This implements a solution for #7863
It does:
- Add a new config cache.entry_fetch_rate to limit the number of calls/s for a given cache entry, default value = rate.Inf
- Add cache.entry_fetch_max_burst size of rate limit (default value = 2)
The new configuration now supports the following syntax for instance to allow 1 query every 3s:
- command line HCL: -hcl 'cache = { entry_fetch_rate = 0.333}'
- in JSON
{
  "cache": {
    "entry_fetch_rate": 0.333
  }
}
* Fix typos on commandline flags, updated config opts
- Added anchors to https://github.com/hashicorp/consul/pull/8223
- Fix Typos
Updated to include config file options as well as CLI.
Highlights:
- add new endpoint to query for intentions by exact match
- using this endpoint from the CLI instead of the dump+filter approach
- enforcing that OSS can only read/write intentions with a SourceNS or
  DestinationNS field of "default".
- preexisting OSS intentions with now-invalid namespace fields will
  delete those intentions on initial election or for wildcard namespaces
  an attempt will be made to downgrade them to "default" unless one
  exists.
- also allow the '-namespace' CLI arg on all of the intention subcommands
- update lots of docs
This example shows a TLS enabled ingress config on a non-https port.
Currently, that means we require the port to be specified in one of the
host entries to route traffic.
* Updates docs with ingress Host header changes
Clarify that a Host header is required for L7 protocols, and specify
that the default is to use the Consul DNS ingress subdomain
* Add sentence about using '*' by itself for testing
* Add optional step for using L7 routing config
* Note that port numbers may need to be added in the Hosts field
* Formatting spaces between keys in Config entries
* Service Router spacing
* Missing Camel Case proxy-defaults
* Remove extra spaces service-splitter
* Remove extra spaces service-resolver
* More spaces a la hclfmt
* Nice!
* Oh joy!
* More spaces on proxy-defaults
* Update website/pages/docs/agent/config-entries/proxy-defaults.mdx
Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
A Node Identity is very similar to a service identity. Its main targeted use is to allow creating tokens for use by Consul agents that will grant the necessary permissions for all the typical agent operations (node registration, coordinate updates, anti-entropy).
Half of this commit is for golden file based tests of the acl token and role cli output. Another big update was to refactor many of the tests in agent/consul/acl_endpoint_test.go to use the same style of tests and the same helpers. Besides being less boilerplate in the tests, it also uses a common way of starting a test server with ACLs that should operate without any warnings regarding deprecated non-uuid master tokens etc.