Most of the groundwork was laid in previous PRs between adding the cert-monitor package to extracting the logic of signing certificates out of the connect_ca_endpoint.go code and into a method on the server.
This also refactors the auto-config package a bit to split things out into multiple files.
* Add sorting to Intentions with tests
* Skip Intentions url back test
* Create comparator for intention and implement in template
* Add an intentions navigation feature test
This implements a solution for #7863
It does:
Add a new config cache.entry_fetch_rate to limit the number of calls/s for a given cache entry (default value = rate.Inf)
Add cache.entry_fetch_max_burst, the burst size of the rate limit (default value = 2)
The new configuration now supports the following syntax, for instance, to allow 1 query every 3s:
command line HCL: -hcl 'cache = { entry_fetch_rate = 0.333 }'
in JSON:
{
  "cache": {
    "entry_fetch_rate": 0.333
  }
}
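To see what these two settings mean for a single cache entry, the following Go program (an added example, not Consul's own code) re-implements the token-bucket semantics of golang.org/x/time/rate, the package the rate.Inf default comes from, and replays a constructed fetch schedule against entry_fetch_rate = 0.333 and entry_fetch_max_burst = 2. It assumes, as the message states, that the limiter is applied per cache entry.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Inf stands in for rate.Inf: no limit on fetches for this entry.
var Inf = math.Inf(1)

// entryLimiter is a minimal token bucket for one cache entry.
// Tokens refill at `rate` per second up to `burst`; a fetch costs one token.
type entryLimiter struct {
	rate   float64 // cache.entry_fetch_rate, fetches per second
	burst  float64 // cache.entry_fetch_max_burst
	tokens float64
	last   time.Time
}

func newEntryLimiter(rate float64, burst int, now time.Time) *entryLimiter {
	return &entryLimiter{rate: rate, burst: float64(burst), tokens: float64(burst), last: now}
}

// allow reports whether a fetch attempted at `now` may go to the servers.
func (l *entryLimiter) allow(now time.Time) bool {
	if math.IsInf(l.rate, 1) {
		return true // rate.Inf: never throttle
	}
	elapsed := now.Sub(l.last).Seconds()
	l.last = now
	l.tokens = math.Min(l.burst, l.tokens+elapsed*l.rate)
	if l.tokens < 1 {
		return false // bucket empty: this fetch is held back
	}
	l.tokens--
	return true
}

// simulate replays fetch attempts at the given offsets (seconds from start)
// and returns which of them the limiter let through.
func simulate(ratePerSec float64, burst int, offsets []float64) []bool {
	start := time.Unix(0, 0)
	l := newEntryLimiter(ratePerSec, burst, start)
	out := make([]bool, len(offsets))
	for i, off := range offsets {
		out[i] = l.allow(start.Add(time.Duration(off * float64(time.Second))))
	}
	return out
}

func main() {
	// Constructed schedule: three fetches at t=0, then at 1s, 4s and 7s.
	fmt.Println(simulate(0.333, 2, []float64{0, 0, 0, 1, 4, 7}))
	fmt.Println(simulate(Inf, 2, []float64{0, 0, 0, 0}))
}
```

With burst 2 the first two fetches pass immediately, the third and the one at 1s are held back, and roughly one fetch per 3s is admitted after that; with rate.Inf every fetch passes.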
Previously, the envoy bootstrap config would blindly copy the self_admin
cluster into the list of static clusters when configuring either
ReadyBindAddr, PrometheusBindAddr, or StatsBindAddr.
Since ingress gateways always configure the ReadyBindAddr property,
users ran into this case much more often than previously.
Refactoring of the agentpb package.
First move the whole thing to the top-level proto package name.
Secondly change some things around internally to have sub-packages.
# Conflicts:
# agent/consul/state/acl.go
# agent/consul/state/acl_test.go
The rationale behind removing them is that all of our own code (xDS, builtin connect proxy) uses the cache notification mechanism. This ensures that the blocking fetch behind the scenes is always executing. Therefore the only way you might go to get a certificate and have to wait is when 1) the request has never been made for that cert before or 2) you are using the v1/agent/connect/ca/leaf API for retrieving the cert yourself.
In the first case, the refresh change doesn't alter the behavior. In the second case, it can be mitigated by using blocking queries with that API which, just like the normal cache notification mechanism, will cause the blocking fetch to be initiated and to get leaf certs as soon as needed.
If you are not using blocking queries, or Envoy/xDS, or the builtin connect proxy but are retrieving the certs yourself then the HTTP endpoint might take a little longer to respond.
This also renames the RefreshTimeout field on the register options to QueryTimeout to more accurately reflect that it is used for any type that supports blocking queries.
# Conflicts:
# agent/cache/cache.go
The fallback method would still work but it would get into a state where it would let the certificate expire for 10s before getting a new one. And the new one used the less secure RPC endpoint.
This is also a pretty large refactoring of the auto encrypt code. I was going to write some tests around the certificate monitoring but it was going to be impossible to get a TestAgent configured in such a way that I could write a test that ran in less than an hour or two to exercise the functionality.
Moving the certificate monitoring into its own package will allow for dependency injection and in particular mocking the cache types to control how it hands back certificates and how long those certificates should live. This will allow for exercising the main loop more than would be possible with it coupled so tightly with the Agent.
# Conflicts:
# agent/agent.go
Close #8294. Set overflow to hidden for both x and y axis. This prevents the overflow-y defaulting to auto and creating scrollbars. Given the text overflow is set to ellipsis, this doesn't change the UI functionality.
* ui: Add new consul-nspace-list component
* ui: Use new consul-nspace-list component
* Fix up other components to use linkable list-collection action
* ui: Remove some dead CSS
* Add components for KV form, KV list and Session form
* Pass through a @label attribute for a human label + don't require error
* Ignore transition aborted errors for if you are re-transitioning
* Make old confirmation dialog more ember-like and tagless
* Make sure data-source and data-sink supports KV and sessions
* Use new components and delete all the things
* Fix up tests
* Make list component tagless
* Add component pageobject and fixup tests from that
* Add eslint warning back in
* Add uri identifiers to all data source things and make them the same
1. Add uri identifier to data-source service
2. Make <EventSource /> and <DataSource /> as close as possible
3. Add extra `.closed` method to get a list of inactive/closed/closing data-sources from elsewhere
* Make the connections cleanup the least worst connection when required
* Pass the uri/request id through all the things
* Better user erroring
* Make event sources close on error
* Allow <DataLoader /> data slot to be configurable
* Allow the <DataWriter /> removed state to be configurable
* Don't error if meta is undefined
* Stitch together all the repositories into the data-source/sink
* Use data.source over repositories
* Add missing <EventSource /> components
* Fix up the views/templates
* Disable all the old route based blocking query things
* We still need the repo for the mixin for the moment
* Don't default to default, default != ''
Switch from /v1/agent/self to /v1/status/leader when checking if the test server has come up successfully in the waitForAPI function.
Previously, the test server was relying (probably not intentionally) on the default value of acl_enforce_version_8 in the TestConfig, which was false. So if you created a test server and enabled ACLs, they would not be enforced and the server would be able to come up pretty quickly because /v1/agent/self would return a 200 status pretty much as soon as the agent is running and most likely before leader election is finished.
Now that we have removed the acl_enforce_version_8 property (equivalent to being true by default), if you've created a test server with ACLs enabled, it will need to wait for leader election and for ACLs to be initialized before it'll get a successful response from /v1/agent/self.
Note: With this change, the waitForAPI function no longer requires a 200 response status from the v1/status/leader endpoint. This is because in some tests, namely TestAPI_AgentLeave, we are only running clients, and this endpoint returns a 500 status.
We changed our default definition list layout in
https://github.com/hashicorp/consul/pull/8117.
We replaced the default with a definition-table class but missed one
place where the old default was previously used.
This adds the definition-table class in RTT where it used to use the
default.
* Remove curly brackets and pass through attributes
* yarn upgrade and part manual deps upgrade of non-problematic things
* from-entries from ember-composable helpers receives an array
* PowerSelect destruction bug seems to be fixed upstream
* Ensure all policies have a default 0 date for ember-c-h upgrade: sorting no longer works correctly unless CreateTime has a value