12081 Commits

Author SHA1 Message Date
Hans Hasselberg
e6584182f2 Add flags to support CA generation for Connect (#9585) 2021-01-27 07:55:31 +00:00
Matt Keeler
bb8386316d Add changelog entry for change to the temporary client license duration (#9642) 2021-01-26 21:15:53 +00:00
R.B. Boyer
685c38a1b1 server: initialize mgw-wanfed to use local gateways more on startup (#9528)
Fixes #9342
2021-01-25 23:31:28 +00:00
R.B. Boyer
17e16f708f
chore: [1.8.x] regenerate envoy golden files (#9635)
Backport of #9634
2021-01-25 15:34:50 -06:00
hashicorp-ci
dd110e8c74 Merge branch 'release/1.8.8' into remote-x 2021-01-22 20:17:04 +00:00
hashicorp-ci
6bb9524dd8 Putting source back into Dev Mode 2021-01-22 20:16:59 +00:00
hashicorp-ci
1a7f21a061
Release v1.8.8 v1.8.8 2021-01-22 18:50:03 +00:00
hashicorp-ci
e2f9307430
update bindata_assetfs.go 2021-01-22 18:50:02 +00:00
Mike Morris
a2da08bd6b changelog: add unreleased entries for v1.8.8 2021-01-22 11:44:54 -05:00
Alvin Huang
6976289413 ci: fix logic for check-vendor (#9619) 2021-01-22 11:39:09 -05:00
Alvin Huang
acb9b4ccaa ci: fix logic for check-vendor (#9619) 2021-01-22 16:37:23 +00:00
R.B. Boyer
f135c3b64e server: when wan federating via mesh gateways only do heuristic primary DC bypass on the leader (#9366)
Fixes #9341
2021-01-22 16:07:11 +00:00
Alvin Huang
4d470f9822 ci: change check-vendor to verify git status has no changes (#9615) 2021-01-21 23:30:07 +00:00
Matt Keeler
7cddf128e9
Backport #9570 to release/1.8.x: Ensure that CA initialization does not block leader election. (#9571)
Backport of PR: 9570

After fixing that bug I uncovered a couple more:

Fix an issue where we might try to cross sign a cert when we never had a valid root.
Fix a potential issue where reconfiguring the CA could cause either the Vault or AWS PCA CA providers to delete resources that are still required by the new incarnation of the CA.

Ensure that CA initialization does not block leader election.

After fixing that bug I uncovered a couple more:

Fix an issue where we might try to cross sign a cert when we never had a valid root.
Fix a potential issue where reconfiguring the CA could cause either the Vault or AWS PCA CA providers to delete resources that are still required by the new incarnation of the CA.
2021-01-21 09:04:30 -05:00
Matt Keeler
87f7bb475c Fix flaky test by marking mock expectations as optional (#9596)
These expectations are optional because in a slow CI environment the deadline to cancel the context might occur before the goroutine reaches issuing the RPC. Either way we are successfully ensuring context cancellation is working.
2021-01-20 15:59:13 +00:00
Alvin Huang
7bb043a42d rename envoy job names for circleci config linter 2021-01-19 13:19:26 -05:00
Alvin Huang
383dd32bdf modify aws assume role circleci command 2021-01-19 13:17:14 -05:00
Daniel Nephin
d399690ae4
Merge pull request #9520 from hashicorp/dnephin/1.8.x-fix-integration-test-fail
[1.8.x] Pin alpine/socat image to a version
2021-01-07 11:59:37 -05:00
Daniel Nephin
eeb3b85122 Pin alpine/socat image to a version.
To fix failing integration tests. The latest version (`1.7.4.0-r0`)
appears to not be catting all the bytes, so the expected metrics are
missing in the output.
2021-01-06 18:44:02 -05:00
Matt Keeler
792fb090fe Add changelog for #9487 (#9491) 2021-01-05 18:06:27 +00:00
John Cowen
af335e7ecc
ui: Make sure we pass the nspace through to the API for nodes (#9488)
Nodes themselves are not namespaced, so we'd originally assumed we did not need to pass through the ns query parameter when listing or viewing nodes.

As it turns out the API endpoints we use to list and view nodes (and related things) return things that are namespaced, therefore any API requests for nodes do require the ns query parameter to be passed through to the request.

This PR adds the necessary ns query param to all things Node, apart from the querying for the leader which only returns node related information.
2021-01-05 15:54:23 +00:00
Matt Keeler
0d4b710c4a Special case the error returned when we have a Raft leader but are not tracking it in the ServerLookup (#9487)
This can happen when one other node in the cluster such as a client is unable to communicate with the leader server and sees it as failed. When that happens its failing status eventually gets propagated to the other servers in the cluster and eventually this can result in RPCs returning “No cluster leader” error.

That error is misleading and unhelpful for determining the root cause of the issue as it's not raft stability but rather a client -> server networking issue. Therefore this commit will add a new error that will be returned in that case to differentiate between the two cases.
2021-01-04 19:05:58 +00:00
Mike Morris
ceb4a9874e
ci(1.8.x): update to Go 1.14.13 (#9374) 2021-01-04 12:56:21 -05:00
hashicorp-ci
78d344c95e Putting source back into Dev Mode 2020-12-10 23:23:31 +00:00
hashicorp-ci
cbe8f01e9a
Release v1.8.7 v1.8.7 2020-12-10 21:46:52 +00:00
hashicorp-ci
bf98530f78
update bindata_assetfs.go 2020-12-10 21:46:51 +00:00
Mike Morris
86be641c3d changelog: add unreleased v1.8.7 entries, remove v1.8.7-beta1 section 2020-12-10 15:57:06 -05:00
R.B. Boyer
0ecd16a382
acl: global tokens created by auth methods now correctly replicate to secondary datacenters (#9363)
Previously the tokens would fail to insert into the secondary's state
store because the AuthMethod field of the ACLToken did not point to a
known auth method from the primary.

Backport of #9351 to 1.8.x
2020-12-10 08:35:48 -06:00
Matt Keeler
8f79c50dff Add changelog for fixing the namespace replication bug from #9271 (#9347) 2020-12-08 17:05:27 +00:00
Mike Morris
6800906334 changelog: update 1.8.0 goroutine leak to note increasing memory usage (#9328) 2020-12-04 17:48:22 +00:00
hashicorp-ci
c7189780ea Putting source back into Dev Mode 2020-12-03 20:17:03 +00:00
hashicorp-ci
de692123db
Release v1.8.7-beta1 v1.8.7-beta1 2020-12-03 19:11:42 +00:00
hashicorp-ci
0b1d1323d7
update bindata_assetfs.go 2020-12-03 19:11:42 +00:00
Mike Morris
aa7f8baecc changelog: add entries for unreleased 1.8.7-beta1 2020-12-03 14:03:41 -05:00
Mike Morris
893b34cf70 changelog: add entry for fixing active CA root unset (#9323) 2020-12-03 18:45:48 +00:00
Mike Morris
d691d6774f changelog: add entries for secondary datacenter CA fixes (#9322) 2020-12-03 18:34:11 +00:00
Alvin Huang
52dfa58230 [skip ci] ci: fix trigger-oss-merge yaml spacing (#8916) 2020-12-02 17:57:37 -05:00
Alvin Huang
561636d503 add per commit oss->ent merge on master and release branches (#8740) 2020-12-02 17:54:08 -05:00
Kyle Havlovitz
e51bd34952 Merge pull request #9318 from hashicorp/ca-update-followup
connect: Fix issue with updating config in secondary
2020-12-02 20:18:32 +00:00
Kyle Havlovitz
31199ca426
Merge pull request #9299 from hashicorp/1.8.x-update-secondary-ca
Backport #9009 to 1.8.x
2020-12-02 11:35:09 -08:00
Kyle Havlovitz
6e62166f6d Merge pull request #9009 from hashicorp/update-secondary-ca
connect: Fix an issue with updating CA config in a secondary datacenter
2020-11-30 16:13:12 -08:00
Freddy
5d7158023e
Merge release/1.8.6 back into release/1.8.x 2020-11-19 15:59:04 -07:00
freddygv
545e7379ee Merge branch 'release/1.8.x' into release/1.8.6 2020-11-19 15:45:37 -07:00
hashicorp-ci
4428e3d31e Putting source back into Dev Mode 2020-11-19 22:18:18 +00:00
hashicorp-ci
2fa535b58c
Release v1.8.6 v1.8.6 2020-11-19 20:56:51 +00:00
hashicorp-ci
8967edad2a
update bindata_assetfs.go 2020-11-19 20:56:50 +00:00
freddygv
5a961ef68f Update changelog 2020-11-19 13:34:36 -07:00
Freddy
8ed789766b Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 13:21:51 -07:00
Freddy
cfd72af36c Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 17:15:23 +00:00
Matt Keeler
14cb672790 Add changelog entry for namespace licensing fix (#9203) 2020-11-16 20:46:34 +00:00