Commit Graph

10883 Commits

Author SHA1 Message Date
Blake Covarrubias 91245622db docs: Indent secretName and secretKey under aclSyncToken
These are sub-parameters under aclSyncToken. Fix indentation so that
they are properly displayed under that top-level key.
2020-02-06 10:40:33 -08:00
Matt Keeler 9e5fd7f925
OSS Changes for various config entry namespacing bugs (#7226) 2020-02-06 10:52:25 -05:00
Hans Hasselberg 6a18f01b42
agent: ensure node info sync and full sync. (#7189)
This fixes #7020.

There are two problems this PR solves:
  * if the node info changes it is highly likely to get service and check registration permission errors unless those service tokens have node:write. Hopefully services you register don’t have this permission.
  * the timer for a full sync gets reset for every partial sync which means that many partial syncs are preventing a full sync from happening

Instead of syncing node info last, after services and checks, and possibly saving one RPC because it is included in every service sync, I am syncing node info first. It is only ever going to be a single RPC that we are only doing when node info has changed. This way we are guaranteed to sync node info even when something goes wrong with services or checks which is more likely because there are more syncs happening for them.
2020-02-06 15:30:58 +01:00
Fredrik Hoem Grelland d364a64f9a
docs: namespaces has erroneous HCL example (#7228) 2020-02-06 06:33:07 -06:00
R.B. Boyer 36982d5274
cli: fix typo in -namespace help text (#7225) 2020-02-05 14:43:25 -06:00
R.B. Boyer 0ecb4538c1
agent: differentiate wan vs lan loggers in memberlist and serf (#7205)
This should be a helpful change until memberlist and serf can be
properly switched to native hclog.
2020-02-05 09:52:43 -06:00
Matt Keeler dceb107325
Fix disco chain graph validation for namespaces (#7217)
Previously this happened to be validating only the chains in the default namespace. Now it will validate all chains in all namespaces when the global proxy-defaults is changed.
2020-02-05 10:06:27 -05:00
Matt Keeler 228da48f5d
Minor Non-Functional Updates (#7215)
* Cleanup the discovery chain compilation route handling

Nothing functionally should be different here. The real difference is that when creating new targets or handling route destinations we use the router config entries name and namespace instead of that of the top level request. Today they SHOULD always be the same but that may not always be the case. This hopefully also makes it easier to understand how the router entries are handled.

* Refactor a small bit of the service manager tests in oss

We used to use the stringHash function to compute part of the filename where things would get persisted to. This has been changed in the core code to calling the StringHash method on the ServiceID type. It just so happens that the new method will output the same value for anything in the default namespace (by design actually). However, logically this filename computation in the test should do the same thing as the core code itself so I updated it here.

Also of note is that newer enterprise-only tests for the service manager cannot use the old stringHash function at all because it will produce incorrect results for non-default namespaces.
2020-02-05 10:06:11 -05:00
Freddy cb77fc6d01
Add managed service provider token (#7218)
Stubs for enterprise-only ACL token to be used by managed service providers.
2020-02-04 13:58:56 -07:00
Hans Hasselberg f6ec8ed92b
agent: increase watchLimit to 8192. (#7200)
The previous value was too conservative and users with many instances
were having problems because of it. This change increases the limit to
8192 which reportedly fixed most of the issues with that.

Related: #4984, #4986, #5050.
2020-02-04 13:11:30 +01:00
Paul Banks df8db89f65
Update CHANGELOG.md 2020-02-03 17:24:44 +00:00
Paul Banks 5642805f1c
Update CHANGELOG.md 2020-02-03 17:21:27 +00:00
Hans Hasselberg fe49ea404d
build: update to golang 1.12.16 (#7153) 2020-02-03 18:20:03 +01:00
Paschalis Tsilias a335aa57c5
Expose Envoy's /stats for statsd agents (#7173)
* Expose Envoy /stats for statsd agents; Add testcases

* Remove merge conflict leftover

* Add support for prefix instead of path; Fix docstring to mirror these changes

* Add new config field to docs; Add testcases to check that /stats/prometheus is exposed as well

* Parametrize matchType (prefix or path) and value

* Update website/source/docs/connect/proxies/envoy.md

Co-Authored-By: Paul Banks <banks@banksco.de>

Co-authored-by: Paul Banks <banks@banksco.de>
2020-02-03 17:19:34 +00:00
R.B. Boyer 6404967034
add 'make go-mod-tidy' to serially run tidy on all submodules in the correct order (#7179)
- also make go-mod-tidy a dependency of update-vendor
2020-02-03 10:12:26 -06:00
Anudeep Reddy b5b4226d4f
[docs] Enabling connect requires server restarts (#6904) 2020-02-03 09:58:12 -06:00
Matt Keeler dfb0177dbc
Testing updates to support namespaced testing of the agent/xds… (#7185)
* Various testing updates to support namespaced testing of the agent/xds package

* agent/proxycfg package updates to support better namespace testing
2020-02-03 09:26:47 -05:00
Mohammad Gufran 47cc162ca3
docs: add Flightpath to the list of community tools (#7176) 2020-02-03 13:16:21 +01:00
Stuart Williams 3eb76691df
docs: rate limiting applies to Consul agents in server mode (#6932) 2020-02-03 13:10:47 +01:00
Chris Arcand d40b9f3501
docs: update available Sentinel imports (#6920) 2020-02-03 11:44:25 +01:00
Hans Hasselberg 649ffcb66f
memberlist: vendor v0.1.6 to pull in new state: stateLeft (#7184) 2020-02-03 11:02:13 +01:00
Michael Hofer 4ab3af0ede
docs: add missing Autopilot -min-quorum documentation (#7192) 2020-02-03 10:59:53 +01:00
Blake Covarrubias e158922615 Fix org name in Helm chart's imageEnvoy description
Update the description for the Helm chart's connectInject.imageEnvoy
parameter to reflect the correct organization name for images published by
EnvoyProxy.io.
2020-02-03 01:46:58 -08:00
Davor Kapsa 3cb4def563
auto_encrypt: check previously ignored error (#6604) 2020-02-03 10:35:11 +01:00
Alexandru Matei 5a6e602b86
docs: add detailed documentation about Health Checking specific service using the gRPC method (#6574) 2020-02-03 10:19:06 +01:00
Lars Lehtonen 699d1b2acb
cli: check previously ignored errors when updating a policy (#6565) 2020-02-03 10:14:30 +01:00
Fouad Zaryouh ef6399928d
api: add replace-existing-checks param to the api package (#7136) 2020-02-03 10:11:40 +01:00
Anthony Scalisi 1565351a5c
docs: fix typos, IDs are UUIDs, /acl/token endpoints manage ACL tokens (#5736) 2020-02-03 09:41:54 +01:00
hashicorp-ci 1f62d5c9ce Release v1.7.0-beta4 2020-01-31 21:38:38 +00:00
hashicorp-ci 1fcf4bfc10 update bindata_assetfs.go 2020-01-31 21:38:38 +00:00
Sarah Christoff 92f64892ab
Revert "Update question.md" (#7183) 2020-01-31 13:45:05 -06:00
Matt Keeler d1fcf1e950
Add replace directive to prevent contacting istio.io during the… (#7194)
They keep having TLS handshake timeouts. It's pointed at github instead.
2020-01-31 13:57:54 -05:00
Matt Keeler 004be6450c
Update CHANGELOG.md 2020-01-31 11:56:34 -05:00
Matt Keeler 884cf1628b
Update CHANGELOG.md 2020-01-31 11:51:00 -05:00
Matt Keeler c14866204c
Update CHANGELOG.md 2020-01-31 11:24:48 -05:00
Hans Hasselberg 5531678e9e
Security fixes (#7182)
* Mitigate HTTP/RPC Services Allow Unbounded Resource Usage

Fixes #7159.

Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-31 11:19:37 -05:00
Matt Keeler d5f9268222
ACL enforcement for the agent/health/services endpoints (#7191)
ACL enforcement for the agent/health/services endpoints
2020-01-31 11:16:24 -05:00
R.B. Boyer 18a1626d79 update changelog 2020-01-31 10:13:40 -06:00
R.B. Boyer cf29bd4dcf
cli: improve the file safety of 'consul tls' subcommands (#7186)
- also fixing the signature of file.WriteAtomicWithPerms
2020-01-31 10:12:36 -06:00
Matt Keeler d8c0be2c84
agent: add ACL enforcement to the v1/agent/health/service/* endpoints
This adds acl enforcement to the two endpoints that were missing it.

Note that in the case of getting a service's health by its id, we still
must first lookup the service so we still "leak" information about a
service with that ID existing. There isn't really a way around it though
as ACLs are meant to check service names.
2020-01-31 09:57:38 -05:00
Matt Keeler 3a46e1d15f
Make PatchSliceOfMaps case insensitive
This fixes some case-sensitivity issues with using camel case in configuration files.
2020-01-31 09:56:02 -05:00
Kenia 1b74a68780
Update CHANGELOG.md 2020-01-31 09:09:02 -05:00
Kenia bf492d2678
Merge pull request #7177 from hashicorp/ui-staging
ui: UI Release Merge (ui-staging merge)
2020-01-30 16:08:35 -05:00
Hans Hasselberg 83aeabd748
Add 1.6.3 2020-01-30 21:01:08 +01:00
John Cowen a8504802db
ui: Split splitter names in the discovery-chain (#7180)
Previous to 1.7 splitter names didn't include the namespace name

i.e. 'service-name'

as of 1.7 they now include the namespace

i.e. 'service-name.namespace'

This commit takes account of that
2020-01-30 19:08:45 +00:00
Sarah Christoff fbb9120894
[docs] Clarify retry-join (#7078) 2020-01-30 12:52:58 -06:00
Matt Keeler 6855a778c2
Updates to the Txn API for namespaces (#7172)
* Updates to the Txn API for namespaces

* Update agent/consul/txn_endpoint.go

Co-Authored-By: R.B. Boyer <rb@hashicorp.com>

Co-authored-by: R.B. Boyer <public@richardboyer.net>
2020-01-30 13:12:26 -05:00
John Cowen 3eec5edadf
ui: Discovery-Chain: Cope with some edge case configs (#7174)
* ui: Discovery-Chain: Cope with redirects that have failovers

We found a few stranger configurations for discovery-chain, one of which
was redirects that can then failover.

We altered the parsing here to include 2 passes, one to organize the
nodes into resolvers and children/subsets based on the nodes themselves, which
includes adding the failovers to resolvers and subsets.

We then do a second pass which can more reliably figure out whether a
target is a redirect or a failover (target failovers don't have a
corresponding node), this then adds the redirect children to the already
existing resolver (from the first pass) and then checks if the redirect
also has failovers and adds those if so.

* ui: Check to see if we have a user configured default route or not

...if we don't, add one so the visualization looks complete
2020-01-30 16:09:05 +00:00
Sarah Christoff 74c277f5e1
Update question.md (#6778) 2020-01-30 08:09:37 -06:00
Matt Keeler cf27dff62f
Add some better waits to prevent CA is nil test flakes (#7171) 2020-01-29 22:23:11 -05:00