Commit Graph

9880 Commits

Author SHA1 Message Date
kaitlincarter-hc 9b1bc8d96d
[Docs] Production Guide for ACLs (#5385)
* New guide for ACLs

* Fixing some formatting issues.

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Resolving PR comments.

* Closing the rest of the PR comments

* Updates for persistence.

* Updating commands.

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Update website/source/docs/guides/production-acls.html.md

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2019-03-06 10:46:07 -06:00
Chip Vaughn f658748a79
Merge pull request #5420 from hashicorp/f-catalog-changes
Catalog API Doc Changes
2019-03-06 11:00:37 -05:00
Chip Vaughn ea38ad18f1 Update to registering services via Catalog API 2019-03-06 09:41:12 -05:00
Chip Vaughn ad25767416 Update to registering services via Catalog API 2019-03-06 09:23:37 -05:00
Hans Hasselberg eb0895c5fb
tlsutil: don't use `server_name` config for RPC connections (#5394)
* server name only for outgoing https for checks
2019-03-05 21:35:43 +01:00
R.B. Boyer 2ffbea41c8 improve flaky LANReap tests by expliciting configuring the tombstone timeout
In TestServer_LANReap autopilot is running, so the alternate flow
through the serf reaping function is possible. In that situation the
ReconnectTimeout is not relevant so for parity also override the
TombstoneTimeout value as well.

For additional parity update the TestServer_WANReap and
TestClient_LANReap versions of this test in the same way even though
autopilot is irrelevant here .
2019-03-05 14:34:03 -06:00
R.B. Boyer 5bea49ecb0 tests: avoid leaking child processes from agent/proxyprocess package 2019-03-05 14:29:25 -06:00
R.B. Boyer a99f7aaa25 website: fix broken links 2019-03-05 14:24:33 -06:00
Hans Hasselberg feaece034b
website: fix gemfile.lock (#5429) 2019-03-05 20:55:04 +01:00
Matt Keeler a4e2fe67eb Putting source back into Dev Mode 2019-03-05 19:26:42 +00:00
Matt Keeler 9e7d0ff2d4 Merge branch 'master' of https://github.com/hashicorp/consul 2019-03-05 19:05:53 +00:00
novotnyr aa6a392489 [docs] Add IntelliJ Consul to the list of community tools (#5379) 2019-03-05 13:58:03 +01:00
Matt Keeler 567e41ff6b
Release v1.4.3 2019-03-04 19:21:20 +00:00
Matt Keeler 67f4633134 Update Changelog 2019-03-04 19:18:25 +00:00
Matt Keeler 90040f8bff Fixes for CVE-2019-8336
Fix error in detecting raft replication errors.

Detect redacted token secrets and prevent attempting to insert.

Add a Redacted field to the TokenBatchRead and TokenRead RPC endpoints

This will indicate whether token secrets have been redacted.

Ensure any token with a redacted secret in secondary datacenters is removed.

Test that redacted tokens cannot be replicated.
2019-03-04 19:13:24 +00:00
Chip Vaughn ae8f273a92 Update to registering services via Catalog API 2019-03-04 09:46:37 -05:00
Chip Vaughn 9e91906664 Update to registering services via Catalog API 2019-03-04 09:45:24 -05:00
Matt Keeler 59cca0b975
Update CHANGELOG.md 2019-03-04 09:43:51 -05:00
Hans Hasselberg d35824b1fa default to tls 1.2 as promised. (#5340) 2019-03-04 09:42:04 -05:00
Matt Keeler 7a418f70cf
Update CHANGELOG.md 2019-03-04 09:35:13 -05:00
Aestek 2aac4d5168 Register and deregisters services and their checks atomically in the local state (#5012)
Prevent race between register and deregister requests by saving them
together in the local state on registration.
Also adds more cleaning in case of failure when registering services
/ checks.
2019-03-04 09:34:05 -05:00
Matt Keeler 219e9f8297
Update CHANGELOG.md 2019-03-04 09:29:54 -05:00
Matt Keeler 6e6910ea11
Dont modify memdb owned token data for get/list requests of tokens (#5412)
Previously we were fixing up the token links directly on the *ACLToken returned by memdb. This invalidated some assumptions that a snapshot is immutable as well as potentially being able to cause a crash.

The fix here is to give the policy link fixing function copy on write semantics. When no fixes are necessary we can return the memdb object directly, otherwise we copy it and create a new list of links.

Eventually we might find a better way to keep those policy links in sync but for now this fixes the issue.
2019-03-04 09:28:46 -05:00
Aestek 02f991843f Fix race condition in DNS when using cache (#5398)
* Fix race condition in DNS when using cache

The healty node filtering was modifying the result from the cache, which
caused a crash when multiple queries were made to the same service
simultaneously.
We now copy the node slice before filtering to ensure we do not modify
the data stored in the cache.

* Fix wording in dns cache config doc

s/dns_max_age/cache_max_age/
2019-03-04 09:22:01 -05:00
Matt Keeler 767b8c22ea
Update CHANGELOG.md 2019-03-04 09:20:58 -05:00
Matt Keeler 200c0fb3e9
Call RemoveServer for reap events (#5317)
This ensures that servers are removed from RPC routing when they are reaped.
2019-03-04 09:19:35 -05:00
R.B. Boyer 409c901f8e test: fix concurrent map access when setting up test vault 2019-03-01 14:30:19 -06:00
R.B. Boyer 6955186239 fix ignored errors in state store internals as reported by errcheck 2019-03-01 14:18:00 -06:00
R.B. Boyer c7067645dd fix a few leap-year related clock math inaccuracies and failing tests 2019-03-01 13:51:49 -06:00
Hans Hasselberg e64c5c5899 typo (#5407) 2019-03-01 08:51:37 -06:00
Matt Keeler 4833c5dee5
Update CHANGELOG.md 2019-02-27 14:29:41 -05:00
Matt Keeler 118adbb123
ACL Token Persistence and Reloading (#5328)
This PR adds two features which will be useful for operators when ACLs are in use.

1. Tokens set in configuration files are now reloadable.
2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload)

Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change.

Some other secondary changes:

* Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly.
* Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. 
* Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents.
* Docs updated to reflect the API additions and to show using the new endpoints.
* Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 14:28:31 -05:00
Kyle Havlovitz f07e928afc
Merge pull request #5325 from hashicorp/consul-ca-panic
connect/ca: fix a potential panic in the Consul provider
2019-02-27 09:43:44 -08:00
Hans Hasselberg 80e7d63fc2
Centralise tls configuration part 2 (#5374)
This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually!

This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 10:14:59 +01:00
danielehc f3610df40b Add more details on SkipNodeUpdate option (#5345)
* Add more details on SkipNodeUpdate option

* Updating the language for the entire parameter.
2019-02-26 11:00:23 -06:00
Hans Hasselberg 786b3b1095
Centralise tls configuration part 1 (#5366)
In order to be able to reload the TLS configuration, we need one way to generate the different configurations.

This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`.

This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 16:52:07 +01:00
Jack Pearkes cce1c14fac
website: update bootstrap-saas depenency (#5387)
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
2019-02-25 11:52:00 -08:00
Matt Keeler 6645d714d7
Update CHANGELOG.md 2019-02-25 14:07:14 -05:00
Aestek f1cdfbe40e Allow DNS interface to use agent cache (#5300)
Adds two new configuration parameters "dns_config.use_cache" and
"dns_config.cache_max_age" controlling how DNS requests use the agent
cache when querying servers.
2019-02-25 14:06:01 -05:00
Alvin Huang 77eecf1046 add wait to TestClient_JoinLAN 2019-02-22 17:34:45 -05:00
Alvin Huang 136df63e2c add retry to TestResetSessionTimerLocked 2019-02-22 17:34:45 -05:00
Alvin Huang a7180f715a add serf check to testDNSServiceLookupResponseLimits, checkDNSService 2019-02-22 17:34:45 -05:00
Alvin Huang d10b5a396b add wait to TestOperator_AutopilotCASConfiguration 2019-02-22 17:34:45 -05:00
Alvin Huang dc200daf21 add wait to TestSnapshot 2019-02-22 17:34:45 -05:00
Alvin Huang e999e404da add serf check to TestAPI_ACLToken_List 2019-02-22 17:34:45 -05:00
Alvin Huang aed9d123fa add serf check to various api/agent tests 2019-02-22 17:34:45 -05:00
Alvin Huang 8124f5889c add serf check to TestAPI_CatalogNodes 2019-02-22 17:34:45 -05:00
Alvin Huang 9780892ebe add serf check to TestAPI_ConnectCARoots_empty, TestAPI_ConnectCAConfig_get_set 2019-02-22 17:34:45 -05:00
Alvin Huang 7b4fb32545 add serf check to TestAPI_CoordinateUpdate 2019-02-22 17:34:45 -05:00
Alvin Huang a2eb3c204d add serf check to TestAPI_HealthChecks_NodeMetaFilter, TestAPI_HealthConnect 2019-02-22 17:34:45 -05:00