12095 Commits

Author SHA1 Message Date
Alvin Huang
52dfa58230 [skip ci] ci: fix trigger-oss-merge yaml spacing (#8916) 2020-12-02 17:57:37 -05:00
Alvin Huang
561636d503 add per commit oss->ent merge on master and release branches (#8740) 2020-12-02 17:54:08 -05:00
Kyle Havlovitz
e51bd34952 Merge pull request #9318 from hashicorp/ca-update-followup
connect: Fix issue with updating config in secondary
2020-12-02 20:18:32 +00:00
Kyle Havlovitz
31199ca426 Merge pull request #9299 from hashicorp/1.8.x-update-secondary-ca
Backport #9009 to 1.8.x
2020-12-02 11:35:09 -08:00
Kyle Havlovitz
6e62166f6d Merge pull request #9009 from hashicorp/update-secondary-ca
connect: Fix an issue with updating CA config in a secondary datacenter
2020-11-30 16:13:12 -08:00
Freddy
5d7158023e Merge release/1.8.6 back into release/1.8.x 2020-11-19 15:59:04 -07:00
freddygv
545e7379ee Merge branch 'release/1.8.x' into release/1.8.6 2020-11-19 15:45:37 -07:00
hashicorp-ci
4428e3d31e Putting source back into Dev Mode 2020-11-19 22:18:18 +00:00
hashicorp-ci
2fa535b58c Release v1.8.6 v1.8.6 2020-11-19 20:56:51 +00:00
hashicorp-ci
8967edad2a update bindata_assetfs.go 2020-11-19 20:56:50 +00:00
freddygv
5a961ef68f Update changelog 2020-11-19 13:34:36 -07:00
Freddy
8ed789766b Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 13:21:51 -07:00
Freddy
cfd72af36c Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 17:15:23 +00:00
Matt Keeler
14cb672790 Add changelog entry for namespace licensing fix (#9203) 2020-11-16 20:46:34 +00:00
Mike Morris
6138ed20f0 ci(backport-1.8): publish static assets (#9166)
* ci:add check for bindata_assetfs changes (#8712)

Co-authored-by: John Cowen <jcowen@hashicorp.com>
Co-authored-by: hashicorp-ci <hashicorp-ci@users.noreply.github.com>

* Merge pull request #8776 from hashicorp/ci/fix-auto-bindata

commit a new bindata file if there are changes

* add git config for static assets (#8777)

* add commit sha to static-asset auto commit

* ci: fix bindata autoupdate (#8801)

* update bindata on ui-v2/ changes

* ci: publish bindata_assetfs.go for all release/.x branches (#9158)

Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
Co-authored-by: John Cowen <jcowen@hashicorp.com>
Co-authored-by: hashicorp-ci <hashicorp-ci@users.noreply.github.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2020-11-16 14:40:51 -05:00
Mike Morris
7df79f0988 chore(backport): use HashiCorp Docker mirror (#9167)
* chore: backport Docker mirror for Envoy integration tests

* use hashicorp docker mirror in envoy helper (#9080)

* use hashicorp docker mirror to prevent rate limit (#9070)

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
2020-11-11 18:31:40 -05:00
Matt Keeler
0c2eea2918 Backport #9156 to 1.8.x (#9164)
The Catalog, Config Entry, KV and Session resources potentially re-validate the input as it's coming in. We need to prevent snapshot restoration failures due to missing namespaces or namespaces that are being deleted in enterprise.
2020-11-11 15:12:10 -05:00
Daniel Nephin
95ed6ec143 Merge pull request #8976 from joel0/wrap-eof
Wrap rpc error object
2020-11-11 16:51:48 +00:00
Daniel Nephin
52f8ada38e Merge pull request #9149 from joel0/wrap-errors
Use error wrapping to preserve error type info
2020-11-10 23:27:48 +00:00
Mike Morris
76417b2460 chore: update to Go 1.14.11 2020-11-09 16:22:01 -05:00
R.B. Boyer
a9269c2c07 wait_for_namespace should take two args (#9086) 2020-11-02 21:58:25 +00:00
R.B. Boyer
8acca3b261 fix envoy integ test wait_for_namespace to actually work on CI (#9082) 2020-11-02 21:57:14 +00:00
Mike Morris
c45fc85b94 changelog: add note for licensing bug fix to 1.8.5 2020-11-02 12:09:23 -05:00
Matt Keeler
b1aee0a1ed Create _619.txt 2020-11-02 12:05:30 -05:00
R.B. Boyer
cfa5908c8d add namespace waiting function to envoy integration tests (#9051) 2020-10-28 18:24:07 +00:00
Kyle Havlovitz
b72e11aa9c Merge pull request #9053 from hashicorp/vault-token-lookupself
connect: Use the lookup-self endpoint for Vault token
2020-10-27 21:34:37 +00:00
Kevin Pruett
b3ec64c23f Merge pull request #9021 from hashicorp/pruett.alertbanner-exp
Expose `expirationDate` prop in <AlertBanner/>
2020-10-26 20:13:49 +00:00
Kim Ngo
6cbc41d5b5 NIA: add Terraform version compatibility (#9023) 2020-10-26 14:47:50 +00:00
Mike Morris
aca865adc3 Merge pull request #9027 from hashicorp/release/1.8.5
Merge back release/1.8.5
2020-10-23 18:35:26 -04:00
Mike Morris
3848804bc8 changelog: fixup formatting for 8774.txt 2020-10-23 17:19:41 -04:00
hashicorp-ci
18e8949c6f Putting source back into Dev Mode 2020-10-23 21:08:15 +00:00
hashicorp-ci
1e03567d33 Release v1.8.5 v1.8.5 2020-10-23 20:32:14 +00:00
hashicorp-ci
90324f1bac update bindata_assetfs.go 2020-10-23 20:32:13 +00:00
Mike Morris
8e371c9fd6 changelog: add unreleased entries for 1.8.5 2020-10-23 16:15:09 -04:00
Mike Morris
3bf05fd6e3 changelog: fixup CVE link for 9024.txt 2020-10-23 16:13:36 -04:00
Mike Morris
acfd9fbfea changelog: fixup note.tmpl syntax 2020-10-23 16:10:58 -04:00
R.B. Boyer
a155423f29 server: config entry replication now correctly uses namespaces in comparisons (#9024)
Previously config entries sharing a kind & name but in different
namespaces could occasionally cause "stuck states" in replication
because the namespace fields were ignored during the differential
comparison phase.

Example:

Two config entries written to the primary:

    kind=A,name=web,namespace=bar
    kind=A,name=web,namespace=foo

Under the covers these both get saved to memdb, so they are sorted by
all 3 components (kind,name,namespace) during natural iteration. This
means that before the replication code does its own incomplete sort,
the underlying data IS sorted by namespace ascending (bar comes before
foo).

After one pass of replication the primary and secondary datacenters have
the same set of config entries present. If
"kind=A,name=web,namespace=bar" were to be deleted, then things get
weird. Before replication the two sides look like:

primary: [
    kind=A,name=web,namespace=foo
]
secondary: [
    kind=A,name=web,namespace=bar
    kind=A,name=web,namespace=foo
]

The differential comparison phase walks these two lists in sorted order
and first compares "kind=A,name=web,namespace=foo" vs
"kind=A,name=web,namespace=bar" and falsely determines they are the SAME
and thus cause an update of "kind=A,name=web,namespace=foo". Then it
compares "<nothing>" with "kind=A,name=web,namespace=foo" and falsely
determines that the latter should be DELETED.

During reconciliation the deletes are processed before updates, and so
for a brief moment in the secondary "kind=A,name=web,namespace=foo" is
erroneously deleted and then immediately restored.

Unfortunately after this replication phase the final state is identical
to the initial state, so when it loops around again (rate limited) it
repeats the same set of operations indefinitely.
2020-10-23 18:42:45 +00:00
James Light
e0bfd96dc4 Update managed-deprecated.mdx (#9016)
fix typo / spell checker replacing w/ wrong word
2020-10-23 14:55:46 +00:00
R.B. Boyer
3456b57dec connect: update supported envoy point releases to 1.14.5, 1.13.6, 1.12.7, 1.11.2 for 1.8.x (#8999)
Selective backport of #8944 to 1.8.x
2020-10-22 13:26:51 -05:00
Kim Ngo
4e196b0a16 NIA: document daemon exiting on task errors (#8985) 2020-10-22 18:23:57 +00:00
Daniel Nephin
2ed5b108c5 Merge pull request #8924 from ShimmerGlass/fix-sidecar-deregister-after-restart
Fix: service LocallyRegisteredAsSidecar property is not persisted
2020-10-22 17:27:41 +00:00
Blake Covarrubias
315b68228a Add extraEnvironmentVars and client.affinity to Helm values (#8997)
Document client.extraEnvironmentVars, server.extraEnvironmentVars, and
client.affinity Helm chart values.

Remove deprecated connectInject.imageEnvoy and meshGateway.imageEnvoy
values.
2020-10-22 06:29:25 +00:00
Blake Covarrubias
d2f0cf42c3 docs: Remove sentence about pluggable CAs
Consul's Connect CA documentation mentions future releases will
support a pluggable CA system. This sentence has existed in the docs
for over two years, however there are currently no plans to develop
this feature on the near-term roadmap.

This commit removes this sentence to avoid giving the impression that
this feature will be available in an upcoming release.
2020-10-20 18:52:49 +00:00
Jasmine W
5c1d25df84 Merge pull request #8959 from hashicorp/docs-update-api-cli
Update docs-navigation.js
2020-10-20 15:46:23 +00:00
Sabeen Syed
aa8ab4161b Update links (#8949) 2020-10-19 19:38:49 +00:00
Sabeen Syed
303e1142da Add A10 and Checkpoint TF modules (#8950) 2020-10-15 21:12:17 +00:00
Kit Patella
9c1bbb4b50 Merge pull request #8960 from hashicorp/mkcp/docs/truncate-old-jepsen-log
truncate jepsen.mdx log for length
2020-10-14 20:59:27 +00:00
Sabeen Syed
0335eb1fa0 Remove email address (#8931) 2020-10-13 18:17:30 +00:00
Kim Ngo
b7060f89b8 Add docs on what activates task execution (#8936) 2020-10-13 16:48:09 +00:00
lornasong
62ae98286a Merge pull request #8935 from hashicorp/nia-docs-tfmod
Update Requirements doc: Terraform module links
2020-10-13 15:55:43 +00:00