Commit Graph

30 Commits

Author SHA1 Message Date
Kyle Havlovitz 658e6a97bb Merge pull request #9672 from hashicorp/ca-force-skip-xc
connect/ca: Allow ForceWithoutCrossSigning for all providers
2021-04-20 15:41:32 -05:00
Freddy cfd72af36c Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 17:15:23 +00:00
Matt Keeler 6cae442ef4 Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774)
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2020-10-09 14:43:59 +00:00
Hans Hasselberg f88600320d Update API docs for GET /operator/keyring (#8691)
The response includes a new field: PrimaryKeys that lists the installed
primary keys.
2020-09-15 19:39:15 +00:00
Mike Morris 91ee7990cc
website: 1.8.x catchup (#8648)
* website: purge existing directory

* website: bulk update from master with changes specific to the upcoming 1.9 release excluded

* test: revert envoy_version to 1.14.2 for existing-ca-path golden file
2020-09-10 13:32:06 -04:00
Blake Covarrubias b3ca781602 docs: Fix rendering of link under service config endpoint
HTML and markdown cannot be present in the same line. Change markdown
link to HTML anchor element.
2020-09-09 00:44:17 +00:00
Freddy f88f5105bd
Add docs for using namespaces with intentions (#8594) 2020-09-01 12:29:41 -06:00
Seth Hoenig 870097646e api/agent: enable setting SuccessBeforePassing and FailuresBeforeCritical in API (#7949)
Fixes #7764

Until now these two fields could only be set through on-disk agent configuration.
This change adds the fields to the agent API struct definition so that they can
be set using the agent HTTP API.
2020-06-29 12:53:38 +00:00
Matt Keeler 3c4413cbed ACL Node Identities (#7970)
A Node Identity is very similar to a service identity. Its main targeted use is to allow creating tokens for use by Consul agents that will grant the necessary permissions for all the typical agent operations (node registration, coordinate updates, anti-entropy).

Half of this commit is for golden file based tests of the acl token and role cli output. Another big updates was to refactor many of the tests in agent/consul/acl_endpoint_test.go to use the same style of tests and the same helpers. Besides being less boiler plate in the tests it also uses a common way of starting a test server with ACLs that should operate without any warnings regarding deprecated non-uuid master tokens etc.
2020-06-16 16:55:01 +00:00
Freddy 2af14433be Merge pull request #8099 from hashicorp/gateway-services-endpoint 2020-06-12 21:15:25 +00:00
R.B. Boyer 5404155d36 acl: allow auth methods created in the primary datacenter to optionally create global tokens (#7899) 2020-06-01 16:45:22 +00:00
Chris Piraino 98005a79c4
Ingress and Terminating Gateway docs (#7710)
This PR contains documentation additions for ingress and terminating gateways. New pages for the config-entries and overall feature description were added, as well as various additions to related pages.

Co-authored-by: Jono Sosulska <42216911+jsosulska@users.noreply.github.com>
Co-authored-by: freddygv <gh@freddygv.xyz>
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
Co-authored-by: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2020-05-13 16:29:40 -05:00
R.B. Boyer 44d10e4894
docs: docs for jwt and oidc auth methods (#7847) 2020-05-13 14:14:03 -05:00
krishna sindhur 3698e03e7a
docs: header payload type change (#7763)
* changed the header type from string to list as mentioned in doc in [website/pages/api-docs/agent/check.mdx, website/pages/docs/agent/checks.mdx]
2020-05-12 11:48:48 +02:00
Jono Sosulska 9b363e9f23
Fix spelling of deregister (#7804) 2020-05-08 10:03:45 -04:00
R.B. Boyer a854e4d9c5
acl: oss plumbing to support auth method namespace rules in enterprise (#7794)
This includes website docs updates.
2020-05-06 13:48:04 -05:00
R.B. Boyer 22eb016153
acl: add MaxTokenTTL field to auth methods (#7779)
When set to a non zero value it will limit the ExpirationTime of all
tokens created via the auth method.
2020-05-04 17:02:57 -05:00
R.B. Boyer ca52ba7068
acl: add DisplayName field to auth methods (#7769)
Also add a few missing acl fields in the api.
2020-05-04 15:18:25 -05:00
Blake Covarrubias bf4ef056af
Add callouts to Enterprise features (#7548)
Label all enterprise-related content with Enterprise badge/callout.

Resolves #6887

Co-authored-by: Jeff Escalante <jescalan@users.noreply.github.com>
2020-04-28 12:53:29 -04:00
Jeff Escalante cc19b88288
a couple more anchor link fixes 2020-04-28 12:53:26 -04:00
Jeff Escalante 57c5118a83
update deps, add no-index category, fix downloads page 2020-04-28 12:53:25 -04:00
Jeff Escalante 6907c7e3db
fix broken links 2020-04-28 12:53:25 -04:00
Jeff Escalante 4a5d67a24e
add k8s/consul alias back, fix react prop name 2020-04-28 12:53:24 -04:00
Jeff Escalante a8a3c76983
remove 'sidebar_current' from frontmatter 2020-04-28 12:53:24 -04:00
Jeff Escalante 21ea5287b3
fix new syntax error 2020-04-28 12:53:22 -04:00
Jeff Escalante 2bfa64f903
replace internal .html link extensions 2020-04-28 12:53:20 -04:00
Jeff Escalante 9cd0b95f24
remove internal /index.html 2020-04-28 12:53:20 -04:00
Jeff Escalante 711352bcf1
docs rendering 2020-04-28 12:53:18 -04:00
Jeff Escalante 6bd1a51413
intro and api navigation converted 2020-04-28 12:52:44 -04:00
Jeff Escalante 93bc85dc4f
initial 2020-04-28 12:52:43 -04:00