Commit Graph

10764 Commits

Author SHA1 Message Date
David Yu 94e8a3b306
Adding links to Kubernetes install
Adding links to Kubernetes deployment guide and minikube install for visibility
2020-01-21 14:55:21 -08:00
R.B. Boyer c91d0fa2c9
make TestCatalogNodes_Blocking less flaky (#7074)
- Explicitly wait to start the test until the initial AE sync of the node.

- Run the blocking query in the main goroutine to cut down on possible
poor goroutine scheduling issues being to blame for delays.

- If the blocking query is woken up with no index change, rerun the
query. This may happen if the CI server is loaded and time dilation is
happening.
2020-01-21 14:58:50 -06:00
R.B. Boyer e2eb9f0585
test: ensure we don't ask vault to sign a leaf that outlives its CA when acting as a secondary (#7100) 2020-01-21 14:55:21 -06:00
R.B. Boyer 4af5c2d6dd
fix the submodule go.mod and go.sum files (#7098) 2020-01-21 14:49:26 -06:00
R.B. Boyer 98e0cbdebe
test: run both the TestVaultProvider and TestVaultCAProvider tests in CI (#7097) 2020-01-21 12:01:35 -06:00
Hans Hasselberg f0fc9aea7f
tests: fix autopilot test (#7092) 2020-01-21 14:09:51 +01:00
Paul Banks 1807af552e
Fix TestAPI_DiscoveryChain_Get flake (#7082) 2020-01-20 14:56:56 +00:00
Aestek 8fc736038a agent: remove service sidecars in Agent.cleanupRegistration (#7022)
Sidecar proxies were left behind when cleaning up after an unsuccessful
registration. There are now also removed when the service is cleanup up.
2020-01-20 14:01:40 +01:00
Hans Hasselberg 9c1361c02b
raft: update raft to v1.1.2 (#7079)
* update raft
* use hclogger for raft.
2020-01-20 13:58:02 +01:00
Luke Kysow c9dbcc31ec
Merge pull request #6970 from hashicorp/k8s-docs-refactor
Kubernetes docs reorganization
2020-01-18 19:08:26 -06:00
Luke Kysow e0aff262cf
Reorg kube docs 2020-01-18 19:07:53 -06:00
Hans Hasselberg 804eb17094
connect: check if intermediate cert needs to be renewed. (#6835)
Currently when using the built-in CA provider for Connect, root certificates are valid for 10 years, however secondary DCs get intermediates that are valid for only 1 year. There is no mechanism currently short of rotating the root in the primary that will cause the secondary DCs to renew their intermediates.
This PR adds a check that renews the cert if it is half way through its validity period.

In order to be able to test these changes, a new configuration option was added: IntermediateCertTTL which is set extremely low in the tests.
2020-01-17 23:27:13 +01:00
Hans Hasselberg 87f32c8ba6
auto_encrypt: set dns and ip san for k8s and provide configuration (#6944)
* Add CreateCSRWithSAN
* Use CreateCSRWithSAN in auto_encrypt and cache
* Copy DNSNames and IPAddresses to cert
* Verify auto_encrypt.sign returns cert with SAN
* provide configuration options for auto_encrypt dnssan and ipsan
* rename CreateCSRWithSAN to CreateCSR
2020-01-17 23:25:26 +01:00
Kit Patella 44280103ee
.gitignore: cut IDE-specific entries, cleanup (#7083)
* .gitignore: add vscode and MacOS-specific files. add a little org

* .gitignore: remove IDE-specific ignores, add docs
2020-01-17 11:06:33 -08:00
Matt Keeler 3027923229
Update CHANGELOG.md 2020-01-17 09:55:59 -05:00
Aestek ba8fd8296f Add support for dual stack IPv4/IPv6 network (#6640)
* Use consts for well known tagged adress keys

* Add ipv4 and ipv6 tagged addresses for node lan and wan

* Add ipv4 and ipv6 tagged addresses for service lan and wan

* Use IPv4 and IPv6 address in DNS
2020-01-17 09:54:17 -05:00
Aestek 5dc8875bd3 agent: do not deregister service checks twice (#6168)
Deregistering a service from the catalog automatically deregisters its
checks, however the agent still performs a deregister call for each
service checks even after the service has been deregistered.
With ACLs enabled this results in logs like:
"message:consul: "Catalog.Deregister" RPC failed to server
server_ip:8300: rpc error making call: rpc error making call: Unknown
check 'check_id'"
This change removes associated checks from the agent state when
deregistering a service, which results in less calls to the servers and
supresses the error logs.
2020-01-17 14:26:53 +01:00
Matej Urbas ce023359fe agent: configurable MaxQueryTime and DefaultQueryTime. (#3777) 2020-01-17 14:20:57 +01:00
neillyt a2ab9b4aee Fix Namespace Typo (#7030) 2020-01-16 20:34:04 -07:00
Matt Keeler 8673bc2236
Update CHANGELOG.md 2020-01-15 11:58:19 -05:00
John Cowen bc86002be9
docs: Add note about using valid DNS labels for service names (#7035)
Add note about using valid DNS labels for service names
2020-01-15 15:36:17 +00:00
Kit Patella 8be67b777a
Small improvements to Connect docs (#6910)
* docs/connect add link to intentions and minor phrasing change

* docs/connect pluralize 'applications'

* Update website/source/docs/connect/connect-internals.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>
2020-01-14 14:59:27 -08:00
Freddy 015c6e81e9
Update CHANGELOG.md 2020-01-14 15:44:03 -07:00
Freddy e635b24215
Update force-leave ACL requirement to operator:write (#7033) 2020-01-14 15:40:34 -07:00
Matt Keeler 663cf1e9a8
AuthMethod updates to support alternate namespace logins (#7029) 2020-01-14 10:09:29 -05:00
Paul Banks 86692f958f
Add contributing dir with Config file checklist (#7017)
* Add contributing dir with Config file checklist and modify contribution guides

* Apply suggestions from code review

Co-Authored-By: Chris Piraino <cpiraino@hashicorp.com>

Co-authored-by: Chris Piraino <piraino.chris@gmail.com>
2020-01-14 12:24:03 +00:00
Matt Keeler 8bd34e126f
Intentions ACL enforcement updates (#7028)
* Renamed structs.IntentionWildcard to structs.WildcardSpecifier

* Refactor ACL Config

Get rid of remnants of enterprise only renaming.

Add a WildcardName field for specifying what string should be used to indicate a wildcard.

* Add wildcard support in the ACL package

For read operations they can call anyAllowed to determine if any read access to the given resource would be granted.

For write operations they can call allAllowed to ensure that write access is granted to everything.

* Make v1/agent/connect/authorize namespace aware

* Update intention ACL enforcement

This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior.

Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself.

* Refactor Intention.Apply to make things easier to follow.
2020-01-13 15:51:40 -05:00
Pierre Souchay 3bf2e640c7 rpc: log method when a server/server RPC call fails (#4548)
Sometimes, we have lots of errors in cross calls between DCs (several hundreds / sec)
Enrich the log in order to help diagnose the root cause of issue.
2020-01-13 19:55:29 +01:00
Matt Keeler 27f49eede9
Move where the service-resolver watch is done so that it happen… (#7025)
Before we were issuing 1 watch for every service in the services listing which would have caused the agent to process many more identical events simultaneously.
2020-01-10 10:30:13 -05:00
Hans Hasselberg ab2f2484ad
connect: use inline_string instead for envoy ca(#7024) 2020-01-10 15:57:54 +01:00
R.B. Boyer 10f04a8c4a connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index (#7011) 2020-01-09 16:32:19 +01:00
R.B. Boyer 50c879923c connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison (#7012)
Fixes #6886
2020-01-09 16:28:16 +01:00
danielehc 6ae75f6063
added disclaimer about network segments due to Serf limitations (#7004)
* added disclaimer about network segments due to Serf limitations

using work made at https://github.com/hashicorp/consul/pull/6558 by @thepomeranian

* Lowercasing functionality name

* Update website/source/docs/enterprise/network-segments/index.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

Co-authored-by: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2020-01-09 10:41:31 +01:00
danielehc a207f1a147
Update docs to point to new learn guide (#7003)
* Changed the link to point to new guide
* Removed querystring from link
2020-01-09 10:26:47 +01:00
DevOps Rob 0785bcc8df Azure MSI for cloud auto-join (#7000)
* Azure MSI documentation

Adding in note about support for Azure MSI authentication method for Cloud auto-join

* fixing text formatting

fixing text formatting

* missing word

missing word - variable

* Update website/source/docs/agent/cloud-auto-join.html.md

Language change to be specific about where the security risk mitigation is concerned

Co-Authored-By: Jack Pearkes <jackpearkes@gmail.com>

Co-authored-by: Jack Pearkes <jackpearkes@gmail.com>
2020-01-08 20:43:45 -05:00
kaitlincarter-hc 15f070231a
updating the ent docs to mention GCP (#7001) 2020-01-07 13:19:34 -08:00
tehmoon 43ab78fe5a docs: Fix extraVolumes mount paths in helm.html.md (#7008) 2020-01-07 12:13:09 -08:00
Rémi Lapeyre ec591a5b77 docs: fix typo in ACL legacy documentation (#7006) 2020-01-07 14:33:56 +01:00
kaitlincarter-hc 6e2ae79552
[docs] Managing ACL Policies (#6573)
* New Acl policy guide

* Update website/source/docs/guides/managing-acl-policies.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

* Update website/source/docs/guides/managing-acl-policies.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

* Update website/source/docs/guides/managing-acl-policies.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

* Update website/source/docs/guides/managing-acl-policies.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

* Update website/source/docs/guides/managing-acl-policies.html.md

Co-Authored-By: Paul Banks <banks@banksco.de>

Co-authored-by: Paul Banks <banks@banksco.de>
2020-01-06 15:44:17 -08:00
kaitlincarter-hc 2e1a8acb45
[docs] New Replication Guide (#5823)
* new replication guide

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* fixing list

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* fixing another list

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: R.B. Boyer <public@richardboyer.net>

* fixing formating

* Updating based on feedback.

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Matt Keeler <mkeeler@users.noreply.github.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* updating introduction based on feedback

* Update website/source/docs/guides/acl-replication.md

* updating intro based on feedback

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* updating based on feedback

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Update website/source/docs/guides/acl-replication.md

Co-Authored-By: Judith Malnick <judith@hashicorp.com>

* Additional note about servers

Co-authored-by: R.B. Boyer <public@richardboyer.net>
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
Co-authored-by: Judith Malnick <judith@hashicorp.com>
2020-01-06 15:35:59 -08:00
kaitlincarter-hc 88a4950a78
New Connect guide for new users (#6749) 2020-01-06 15:17:24 -08:00
Matt Keeler fa2003d7cb
Move Session.CheckIDs into OSS only code. (#6993) 2020-01-03 15:51:19 -05:00
Luke Kysow 62a111f7b6
Merge pull request #6978 from hashicorp/docs/helm-move-bootstrapacls-under-global
Move bootstrapACLs under global key in Helm docs
2019-12-23 08:46:08 -08:00
Blake Covarrubias b52ce19e8f Move bootstrapACLs under global key in Helm docs
The global.bootstrapACLs key in the Helm chart docs was inadvertently
moved to a top-level key in commit 12e6ef8, which is incorrect.

This commit reverts that error.
2019-12-21 18:47:42 -08:00
hashicorp-ci e01f691351
Release v1.7.0-beta2 2019-12-20 17:16:53 +00:00
hashicorp-ci 5e45e3470b
update bindata_assetfs.go 2019-12-20 17:16:51 +00:00
Matt Keeler c276e2a634
Revert "Remove docs refs to NS inference from ACL token" (#6976)
This reverts commit 3a8426de9c.

# Conflicts:
#	command/flags/http.go
#	website/source/api/acl/binding-rules.html.md
#	website/source/api/acl/policies.html.md
#	website/source/api/acl/roles.html.md
#	website/source/api/acl/tokens.html.md
#	website/source/api/kv.html.md
#	website/source/api/session.html.md
#	website/source/docs/commands/_http_api_namespace_options.html.md
2019-12-20 11:52:50 -05:00
John Cowen 9f406cc10f
Update CHANGELOG.md 2019-12-20 15:35:00 +00:00
John Cowen 95a71bba04
Merge pull request #6966 from hashicorp/ui-staging
ui: UI Release Merge (ui-staging merge)
2019-12-20 15:30:43 +00:00
John Cowen 99fae9d65a
ui: Make sure that the namespace is passed when changing a token via [Use] (#6973)
* Pass the namespace parameter through to the repo when using a token
* Refresh the namespace menu when somebody [Use]s a token
2019-12-20 14:57:10 +00:00