Commit Graph

15481 Commits

Author SHA1 Message Date
Daniel Nephin 6e4ecfd05b docs: clarify acl down policy 2021-09-23 18:13:39 -04:00
Daniel Nephin cd4e70b34c acl: fix default authorizer for down_policy
This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done
in https://github.com/hashicorp/consul/pull/10632.
2021-09-23 18:12:22 -04:00
Daniel Nephin 6bb7aef15c Remove t.Parallel from TestACLResolver_DownPolicy
These tests run in under 10ms, t.Parallel does nothing but slow them down and
make failures harder to debug when one panics.
2021-09-23 18:12:22 -04:00
Dhia Ayachi e664dbc352
Refactor table index acl phase 2 (#11133)
* extract common methods from oss and ent

* remove unreachable code

* add missing normalize for binding rules

* fix oss to use Query
2021-09-23 15:26:09 -04:00
Daniel Nephin e8ac5fd90b config: Move ACLEnableKeyListPolicy to DeprecatedConfig 2021-09-23 15:15:00 -04:00
Daniel Nephin 5c40b717ed config: move acl_ttl to DeprecatedConfig 2021-09-23 15:14:59 -04:00
Daniel Nephin 977f6d8888 config: move acl_{default,down}_policy to DeprecatedConfig 2021-09-23 15:14:59 -04:00
Daniel Nephin 5eafcea4d4 config: Deprecate EnableACLReplication
replaced by ACL.TokenReplication
2021-09-23 15:14:59 -04:00
Daniel Nephin 5dc16180ad config: move ACL master token and replication to DeprecatedConfig 2021-09-23 15:14:59 -04:00
CJ 978699943f
docs: Fix grammatical errors in glossary (#10751) 2021-09-23 08:36:52 -07:00
Paul Banks 1ecec84fd7
Merge pull request #10903 from hashicorp/feature/ingress-sds
Add Support to for providing TLS certificates for Ingress listeners from an SDS source
2021-09-23 16:19:05 +01:00
Dhia Ayachi 5904e4ac79
Refactor table index (#11131)
* convert tableIndex to use the new pattern

* make `indexFromString` available for oss as well

* refactor `indexUpdateMaxTxn`
2021-09-23 11:06:23 -04:00
Paul Banks 7b4cbe3143 Final readability tweaks from review 2021-09-23 10:17:12 +01:00
Paul Banks e0efb420f7 Add Envoy integration test for split-route SDS case 2021-09-23 10:17:03 +01:00
Paul Banks ab27214a10 Minor improvements to SDS server from review 2021-09-23 10:13:41 +01:00
Paul Banks 70bc89b7f4 Fix subtle loop bug and add test 2021-09-23 10:13:41 +01:00
Paul Banks 07f81991df Refactor SDS validation to make it more contained and readable 2021-09-23 10:13:19 +01:00
Paul Banks 5cfd030d03 Refactor Ingress-specific lister code to separate file 2021-09-23 10:13:19 +01:00
Paul Banks 136928a90f Minor PR typo and cleanup fixes 2021-09-23 10:13:19 +01:00
Paul Banks 20d0bf81f7 Revert abandonned changes to proxycfg for Ent test consistency 2021-09-23 10:13:19 +01:00
Paul Banks a9119e36a5 Fix merge conflict in xds tests 2021-09-23 10:12:37 +01:00
Paul Banks 2b755d7b3f Allow skipping v2 compat tests for SDS as it's only the SDS server integration that doesn't support v2 2021-09-23 10:12:37 +01:00
Paul Banks e01c3585a5 Fix integration tests in CI - serve SDS certs from the Docker image not a mounted path 2021-09-23 10:12:37 +01:00
Paul Banks 843079f33a Fix integration test for older Envoy versions 2021-09-23 10:12:37 +01:00
Paul Banks 2281d883b9 Fix some more Enterprise Normalization issues affecting tests 2021-09-23 10:12:37 +01:00
Paul Banks b5345ea878 Add changelog; Add API package support for new fields. 2021-09-23 10:12:37 +01:00
Paul Banks 9fa60c7472 Remove unused argument to fix lint error 2021-09-23 10:09:11 +01:00
Paul Banks 659321d008 Handle namespaces in route names correctly; add tests for enterprise 2021-09-23 10:09:11 +01:00
Paul Banks cd8ad007fe Add basic integration test for Envoy ingress with SDS 2021-09-23 10:08:02 +01:00
Paul Banks 2a3d3d3c23 Update xDS routes to support ingress services with different TLS config 2021-09-23 10:08:02 +01:00
Paul Banks 16b3b1c737 Update xDS Listeners with SDS support 2021-09-23 10:08:02 +01:00
Paul Banks ccbda0c285 Update proxycfg to hold more ingress config state 2021-09-23 10:08:02 +01:00
Paul Banks 4e39f03d5b Add ingress-gateway config for SDS 2021-09-23 10:08:02 +01:00
Daniel Nephin c84867feda acl: remove ACL.Apply
As part of removing the legacy ACL system.
2021-09-22 18:28:08 -04:00
Daniel Nephin ae05419aea acl: made acl rules in tests slightly more specific
When converting these tests from the legacy ACL system to the new RPC endpoints I
initially changed most things to use _prefix rules, because that was equivalent to
the old legacy rules.

This commit modifies a few of those rules to be a bit more specific by replacing the _prefix
rule with a non-prefix one where possible.
2021-09-22 18:24:56 -04:00
Mark Anderson d88d9e71c2
partitions/authmethod-index work from enterprise (#11056)
* partitions/authmethod-index work from enterprise

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-22 13:19:20 -07:00
Chris S. Kim f972048ebc
connect: Allow upstream listener escape hatch for prepared queries (#11109) 2021-09-22 15:27:10 -04:00
Evan Culver 7e20a5e4f9
connect: remove support for Envoy 1.15 2021-09-22 11:48:50 -07:00
R.B. Boyer 706fc8bcd0
grpc: strip local ACL tokens from RPCs during forwarding if crossing datacenters (#11099)
Fixes #11086
2021-09-22 13:14:26 -05:00
Evan Culver 9f79043247
add changelog entry 2021-09-22 10:57:36 -07:00
Evan Culver f7380461c7
update docs to indicate support for envoy 1.19.1 in Consul 1.11.x 2021-09-22 10:57:22 -07:00
John Cowen 6bc8af364f
ui: Add initial i18n docs page (#10888) 2021-09-22 18:51:39 +01:00
John Cowen 61e69a9fe5
ui: Add partition parameter when clearing child-selector forms in ACLs (#11106) 2021-09-22 18:36:09 +01:00
John Cowen ececa7da45
ui: Add an isDestroyed check for the MenuPanel component (#11104)
This solves an occasionally flakey tests I see every so often
2021-09-22 18:33:31 +01:00
John Cowen e088d8674c
ui: Remove legacy ACLs (#11096) 2021-09-22 18:32:51 +01:00
John Cowen 6e396e4456
ui: Gracefully recover from non-existent DC errors (#11077)
* ui: Gracefully recover from non-existent DC errors

This PR fixes what happens in the UI if you try to navigate to a non-existing DC.

When we received a 500 error from an API response due to a non-existent DC, previously we would show a 404 error, which is what we were trying to convey. But in the spirit of the UI being a 'thin client', its probably best to just show the 500 error from the API response, which may help folks to debug any issues better.

* Automatically set the CONSUL_DATACENTER_LOCAL env var for testing
2021-09-22 18:26:36 +01:00
John Cowen cf638ee551
ui: Always show main navigation Key/Value link (#10916)
* ui: Ignore response from API for KV permissions

Currently there is no way for us to use our HTTP authorization API
endpoint to tell us whether a user has access to any KVs (including the
case where a user may not have access to the root KV store, but do have
access to a sub item)

This is a little weird still as in the above case the user would click
on this link and still get a 403 for the root, and then have to manually
type in the URL for the KV they do have access to.

Despite this we think this change makes sense as at least something about KV is
visible in the main navigation.

Once we have the ability to know if any KVs are accessible, we can add
this guard back in.

We'd initially just removed the logic around the button, but then
noticed there may be further related KV issues due to the nested nature
of KVs so we finally decided on simply ignoring the responses from the
HTTP API, essentially reverting the KV area back to being a thin client.
This means when things are revisited in the backend we can undo this
easily change in one place.

* Move acceptance tests to use ACLs perms instead of KV ones
2021-09-22 18:23:59 +01:00
Daniel Nephin 54256fb751 config: Move two more fields to DeprecatedConfig
And add a test for deprecated config fields.
2021-09-22 13:23:03 -04:00
Daniel Nephin 8ed14296ea config: Introduce DeprecatedConfig
This struct allows us to move all the deprecated config options off of
the main config struct, and keeps all the deprecation logic in a single
place, instead of spread across 3+ places.
2021-09-22 13:22:16 -04:00
Daniel Nephin d2274df53f lib/decode: fix hook to work with embedded squash struct
The decode hook is not call for the embedded squashed struct, so we need to recurse when we
find squash tags.

See https://github.com/mitchellh/mapstructure/issues/226
2021-09-22 13:22:16 -04:00