Commit Graph

2667 Commits

Author SHA1 Message Date
Daniel Nephin bac369b0f4 Merge pull request #9249 from hashicorp/dnephin/config-tags
config: use fields to detect enterprise-only settings
2021-01-08 00:50:15 +00:00
Daniel Nephin 156c14ae14 Merge pull request #9251 from hashicorp/dnephin/config-cleanup-flags-and-opts
config: move testing shims and cleanup some defaults
2021-01-08 00:22:03 +00:00
Daniel Nephin 223b85f89e Merge pull request #7583 from hashicorp/dnephin/id-printing
Fix printing of ID types
2021-01-08 00:02:59 +00:00
Daniel Nephin 36193c17d1 Merge pull request #9461 from hashicorp/dnephin/xds-server
xds: enable race detector and some small cleanup
2021-01-07 23:35:32 +00:00
Daniel Nephin 7292fe7db0 Merge pull request #9213 from hashicorp/dnephin/resolve-tokens-take-2
acl: Remove some unused things and document delegate method
2021-01-06 23:52:17 +00:00
Daniel Nephin 84a9ac1589 Merge pull request #9512 from pierresouchay/streaming_fix_grpc_tls2
[Streaming][bugfix] handle TLS signalisation when TLS is disabled on client side (alternative to #9494)
2021-01-06 22:11:21 +00:00
Daniel Nephin c18234cba1 Merge pull request #9067 from naemono/6074-allow-config-MaxHeaderBytes
Adds option to configure HTTP Server's MaxHeaderBytes
2021-01-05 17:29:33 +00:00
Matt Keeler 3faee062a5 Special case the error returned when we have a Raft leader but are not tracking it in the ServerLookup (#9487)
This can happen when one other node in the cluster such as a client is unable to communicate with the leader server and sees it as failed. When that happens its failing status eventually gets propagated to the other servers in the cluster and eventually this can result in RPCs returning “No cluster leader” error.

That error is misleading and unhelpful for determing the root cause of the issue as its not raft stability but rather and client -> server networking issue. Therefore this commit will add a new error that will be returned in that case to differentiate between the two cases.
2021-01-04 19:05:53 +00:00
R.B. Boyer 85205a63e8 server: deletions of intentions by name using the intention API is now idempotent (#9278)
Restoring a behavior inadvertently changed while fixing #9254
2021-01-04 17:27:50 +00:00
John Cowen 6cd7ad3952 api: Ensure the internal/ui/service endpoint responds with an array (#9397)
In some circumstances this endpoint will have no results in it (dues to
ACLs, Namespaces or filtering).

This ensures that the response is at least an empty array (`[]`) rather
than `null`
2020-12-15 16:52:37 +00:00
hashicorp-ci 8b9b803589
update bindata_assetfs.go 2020-12-11 03:26:04 +00:00
R.B. Boyer aa03e9979e acl: global tokens created by auth methods now correctly replicate to secondary datacenters (#9351)
Previously the tokens would fail to insert into the secondary's state
store because the AuthMethod field of the ACLToken did not point to a
known auth method from the primary.
2020-12-09 21:27:24 +00:00
Kenia 0ee745c899 Create consul version metric with version label (#9350)
* create consul version metric with version label

* agent/agent.go: add pre-release Version as well as label

Co-Authored-By: Radha13 <kumari.radha3@gmail.com>

* verion and pre-release version labels.

* hyphen/- breaks prometheus

* Add Prometheus gauge defintion for version metric

* Add new metric to telemetry docs

Co-authored-by: Radha Kumari <kumari.radha3@gmail.com>
Co-authored-by: Aestek <thib.gilles@gmail.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2020-12-09 14:17:51 +00:00
Kyle Havlovitz 38bbf32a9c Merge pull request #9318 from hashicorp/ca-update-followup
connect: Fix issue with updating config in secondary
2020-12-02 20:18:26 +00:00
Kyle Havlovitz ff93919034 Merge pull request #9009 from hashicorp/update-secondary-ca
connect: Fix an issue with updating CA config in a secondary datacenter
2020-11-30 22:50:26 +00:00
Daniel Nephin 60d7f30169 Merge pull request #9284 from hashicorp/dnephin/agent-service-register
local: mark service as InSync when added to local agent state
2020-11-27 20:50:53 +00:00
Hans Hasselberg b3a0b8edd9 fix serf_wan documentation (#9289)
WAN config is different than LAN config, source of truth is
f72d2042a8/config.go (L315-L326)
and now the docs are correct.
2020-11-27 19:51:04 +00:00
Daniel Nephin d230cea541 Merge pull request #9247 from pierresouchay/streaming_predictible_order_for_health
[Streaming] Predictable order for results of /health/service/:serviceName to mimic memdb
2020-11-25 20:55:00 +00:00
Mike Morris 3ee6d1c14f
Merge branch 'release/1.9.x' into release/1.9.0 2020-11-24 14:50:39 -05:00
Mike Morris dbb1249f13 Merge branch 'stable-website' into release/1.9.0 2020-11-24 14:44:53 -05:00
hashicorp-ci 79bb27a363
update bindata_assetfs.go 2020-11-24 19:05:48 +00:00
R.B. Boyer 7467ffbff3 server: fix panic when deleting a non existent intention (#9254)
* server: fix panic when deleting a non existent intention

* add changelog

* Always return an error when deleting non-existent ixn

Co-authored-by: freddygv <gh@freddygv.xyz>
2020-11-24 18:44:58 +00:00
R.B. Boyer 3c7cf0216d server: fix panic when deleting a non existent intention (#9254)
* server: fix panic when deleting a non existent intention

* add changelog

* Always return an error when deleting non-existent ixn

Co-authored-by: freddygv <gh@freddygv.xyz>
2020-11-24 13:44:45 -05:00
Kit Patella 727780140e Merge pull request #9261 from hashicorp/telemetry/fix-missing-and-stale-docs-2
Telemetry/fix missing and stale docs
2020-11-23 21:34:59 +00:00
Kit Patella 146466a708 Merge pull request #9261 from hashicorp/telemetry/fix-missing-and-stale-docs-2
Telemetry/fix missing and stale docs
2020-11-23 21:34:55 +00:00
Freddy ff5215d882 Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-23 06:27:20 -07:00
Kit Patella fe6ef7e414 Merge pull request #9245 from hashicorp/telemetry/fix-missing-and-stale-docs
Telemetry/fix missing and stale docs
2020-11-20 20:55:51 +00:00
Kit Patella 6e607d7cd3 Merge pull request #9245 from hashicorp/telemetry/fix-missing-and-stale-docs
Telemetry/fix missing and stale docs
2020-11-20 20:55:45 +00:00
Freddy 4e44341d36 Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 16:50:17 -07:00
R.B. Boyer 140c220131
[1.9.0] command: when generating envoy bootstrap configs use the datacenter returned from the agent services endpoint (#9230)
Manual backport of #9229 into 1.9.0 branch

Fixes #9215
2020-11-19 15:33:41 -06:00
R.B. Boyer 32f6d17e5d command: when generating envoy bootstrap configs use the datacenter returned from the agent services endpoint (#9229)
Fixes #9215
2020-11-19 21:28:09 +00:00
Freddy 5137e4501d Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 17:15:17 +00:00
Daniel Nephin 6e5f062593 Merge pull request #9224 from hashicorp/dnephin/fix-multiple-http-listeners
agent: fix bug with multiple listeners
2020-11-18 21:53:27 +00:00
Daniel Nephin b2c5e2d059 Use freeport
To prevent other tests which already use freeport from flaking when port 0 steals their reserved port.
2020-11-18 16:07:00 -05:00
Daniel Nephin c6381b7e2b agent: fix bug with multiple listeners
Previously the listener was being passed to a closure in a loop without
capturing the loop variable. The result is only the last listener is
used, so the http/https servers only listen on one address.

This problem is fixed by capturing the variable by passing it into a
function.
2020-11-18 14:39:26 -05:00
Daniel Nephin 6a42641eb2 Merge pull request #9160 from hashicorp/dnephin/go-test-race-in-to-out-list
ci: change go-test-race package list to exclude list
2020-11-17 18:14:09 +00:00
hashicorp-ci 2dfe2401ec Merge branch 'release/1.9.0-rc1' into remote-x 2020-11-17 17:43:03 +00:00
hashicorp-ci 15ef28f57a
update bindata_assetfs.go 2020-11-17 16:28:08 +00:00
Matt Keeler dfaaa0b73a Refactor to call non-voting servers read replicas (#9191)
Co-authored-by: Kit Patella <kit@jepsen.io>
2020-11-17 15:54:38 +00:00
Freddy ef7ee6840a Add DC and NS support for Envoy metrics (#9207)
This PR updates the tags that we generate for Envoy stats.

Several of these come with breaking changes, since we can't keep two stats prefixes for a filter.
2020-11-16 19:55:18 -07:00
Kit Patella 88b013be99 Merge pull request #9198 from hashicorp/mkcp/telemetry/add-all-metric-definitions
Add metric definitions for all metrics known at Consul start
2020-11-16 16:26:16 -08:00
Kit Patella 82e7363b90 Merge pull request #9198 from hashicorp/mkcp/telemetry/add-all-metric-definitions
Add metric definitions for all metrics known at Consul start
2020-11-17 00:13:51 +00:00
Freddy 4d39305442 Add DC and NS support for Envoy metrics (#9207)
This PR updates the tags that we generate for Envoy stats.

Several of these come with breaking changes, since we can't keep two stats prefixes for a filter.
2020-11-16 23:37:50 +00:00
Matt Keeler dd857bfa37
Prevent panic if autopilot health is requested prior to leader establishment finishing. (#9204) 2020-11-16 17:14:56 -05:00
Matt Keeler e421da3b59 Prevent panic if autopilot health is requested prior to leader establishment finishing. (#9204) 2020-11-16 22:08:44 +00:00
Daniel Nephin 9b904de406 Merge pull request #9114 from hashicorp/dnephin/filtering-in-stream
stream: improve naming of Payload methods
2020-11-16 19:21:20 +00:00
R.B. Boyer 2747b5145a server: intentions CRUD requires connect to be enabled (#9194)
Fixes #9123
2020-11-13 22:19:47 +00:00
R.B. Boyer fee0c44ab2 server: remove config entry CAS in legacy intention API bridge code (#9151)
Change so line-item intention edits via the API are handled via the state store instead of via CAS operations.

Fixes #9143
2020-11-13 20:42:57 +00:00
R.B. Boyer a955705e5e server: skip deleted and deleting namespaces when migrating intentions to config entries (#9186) 2020-11-13 19:57:12 +00:00
Mike Morris 0ba0391bdd ci: update to Go 1.15.4 and alpine:3.12 (#9036)
* ci: stop building darwin/386 binaries

Go 1.15 drops support for 32-bit binaries on Darwin https://golang.org/doc/go1.15#darwin

* tls: ConnectionState::NegotiatedProtocolIsMutual is deprecated in Go 1.15, this value is always true

* correct error messages that changed slightly

* Completely regenerate some TLS test data

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2020-11-13 18:03:37 +00:00