Commit Graph

15243 Commits

Author SHA1 Message Date
Daniel Nephin e1f04e8c96
Merge pull request #10742 from hashicorp/dnephin/acl-resolver
acl: move agent/consul vet functions
2021-08-05 15:36:49 -04:00
Daniel Nephin b837ba35a0 acl: remove Server.ResolveTokenIdentityAndDefaultMeta
This method suffered from similar naming to a couple other methods on Server, and had not great
re-use (2 callers). By copying a few of the lines into one of the callers we can move the
implementation into the second caller.

Once moved, we can see that ResolveTokenAndDefaultMeta is identical in both Client and Server, and
likely should be further refactored, possibly into ACLResolver.

This change is being made to make ACL resolution easier to trace.
2021-08-05 15:20:13 -04:00
Daniel Nephin 6cf6e7c5fe acl: remove Server.ResolveTokenToIdentityAndAuthorizer
This method was an alias for ACLResolver.ResolveTokenToIdentityAndAuthorizer. By removing the
method that does nothing the code becomes easier to trace.
2021-08-05 15:20:13 -04:00
Daniel Nephin cc4f155801 acl: recouple acl filtering from ACLResolver
ACL filtering only needs an authorizer and a logger. We can decouple filtering from
the ACLResolver by passing in the necessary logger.

This change is being made in preparation for moving the ACLResolver into an acl package
2021-08-05 15:20:13 -04:00
Daniel Nephin 111f3620a8 acl: remove unused error return
filterACLWithAuthorizer could never return an error. This change moves us a little bit
closer to being able to enable errcheck and catch problems caused by unhandled error
return values.
2021-08-05 15:20:13 -04:00
Daniel Nephin c0100543d0 acl: rename acl.Authorizer vars to authz
For consistency
2021-08-05 15:19:47 -04:00
Daniel Nephin 4f5477ccfa acl: move vet functions
These functions are moved to the one place they are called to improve code locality.

They are being moved out of agent/consul/acl.go in preparation for moving
ACLResolver to an acl package.
2021-08-05 15:19:24 -04:00
Daniel Nephin c4eadb6b96 acl: move vetRegisterWithACL and vetDeregisterWithACL
These functions are used in only one place. Move the functions next to their one caller
to improve code locality.

This change is being made in preparation for moving the ACLResolver into an
acl package. The moved functions were previously in the same file as the ACLResolver.
By moving them out of that file we may be able to move the entire file
with fewer modifications.
2021-08-05 15:17:54 -04:00
Daniel Nephin 1deba421c7
Merge pull request #10770 from hashicorp/dnephin/log-cert-expiration
telemetry: add log message when certs are about to expire
2021-08-05 15:17:20 -04:00
Daniel Nephin 0c42b38c92
Merge pull request #10793 from hashicorp/dnephin/acl-intentions
acl: small cleanup of a couple Authorization flows
2021-08-05 15:16:49 -04:00
Dhia Ayachi b495036823
defer setting the state before returning to avoid stuck in `INITIALIZING` state (#10630)
* defer setting the state before returning to avoid being stuck in `INITIALIZING` state

* add changelog

* move comment with the right if statement

* ca: report state transition error from setSTate

* update comment to reflect state transition

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-05 14:51:19 -04:00
sridhar 8b4672f644
Update website/content/docs/k8s/connect/ingress-gateways.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-08-04 16:25:36 -07:00
Daniel Nephin e94016872a
Merge pull request #10768 from hashicorp/dnephin/agent-tls-cert-expiration-metric
telemetry: add Agent TLS Certificate expiration metric
2021-08-04 18:42:02 -04:00
Daniel Nephin c718de730b acl: remove special handling of services in txn_endpoint
Follow up to: https://github.com/hashicorp/consul/pull/10738#discussion_r680190210

Previously we were passing an Authorizer that would always allow the
operation, then later checking the authorization using vetServiceTxnOp.

On the surface this seemed strange, but I think it was actually masking
a bug as well. Over time `servicePreApply` was changed to add additional
authorization for `service.Proxy.DestinationServiceName`, but because
we were passing a nil Authorizer, that authorization was not handled on
the txn_endpoint.

`TxnServiceOp.FillAuthzContext` has some special handling in enterprise,
so we need to make sure to continue to use that from the Txn endpoint.

This commit removes the `vetServiceTxnOp` function, and passes in the
`FillAuthzContext` function so that `servicePreApply` can be used by
both the catalog and txn endpoints. This should be much less error prone
and prevent bugs like this in the future.
2021-08-04 18:32:20 -04:00
hc-github-team-consul-core af9acf4943 auto-updated agent/uiserver/bindata_assetfs.go from commit bcd53e73a 2021-08-04 22:27:44 +00:00
Kenia bcd53e73a2
ui: Add Vault as a Service External Source (#10769) 2021-08-04 18:22:43 -04:00
Daniel Nephin 5b2e5882b4 acl: move check for Intention.DestinationName into Authorizer
Follow up to https://github.com/hashicorp/consul/pull/10737#discussion_r680134445

Move the check for the Intention.DestinationName into the Authorizer to remove the
need to check what kind of Authorizer is being used.

It sounds like this check is only for legacy ACLs, so is probably just a safeguard
.
2021-08-04 18:06:44 -04:00
Daniel Nephin bbce192b4d
Merge pull request #10738 from hashicorp/dnephin/remove-authorizer-nil-checks-2
acl: remove the last of the authz == nil checks
2021-08-04 17:41:40 -04:00
Daniel Nephin 9cdd823ffc
Merge pull request #10737 from hashicorp/dnephin/remove-authorizer-nil-checks
acl: remove authz == nil checks
2021-08-04 17:39:34 -04:00
trujillo-adam c5824a834b
Merge pull request #10763 from hashicorp/docs-proxy-integration-improvements
general language and readability improvements to proxy integration docs
2021-08-04 14:36:47 -07:00
Daniel Nephin 4979b712b5
Merge pull request #10727 from hashicorp/dependabot-configuration
Add initial Dependabot configuration
2021-08-04 17:09:17 -04:00
trujillo-adam 5913aca502 Applying more feedback from @black and @karl-cardenas-coding 2021-08-04 14:02:42 -07:00
trujillo-adam 8ec29432d2 Applying feedback from @blake 2021-08-04 11:29:21 -07:00
Daniel Nephin 0e58e1ac4b telemetry: add log message when certs are about to expire 2021-08-04 14:18:59 -04:00
Daniel Nephin 9420506fae telemetry: fix a couple bugs in cert expiry metrics
1. do not emit the metric if Query fails
2. properly check for PrimaryUsersIntermediate, the logic was inverted

Also improve the logging by including the metric name in the log message
2021-08-04 13:51:44 -04:00
Daniel Nephin 8c575445da telemetry: add a metric for agent TLS cert expiry 2021-08-04 13:51:44 -04:00
trujillo-adam ee1de179ed
Update website/content/docs/connect/proxies/integrate.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-08-04 10:44:06 -07:00
Dhia Ayachi cfa9cf6d84
fix state index for `CAOpSetRootsAndConfig` op (#10675)
* fix state index for `CAOpSetRootsAndConfig` op

* add changelog

* Update changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* remove the change log as it's not needed

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-04 13:07:49 -04:00
hc-github-team-consul-core 2f6c95011b auto-updated agent/uiserver/bindata_assetfs.go from commit 8ad1ab9c0 2021-08-04 16:47:13 +00:00
Kenia 8ad1ab9c08
ui: Fix Health Checks in K/V form Lock Sessions Info section (#10767) 2021-08-04 12:41:41 -04:00
trujillo-adam 31b9058602 general language and readability improvements to proxy integration docs 2021-08-03 15:56:56 -07:00
Evan Culver 710bd90ef7
checks: Add Interval and Timeout to API response (#10717) 2021-08-03 15:26:49 -07:00
Daniel Nephin 8ecf26af6e
Merge pull request #10601 from hashicorp/joshwolfer-patch-1
docs: link to config entries from enable_central_service_config
2021-08-03 16:35:23 -04:00
joshwolfer 63a650028e Update options.mdx
add service config link to description of enable_central_service_config.
2021-08-03 15:36:51 -04:00
Blake Covarrubias 370a76ff3e
docs: Fix service checks docs on session endpoint (#10759)
The ServiceChecks parameter was incorrectly documented in e515c9d44 to
state that it accepted a list of string values, when actually the API
requires an array of ServiceCheck objects.

This commit updates the docs for the parameter to correctly reflect
the fields required by the API.

Resolves #10752
2021-08-03 09:57:31 -07:00
Matt Explosion 06f27fa088 Updated link to repo for native Scala Consul client Helm 2021-08-02 22:01:05 -07:00
Blake Covarrubias 734fd1949f
docs: Note proxy-defaults can globally set service protocol (#10649)
Add a note to the docs for the service defaults config entry which
informs users that the service protocol can be configured for all
services using the proxy defaults config entry.

Resolves #8279

Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-08-02 13:23:58 -07:00
Blake Covarrubias 17e18df81e
docs: Document supported `consul connect` env vars (#10667)
Document the ability to specify `-sidecar-for` and `-proxy-id` flags
via environment variables.
2021-08-02 12:50:51 -07:00
Blake Covarrubias e1c4088ba3 website: Add redirect for /connect/ingress-gateways
Add redirect /docs/connect/ingress-gateways, which currently returns
404, to /docs/connect/gateways/ingress-gateway.

Fixes #10748
2021-08-02 11:58:49 -07:00
Blake Covarrubias 46b1de8467
docs: Add namespace parameter to additional HTTP endpoints (#10731)
Document the namespace parameter can be specified on HTTP Check,
Connect CA leaf, and Discovery Chain API endpoints.

Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-08-02 11:55:23 -07:00
Blake Covarrubias b710d60043 docs: Add /v1/agent/host endpoint
Document /v1/agent/host endpoint which is used by `consul debug`.
Originally added in #4754.
2021-08-02 10:29:39 -07:00
Mike Wickett 1dfdecb237
chore: upgrade react-consent-manager (#10749) 2021-08-02 12:41:58 -04:00
Daniel Nephin 8cf1aa1bda acl: Remove the remaining authz == nil checks
These checks were a bit more involved. They were previously skipping some code paths
when the authorizer was nil. After looking through these it seems correct to remove the
authz == nil check, since it will never evaluate to true.
2021-07-30 14:55:35 -04:00
Daniel Nephin dc50b36b0f acl: remove acl == nil checks 2021-07-30 14:28:19 -04:00
Daniel Nephin 4f1a36629a acl: remove authz == nil checks
These case are already impossible conditions, because most of these functions already start
with a check for ACLs being disabled. So the code path being removed could never be reached.

The one other case (ConnectAuthorized) was already changed in a previous commit. This commit
removes an impossible branch because authz == nil can never be true.
2021-07-30 13:58:35 -04:00
Daniel Nephin f497d5ab30 acl: remove many instances of authz == nil 2021-07-30 13:58:35 -04:00
Daniel Nephin b8ae00c23b agent: remove unused agent methods
These methods are no longer used. Remove the methods, and update the
tests to use actual method used by production code.

Also removes the 'authz == nil' check is no longer a possible code path
now that we are returning a non-nil acl.Authorizer when ACLs are disabled.
2021-07-30 13:58:35 -04:00
Daniel Nephin 9dd6d26d05 acl: remove rule == nil checks 2021-07-30 13:58:35 -04:00
hc-github-team-consul-core 323039dd06 auto-updated agent/uiserver/bindata_assetfs.go from commit 2ee501be8 2021-07-30 17:58:27 +00:00
Kenia 2ee501be8d
ui: Add copy button for Secret ID in Tokens list page (#10735) 2021-07-30 13:52:37 -04:00