e808620463
Merge pull request #11118 from hashicorp/eculver/remove-envoy-1.15
...
Remove support for Envoy 1.15
2021-10-04 23:14:24 +02:00
c7747212c3
Merge pull request #11115 from hashicorp/eculver/envoy-1.19.1
...
Add support for Envoy 1.19.1
2021-10-04 23:13:26 +02:00
c7f74deb17
acl: remove updateEnterpriseSerfTags
...
The only remaining caller is a test helper, and the tests don't use the enterprise gossip
pools.
2021-10-04 17:01:51 -04:00
9b1d2685bf
Merge pull request #11126 from hashicorp/dnephin/acl-legacy-remove-resolve-and-get-policy
...
acl: remove ACL.GetPolicy RPC endpoint and ACLResolver.resolveTokenLegacy
2021-10-04 16:29:51 -04:00
c2583a1b7f
Add metrics to count the number of service-mesh config entries
2021-10-04 14:50:17 -05:00
536838b004
Add metrics to count connect native service mesh instances
...
This will add the counts of the service mesh instances tagged by
whether or not it is connect native
2021-10-04 14:37:05 -05:00
46bf882620
Add metrics to count service mesh Kind instance counts
...
This will add the counts of service mesh instances tagged by the
different ServiceKind's.
2021-10-04 14:36:59 -05:00
a1e3fa818c
acl: fix test failures caused by remocving legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Remove the early WaitForLeader in dc2, because with it the test was
failing with ACL not found.
2021-10-01 18:03:10 -04:00
db397d62c5
Add 1.15 versions to too old list
2021-10-01 11:28:26 -07:00
1c9b58a8af
agent: Reject partitions in legacy intention endpoints ( #11181 )
2021-10-01 13:18:57 -04:00
53a35181e5
Support partitions in parseIntentionStringComponent ( #11202 )
2021-10-01 12:36:12 -04:00
a5b09493ab
fix token list by auth method ( #11196 )
...
* add tests to OIDC authmethod and fix entMeta when retrieving auth-methods
* fix oss compilation error
2021-10-01 12:00:43 -04:00
e41830af8a
Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15
2021-09-30 11:32:28 -07:00
fdbb742ffd
regenerate more envoy golden files
2021-09-30 10:57:47 -07:00
4faf805716
acl: call stop for the upgrade goroutine when done
...
TestAgentLeaks_Server was reporting a goroutine leak without this. Not sure if it would actually
be a leak in production or if this is due to the test setup, but seems easy enough to call it
this way until we remove legacyACLTokenUpgrade.
2021-09-29 17:36:43 -04:00
02da08ce77
acl: only run startACLUpgrade once
...
Since legacy ACL tokens can no longer be created we only need to run this upgrade a single
time when leadership is estalbished.
2021-09-29 16:22:01 -04:00
3ac910606c
acl: remove reading of serf acl tags
...
We no long need to read the acl serf tag, because servers are always either ACL enabled or
ACL disabled.
We continue to write the tag so that during an upgarde older servers will see the tag.
2021-09-29 15:45:11 -04:00
3d7c07e1e4
acl: fix test failure
...
For some reason removing legacy ACL upgrade requires using an ACL token now
for this WaitForLeader.
2021-09-29 15:21:30 -04:00
5c721832dc
acl: remove legacy ACL upgrades from Server
...
As part of removing the legacy ACL system
2021-09-29 15:19:23 -04:00
94be1835b2
acl: fix test failures caused by remocving legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Use the root token in WaitForLeader, because without it the test was
failing with ACL not found.
2021-09-29 15:15:50 -04:00
8e9773e20b
acl: remove ACL.GetPolicy endpoint and resolve legacy acls
...
And all code that was no longer used once those two were removed.
2021-09-29 14:33:19 -04:00
d12dd48c61
acl: remove ACL upgrading from Clients
...
As part of removing the legacy ACL system ACL upgrading and the flag for
legacy ACLs is removed from Clients.
This commit also removes the 'acls' serf tag from client nodes. The tag is only ever read
from server nodes.
This commit also introduces a constant for the acl serf tag, to make it easier to track where
it is used.
2021-09-29 14:02:38 -04:00
19040586ce
Merge pull request #11136 from hashicorp/dnephin/acl-resolver-fix-default-authz
...
acl: fix default Authorizer for down_policy extend-cache/async-cache
2021-09-29 13:45:12 -04:00
a53fdd68c8
Merge pull request #11110 from hashicorp/dnephin/acl-legacy-remove-initialize
...
acl: remove initializeLegacyACL and the rest of the legacy FSM commands
2021-09-29 13:44:30 -04:00
8f754aba14
Merge pull request #10999 from hashicorp/dnephin/revert-config-xds-port
...
Revert config xds_port
2021-09-29 13:39:15 -04:00
cc310224aa
command/envoy: stop using the DebugConfig from Self endpoint
...
The DebugConfig in the self endpoint can change at any time. It's not a stable API.
This commit adds the XDSPort to a stable part of the XDS api, and changes the envoy command to read
this new field.
It includes support for the old API as well, in case a newer CLI is used with an older API, and
adds a test for both cases.
2021-09-29 13:21:28 -04:00
6e1ebd3df7
acl: remove the last of the legacy FSM
...
Replace it with an implementation that returns an error, and rename some symbols
to use a Deprecated suffix to make it clear.
Also remove the ACLRequest struct, which is no longer referenced.
2021-09-29 12:42:23 -04:00
ed928511ca
acl: remove bootstrap-init FSM operation
2021-09-29 12:42:23 -04:00
dab5d1bdc8
acl: remove initializeLegacyACL from leader init
2021-09-29 12:42:23 -04:00
05f0cc3993
acl: remove ACLDelete FSM command, and state store function
...
These are no longer used now that ACL.Apply has been removed.
2021-09-29 12:42:23 -04:00
966e50e00e
acl: remove legacy field to ACLBoostrap
2021-09-29 12:42:23 -04:00
1502547e38
Revert "Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc"
...
This reverts commit 74fb650b6b58bd817336
2021-09-29 12:28:41 -04:00
0330966315
Merge pull request #11101 from hashicorp/dnephin/acl-legacy-remove-rpc-2
...
acl: remove legacy ACL.Apply RPC
2021-09-29 12:23:55 -04:00
ea4a8343cd
Merge pull request #11177 from hashicorp/dnephin/remove-entmeta-methods
...
structs: remove EnterpriseMeta helper methods
2021-09-29 12:08:07 -04:00
4c579a49ed
Merge pull request #10986 from hashicorp/dnephin/acl-legacy-remove-rpc
...
acl: remove legacy ACL RPC - part 1
2021-09-29 12:04:09 -04:00
eb632c53a2
structs: rename the last helper method.
...
This one gets used a bunch, but we can rename it to make the behaviour more obvious.
2021-09-29 11:48:38 -04:00
8d8c1f9d5e
structs: remove another helper
...
We already have a helper funtion.
2021-09-29 11:48:03 -04:00
6d72517682
structs: remove two methods that were only used once each.
...
These methods only called a single function. Wrappers like this end up making code harder to read
because it adds extra ways of doing things.
We already have many helper functions for constructing these types, we don't need additional methods.
2021-09-29 11:47:03 -04:00
8d1378cc1d
Merge pull request #10988 from hashicorp/dnephin/acl-legacy-remove-config
...
acl: isolate deprecated config and warn when they are used
2021-09-29 11:40:14 -04:00
6b33e3bfd7
Merge pull request #9456 from hashicorp/dnephin/config-deprecation
...
config: Use DeprecatedConfig struct for deprecated config fields
2021-09-29 11:37:40 -04:00
60170dfbe7
Merge remote-tracking branch 'origin/eculver/remove-envoy-1.15' into eculver/remove-envoy-1.15
2021-09-28 16:06:36 -07:00
4f1a8d4ea6
Fix typo
...
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-09-29 01:05:45 +02:00
03e44da9f7
Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15
2021-09-28 15:59:43 -07:00
9b73e7319d
Merge branch 'main' into eculver/envoy-1.19.1
2021-09-28 15:58:20 -07:00
5c37819d09
Cleanup unnecessary normalizing method ( #11169 )
2021-09-28 15:31:12 -04:00
bf2a3f6e79
Merge pull request #11084 from krastin/krastin-autopilot-loggingtypo
...
Fix a tiny typo in logging in autopilot.go
2021-09-28 15:11:11 -04:00
585d9363ed
Merge branch 'main' into eculver/envoy-1.19.1
2021-09-28 11:54:33 -07:00
e3248c20c9
agent: Clean up unused built-in proxy config ( #11165 )
2021-09-28 11:29:10 -04:00
cd4e70b34c
acl: fix default authorizer for down_policy
...
This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done
in https://github.com/hashicorp/consul/pull/10632 .
2021-09-23 18:12:22 -04:00
6bb7aef15c
Remove t.Parallel from TestACLResolver_DownPolicy
...
These tests run in under 10ms, t.Parallel does nothing but slow them down and
make failures harder to debug when one panics.
2021-09-23 18:12:22 -04:00
e664dbc352
Refactor table index acl phase 2 ( #11133 )
...
* extract common methods from oss and ent
* remove unreachable code
* add missing normalize for binding rules
* fix oss to use Query
2021-09-23 15:26:09 -04:00
e8ac5fd90b
config: Move ACLEnableKeyListPolicy to DeprecatedConfig
2021-09-23 15:15:00 -04:00
5c40b717ed
config: move acl_ttl to DeprecatedConfig
2021-09-23 15:14:59 -04:00
977f6d8888
config: move acl_{default,down}_policy to DeprecatedConfig
2021-09-23 15:14:59 -04:00
5eafcea4d4
config: Deprecate EnableACLReplication
...
replaced by ACL.TokenReplication
2021-09-23 15:14:59 -04:00
5dc16180ad
config: move ACL master token and replication to DeprecatedConfig
2021-09-23 15:14:59 -04:00
1ecec84fd7
Merge pull request #10903 from hashicorp/feature/ingress-sds
...
Add Support to for providing TLS certificates for Ingress listeners from an SDS source
2021-09-23 16:19:05 +01:00
5904e4ac79
Refactor table index ( #11131 )
...
* convert tableIndex to use the new pattern
* make `indexFromString` available for oss as well
* refactor `indexUpdateMaxTxn`
2021-09-23 11:06:23 -04:00
7b4cbe3143
Final readability tweaks from review
2021-09-23 10:17:12 +01:00
70bc89b7f4
Fix subtle loop bug and add test
2021-09-23 10:13:41 +01:00
07f81991df
Refactor SDS validation to make it more contained and readable
2021-09-23 10:13:19 +01:00
5cfd030d03
Refactor Ingress-specific lister code to separate file
2021-09-23 10:13:19 +01:00
136928a90f
Minor PR typo and cleanup fixes
2021-09-23 10:13:19 +01:00
20d0bf81f7
Revert abandonned changes to proxycfg for Ent test consistency
2021-09-23 10:13:19 +01:00
a9119e36a5
Fix merge conflict in xds tests
2021-09-23 10:12:37 +01:00
2281d883b9
Fix some more Enterprise Normalization issues affecting tests
2021-09-23 10:12:37 +01:00
9fa60c7472
Remove unused argument to fix lint error
2021-09-23 10:09:11 +01:00
659321d008
Handle namespaces in route names correctly; add tests for enterprise
2021-09-23 10:09:11 +01:00
2a3d3d3c23
Update xDS routes to support ingress services with different TLS config
2021-09-23 10:08:02 +01:00
16b3b1c737
Update xDS Listeners with SDS support
2021-09-23 10:08:02 +01:00
ccbda0c285
Update proxycfg to hold more ingress config state
2021-09-23 10:08:02 +01:00
4e39f03d5b
Add ingress-gateway config for SDS
2021-09-23 10:08:02 +01:00
c84867feda
acl: remove ACL.Apply
...
As part of removing the legacy ACL system.
2021-09-22 18:28:08 -04:00
ae05419aea
acl: made acl rules in tests slightly more specific
...
When converting these tests from the legacy ACL system to the new RPC endpoints I
initially changed most things to use _prefix rules, because that was equivalent to
the old legacy rules.
This commit modifies a few of those rules to be a bit more specific by replacing the _prefix
rule with a non-prefix one where possible.
2021-09-22 18:24:56 -04:00
d88d9e71c2
partitions/authmethod-index work from enterprise ( #11056 )
...
* partitions/authmethod-index work from enterprise
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-22 13:19:20 -07:00
f972048ebc
connect: Allow upstream listener escape hatch for prepared queries ( #11109 )
2021-09-22 15:27:10 -04:00
7e20a5e4f9
connect: remove support for Envoy 1.15
2021-09-22 11:48:50 -07:00
706fc8bcd0
grpc: strip local ACL tokens from RPCs during forwarding if crossing datacenters ( #11099 )
...
Fixes #11086
2021-09-22 13:14:26 -05:00
54256fb751
config: Move two more fields to DeprecatedConfig
...
And add a test for deprecated config fields.
2021-09-22 13:23:03 -04:00
8ed14296ea
config: Introduce DeprecatedConfig
...
This struct allows us to move all the deprecated config options off of
the main config struct, and keeps all the deprecation logic in a single
place, instead of spread across 3+ places.
2021-09-22 13:22:16 -04:00
2d23f92b35
add 1.19.x versions to test config
2021-09-22 09:30:45 -07:00
1e3ba26223
Merge pull request #11090 from hashicorp/clly/kv-usage-metrics
...
Add KVUsage to consul state usage metrics
2021-09-22 11:26:56 -05:00
ba706501e1
Strip out go 1.17 bits
2021-09-22 11:04:48 -05:00
a6a359cc80
Add a mock Agent delegate to ease/improve some types of testing
2021-09-22 10:23:01 -04:00
47b99d0b78
auto-updated agent/uiserver/bindata_assetfs.go from commit 9c0233cf5
2021-09-22 13:05:38 +00:00
7efb015ca9
auto-updated agent/uiserver/bindata_assetfs.go from commit cfbd1bb84
2021-09-22 09:26:14 +00:00
72f2199ea1
acl: remove remaining tests that use ACL.Apply
...
In preparation for removing ACL.Apply.
Tests for ACL.Apply, ACL.GetPolicy, and ACL upgrades were removed
because all 3 of those will be removed shortly.
The forth test appears to be for the ACLResolver cache, so the test was moved to the correct
test file, and the name was updated to make it obvious what is being tested.
2021-09-21 19:35:26 -04:00
2798383dbc
regenerate envoy golden files
2021-09-21 16:21:00 -07:00
7605dff46e
add envoy 1.19.1
2021-09-21 15:39:36 -07:00
eb991c18c2
fsm: restore the legacy commands
...
and emit a helpful error message.
2021-09-21 18:35:12 -04:00
fa4b33ab8f
Convert tests to the new ACL system
...
In preparation for removing ACL.Apply
2021-09-21 18:35:12 -04:00
5779af1f62
config: use the new ACL system in tests
...
In preparation for removing ACL.Apply
2021-09-21 17:57:29 -04:00
d64409f66f
catalog: use the new ACL system in tests
...
In preparation for removing ACL.Apply
2021-09-21 17:57:29 -04:00
3b9578d7eb
Update 4 non-acl tests that used the legacy ACL.Apply
...
These tests don't really care about the endpoint, they just need some way to create an ACL token.
2021-09-21 17:57:29 -04:00
746f67b3a1
acl: remove two commented out tests for legacy ACL replication
...
They were commented out in 2018.
2021-09-21 17:57:29 -04:00
abd9cd0e15
acl: replace legacy Get and List RPCs with an error impl
...
These endpoints are being removed as part of the legacy ACL system.
2021-09-21 17:57:29 -04:00
e7c63004a8
acl: remove a couple legacy ACL operation constants
...
structs.ACLForceSet was deprecated 4 years ago, it should be safe to remove now.
ACLBootstrapNow was removed in a recent commit. While it is technically possible that a cluster with mixed version
could still attempt a legacy boostrap, we documented that the legacy system was deprecated in 1.4, so no
clusters that are being upgraded should be attempting a legacy boostrap.
2021-09-21 17:57:29 -04:00
868bfc7a0a
acl: Remove unused ACLPolicyIDType
2021-09-21 17:57:29 -04:00
aee8a9511d
Merge pull request #10985 from hashicorp/dnephin/acl-legacy-remove-replication
...
acl: remove legacy ACL replication
2021-09-21 17:56:54 -04:00
1ddee0680c
Apply suggestions from code review
...
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
2021-09-21 10:52:46 -05:00
b2d17ac448
xds: fix representation of incremental xDS subscriptions ( #10987 )
...
Fixes #10563
The `resourceVersion` map was doing two jobs prior to this PR. The first job was
to track what version of every resource we know envoy currently has. The
second was to track subscriptions to those resources (by way of the empty
string for a version). This mostly works out fine, but occasionally leads to
consul removing a resource and accidentally (effectively) unsubscribing at the
same time.
The fix separates these two jobs. When all of the resources for a subscription
are removed we continue to track the subscription until envoy explicitly
unsubscribes
2021-09-21 09:58:56 -05:00
ae3457b96a
Fix test
2021-09-20 13:44:43 -05:00
052f224ee5
Add KVUsage to consul state usage metrics
...
This change will add the number of entries in the consul KV store to the
already existing usage metrics.
2021-09-20 12:41:54 -05:00
5fe613dd05
xds: ensure the active streams counters are 64 bit aligned on 32 bit systems ( #11085 )
2021-09-20 11:07:11 -05:00
f7b0938633
Update autopilot.go
...
Fixing a minuscule typo in logging
2021-09-20 14:40:58 +02:00
8591620b5d
Merge pull request #11071 from hashicorp/partitions/ixn-decisions
2021-09-16 15:18:23 -06:00
49248a0802
Fixup proxycfg tproxy case
2021-09-16 15:05:28 -06:00
fc8fc060a7
Remove ent checks from oss test
2021-09-16 14:53:28 -06:00
faa6fd0919
acl: ensure the global management policy grants all necessary partition privileges ( #11072 )
2021-09-16 15:53:10 -05:00
bf7a1358d6
Ensure partition is defaulted in authz
2021-09-16 14:39:01 -06:00
47109e0c0c
Default the partition in ixn check
2021-09-16 14:39:01 -06:00
82d2caa288
Fixup test
2021-09-16 14:39:01 -06:00
95a6db9cfa
Account for partitions in ixn match/decision
2021-09-16 14:39:01 -06:00
2dc62aa0c4
Bump `go-discover` to fix broken dep tree ( #10898 )
2021-09-16 15:31:22 -04:00
42b7fd3e60
auto-updated agent/uiserver/bindata_assetfs.go from commit 1d9d3349c
2021-09-16 17:31:08 +00:00
ca73abdea1
acl: fix intention:*:write checks ( #11061 )
...
This is a partial revert of #10793
2021-09-16 11:08:45 -05:00
cd08a36ce0
Merge pull request #11051 from hashicorp/partitions/fixes
2021-09-16 09:29:00 -06:00
fcef19f94b
acl: small resolver changes to account for partitions ( #11052 )
...
Also refactoring the enterprise side of a test to make it easier to reason about.
2021-09-16 09:17:02 -05:00
3f3a61c6e1
Fixup manager tests
2021-09-15 17:24:05 -06:00
99c6e4fe41
Default partition in match endpoint
2021-09-15 17:23:52 -06:00
77681b9f6c
Pass partition to intention match query
2021-09-15 17:23:52 -06:00
9cd30e8650
Ensure partition is used for SAN validation
2021-09-15 17:23:48 -06:00
9f12fbd3cc
ACL Binding Rules table partitioning ( #11044 )
...
* ACL Binding Rules table partitioning
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-15 13:26:08 -07:00
02051c141e
auto-updated agent/uiserver/bindata_assetfs.go from commit fc14a412f
2021-09-15 18:55:29 +00:00
0eb4a98fab
auto-updated agent/uiserver/bindata_assetfs.go from commit b16a6fa03
2021-09-15 17:14:42 +00:00
af21578039
use const instead of literals for `tableIndex` ( #11039 )
2021-09-15 10:24:04 -04:00
6be54052f7
Refactor `indexAuthMethod` in `tableACLBindingRules` ( #11029 )
...
* Port consul-enterprise #1123 to OSS
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* Fixup missing query field
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* change to re-trigger ci system
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-15 09:34:19 -04:00
ce04ce13dd
Merge pull request #11024 from hashicorp/partitions/rbac
2021-09-14 11:18:19 -06:00
e18f3c1f6d
Update error texts ( #11022 )
...
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-09-14 11:08:06 -06:00
d90e30f009
Update spiffe ID patterns used for RBAC
2021-09-14 11:00:03 -06:00
5e54f253d7
Expand testing of simplifyNotSourceSlice for partitions
2021-09-14 10:55:15 -06:00
19da23be28
Expand testing of removeSameSourceIntentions for partitions
2021-09-14 10:55:09 -06:00
beab0cd962
Account for partition when matching src intentions
2021-09-14 10:55:02 -06:00
1f9479603c
Add failures_before_warning to checks ( #10969 )
...
Signed-off-by: Jakub Sokołowski <jakub@status.im>
* agent: add failures_before_warning setting
The new setting allows users to specify the number of check failures
that have to happen before a service status us updated to be `warning`.
This allows for more visibility for detected issues without creating
alerts and pinging administrators. Unlike the previous behavior, which
caused the service status to not update until it reached the configured
`failures_before_critical` setting, now Consul updates the Web UI view
with the `warning` state and the output of the service check when
`failures_before_warning` is breached.
The default value of `FailuresBeforeWarning` is the same as the value of
`FailuresBeforeCritical`, which allows for retaining the previous default
behavior of not triggering a warning.
When `FailuresBeforeWarning` is set to a value higher than that of
`FailuresBeforeCritical it has no effect as `FailuresBeforeCritical`
takes precedence.
Resolves: https://github.com/hashicorp/consul/issues/10680
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Co-authored-by: Jakub Sokołowski <jakub@status.im>
2021-09-14 12:47:52 -04:00
b4d5860197
convert expiration indexed in ACLToken table to use `indexerSingle` ( #11018 )
...
* move intFromBool to be available for oss
* add expiry indexes
* remove dead code: `TokenExpirationIndex`
* fix remove indexer `TokenExpirationIndex`
* fix rebase issue
2021-09-13 14:37:16 -04:00
11f44dfcf8
add locality indexer partitioning ( #11016 )
...
* convert `Roles` index to use `indexerSingle`
* split authmethod write indexer to oss and ent
* add index locality
* add locality unit tests
* move intFromBool to be available for oss
* use Bool func
* refactor `aclTokenList` to merge func
2021-09-13 11:53:00 -04:00
ba4ee6e67c
convert `indexAuthMethod` index to use `indexerSingle` ( #11014 )
...
* convert `Roles` index to use `indexerSingle`
* fix oss build
* split authmethod write indexer to oss and ent
* add auth method unit tests
2021-09-10 16:56:56 -04:00
b38e84df63
Include namespace and partition in error messages when validating ingress header manip
2021-09-10 21:11:00 +01:00
1079089f20
Refactor HTTPHeaderModifiers.MergeDefaults based on feedback
2021-09-10 21:11:00 +01:00
9e4e204e96
Fix enterprise test failures caused by differences in normalizing EnterpriseMeta
2021-09-10 21:11:00 +01:00
3004eadd08
Fix enterprise discovery chain tests; Fix multi-level split merging
2021-09-10 21:11:00 +01:00
b5ae00d753
Remove unnecessary check
2021-09-10 21:09:24 +01:00
f1c0876b4c
Fix discovery chain test fixtures
2021-09-10 21:09:24 +01:00
1b9632531a
Integration tests for all new header manip features
2021-09-10 21:09:24 +01:00
e22cc9c53a
Header manip for split legs plumbing
2021-09-10 21:09:24 +01:00
83fc8723a3
Header manip for service-router plumbed through
2021-09-10 21:09:24 +01:00
f439dfc04f
Ingress gateway header manip plumbing
2021-09-10 21:09:24 +01:00
d776a2d236
Add HTTP header manip for router and splitter entries
2021-09-10 21:09:24 +01:00
46e4041283
Header manip and validation added for ingress-gateway entries
2021-09-10 21:09:24 +01:00
6cac30aa22
convert `Roles` index to use `indexerMulti` ( #11013 )
...
* convert `Roles` index to use `indexerMulti`
* add role test in oss
* fix oss to use the right index func
* preallocate slice
2021-09-10 16:04:33 -04:00
f3f0654038
convert indexPolicies in ACLTokens table to the new index ( #11011 )
2021-09-10 14:57:37 -04:00
584faec6e3
convert indexSecret to the new index ( #11007 )
2021-09-10 09:10:11 -04:00
6e6cf1c043
convert indexAccessor to the new index ( #11002 )
2021-09-09 16:28:04 -04:00
13238dbab6
tls: consider presented intermediates during server connection tls handshake. ( #10964 )
...
* use intermediates when verifying
* extract connection state
* remove useless import
* add changelog entry
* golint
* better error
* wording
* collect errors
* use SAN.DNSName instead of CommonName
* Add test for unknown intermediate
* improve changelog entry
2021-09-09 21:48:54 +02:00
9bbfa048a2
Sync enterprise changes to oss ( #10994 )
...
This commit updates OSS with files for enterprise-specific admin partitions feature work
2021-09-08 11:59:30 -04:00
a14950025a
Merge pull request #10984 from hashicorp/mesh-resource
...
acl: adding a new mesh resource
2021-09-07 15:06:20 -07:00
bc0e4f2f46
partition dicovery chains ( #10983 )
...
* partition dicovery chains
* fix default partition for OSS
2021-09-07 16:29:32 -04:00
f063402b29
acl: remove ACL.IsSame
...
The only caller of this method was removed in a recent commit along with replication.
2021-09-03 12:59:12 -04:00
d63cef1219
acl: remove legacy ACL replication
2021-09-03 12:42:06 -04:00
ee372a854a
acl: adding a new mesh resource
2021-09-03 09:12:03 -04:00
ced8329d80
try to infer command partition from node partition ( #10981 )
2021-09-03 08:37:23 -04:00
09197c989c
add partition to SNI when partition is non default ( #10917 )
2021-09-01 10:35:39 -04:00
8d83d27674
connect: update envoy supported versions to latest patch release
...
(#10961 )
Relevant advisory:
https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h
2021-08-31 10:39:18 -06:00
79c7e73618
rpc: authorize raft requests ( #10925 )
2021-08-26 15:04:32 -07:00
cd3333ad6a
auto-updated agent/uiserver/bindata_assetfs.go from commit eeeb91bea
2021-08-26 18:13:08 +00:00
1a9b2f09dd
ent->oss test fix ( #10926 )
2021-08-26 14:06:49 -04:00
2d66c4ea13
auto-updated agent/uiserver/bindata_assetfs.go from commit a907e1d87
2021-08-26 18:02:18 +00:00
a163051dbb
auto-updated agent/uiserver/bindata_assetfs.go from commit a0b0ed2bc
2021-08-26 16:06:09 +00:00
45dcc8b553
api: expose upstream routing configurations in topology view ( #10811 )
...
Some users are defining routing configurations that do not have associated services. This commit surfaces these configs in the topology visualization. Also fixes a minor internal bug with non-transparent proxy upstream/downstream references.
2021-08-25 15:20:32 -04:00
a6d22efb49
acl: some acl authz refactors for nodes ( #10909 )
2021-08-25 13:43:11 -05:00
11b1dc1f97
auto-updated agent/uiserver/bindata_assetfs.go from commit a777b0a9b
2021-08-25 13:46:51 +00:00
5e31421602
auto-updated agent/uiserver/bindata_assetfs.go from commit 8192dde48
2021-08-25 11:39:14 +00:00
5b6d96d27d
grpc: ensure that streaming gRPC requests work over mesh gateway based wan federation ( #10838 )
...
Fixes #10796
2021-08-24 16:28:44 -05:00
4993d877d9
auto-updated agent/uiserver/bindata_assetfs.go from commit 05a28c311
2021-08-24 16:04:24 +00:00
01936ddb70
Avoid passing zero value into variadic
2021-08-20 17:40:33 -06:00
f52bd80f6d
Update comment for test function
2021-08-20 17:40:33 -06:00
af52d21884
Update prepared query cluster SAN validation
...
Previously SAN validation for prepared queries was broken because we
validated against the name, namespace, and datacenter for prepared
queries.
However, prepared queries can target:
- Services with a name that isn't their own
- Services in multiple datacenters
This means that the SpiffeID to validate needs to be based on the
prepared query endpoints, and not the prepared query's upstream
definition.
This commit updates prepared query clusters to account for that.
2021-08-20 17:40:33 -06:00
85878685b7
Fixup proxy config test fixtures
...
- The TestNodeService helper created services with the fixed name "web",
and now that name is overridable.
- The discovery chain snapshot didn't have prepared query endpoints so
the endpoints tests were missing data for prepared queries
2021-08-20 17:38:57 -06:00
fb27c1b24f
agent: add partition labels to catalog API metrics where appropriate ( #10890 )
2021-08-20 15:09:39 -05:00
d66a43f5f2
fixing various bits of enterprise meta plumbing to be more correct ( #10889 )
2021-08-20 14:34:23 -05:00
1950ebbe1f
oss portion of ent #1069 ( #10883 )
2021-08-20 12:57:45 -04:00
ac41e30614
state: partition the nodes.uuid and nodes.meta indexes as well ( #10882 )
2021-08-19 16:17:59 -05:00
097e1645e3
agent: ensure that most agent behavior correctly respects partition configuration ( #10880 )
2021-08-19 15:09:42 -05:00
271352dbb7
Merge pull request #10849 from hashicorp/dnephin/contrib-doc-xds-auth
...
xds: document how authorization works
2021-08-18 13:25:16 -04:00
e44bce3c4f
state: partition the usage metrics subsystem ( #10867 )
2021-08-18 09:27:15 -05:00
8252a2691c
xds: document how authorization works
2021-08-17 19:26:34 -04:00
613dd7d053
state: adjust streaming event generation to account for partitioned nodes ( #10860 )
...
Also re-enabled some tests that had to be disabled in the prior PR.
2021-08-17 16:49:26 -05:00
310e775a8a
state: partition nodes and coordinates in the state store ( #10859 )
...
Additionally:
- partitioned the catalog indexes appropriately for partitioning
- removed a stray reference to a non-existent index named "node.checks"
2021-08-17 13:29:39 -05:00
01bf115c2b
acl: small improvements to ACLResolver disable due to RPC error
...
Remove the error return, so that not handling is not reported as an
error by errcheck. It was returning the error passed as an arg
unmodified so there is no reason to return the same value that was
passed in.
Remove the term upstreams to remove any confusion with the term used in
service mesh.
Remove the AutoDisable field, and replace it with the TTL value, using 0
to indicate the setting is turned off.
Replace "not Before" with "After".
Add some test coverage to show the behaviour is still correct.
2021-08-17 13:34:18 -04:00
d5498770fa
acl: make ACLDisabledTTL a constant
...
This field was never user-configurable. We always overwrote the value with 120s from
NonUserSource. However, we also never copied the value from RuntimeConfig to consul.Config,
So the value in NonUserSource was always ignored, and we used the default value of 30s
set by consul.DefaultConfig.
All of this code is an unnecessary distraction because a user can not actually configure
this value.
This commit removes the fields and uses a constant value instad. Someone attempting to set
acl.disabled_ttl in their config will now get an error about an unknown field, but previously
the value was completely ignored, so the new behaviour seems more correct.
We have to keep this field in the AutoConfig response for backwards compatibility, but the value
will be ignored by the client, so it doesn't really matter what value we set.
2021-08-17 13:34:18 -04:00
abd2e160f9
Fix test failures
...
Tests only specified one of the fields, but in production we copy the
value from a single place, so we can do the same in tests.
The AutoConfig test broke because of the problem noticed in a previous
commit. The DisabledTTL is not wired up properly so it reports 0s here.
Changed the test to use an explicit value.
2021-08-17 13:32:52 -04:00
17841248dd
config: remove ACLResolver settings from RuntimeConfig
2021-08-17 13:32:52 -04:00
31e034215f
acl: remove ACLResolver config fields from consul.Config
2021-08-17 13:32:52 -04:00
d4701903f6
acl: replace ACLResolver.Config with its own struct
...
This is step toward decoupling ACLResolver from the agent/consul
package.
2021-08-17 13:32:52 -04:00
c2b24adb5f
acl: remove ACLRulesTranslateLegacyToken API endpoint
2021-08-17 13:10:02 -04:00
b7bced9bcf
acl: remove legacy bootstrap
...
Return an explicit error from the RPC, and remove the flag from the HTTP API.
2021-08-17 13:10:00 -04:00
858071d55a
agent: update some tests that were using legacy ACL endpoints
...
The tests were updated to use the new ACL endpoints now that the legacy ones have been removed.
2021-08-17 13:09:30 -04:00
7ecd2e5466
http: update legacy ACL endpoints to return an error
...
Also move a test for the ACLReplicationStatus endpoint into the correct file.
2021-08-17 13:09:29 -04:00
9671dd6b97
acl: add some notes about removing legacy ACL system
2021-08-17 13:08:29 -04:00
887d11923b
Merge pull request #10792 from hashicorp/dnephin/rename-authz-vars
...
acl: use authz consistently as the variable name for an acl.Authorizer
2021-08-17 13:07:17 -04:00
Evan Culver
Daniel Nephin
Connor Kelly
Evan Culver
Chris S. Kim
Dhia Ayachi
Paul Banks
Paul Banks
Mark Anderson
R.B. Boyer
Matt Keeler
hc-github-team-consul-core
Krastin Krastev
Freddy
freddygv
Jeff Widman
Hans Hasselberg
Kyle Havlovitz
R.B. Boyer