-wan-ipv6-key
Fix advertise_addr_wan_ipv6 configuration key
2021-04-14 16:29:28 -05:00
Daniel Nephin 168e8da213 Merge pull request #10025 from hashicorp/dnephin/fix-snapshot-auth-methods
snapshot: fix saving of auth methods
2021-04-14 17:25:13 -04:00
Daniel Nephin 477cbb5678 Merge pull request #10014 from hashicorp/dnephin/changelog
Add changelog for enterprise change
2021-04-14 18:10:18 +00:00
Matt Keeler 46de6ba9ca
Backport 10013: Move static token resolution into the ACLResolver (#10013) (#10017)
# Conflicts:
#	agent/acl.go
#	agent/acl_test.go
#	agent/agent.go
#	agent/ui_endpoint.go
2021-04-14 13:04:32 -04:00
R.B. Boyer 89e4e3d534
[1.8.x] command: when generating envoy bootstrap configs to stdout do not mix informational logs into the json (#9985)
Backport of #9980 to `1.8.x`

Conflicts:
- just the generated golden command/ files
- envoy.go and envoy_test.go
2021-04-07 15:00:33 -05:00
John Cowen 24981a6c68 ui: Remove any trailing fullstop/period DNS characters from Gateways UI API (#9752)
Previous to this commit, the API response would include Gateway
Addresses in the form `domain.name.:8080`, which due to the addition of
the port is probably not the expected response.

This commit rightTrims any `.` characters from the end of the domain
before formatting the address to include the port resulting in
`domain.name:8080`
2021-02-25 09:36:43 +00:00
R.B. Boyer 46edc401ad connect: if the token given to the vault provider returns no data avoid a panic (#9806)
Improves #9800
2021-02-22 20:09:25 +00:00
R.B. Boyer 40987a2b69
xds: only try to create an ipv6 expose checks listener if ipv6 is supported by the kernel (#9794)
1.8.x backport of #9765

Conflicts:
- agent/xds/listeners_test.go
- test/integration/connect/envoy/helpers.bash
- agent/xds/testdata (different envoy versions)
2021-02-22 10:45:40 -06:00
R.B. Boyer 22640c9e87
[1.8.x] connect: update supported envoy point releases to 1.14.6, 1.13.7, 1.12.7, 1.11.2 (#9739)
selective backport of #9737
2021-02-10 13:11:51 -06:00
R.B. Boyer 415be133fa
connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate (#9428) (#9734)
1.8.x backport of #9428
2021-02-09 16:55:22 -06:00
Matt Keeler 5b543790d2
Backport to release/1.8.x: #9738 - Stop background refresh of cached data for requests that result in ACL not found errors (#9742) 2021-02-09 11:32:38 -05:00
Freddy c18a218bbb Avoid potential proxycfg/xDS deadlock using non-blocking send 2021-02-08 23:18:38 +00:00
R.B. Boyer 556b8bd1c2 server: use the presense of stored federation state data as a sign that we already activated the federation state feature flag (#9519)
This way we only have to wait for the serf barrier to pass once before
we can make use of federation state APIs Without this patch every
restart needs to re-compute the change.
2021-02-08 19:30:58 +00:00
R.B. Boyer eed2302b43 xds: prevent LDS flaps in mesh gateways due to unstable datacenter lists (#9651)
Also fix a similar issue in Terminating Gateways that was masked by an overzealous test.
2021-02-08 16:20:37 +00:00
R.B. Boyer bb5c2e802b xds: deduplicate mesh gateway listeners in a stable way (#9650)
In a situation where the mesh gateway is configured to bind to multiple
network interfaces, we use a feature called 'tagged addresses'.
Sometimes an address is duplicated across multiple tags such as 'lan'
and 'lan_ipv4'.

There is code to deduplicate these things when creating envoy listeners,
but that code doesn't ensure that the same tag wins every time. If the
winning tag flaps between xDS discovery requests it will cause the
listener to be drained and replaced.
2021-02-05 22:28:57 +00:00
Hans Hasselberg e6584182f2 Add flags to support CA generation for Connect (#9585) 2021-01-27 07:55:31 +00:00
Matt Keeler bb8386316d Add changelog entry for change to the temporary client license duration (#9642) 2021-01-26 21:15:53 +00:00
R.B. Boyer 685c38a1b1 server: initialize mgw-wanfed to use local gateways more on startup (#9528)
Fixes #9342
2021-01-25 23:31:28 +00:00
R.B. Boyer f135c3b64e server: when wan federating via mesh gateways only do heuristic primary DC bypass on the leader (#9366)
Fixes #9341
2021-01-22 16:07:11 +00:00
Matt Keeler 7cddf128e9
Backport #9570 to release/1.8.x: Ensure that CA initialization does not block leader election. (#9571)
Backport of PR: 9570

After fixing that bug I uncovered a couple more:

Fix an issue where we might try to cross sign a cert when we never had a valid root.
Fix a potential issue where reconfiguring the CA could cause either the Vault or AWS PCA CA providers to delete resources that are still required by the new incarnation of the CA.

Ensure that CA initialization does not block leader election.

After fixing that bug I uncovered a couple more:

Fix an issue where we might try to cross sign a cert when we never had a valid root.
Fix a potential issue where reconfiguring the CA could cause either the Vault or AWS PCA CA providers to delete resources that are still required by the new incarnation of the CA.
2021-01-21 09:04:30 -05:00
Matt Keeler 792fb090fe Add changelog for #9487 (#9491) 2021-01-05 18:06:27 +00:00
John Cowen af335e7ecc
ui: Make sure we pass the nspace through to the API for nodes (#9488)
Nodes themselves are not namespaced, so we'd originally assumed we did not need to pass through the ns query parameter when listing or viewing nodes.

As it turns out the API endpoints we use to list and view nodes (and related things) return things that are namespaced, therefore any API requests for nodes do require a the ns query parameter to be passed through to the request.

This PR adds the necessary ns query param to all things Node, apart from the querying for the leader which only returns node related information.
2021-01-05 15:54:23 +00:00
R.B. Boyer 0ecd16a382
acl: global tokens created by auth methods now correctly replicate to secondary datacenters (#9363)
Previously the tokens would fail to insert into the secondary's state
store because the AuthMethod field of the ACLToken did not point to a
known auth method from the primary.

Backport of #9351 to 1.8.x
2020-12-10 08:35:48 -06:00
Matt Keeler 8f79c50dff Add changelog for fixing the namespace replication bug from #9271 (#9347) 2020-12-08 17:05:27 +00:00
Mike Morris 893b34cf70 changelog: add entry for fixing active CA root unset (#9323) 2020-12-03 18:45:48 +00:00
Mike Morris d691d6774f changelog: add entries for secondary datacenter CA fixes (#9322) 2020-12-03 18:34:11 +00:00
Freddy cfd72af36c Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 17:15:23 +00:00
Matt Keeler 14cb672790 Add changelog entry for namespace licensing fix (#9203) 2020-11-16 20:46:34 +00:00
Matt Keeler 0c2eea2918
Backport #9156 to 1.8.x (#9164)
The Catalog, Config Entry, KV and Session resources potentially re-validate the input as its coming in. We need to prevent snapshot restoration failures due to missing namespaces or namespaces that are being deleted in enterprise.
2020-11-11 15:12:10 -05:00
Matt Keeler b1aee0a1ed Create _619.txt 2020-11-02 12:05:30 -05:00
Mike Morris 3848804bc8 changelog: fixup formatting for 8774.txt 2020-10-23 17:19:41 -04:00
Mike Morris 3bf05fd6e3 changelog: fixup CVE link for 9024.txt 2020-10-23 16:13:36 -04:00
Mike Morris acfd9fbfea changelog: fixup note.tmpl syntax 2020-10-23 16:10:58 -04:00
R.B. Boyer a155423f29 server: config entry replication now correctly uses namespaces in comparisons (#9024)
Previously config entries sharing a kind & name but in different
namespaces could occasionally cause "stuck states" in replication
because the namespace fields were ignored during the differential
comparison phase.

Example:

Two config entries written to the primary:

    kind=A,name=web,namespace=bar
    kind=A,name=web,namespace=foo

Under the covers these both get saved to memdb, so they are sorted by
all 3 components (kind,name,namespace) during natural iteration. This
means that before the replication code does it's own incomplete sort,
the underlying data IS sorted by namespace ascending (bar comes before
foo).

After one pass of replication the primary and secondary datacenters have
the same set of config entries present. If
"kind=A,name=web,namespace=bar" were to be deleted, then things get
weird. Before replication the two sides look like:

primary: [
    kind=A,name=web,namespace=foo
]
secondary: [
    kind=A,name=web,namespace=bar
    kind=A,name=web,namespace=foo
]

The differential comparison phase walks these two lists in sorted order
and first compares "kind=A,name=web,namespace=foo" vs
"kind=A,name=web,namespace=bar" and falsely determines they are the SAME
and are thus cause an update of "kind=A,name=web,namespace=foo". Then it
compares "<nothing>" with "kind=A,name=web,namespace=foo" and falsely
determines that the latter should be DELETED.

During reconciliation the deletes are processed before updates, and so
for a brief moment in the secondary "kind=A,name=web,namespace=foo" is
erroneously deleted and then immediately restored.

Unfortunately after this replication phase the final state is identical
to the initial state, so when it loops around again (rate limited) it
repeats the same set of operations indefinitely.
2020-10-23 18:42:45 +00:00
R.B. Boyer 3456b57dec
connect: update supported envoy point releases to 1.14.5, 1.13.6, 1.12.7, 1.11.2 for 1.8.x (#8999)
Selective backport of #8944 to 1.8.x
2020-10-22 13:26:51 -05:00