freddygv
4d4ccedb3a
Update locality check in proxycfg
2021-11-01 13:58:53 -06:00
Daniel Nephin
7337cfd6dc
Merge pull request #11340 from hashicorp/dnephin/ca-manager-provider
...
ca: split the Provider interface into Primary/Secondary
2021-11-01 14:11:15 -04:00
Daniel Nephin
eee598e91c
Merge pull request #11338 from hashicorp/dnephin/ca-manager-isolate-secondary
...
ca: clearly identify methods that are primary-only or secondary-only
2021-11-01 14:10:31 -04:00
Daniel Upton
d47b7311b8
Support Check-And-Set deletion of config entries ( #11419 )
...
Implements #11372
2021-11-01 16:42:01 +00:00
Dhia Ayachi
2801785710
regenerate expired certs ( #11462 )
...
* regenerate expired certs
* add documentation to generate tests certificates
2021-11-01 11:40:16 -04:00
Jared Kirschner
0854e1d684
Merge pull request #11348 from kbabuadze/fix-answers-alt-domain
...
Fix answers for alt domain
2021-10-29 17:09:20 -04:00
R.B. Boyer
c8cafb7654
agent: for various /v1/agent endpoints parse the partition parameter on the request ( #11444 )
...
Also update the corresponding CLI commands to send the parameter
appropriately.
NOTE: Behavioral changes are not happening in this PR.
2021-10-28 16:44:38 -05:00
R.B. Boyer
af9ffc214d
agent: add a clone function for duplicating the serf lan configuration ( #11443 )
2021-10-28 16:11:26 -05:00
Daniel Nephin
367b664318
Add tests for cert expiry metrics
2021-10-28 14:38:57 -04:00
Daniel Nephin
210d37e4ab
Merge pull request #10671 from hashicorp/dnephin/fix-subscribe-test-flake
...
subscribe: improve TestSubscribeBackend_IntegrationWithServer_DeliversAllMessages
2021-10-28 12:57:09 -04:00
Evan Culver
61be9371f5
connect: Remove support for Envoy 1.16 ( #11354 )
2021-10-27 18:51:35 -07:00
Evan Culver
bec08f4ec3
connect: Add support for Envoy 1.20 ( #11277 )
2021-10-27 18:38:10 -07:00
freddygv
ac96ce6552
Ensure partition-exports kind gets marshalled
...
The api module has decoding functions that rely on 'kind' being present
of payloads. This is so that we can decode into the appropriate api type
for the config entry.
This commit ensures that a static kind is marshalled in responses from
Consul's api endpoints so that the api module can decode them.
2021-10-27 15:01:26 -06:00
Daniel Nephin
a8e2e1c365
agent: move agent tls metric monitor to a more appropriate place
...
And add a test for it
2021-10-27 16:26:09 -04:00
Daniel Nephin
c92513ec16
telemetry: set cert expiry metrics to NaN on start
...
So that followers do not report 0, which would make alerting difficult.
2021-10-27 15:19:25 -04:00
Daniel Nephin
9264ce89d2
telemetry: fix cert expiry metrics by removing labels
...
These labels should be set by whatever process scrapes Consul (for
prometheus), or by the agent that receives them (for datadog/statsd).
We need to remove them here because the labels are part of the "metric
key", so we'd have to pre-declare the metrics with the labels. We could
do that, but that is extra work for labels that should be added from
elsewhere.
Also renames the closure to be more descriptive.
2021-10-27 15:19:25 -04:00
Daniel Nephin
7948720bbb
telemetry: only emit leader cert expiry metrics on the servers
2021-10-27 15:19:25 -04:00
Daniel Nephin
7fe60e5989
telemetry: prevent stale values from cert monitors
...
Prometheus scrapes metrics from each process, so when leadership transfers to a different node
the previous leader would still be reporting the old cached value.
By setting NaN, I believe we should zero-out the value, so that prometheus should only consider the
value from the new leader.
2021-10-27 15:19:25 -04:00
Daniel Nephin
0cc58f54de
telemetry: improve cert expiry metrics
...
Emit the metric immediately so that after restarting an agent, the new expiry time will be
emitted. This is particularly important when this metric is being monitored, because we want
the alert to resolve itself immediately.
Also fixed a bug that was exposed in one of these metrics. The CARoot can be nil, so we have
to handle that case.
2021-10-27 15:19:25 -04:00
Daniel Nephin
a3c781682d
subscribe: attempt to fix a flaky test
...
TestSubscribeBackend_IntegrationWithServer_DeliversAllMessages has been
flaking a few times. This commit cleans up the test a bit, and improves
the failure output.
I don't believe this actually fixes the flake, but I'm not able to
reproduce it reliably.
The failure appears to be that the event with Port=0 is being sent in
both the snapshot and as the first event after the EndOfSnapshot event.
Hopefully the improved logging will show us if these are really
duplicate events, or actually different events with different indexes.
2021-10-27 15:09:09 -04:00
Freddy
fbcf9f3f6c
Merge pull request #11435 from hashicorp/ent-authorizer-refactor
...
[OSS] Export ACLs refactor
2021-10-27 13:04:40 -06:00
Freddy
303532825f
Merge pull request #11432 from hashicorp/ap/exports-mgw
...
[OSS] Update mesh gateways to handle partitions
2021-10-27 12:54:53 -06:00
freddygv
43360eb216
Rework acl exports interface
2021-10-27 12:50:39 -06:00
Freddy
ec7e94d129
Merge pull request #11433 from hashicorp/exported-service-acls
...
[OSS] acl: Expand ServiceRead and NodeRead to account for partition exports
2021-10-27 12:48:08 -06:00
freddygv
e93c144d2f
Update comments
2021-10-27 12:36:44 -06:00
Freddy
a8762be529
Merge pull request #11431 from hashicorp/ap/exports-proxycfg
...
[OSS] Update partitioned mesh gw handling for connect proxies
2021-10-27 11:27:43 -06:00
Freddy
b1b6f682e1
Merge pull request #11416 from hashicorp/ap/exports-update
...
Rename service-exports to partition-exports
2021-10-27 11:27:31 -06:00
freddygv
3a2061544d
Fixup partitions assertion
2021-10-27 11:15:25 -06:00
freddygv
9480670b72
Fixup imports
2021-10-27 11:15:25 -06:00
freddygv
c72bbb6e8d
Split up locality check from hostname check
2021-10-27 11:15:25 -06:00
freddygv
d28b9052b2
Move the exportingpartitions constant to enterprise
2021-10-27 11:15:25 -06:00
freddygv
448701dbd8
Replace default partition check
2021-10-27 11:15:25 -06:00
freddygv
12923f5ebc
PR comments
2021-10-27 11:15:25 -06:00
freddygv
327e6bff25
Leave todo about default name
2021-10-27 11:15:25 -06:00
freddygv
5bf2497f71
Add oss impl of registerEntCache
2021-10-27 11:15:25 -06:00
freddygv
954d21c6ba
Register the ExportingPartitions cache type
2021-10-27 11:15:25 -06:00
freddygv
a33b6923e0
Account for partitions in xds gen for mesh gw
...
This commit avoids skipping gateways in remote partitions of the local
DC when generating listeners/clusters/endpoints.
2021-10-27 11:15:25 -06:00
freddygv
935112a47a
Account for partition in SNI for gateways
2021-10-27 11:15:25 -06:00
freddygv
110fae820a
Update xds pkg to account for GatewayKey
2021-10-27 09:03:56 -06:00
freddygv
7e65678c52
Update mesh gateway proxy watches for partitions
...
This commit updates mesh gateway watches for cross-partitions
communication.
* Mesh gateways are keyed by partition and datacenter.
* Mesh gateways will now watch gateways in partitions that export
services to their partition.
* Mesh gateways in non-default partitions will not have cross-datacenter
watches. They are not involved in traditional WAN federation.
2021-10-27 09:03:56 -06:00
freddygv
aa931682ea
Avoid mixing named and unnamed params
2021-10-26 23:42:25 -06:00
freddygv
bf350224a0
Avoid passing nil config pointer
2021-10-26 23:42:25 -06:00
freddygv
df7b5af6f0
Avoid panic on nil partitionAuthorizer config
...
partitionAuthorizer.config can be nil if it wasn't provided on calls to
newPartitionAuthorizer outside of the ACLResolver. This usage happens
often in tests.
This commit: adds a nil check when the config is going to be used,
updates non-test usage of NewPolicyAuthorizerWithDefaults to pass a
non-nil config, and detaches setEnterpriseConf from the ACLResolver.
2021-10-26 23:42:25 -06:00
freddygv
22bdf279d1
Update NodeRead for partition-exports
...
When issuing cross-partition service discovery requests, ACL filtering
often checks for NodeRead privileges. This is because the common return
type is a CheckServiceNode, which contains node data.
2021-10-26 23:42:11 -06:00
Kyle Havlovitz
65c9109396
acl: pass PartitionInfo through ent ACLConfig
2021-10-26 23:41:52 -06:00
Kyle Havlovitz
d03f849e49
acl: Expand ServiceRead logic to look at service-exports for cross-partition
2021-10-26 23:41:32 -06:00
freddygv
8006c6df73
Swap in structs.EqualPartitions for cmp
2021-10-26 23:36:01 -06:00
freddygv
37a16e9487
Replace Split with SplitN
2021-10-26 23:36:01 -06:00
freddygv
b9b6447977
Finish removing useInDatacenter
2021-10-26 23:36:01 -06:00
freddygv
e1691d1627
Update XDS for sidecars dialing through gateways
2021-10-26 23:35:48 -06:00
freddygv
62e0fc62c1
Configure sidecars to watch gateways in partitions
...
Previously the datacenter of the gateway was the key identifier, now it
is the datacenter and partition.
When dialing services in other partitions or datacenters we now watch
the appropriate partition.
2021-10-26 23:35:37 -06:00
freddygv
eacb73cb78
Remove useInDatacenter from disco chain requests
...
useInDatacenter was used to determine whether the mesh gateway mode of
the upstream should be returned in the discovery chain target. This
commit makes it so that the mesh gateway mode is returned every time,
and it is up to the caller to decide whether mesh gateways should be
watched or used.
2021-10-26 23:35:21 -06:00
R.B. Boyer
ef559dfdd4
agent: refactor the agent delegate interface to be partition friendly ( #11429 )
2021-10-26 15:08:55 -05:00
Chris S. Kim
fa293362be
agent: Ensure partition is considered in agent endpoints ( #11427 )
2021-10-26 15:20:57 -04:00
Konstantine
55599d0b41
remove spaces
2021-10-26 12:38:13 -04:00
Konstantine
ce85d2eada
fix altDomain responses for services where address is IP, added tests
2021-10-26 12:38:13 -04:00
Konstantine
a7e8c51f80
fix encodeIPAsFqdn to return alt-domain when requested, added test case
2021-10-26 12:38:12 -04:00
Konstantine
ffb00f01b5
fixed altDomain response for NS type queries, and added test
2021-10-26 12:38:12 -04:00
Konstantine
a828c45a62
edited TestDNS_AltDomains_Service to test responses for altDomains, and added TXT additional section check
2021-10-26 12:38:12 -04:00
Konstantine
0864bfdb71
fixed alt-domain answer for SRV records, and TXT records in additional section
2021-10-26 12:38:12 -04:00
Chris S. Kim
76bbeb3baf
ui: Pass primary dc through to uiserver ( #11317 )
...
Co-authored-by: John Cowen <johncowen@users.noreply.github.com>
2021-10-26 10:30:17 -04:00
freddygv
8aefdc31da
Remove outdated partition label from test
2021-10-25 18:47:02 -06:00
freddygv
5c24ed61a8
Rename service-exports to partition-exports
...
Existing config entries prefixed by service- are specific to individual
services. Since this config entry applies to partitions it is being
renamed.
Additionally, the Partition label was changed to Name because using
Partition at the top-level and in the enterprise meta was leading to the
enterprise meta partition being dropped by msgpack.
2021-10-25 17:58:48 -06:00
Daniel Nephin
4ae2c8de9d
Merge pull request #11232 from hashicorp/dnephin/acl-legacy-remove-docs
...
acl: add docs and changelog for the removal of the legacy ACL system
2021-10-25 18:38:00 -04:00
Daniel Nephin
5d41b4d2f4
Update agent/consul/acl_client.go
...
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-10-25 17:25:14 -04:00
Daniel Nephin
65d48e5042
state: remove support for updating legacy ACL tokens
2021-10-25 17:25:14 -04:00
Daniel Nephin
0784a31e85
acl: remove init check for legacy anon token
...
This token should always already be migrated from a previous version.
2021-10-25 17:25:14 -04:00
Daniel Nephin
daba3c2309
acl: remove legacy parameter to ACLDatacenter
...
It is no longer used now that legacy ACLs have been removed.
2021-10-25 17:25:14 -04:00
Daniel Nephin
3390f85ab4
acl: remove ACLTokenTypeManagement
2021-10-25 17:25:14 -04:00
Daniel Nephin
32b4ad42ac
acl: remove ACLTokenTypeClient,
...
along with the last test referencing it.
2021-10-25 17:25:14 -04:00
Daniel Nephin
aea4cc5a6d
acl: remove legacy arg to store.ACLTokenSet
...
And remove the tests for legacy=true
2021-10-25 17:25:14 -04:00
Daniel Nephin
c77e5747b1
acl: remove EmbeddedPolicy
...
This method is no longer. It only existed for legacy tokens, which are no longer supported.
2021-10-25 17:25:14 -04:00
Daniel Nephin
121431bf17
acl: remove tests for resolving legacy tokens
...
The code for this was already removed, which suggests this is not actually testing what it claims.
I'm guessing these are still resolving because the tokens are converted to non-legacy tokens?
2021-10-25 17:25:14 -04:00
Daniel Nephin
0d0761927a
acl: stop replication on leadership lost
...
It seems like this was missing. Previously this was only called by init of ACLs during an upgrade.
Now that legacy ACLs are removed, nothing was calling stop.
Also remove an unused method from client.
2021-10-25 17:24:12 -04:00
Daniel Nephin
98823e573f
Remove incorrect TODO
2021-10-25 17:20:06 -04:00
Daniel Nephin
1344137ce2
acl: move the legacy ACL struct to the one package where it is used
...
It is now only used for restoring snapshots. We can remove it in phase 2.
2021-10-25 17:20:06 -04:00
Daniel Nephin
531f2f8a3f
acl: remove most of the rest of structs/acl_legacy.go
2021-10-25 17:20:06 -04:00
Paul Banks
954b283fec
Merge pull request #11163 from hashicorp/feature/ingress-tls-mixed
...
Add support for enabling connect-based ingress TLS per listener.
2021-10-25 21:36:01 +01:00
FFMMM
fea6f08bf9
fix autopilot_failure_tolerance, add autopilot metrics test case ( #11399 )
...
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-10-25 10:55:59 -07:00
FFMMM
0954d261ae
use *telemetry.MetricsPrefix as prometheus.PrometheusOpts.Name ( #11290 )
...
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-10-21 13:33:01 -07:00
Dhia Ayachi
58f5686c08
fix leadership transfer on leave suggestions ( #11387 )
...
* add suggestions
* set isLeader to false when leadership transfer succeed
2021-10-21 14:02:26 -04:00
Dhia Ayachi
f424faffdd
try to perform a leadership transfer when leaving ( #11376 )
...
* try to perform a leadership transfer when leaving
* add a changelog
2021-10-21 12:44:31 -04:00
Kyle Havlovitz
04cd2c983e
Add new service-exports config entry
2021-10-20 12:24:18 -07:00
Jared Kirschner
14af8cb7a9
Merge pull request #11293 from bisakhmondal/service_filter
...
expression validation of service-resolver subset filter
2021-10-20 08:57:37 -04:00
Paul Banks
c891f30c24
Rebase and rebuild golden files for Envoy version bump
2021-10-19 21:37:58 +01:00
Paul Banks
6faf85bccd
Refactor `resolveListenerSDSConfig` to pass in whole config
2021-10-19 20:58:29 +01:00
Paul Banks
78a00f2e1c
Add support for enabling connect-based ingress TLS per listener.
2021-10-19 20:58:28 +01:00
Giulio Micheloni
a3fb665b88
Restored comment.
2021-10-16 18:05:32 +01:00
Giulio Micheloni
fecce25658
Separate test file and no stack trace in ret error
2021-10-16 18:02:03 +01:00
Giulio Micheloni
0c78ddacde
Merge branch 'main' of https://github.com/hashicorp/consul into hashicorp-main
2021-10-16 16:59:32 +01:00
R.B. Boyer
cc2abb79ba
acl: small OSS refactors to help ensure that auth methods with namespace rules work with partitions ( #11323 )
2021-10-14 15:38:05 -05:00
freddygv
e22f0cc033
Use stored entmeta to fill authzContext
2021-10-14 08:57:40 -06:00
freddygv
53ea1f634a
Ensure partition is handled by auto-encrypt
2021-10-14 08:32:45 -06:00
FFMMM
62980ffaa2
fix: only add prom autopilot gauges to servers ( #11241 )
...
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-10-13 09:25:30 -07:00
Chris S. Kim
c6906b4d37
Update Intentions.List with partitions ( #11299 )
2021-10-13 10:47:12 -04:00
R.B. Boyer
0c94095dfd
acl: fix bug in 'consul members' filtering with partitions ( #11263 )
2021-10-13 09:18:16 -05:00
Bisakh Mondal
a350a383d3
add service resolver subset filter validation
2021-10-13 02:56:04 +05:30
Connor
257d00c908
Merge pull request #11222 from hashicorp/clly/service-mesh-metrics
...
Start tracking connect service mesh usage metrics
2021-10-11 14:35:03 -05:00
Connor Kelly
786d2896ff
Replace fmt.Sprintf with function
2021-10-11 12:43:38 -05:00
tarat44
166269f93b
preload json values in structs to determine defaults
2021-10-10 17:52:26 -04:00
Daniel Nephin
b2f49279e2
ca: split Primary/Secondary Provider
...
To make it more clear which methods are necessary for each scenario. This can
also prevent problems which force all DCs to use the same Vault instance, which
is currently a problem.
2021-10-10 15:48:02 -04:00
Daniel Nephin
1d14889eca
ca: extract primaryUpdateRootCA
...
This function is only run when the CAManager is a primary. Extracting this function
makes it clear which parts of UpdateConfiguration are run only in the primary and
also makes the cleanup logic simpler. Instead of both a defer and a local var we
can call the cleanup function in two places.
2021-10-10 15:26:55 -04:00
Daniel Nephin
0bc812a8e5
ca: rename functions to use a primary or secondary prefix
...
This commit renames functions to use a consistent pattern for identifying the functions that
can only be called when the Manager is run as the primary or secondary.
This is a step toward eventually creating separate types and moving these methods off of CAManager.
2021-10-10 15:26:55 -04:00
Daniel Nephin
eaea56c7b2
ca: make receiver variable name consistent
...
Every other method uses c not ca
2021-10-10 15:26:55 -04:00
tarat44
3fe637156c
add test cases for h2ping_use_tls default behavior
2021-10-09 17:12:52 -04:00
FFMMM
a0bba9171d
fix consul_autopilot_healthy metric emission ( #11231 )
...
https://github.com/hashicorp/consul/issues/10730
2021-10-08 10:31:50 -07:00
Connor Kelly
a5cf4a9b57
Rename ConfigUsageEnterprise to EnterpriseConfigEntryUsage
2021-10-08 10:53:34 -05:00
Connor Kelly
8c519d5458
Rename and prefix ConfigEntry in Usage table
...
Rename ConfigUsage functions to ConfigEntry
prefix ConfigEntry kinds with the ConfigEntry table name to prevent
potential conflicts
2021-10-07 16:19:55 -05:00
Connor Kelly
533e7dbe85
Add connect specific prefix to Usage table
...
Ensure that connect Kind's are separate from ConfigEntry Kind's to
prevent miscounting
2021-10-07 16:16:23 -05:00
tarat44
ecdcfd6360
only set default on H2PingUseTLS if H2PING is set
2021-10-06 22:13:01 -04:00
Daniel Nephin
b4e3367e63
docs: add notice that legacy ACLs have been removed.
...
Add changelog
Also remove a metric that is no longer emitted that was missed in a
previous step.
2021-10-05 18:30:22 -04:00
Daniel Nephin
18b3ac33e8
acl: remove unused translate rules endpoint
...
The CLI command does not use this endpoint, so we can remove it. It was missed in an
earlier pass.
2021-10-05 18:26:05 -04:00
Connor Kelly
024715eb11
Add changelog, website and metric docs
...
Add changelog to document what changed.
Add entry to telemetry section of the website to document what changed
Add docs to the usagemetric endpoint to help document the metrics in code
2021-10-05 13:34:24 -05:00
Joshua Montgomery
8eb5915f7d
Fixing SOA record to use alt domain when alt domain in use ( #10431 )
2021-10-05 10:47:27 -04:00
tarat44
c5479cefe6
fix test
2021-10-05 00:48:09 -04:00
tarat44
ca2e7c2039
fix formatting
2021-10-05 00:15:04 -04:00
tarat44
1e8e44d442
fix formatting
2021-10-05 00:12:23 -04:00
tarat44
c1ed3a9a94
change config option to H2PingUseTLS
2021-10-05 00:12:21 -04:00
tarat44
3c9f5a73d9
add support for h2c in h2 ping health checks
2021-10-04 22:51:08 -04:00
Daniel Nephin
ab587f5221
Merge pull request #11182 from hashicorp/dnephin/acl-legacy-remove-upgrade
...
acl: remove upgrade from legacy, start in non-legacy mode
2021-10-04 17:25:39 -04:00
Evan Culver
e808620463
Merge pull request #11118 from hashicorp/eculver/remove-envoy-1.15
...
Remove support for Envoy 1.15
2021-10-04 23:14:24 +02:00
Evan Culver
c7747212c3
Merge pull request #11115 from hashicorp/eculver/envoy-1.19.1
...
Add support for Envoy 1.19.1
2021-10-04 23:13:26 +02:00
Daniel Nephin
c7f74deb17
acl: remove updateEnterpriseSerfTags
...
The only remaining caller is a test helper, and the tests don't use the enterprise gossip
pools.
2021-10-04 17:01:51 -04:00
Daniel Nephin
9b1d2685bf
Merge pull request #11126 from hashicorp/dnephin/acl-legacy-remove-resolve-and-get-policy
...
acl: remove ACL.GetPolicy RPC endpoint and ACLResolver.resolveTokenLegacy
2021-10-04 16:29:51 -04:00
Connor Kelly
c2583a1b7f
Add metrics to count the number of service-mesh config entries
2021-10-04 14:50:17 -05:00
Connor Kelly
536838b004
Add metrics to count connect native service mesh instances
...
This will add the counts of the service mesh instances tagged by
whether or not it is connect native
2021-10-04 14:37:05 -05:00
Connor Kelly
46bf882620
Add metrics to count service mesh Kind instance counts
...
This will add the counts of service mesh instances tagged by the
different ServiceKind's.
2021-10-04 14:36:59 -05:00
Daniel Nephin
a1e3fa818c
acl: fix test failures caused by removing legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Remove the early WaitForLeader in dc2, because with it the test was
failing with ACL not found.
2021-10-01 18:03:10 -04:00
Evan Culver
db397d62c5
Add 1.15 versions to too old list
2021-10-01 11:28:26 -07:00
Chris S. Kim
1c9b58a8af
agent: Reject partitions in legacy intention endpoints ( #11181 )
2021-10-01 13:18:57 -04:00
Chris S. Kim
53a35181e5
Support partitions in parseIntentionStringComponent ( #11202 )
2021-10-01 12:36:12 -04:00
Dhia Ayachi
a5b09493ab
fix token list by auth method ( #11196 )
...
* add tests to OIDC authmethod and fix entMeta when retrieving auth-methods
* fix oss compilation error
2021-10-01 12:00:43 -04:00
Evan Culver
e41830af8a
Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15
2021-09-30 11:32:28 -07:00
Evan Culver
fdbb742ffd
regenerate more envoy golden files
2021-09-30 10:57:47 -07:00
Daniel Nephin
4faf805716
acl: call stop for the upgrade goroutine when done
...
TestAgentLeaks_Server was reporting a goroutine leak without this. Not sure if it would actually
be a leak in production or if this is due to the test setup, but seems easy enough to call it
this way until we remove legacyACLTokenUpgrade.
2021-09-29 17:36:43 -04:00
Daniel Nephin
02da08ce77
acl: only run startACLUpgrade once
...
Since legacy ACL tokens can no longer be created we only need to run this upgrade a single
time when leadership is established.
2021-09-29 16:22:01 -04:00
Daniel Nephin
3ac910606c
acl: remove reading of serf acl tags
...
We no longer need to read the acl serf tag, because servers are always either ACL enabled or
ACL disabled.
We continue to write the tag so that during an upgrade older servers will see the tag.
2021-09-29 15:45:11 -04:00
Daniel Nephin
3d7c07e1e4
acl: fix test failure
...
For some reason removing legacy ACL upgrade requires using an ACL token now
for this WaitForLeader.
2021-09-29 15:21:30 -04:00
Daniel Nephin
5c721832dc
acl: remove legacy ACL upgrades from Server
...
As part of removing the legacy ACL system
2021-09-29 15:19:23 -04:00
Daniel Nephin
94be1835b2
acl: fix test failures caused by removing legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Use the root token in WaitForLeader, because without it the test was
failing with ACL not found.
2021-09-29 15:15:50 -04:00
Daniel Nephin
8e9773e20b
acl: remove ACL.GetPolicy endpoint and resolve legacy acls
...
And all code that was no longer used once those two were removed.
2021-09-29 14:33:19 -04:00
Daniel Nephin
d12dd48c61
acl: remove ACL upgrading from Clients
...
As part of removing the legacy ACL system ACL upgrading and the flag for
legacy ACLs is removed from Clients.
This commit also removes the 'acls' serf tag from client nodes. The tag is only ever read
from server nodes.
This commit also introduces a constant for the acl serf tag, to make it easier to track where
it is used.
2021-09-29 14:02:38 -04:00
Daniel Nephin
19040586ce
Merge pull request #11136 from hashicorp/dnephin/acl-resolver-fix-default-authz
...
acl: fix default Authorizer for down_policy extend-cache/async-cache
2021-09-29 13:45:12 -04:00
Daniel Nephin
a53fdd68c8
Merge pull request #11110 from hashicorp/dnephin/acl-legacy-remove-initialize
...
acl: remove initializeLegacyACL and the rest of the legacy FSM commands
2021-09-29 13:44:30 -04:00
Daniel Nephin
8f754aba14
Merge pull request #10999 from hashicorp/dnephin/revert-config-xds-port
...
Revert config xds_port
2021-09-29 13:39:15 -04:00
Daniel Nephin
cc310224aa
command/envoy: stop using the DebugConfig from Self endpoint
...
The DebugConfig in the self endpoint can change at any time. It's not a stable API.
This commit adds the XDSPort to a stable part of the XDS api, and changes the envoy command to read
this new field.
It includes support for the old API as well, in case a newer CLI is used with an older API, and
adds a test for both cases.
2021-09-29 13:21:28 -04:00
Daniel Nephin
6e1ebd3df7
acl: remove the last of the legacy FSM
...
Replace it with an implementation that returns an error, and rename some symbols
to use a Deprecated suffix to make it clear.
Also remove the ACLRequest struct, which is no longer referenced.
2021-09-29 12:42:23 -04:00
Daniel Nephin
ed928511ca
acl: remove bootstrap-init FSM operation
2021-09-29 12:42:23 -04:00
Daniel Nephin
dab5d1bdc8
acl: remove initializeLegacyACL from leader init
2021-09-29 12:42:23 -04:00
Daniel Nephin
05f0cc3993
acl: remove ACLDelete FSM command, and state store function
...
These are no longer used now that ACL.Apply has been removed.
2021-09-29 12:42:23 -04:00
Daniel Nephin
966e50e00e
acl: remove legacy field to ACLBoostrap
2021-09-29 12:42:23 -04:00
Daniel Nephin
1502547e38
Revert "Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc"
...
This reverts commit 74fb650b6b, reversing changes made to 58bd817336.
2021-09-29 12:28:41 -04:00
Daniel Nephin
0330966315
Merge pull request #11101 from hashicorp/dnephin/acl-legacy-remove-rpc-2
...
acl: remove legacy ACL.Apply RPC
2021-09-29 12:23:55 -04:00
Daniel Nephin
ea4a8343cd
Merge pull request #11177 from hashicorp/dnephin/remove-entmeta-methods
...
structs: remove EnterpriseMeta helper methods
2021-09-29 12:08:07 -04:00
Daniel Nephin
4c579a49ed
Merge pull request #10986 from hashicorp/dnephin/acl-legacy-remove-rpc
...
acl: remove legacy ACL RPC - part 1
2021-09-29 12:04:09 -04:00
Daniel Nephin
eb632c53a2
structs: rename the last helper method.
...
This one gets used a bunch, but we can rename it to make the behaviour more obvious.
2021-09-29 11:48:38 -04:00
Daniel Nephin
8d8c1f9d5e
structs: remove another helper
...
We already have a helper function.
2021-09-29 11:48:03 -04:00
Daniel Nephin
6d72517682
structs: remove two methods that were only used once each.
...
These methods only called a single function. Wrappers like this end up making code harder to read
because it adds extra ways of doing things.
We already have many helper functions for constructing these types, we don't need additional methods.
2021-09-29 11:47:03 -04:00
Daniel Nephin
8d1378cc1d
Merge pull request #10988 from hashicorp/dnephin/acl-legacy-remove-config
...
acl: isolate deprecated config and warn when they are used
2021-09-29 11:40:14 -04:00
Daniel Nephin
6b33e3bfd7
Merge pull request #9456 from hashicorp/dnephin/config-deprecation
...
config: Use DeprecatedConfig struct for deprecated config fields
2021-09-29 11:37:40 -04:00
Evan Culver
60170dfbe7
Merge remote-tracking branch 'origin/eculver/remove-envoy-1.15' into eculver/remove-envoy-1.15
2021-09-28 16:06:36 -07:00
Evan Culver
4f1a8d4ea6
Fix typo
...
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-09-29 01:05:45 +02:00
Evan Culver
03e44da9f7
Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15
2021-09-28 15:59:43 -07:00
Evan Culver
9b73e7319d
Merge branch 'main' into eculver/envoy-1.19.1
2021-09-28 15:58:20 -07:00
Chris S. Kim
5c37819d09
Cleanup unnecessary normalizing method ( #11169 )
2021-09-28 15:31:12 -04:00
Daniel Nephin
bf2a3f6e79
Merge pull request #11084 from krastin/krastin-autopilot-loggingtypo
...
Fix a tiny typo in logging in autopilot.go
2021-09-28 15:11:11 -04:00
Evan Culver
585d9363ed
Merge branch 'main' into eculver/envoy-1.19.1
2021-09-28 11:54:33 -07:00
Chris S. Kim
e3248c20c9
agent: Clean up unused built-in proxy config ( #11165 )
2021-09-28 11:29:10 -04:00
Daniel Nephin
cd4e70b34c
acl: fix default authorizer for down_policy
...
This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done
in https://github.com/hashicorp/consul/pull/10632 .
2021-09-23 18:12:22 -04:00
Daniel Nephin
6bb7aef15c
Remove t.Parallel from TestACLResolver_DownPolicy
...
These tests run in under 10ms, t.Parallel does nothing but slow them down and
make failures harder to debug when one panics.
2021-09-23 18:12:22 -04:00
Dhia Ayachi
e664dbc352
Refactor table index acl phase 2 ( #11133 )
...
* extract common methods from oss and ent
* remove unreachable code
* add missing normalize for binding rules
* fix oss to use Query
2021-09-23 15:26:09 -04:00
Daniel Nephin
e8ac5fd90b
config: Move ACLEnableKeyListPolicy to DeprecatedConfig
2021-09-23 15:15:00 -04:00
Daniel Nephin
5c40b717ed
config: move acl_ttl to DeprecatedConfig
2021-09-23 15:14:59 -04:00
Daniel Nephin
977f6d8888
config: move acl_{default,down}_policy to DeprecatedConfig
2021-09-23 15:14:59 -04:00
Daniel Nephin
5eafcea4d4
config: Deprecate EnableACLReplication
...
replaced by ACL.TokenReplication
2021-09-23 15:14:59 -04:00
Daniel Nephin
5dc16180ad
config: move ACL master token and replication to DeprecatedConfig
2021-09-23 15:14:59 -04:00
Paul Banks
1ecec84fd7
Merge pull request #10903 from hashicorp/feature/ingress-sds
...
Add Support for providing TLS certificates for Ingress listeners from an SDS source
2021-09-23 16:19:05 +01:00
Dhia Ayachi
5904e4ac79
Refactor table index ( #11131 )
...
* convert tableIndex to use the new pattern
* make `indexFromString` available for oss as well
* refactor `indexUpdateMaxTxn`
2021-09-23 11:06:23 -04:00
Paul Banks
7b4cbe3143
Final readability tweaks from review
2021-09-23 10:17:12 +01:00
Paul Banks
70bc89b7f4
Fix subtle loop bug and add test
2021-09-23 10:13:41 +01:00
Paul Banks
07f81991df
Refactor SDS validation to make it more contained and readable
2021-09-23 10:13:19 +01:00
Paul Banks
5cfd030d03
Refactor Ingress-specific lister code to separate file
2021-09-23 10:13:19 +01:00
Paul Banks
136928a90f
Minor PR typo and cleanup fixes
2021-09-23 10:13:19 +01:00
Paul Banks
20d0bf81f7
Revert abandoned changes to proxycfg for Ent test consistency
2021-09-23 10:13:19 +01:00
Paul Banks
a9119e36a5
Fix merge conflict in xds tests
2021-09-23 10:12:37 +01:00
Paul Banks
2281d883b9
Fix some more Enterprise Normalization issues affecting tests
2021-09-23 10:12:37 +01:00
Paul Banks
9fa60c7472
Remove unused argument to fix lint error
2021-09-23 10:09:11 +01:00
Paul Banks
659321d008
Handle namespaces in route names correctly; add tests for enterprise
2021-09-23 10:09:11 +01:00
Paul Banks
2a3d3d3c23
Update xDS routes to support ingress services with different TLS config
2021-09-23 10:08:02 +01:00
Paul Banks
16b3b1c737
Update xDS Listeners with SDS support
2021-09-23 10:08:02 +01:00
Paul Banks
ccbda0c285
Update proxycfg to hold more ingress config state
2021-09-23 10:08:02 +01:00
Paul Banks
4e39f03d5b
Add ingress-gateway config for SDS
2021-09-23 10:08:02 +01:00
Daniel Nephin
c84867feda
acl: remove ACL.Apply
...
As part of removing the legacy ACL system.
2021-09-22 18:28:08 -04:00
Daniel Nephin
ae05419aea
acl: made acl rules in tests slightly more specific
...
When converting these tests from the legacy ACL system to the new RPC endpoints I
initially changed most things to use _prefix rules, because that was equivalent to
the old legacy rules.
This commit modifies a few of those rules to be a bit more specific by replacing the _prefix
rule with a non-prefix one where possible.
2021-09-22 18:24:56 -04:00
Mark Anderson
d88d9e71c2
partitions/authmethod-index work from enterprise ( #11056 )
...
* partitions/authmethod-index work from enterprise
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-22 13:19:20 -07:00
Chris S. Kim
f972048ebc
connect: Allow upstream listener escape hatch for prepared queries ( #11109 )
2021-09-22 15:27:10 -04:00
Evan Culver
7e20a5e4f9
connect: remove support for Envoy 1.15
2021-09-22 11:48:50 -07:00
R.B. Boyer
706fc8bcd0
grpc: strip local ACL tokens from RPCs during forwarding if crossing datacenters ( #11099 )
...
Fixes #11086
2021-09-22 13:14:26 -05:00
Daniel Nephin
54256fb751
config: Move two more fields to DeprecatedConfig
...
And add a test for deprecated config fields.
2021-09-22 13:23:03 -04:00
Daniel Nephin
8ed14296ea
config: Introduce DeprecatedConfig
...
This struct allows us to move all the deprecated config options off of
the main config struct, and keeps all the deprecation logic in a single
place, instead of spread across 3+ places.
2021-09-22 13:22:16 -04:00