Merge branch 'enable-security-scan' of github.com:hashicorp/consul into enable-security-scan
This commit is contained in:
commit
1908e98c66
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
structs: prohibit config entries from referencing more than one partition at a time
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
connect: include optional partition prefixes in SPIFFE identifiers
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
config: add agent config flag for enterprise clients to indicate they wish to join a particular partition
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
api: Improve error message if service or health check not found by stating that the entity must be referred to by ID, not name
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
api: add partition field to acl structs
|
||||
```
|
|
@ -1,4 +0,0 @@
|
|||
```release-note:improvement
|
||||
ui: Add initial support for partitions to intentions
|
||||
```
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
ui: Added initial support for admin partition CRUD
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:bug
|
||||
acl: **(Enterprise only)** Fix bug in 'consul members' filtering with partitions.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:bug
|
||||
acl: **(Enterprise only)** ensure that auth methods with namespace rules work with partitions
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:enhancement
|
||||
api: URL-encode/decode resource names for v1/agent endpoints in API
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
agent: refactor the agent delegate interface to be partition friendly
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
connect: **(Enterprise only)** add support for dialing upstreams in remote partitions through mesh gateways.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
connect: **(Enterprise only)** updates ServiceRead and NodeRead to account for the partition-exports config entry.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
agent: for various /v1/agent endpoints parse the partition parameter on the request
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
cli: update consul members output to display partitions and sort the results usefully
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
ui: When switching partitions reset the namespace back to the tokens default namespace or default
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
partitions: Prevent writing partition-exports entries to secondary DCs.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
connect: **(Enterprise only)** Allow ingress gateways to target services in another partition
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:feature
|
||||
ingress: allow setting TLS min version and cipher suites in ingress gateway config entries
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:bug
|
||||
ui: Ensure the UI stores the default partition for the users token
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
ui: Add partition support for SSO
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
ui: Include `Service.Partition` into available variables for `dashboard_url_templates`
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
ui: Don't offer a 'Valid Datacenters' option when editing policies for non-default partitions
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
ui: Upgrade Lock Sessions to use partitions
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
ui: Add documentation link to Partition empty state
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
ui: Adds support for partitions to the Routing visualization.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
server: block enterprise-specific partition-exports config entry from being used in OSS Consul.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
ui: Adds support for partitions to Service and Node Identity template visuals.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
auto-config: ensure the feature works properly with partitions
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
ui: Adds basic support for showing Services exported from another partition.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
partitions: **(Enterprise only)** rename APIs, commands, and public types to use "partition" rather than "admin partition".
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
connect: **(Enterprise only)** add support for cross-partition transparent proxying.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
api: **(Enterprise Only)** rename partition-exports config entry to exported-services.
|
||||
```
|
|
@ -1,4 +0,0 @@
|
|||
```release-note:feature
|
||||
ui: Add basic partition tooltips to failovers and redirects in the routing
|
||||
visualization
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
connect: **(Enterprise only)** add support for targeting partitions in discovery chain routes, splits, and redirects.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:bug
|
||||
rpc: unset partition before forwarding to remote datacenter
|
||||
```
|
|
@ -0,0 +1,4 @@
|
|||
```release-note:bug
|
||||
ui: Differentiate between Service Meta and Node Meta when choosing search fields
|
||||
in Service Instance listings
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
cli: when creating a private key, save the file with mode 0600 so that only the user has read permission.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:bug
|
||||
acl: **(Enterprise only)** ensure that the agent recovery token is properly partitioned
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
connect: update SNI label extraction to support new taxonomy for partitions
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
http: when a user attempts to access the UI but can't because it's disabled, explain this and how to fix it
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:breaking-change
|
||||
sdk: several changes to the testutil configuration structs (removed `ACLMasterToken`, renamed `Master` to `InitialManagement`, and `AgentMaster` to `AgentRecovery`)
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bugfix
|
||||
ui: Fixes an issue with the version footer wandering when scrolling
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:security
|
||||
ci: Upgrade golang.org/x/net to address [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716)
|
||||
```
|
|
@ -0,0 +1,4 @@
|
|||
```release-note:feature
|
||||
Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the
|
||||
[Admin Partition](https://www.consul.io/docs/enterprise/admin-partitions) documentation.
|
||||
```
|
|
@ -0,0 +1,5 @@
|
|||
```release-note:bug
|
||||
ui: Fix an issue where attempting to delete a policy from the policy detail page when
|
||||
attached to a token would result in the delete button disappearing and no
|
||||
deletion being attempted
|
||||
```
|
|
@ -0,0 +1,4 @@
|
|||
```release-note:bug
|
||||
ui: Fixes an issue where once a 403 page is displayed in some circumstances its
|
||||
diffcult to click back to where you where before receiving a 403
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
ui: Ensure a login buttons appear for some error states, plus text amends
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
connect: update Envoy supported version of 1.20 to 1.20.1
|
||||
```
|
|
@ -0,0 +1,4 @@
|
|||
```release-note:bug
|
||||
ui: Fixes a bug where proxy service health checks would sometimes not appear
|
||||
until refresh
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
ui: Prevent disconnection notice appearing with auth change on certain pages
|
||||
```
|
|
@ -0,0 +1,6 @@
|
|||
```release-note:bug
|
||||
config: include all config errors in the error message, previously some could be hidden.
|
||||
```
|
||||
```release-note:bug
|
||||
snapshot: the `snapshot save` command now saves the snapshot with read permission for only the current user.
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
xds: fix a deadlock when the snapshot channel already have a snapshot to be consumed.
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
cli: Display assigned node identities in output of `consul acl token list`.
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
ui: Fixes a bug with URL decoding within KV area
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
ui: Fixes an issue saving intentions when editing per service intentions
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
Mutate `NodeService` struct properly to avoid a data race.
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
api: Return 404 when de-registering a non-existent check
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
Upgrade to raft `1.3.3` which fixes a bug where a read replica node can trigger a raft election and become a leader.
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
ui: Fixes a visual issue with some border colors
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
windows: Fixes a bug with empty log files when Consul is run as a Windows Service
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
ui: Temporarily remove KV pre-flight check for KV list permissions
|
||||
```
|
|
@ -0,0 +1,4 @@
|
|||
```release-note:bug
|
||||
ui: Ensure partition query parameter is passed through to all OIDC related API
|
||||
requests
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
ui: Added a notice for non-primary intention creation
|
||||
```
|
|
@ -0,0 +1,4 @@
|
|||
```release-note:bug
|
||||
memberlist: fixes a bug which prevented members from joining a cluster with
|
||||
large amounts of churn [[GH-253](https://github.com/hashicorp/memberlist/issues/253)]
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
connect: Add support for connecting to services behind a terminating gateway when using a transparent proxy.
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
serf: update serf v0.9.7, complete the leave process if broadcasting leave timeout.
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:enhancement
|
||||
streaming: Improved performance when the server is handling many concurrent subscriptions and has a high number of CPU cores
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
ui: Fixed a bug with creating multiple nested KVs in one interaction
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
sdk: Add support for `Partition` and `RetryJoin` to the TestServerConfig struct.
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:deprecation
|
||||
acl: The `consul.acl.ResolveTokenToIdentity` metric is no longer reported. The values that were previous reported as part of this metric will now be part of the `consul.acl.ResolveToken` metric.
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
xds: fix for delta xDS reconnect bug in LDS/CDS
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:enhancement
|
||||
systemd: Support starting/stopping the systemd service for linux packages when the optional EnvironmentFile does not exist.
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:enhancement
|
||||
ui: Use @hashicorp/flight icons for all our icons.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
partitions: **(Enterprise only)** segment serf LAN gossip between nodes in different partitions
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
state: reads of partitions now accept an optional memdb.WatchSet
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:bug
|
||||
state: **(Enterprise Only)** ensure partition delete triggers namespace deletes
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:bug
|
||||
partitions: **(Enterprise only)** fix panic when forwarding delete operations to the leader
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:improvement
|
||||
namespaces: **(Enterprise only)** policy and role defaults can reference policies in any namespace in the same partition by ID
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
partitions: **(Enterprise only)** Ensure partitions and serf-based WAN federation are mutually exclusive.
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:bug
|
||||
namespaces: **(Enterprise only)** ensure namespace deletion is partition-safe
|
||||
```
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
partitions: **(Enterprise only)** Do not leave a serf partition when the partition is deleted
|
||||
```
|
|
@ -1,3 +0,0 @@
|
|||
```release-note:feature
|
||||
partitions: **(Enterprise only)** Adds admin partitions, a new feature to enhance Consul's multitenancy capabilites.
|
||||
```
|
|
@ -568,7 +568,7 @@ jobs:
|
|||
|
||||
algolia-index:
|
||||
docker:
|
||||
- image: docker.mirror.hashicorp.services/node:12
|
||||
- image: docker.mirror.hashicorp.services/node:14
|
||||
steps:
|
||||
- checkout
|
||||
- run:
|
||||
|
@ -579,6 +579,7 @@ jobs:
|
|||
exit 0
|
||||
fi
|
||||
cd website/
|
||||
npm install -g npm@latest
|
||||
npm install
|
||||
node scripts/index_search_content.js
|
||||
- run: *notify-slack-failure
|
||||
|
@ -688,11 +689,20 @@ jobs:
|
|||
if ! git diff --quiet --exit-code HEAD^! ui/; then
|
||||
git config --local user.email "github-team-consul-core@hashicorp.com"
|
||||
git config --local user.name "hc-github-team-consul-core"
|
||||
|
||||
|
||||
# stash newly built bindata_assetfs.go
|
||||
git stash push
|
||||
|
||||
# checkout the CI branch and merge latest from main
|
||||
git checkout ci/main-assetfs-build
|
||||
git merge --no-edit main
|
||||
|
||||
git stash pop
|
||||
|
||||
short_sha=$(git rev-parse --short HEAD)
|
||||
git add agent/uiserver/bindata_assetfs.go
|
||||
git commit -m "auto-updated agent/uiserver/bindata_assetfs.go from commit ${short_sha}"
|
||||
git push origin main
|
||||
git push origin ci/main-assetfs-build
|
||||
else
|
||||
echo "no UI changes so no static assets to publish"
|
||||
fi
|
||||
|
@ -836,10 +846,10 @@ jobs:
|
|||
environment:
|
||||
ENVOY_VERSION: "1.19.1"
|
||||
|
||||
envoy-integration-test-1_20_0:
|
||||
envoy-integration-test-1_20_1:
|
||||
<<: *ENVOY_TESTS
|
||||
environment:
|
||||
ENVOY_VERSION: "1.20.0"
|
||||
ENVOY_VERSION: "1.20.1"
|
||||
|
||||
# run integration tests for the connect ca providers
|
||||
test-connect-ca-providers:
|
||||
|
@ -1090,7 +1100,7 @@ workflows:
|
|||
- envoy-integration-test-1_19_1:
|
||||
requires:
|
||||
- dev-build
|
||||
- envoy-integration-test-1_20_0:
|
||||
- envoy-integration-test-1_20_1:
|
||||
requires:
|
||||
- dev-build
|
||||
|
||||
|
@ -1104,7 +1114,6 @@ workflows:
|
|||
only:
|
||||
- main
|
||||
- algolia-index:
|
||||
context: consul-docs
|
||||
filters:
|
||||
branches:
|
||||
only:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: gomod
|
||||
open-pull-requests-limit: 5
|
||||
open-pull-requests-limit: 10
|
||||
directory: "/"
|
||||
labels:
|
||||
- "go"
|
||||
|
@ -9,33 +9,6 @@ updates:
|
|||
- "pr/no-changelog"
|
||||
schedule:
|
||||
interval: daily
|
||||
- package-ecosystem: gomod
|
||||
open-pull-requests-limit: 5
|
||||
directory: "/api"
|
||||
labels:
|
||||
- "go"
|
||||
- "dependencies"
|
||||
- "pr/no-changelog"
|
||||
schedule:
|
||||
interval: daily
|
||||
- package-ecosystem: gomod
|
||||
open-pull-requests-limit: 5
|
||||
directory: "/sdk"
|
||||
labels:
|
||||
- "go"
|
||||
- "dependencies"
|
||||
- "pr/no-changelog"
|
||||
schedule:
|
||||
interval: daily
|
||||
- package-ecosystem: npm
|
||||
open-pull-requests-limit: 5
|
||||
directory: "/ui"
|
||||
labels:
|
||||
- "javascript"
|
||||
- "dependencies"
|
||||
- "pr/no-changelog"
|
||||
schedule:
|
||||
interval: daily
|
||||
- package-ecosystem: npm
|
||||
open-pull-requests-limit: 5
|
||||
directory: "/website"
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
#!/usr/bin/env bash
|
||||
set -uo pipefail
|
||||
|
||||
### This script checks if any metric behavior has been modified.
|
||||
### The checks rely on the git diff against origin/main
|
||||
### It is still up to the reviewer to make sure that any tests added are needed and meaningful.
|
||||
|
||||
# search for any "new" or modified metric emissions
|
||||
metrics_modified=$(git --no-pager diff HEAD origin/main | grep -i "SetGauge\|EmitKey\|IncrCounter\|AddSample\|MeasureSince\|UpdateFilter")
|
||||
# search for PR body or title metric references
|
||||
metrics_in_pr_body=$(echo "${PR_BODY-""}" | grep -i "metric")
|
||||
metrics_in_pr_title=$(echo "${PR_TITLE-""}" | grep -i "metric")
|
||||
|
||||
# if there have been code changes to any metric or mention of metrics in the pull request body
|
||||
if [ "$metrics_modified" ] || [ "$metrics_in_pr_body" ] || [ "$metrics_in_pr_title" ]; then
|
||||
# need to check if there are modifications to metrics_test
|
||||
test_files_regex="*_test.go"
|
||||
modified_metrics_test_files=$(git --no-pager diff HEAD "$(git merge-base HEAD "origin/main")" -- "$test_files_regex" | grep -i "metric")
|
||||
if [ "$modified_metrics_test_files" ]; then
|
||||
# 1 happy path: metrics_test has been modified bc we modified metrics behavior
|
||||
echo "PR seems to modify metrics behavior. It seems it may have added tests to the metrics as well."
|
||||
exit 0
|
||||
else
|
||||
echo "PR seems to modify metrics behavior. It seems no tests or test behavior has been modified."
|
||||
echo "Please update the PR with any relevant updated testing or add a pr/no-metrics-test label to skip this check."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
else
|
||||
# no metrics modified in code, nothing to check
|
||||
echo "No metric behavior seems to be modified."
|
||||
exit 0
|
||||
fi
|
|
@ -23,13 +23,15 @@ jobs:
|
|||
- name: get product version
|
||||
id: get-product-version
|
||||
run: |
|
||||
IFS="-"; OUTPUT=$(build-support/scripts/version.sh -r);
|
||||
read -a V <<< "$OUTPUT"; unset IFS;
|
||||
|
||||
VERSION=${V[0]}
|
||||
PREREL_VERSION=${V[1]}
|
||||
|
||||
echo "::set-output name=product-version::${VERSION}-${PREREL_VERSION}"
|
||||
CONSUL_VERSION=$(build-support/scripts/version.sh -r)
|
||||
## TODO: This assumes `make version` outputs 1.1.1+ent-prerel
|
||||
IFS="+" read VERSION _other <<< "$CONSUL_VERSION"
|
||||
IFS="-" read _other PREREL_VERSION <<< "$CONSUL_VERSION"
|
||||
## TODO: this assumes `version.sh` outputs in the expected ordering of
|
||||
## [version]+ent{-prerelease} If we need to transition to
|
||||
## [version]{-prerelease}+ent before then, we'll need to add
|
||||
## logic to handle presense/absence of the prerelease
|
||||
echo "::set-output name=product-version::${CONSUL_VERSION}"
|
||||
echo "::set-output name=pre-version::${PREREL_VERSION}"
|
||||
echo "::set-output name=pkg-version::${VERSION}"
|
||||
|
||||
|
@ -143,6 +145,7 @@ jobs:
|
|||
config_dir: ".release/linux/package"
|
||||
preinstall: ".release/linux/preinstall"
|
||||
postinstall: ".release/linux/postinstall"
|
||||
preremove: ".release/linux/preremove"
|
||||
postremove: ".release/linux/postremove"
|
||||
|
||||
- name: Set Package Names
|
||||
|
@ -169,7 +172,7 @@ jobs:
|
|||
strategy:
|
||||
matrix:
|
||||
goos: [ darwin ]
|
||||
goarch: [ "amd64" ]
|
||||
goarch: [ "amd64", "arm64" ]
|
||||
go: [ "1.17.5" ]
|
||||
fail-fast: true
|
||||
|
||||
|
@ -216,7 +219,7 @@ jobs:
|
|||
GOLDFLAGS: "${{ needs.get-product-version.outputs.shared-ldflags }}"
|
||||
run: |
|
||||
mkdir dist out
|
||||
go build -ldflags="$GOLDFLAGS" -o dist/ .
|
||||
go build -ldflags="$GOLDFLAGS" -tags netcgo -o dist/ .
|
||||
zip -r -j out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip dist/
|
||||
|
||||
- uses: actions/upload-artifact@v2
|
||||
|
@ -247,4 +250,4 @@ jobs:
|
|||
arch: ${{matrix.arch}}
|
||||
tags: |
|
||||
docker.io/hashicorp/${{env.repo}}:${{env.version}}
|
||||
ecr.public.aws/hashicorp/${{env.repo}}:${{env.version}}
|
||||
public.ecr.aws/hashicorp/${{env.repo}}:${{env.version}}
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
name: "Check for metrics tests"
|
||||
on:
|
||||
pull_request:
|
||||
types: [ opened, synchronize, labeled ]
|
||||
# Runs on PRs to main
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
metrics_test_check:
|
||||
if: "!contains(github.event.pull_request.labels.*.name, 'pr/no-metrics-test')"
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
name: "checkout repo"
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
fetch-depth: 0 # by default the checkout action doesn't checkout all branches
|
||||
- name: "Check for metrics modifications"
|
||||
run: ./.github/scripts/metrics_checker.sh
|
||||
# as of now, cannot use github vars in "external" scripts; ref: https://github.community/t/using-github-action-environment-variables-in-shell-script/18330
|
||||
env:
|
||||
PR_TITLE: ${{ github.event.pull_request.title }}
|
||||
PR_BODY: ${{ github.event.pull_request.body }}
|
||||
shell: bash
|
|
@ -21,8 +21,10 @@ on:
|
|||
jobs:
|
||||
# checks that a 'type/docs-cherrypick' label is attached to PRs with website/ changes
|
||||
website-check:
|
||||
# If there's a `type/docs-cherrypick` label we ignore this check
|
||||
if: "!contains(github.event.pull_request.labels.*.name, 'type/docs-cherrypick')"
|
||||
# If there's already a `type/docs-cherrypick` label or an explicit `pr/no-docs` label, we ignore this check
|
||||
if: >-
|
||||
!contains(github.event.pull_request.labels.*.name, 'type/docs-cherrypick') ||
|
||||
!contains(github.event.pull_request.labels.*.name, 'pr/no-docs')
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
@ -40,7 +42,7 @@ jobs:
|
|||
# post PR comment to GitHub to check if a 'type/docs-cherrypick' label needs to be applied to the PR
|
||||
echo "website-check: Did not find a 'type/docs-cherrypick' label, posting a reminder in the PR"
|
||||
github_message="🤔 This PR has changes in the \`website/\` directory but does not have a \`type/docs-cherrypick\` label. If the changes are for the next version, this can be ignored. If they are updates to current docs, attach the label to auto cherrypick to the \`stable-website\` branch after merging."
|
||||
curl -f -s -H "Authorization: token ${{ secrets.PR_COMMENT_TOKEN }}" \
|
||||
curl -s -H "Authorization: token ${{ secrets.PR_COMMENT_TOKEN }}" \
|
||||
-X POST \
|
||||
-d "{ \"body\": \"${github_message}\"}" \
|
||||
"https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${{ github.event.pull_request.number }}/comments"
|
||||
|
|
|
@ -7,6 +7,7 @@ linters:
|
|||
- staticcheck
|
||||
- ineffassign
|
||||
- unparam
|
||||
- forbidigo
|
||||
|
||||
issues:
|
||||
# Disable the default exclude list so that all excludes are explicitly
|
||||
|
@ -57,6 +58,14 @@ issues:
|
|||
linters-settings:
|
||||
gofmt:
|
||||
simplify: true
|
||||
forbidigo:
|
||||
# Forbid the following identifiers (list of regexp).
|
||||
forbid:
|
||||
- '\brequire\.New\b(# Use package-level functions with explicit TestingT)?'
|
||||
- '\bassert\.New\b(# Use package-level functions with explicit TestingT)?'
|
||||
# Exclude godoc examples from forbidigo checks.
|
||||
# Default: true
|
||||
exclude_godoc_examples: false
|
||||
|
||||
run:
|
||||
timeout: 10m
|
||||
|
|
|
@ -6,7 +6,7 @@ After=network-online.target
|
|||
ConditionFileNotEmpty=/etc/consul.d/consul.hcl
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=/etc/consul.d/consul.env
|
||||
EnvironmentFile=-/etc/consul.d/consul.env
|
||||
User=consul
|
||||
Group=consul
|
||||
ExecStart=/usr/bin/consul agent -config-dir=/etc/consul.d/
|
||||
|
|
|
@ -1,14 +1,19 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ "$1" = "purge" ]
|
||||
then
|
||||
userdel consul
|
||||
if [ -d "/run/systemd/system" ]; then
|
||||
systemctl --system daemon-reload >/dev/null || :
|
||||
fi
|
||||
|
||||
if [ "$1" == "upgrade" ] && [ -d /run/systemd/system ]; then
|
||||
systemctl --system daemon-reload >/dev/null || true
|
||||
systemctl restart consul >/dev/null || true
|
||||
fi
|
||||
case "$1" in
|
||||
purge | 0)
|
||||
userdel consul
|
||||
;;
|
||||
|
||||
upgrade | [1-9]*)
|
||||
if [ -d "/run/systemd/system" ]; then
|
||||
systemctl try-restart consul.service >/dev/null || :
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
||||
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
case "$1" in
|
||||
remove | 0)
|
||||
if [ -d "/run/systemd/system" ]; then
|
||||
systemctl --no-reload disable consul.service > /dev/null || :
|
||||
systemctl stop consul.service > /dev/null || :
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
435
CHANGELOG.md
435
CHANGELOG.md
|
@ -1,247 +1,235 @@
|
|||
## 1.11.0-rc (December 08, 2021)
|
||||
|
||||
BREAKING CHANGES:
|
||||
|
||||
* cli: `consul acl set-agent-token master` has been replaced with `consul acl set-agent-token recovery` [[GH-11669](https://github.com/hashicorp/consul/issues/11669)]
|
||||
## 1.11.2 (January 12, 2022)
|
||||
|
||||
FEATURES:
|
||||
|
||||
* partitions: **(Enterprise only)** Ensure partitions and serf-based WAN federation are mutually exclusive.
|
||||
* ui: Add documentation link to Partition empty state [[GH-11668](https://github.com/hashicorp/consul/issues/11668)]
|
||||
* ui: Adds basic support for showing Services exported from another partition. [[GH-11702](https://github.com/hashicorp/consul/issues/11702)]
|
||||
* ui: Adds support for partitions to Service and Node Identity template visuals. [[GH-11696](https://github.com/hashicorp/consul/issues/11696)]
|
||||
* ui: Adds support for partitions to the Routing visualization. [[GH-11679](https://github.com/hashicorp/consul/issues/11679)]
|
||||
* ui: Don't offer a 'Valid Datacenters' option when editing policies for non-default partitions [[GH-11656](https://github.com/hashicorp/consul/issues/11656)]
|
||||
* ui: Include `Service.Partition` into available variables for `dashboard_url_templates` [[GH-11654](https://github.com/hashicorp/consul/issues/11654)]
|
||||
* ui: Upgrade Lock Sessions to use partitions [[GH-11666](https://github.com/hashicorp/consul/issues/11666)]
|
||||
* ingress: allow setting TLS min version and cipher suites in ingress gateway config entries [[GH-11576](https://github.com/hashicorp/consul/issues/11576)]
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* agent: **(Enterprise only)** purge service/check registration files for incorrect partitions on reload [[GH-11607](https://github.com/hashicorp/consul/issues/11607)]
|
||||
* agent: add variation of force-leave that exclusively works on the WAN [[GH-11722](https://github.com/hashicorp/consul/issues/11722)]
|
||||
* api: **(Enterprise Only)** rename partition-exports config entry to exported-services. [[GH-11739](https://github.com/hashicorp/consul/issues/11739)]
|
||||
* auto-config: ensure the feature works properly with partitions [[GH-11699](https://github.com/hashicorp/consul/issues/11699)]
|
||||
* connect: **(Enterprise only)** add support for cross-partition transparent proxying. [[GH-11738](https://github.com/hashicorp/consul/issues/11738)]
|
||||
* connect: **(Enterprise only)** add support for targeting partitions in discovery chain routes, splits, and redirects. [[GH-11757](https://github.com/hashicorp/consul/issues/11757)]
|
||||
* connect: Consul will now generate a unique virtual IP for each connect-enabled service (this will also differ across namespace/partition in Enterprise). [[GH-11724](https://github.com/hashicorp/consul/issues/11724)]
|
||||
* connect: Support Vault auth methods for the Connect CA Vault provider. Currently, we support any non-deprecated auth methods
|
||||
the latest version of Vault supports (v1.8.5), which include AppRole, AliCloud, AWS, Azure, Cloud Foundry, GitHub, Google Cloud,
|
||||
JWT/OIDC, Kerberos, Kubernetes, LDAP, Oracle Cloud Infrastructure, Okta, Radius, TLS Certificates, and Username & Password. [[GH-11573](https://github.com/hashicorp/consul/issues/11573)]
|
||||
* dns: Added a `virtual` endpoint for querying the assigned virtual IP for a service. [[GH-11725](https://github.com/hashicorp/consul/issues/11725)]
|
||||
* partitions: **(Enterprise only)** rename APIs, commands, and public types to use "partition" rather than "admin partition". [[GH-11737](https://github.com/hashicorp/consul/issues/11737)]
|
||||
* raft: Added a configuration to disable boltdb freelist syncing [[GH-11720](https://github.com/hashicorp/consul/issues/11720)]
|
||||
* raft: Emit boltdb related performance metrics [[GH-11720](https://github.com/hashicorp/consul/issues/11720)]
|
||||
* raft: Use bbolt instead of the legacy boltdb implementation [[GH-11720](https://github.com/hashicorp/consul/issues/11720)]
|
||||
* sentinel: **(Enterprise Only)** Sentinel now uses SHA256 to generate policy ids
|
||||
* server: block enterprise-specific partition-exports config entry from being used in OSS Consul. [[GH-11680](https://github.com/hashicorp/consul/issues/11680)]
|
||||
* types: add TLSVersion and TLSCipherSuite [[GH-11645](https://github.com/hashicorp/consul/issues/11645)]
|
||||
* ui: Add partition support for SSO [[GH-11604](https://github.com/hashicorp/consul/issues/11604)]
|
||||
* ui: Update global notification styling [[GH-11577](https://github.com/hashicorp/consul/issues/11577)]
|
||||
|
||||
DEPRECATIONS:
|
||||
|
||||
* api: `/v1/agent/token/agent_master` is deprecated and will be removed in a future major release - use `/v1/agent/token/agent_recovery` instead [[GH-11669](https://github.com/hashicorp/consul/issues/11669)]
|
||||
* config: `acl.tokens.master` has been renamed to `acl.tokens.initial_management`, and `acl.tokens.agent_master` has been renamed to `acl.tokens.agent_recovery` - the old field names are now deprecated and will be removed in a future major release [[GH-11665](https://github.com/hashicorp/consul/issues/11665)]
|
||||
* api: Return 404 when de-registering a non-existent check [[GH-11950](https://github.com/hashicorp/consul/issues/11950)]
|
||||
* connect: Add support for connecting to services behind a terminating gateway when using a transparent proxy. [[GH-12049](https://github.com/hashicorp/consul/issues/12049)]
|
||||
* http: when a user attempts to access the UI but can't because it's disabled, explain this and how to fix it [[GH-11820](https://github.com/hashicorp/consul/issues/11820)]
|
||||
* ui: Added a notice for non-primary intention creation [[GH-11985](https://github.com/hashicorp/consul/issues/11985)]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* areas: **(Enterprise Only)** Fixes a bug when using Yamux pool ( for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time. [[GH-1368](https://github.com/hashicorp/consul/issues/1368)]
|
||||
* areas: **(Enterprise only)** make the gRPC server tracker network area aware [[GH-11748](https://github.com/hashicorp/consul/issues/11748)]
|
||||
* ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [[GH-11693](https://github.com/hashicorp/consul/issues/11693)]
|
||||
* ca: fixes a bug that caused the SigningKeyID to be wrong in the primary DC, when the Vault provider is used, after a CA config creates a new root. [[GH-11672](https://github.com/hashicorp/consul/issues/11672)]
|
||||
* ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [[GH-11671](https://github.com/hashicorp/consul/issues/11671)]
|
||||
* ui: Fix inline-code brand styling [[GH-11578](https://github.com/hashicorp/consul/issues/11578)]
|
||||
* ui: Fix visual issue with slight table header overflow [[GH-11670](https://github.com/hashicorp/consul/issues/11670)]
|
||||
* ui: Fixes an issue where under some circumstances after logging we present the
|
||||
data loaded previous to you logging in. [[GH-11681](https://github.com/hashicorp/consul/issues/11681)]
|
||||
* ui: Include `Service.Namespace` into available variables for `dashboard_url_templates` [[GH-11640](https://github.com/hashicorp/consul/issues/11640)]
|
||||
* Mutate `NodeService` struct properly to avoid a data race. [[GH-11940](https://github.com/hashicorp/consul/issues/11940)]
|
||||
* Upgrade to raft `1.3.3` which fixes a bug where a read replica node can trigger a raft election and become a leader. [[GH-11958](https://github.com/hashicorp/consul/issues/11958)]
|
||||
* cli: Display assigned node identities in output of `consul acl token list`. [[GH-11926](https://github.com/hashicorp/consul/issues/11926)]
|
||||
* cli: when creating a private key, save the file with mode 0600 so that only the user has read permission. [[GH-11781](https://github.com/hashicorp/consul/issues/11781)]
|
||||
* config: include all config errors in the error message, previously some could be hidden. [[GH-11918](https://github.com/hashicorp/consul/issues/11918)]
|
||||
* memberlist: fixes a bug which prevented members from joining a cluster with
|
||||
large amounts of churn [[GH-253](https://github.com/hashicorp/memberlist/issues/253)] [[GH-12042](https://github.com/hashicorp/consul/issues/12042)]
|
||||
* snapshot: the `snapshot save` command now saves the snapshot with read permission for only the current user. [[GH-11918](https://github.com/hashicorp/consul/issues/11918)]
|
||||
* ui: Differentiate between Service Meta and Node Meta when choosing search fields
|
||||
in Service Instance listings [[GH-11774](https://github.com/hashicorp/consul/issues/11774)]
|
||||
* ui: Ensure a login buttons appear for some error states, plus text amends [[GH-11892](https://github.com/hashicorp/consul/issues/11892)]
|
||||
* ui: Ensure partition query parameter is passed through to all OIDC related API
|
||||
requests [[GH-11979](https://github.com/hashicorp/consul/issues/11979)]
|
||||
* ui: Fix an issue where attempting to delete a policy from the policy detail page when
|
||||
attached to a token would result in the delete button disappearing and no
|
||||
deletion being attempted [[GH-11868](https://github.com/hashicorp/consul/issues/11868)]
|
||||
* ui: Fixes a bug where proxy service health checks would sometimes not appear
|
||||
until refresh [[GH-11903](https://github.com/hashicorp/consul/issues/11903)]
|
||||
* ui: Fixes a bug with URL decoding within KV area [[GH-11931](https://github.com/hashicorp/consul/issues/11931)]
|
||||
* ui: Fixes a visual issue with some border colors [[GH-11959](https://github.com/hashicorp/consul/issues/11959)]
|
||||
* ui: Fixes an issue saving intentions when editing per service intentions [[GH-11937](https://github.com/hashicorp/consul/issues/11937)]
|
||||
* ui: Fixes an issue where once a 403 page is displayed in some circumstances its
|
||||
diffcult to click back to where you where before receiving a 403 [[GH-11891](https://github.com/hashicorp/consul/issues/11891)]
|
||||
* ui: Prevent disconnection notice appearing with auth change on certain pages [[GH-11905](https://github.com/hashicorp/consul/issues/11905)]
|
||||
* ui: Temporarily remove KV pre-flight check for KV list permissions [[GH-11968](https://github.com/hashicorp/consul/issues/11968)]
|
||||
* windows: Fixes a bug with empty log files when Consul is run as a Windows Service [[GH-11960](https://github.com/hashicorp/consul/issues/11960)]
|
||||
* xds: fix a deadlock when the snapshot channel already have a snapshot to be consumed. [[GH-11924](https://github.com/hashicorp/consul/issues/11924)]
|
||||
|
||||
## 1.11.0-beta3 (November 17, 2021)
|
||||
## 1.11.1 (December 15, 2021)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* agent: Use SHA256 instead of MD5 to generate persistence file names. [[GH-11491](https://github.com/hashicorp/consul/issues/11491)]
|
||||
* namespaces: **(Enterprise only)** Creating or editing namespaces that include default ACL policies or ACL roles now requires `acl:write` permission in the default namespace. This change fixes CVE-2021-41805.
|
||||
* ci: Upgrade golang.org/x/net to address [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) [[GH-11854](https://github.com/hashicorp/consul/issues/11854)]
|
||||
|
||||
FEATURES:
|
||||
|
||||
* ca: Add a configurable TTL for Connect CA root certificates. The configuration is supported by the Vault and Consul providers. [[GH-11428](https://github.com/hashicorp/consul/issues/11428)]
|
||||
* ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate. [[GH-11449](https://github.com/hashicorp/consul/issues/11449)]
|
||||
* health-checks: add support for h2c in http2 ping health checks [[GH-10690](https://github.com/hashicorp/consul/issues/10690)]
|
||||
* partitions: **(Enterprise only)** segment serf LAN gossip between nodes in different partitions
|
||||
* ui: Adding support of Consul API Gateway as an external source. [[GH-11371](https://github.com/hashicorp/consul/issues/11371)]
|
||||
* ui: Topology - New views for scenarios where no dependencies exist or ACLs are disabled [[GH-11280](https://github.com/hashicorp/consul/issues/11280)]
|
||||
* Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the
|
||||
[Admin Partition](https://www.consul.io/docs/enterprise/admin-partitions) documentation. [[GH-11855](https://github.com/hashicorp/consul/issues/11855)]
|
||||
* networking: **(Enterprise Only)** Make `segment_limit` configurable, cap at 256.
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* ci: Artifact builds will now only run on merges to the release branches or to `main` [[GH-11417](https://github.com/hashicorp/consul/issues/11417)]
|
||||
* ci: The Linux packages are now available for all supported Linux architectures including arm, arm64, 386, and amd64 [[GH-11417](https://github.com/hashicorp/consul/issues/11417)]
|
||||
* ci: The Linux packaging service configs and pre/post install scripts are now available under [.release/linux] [[GH-11417](https://github.com/hashicorp/consul/issues/11417)]
|
||||
* config: warn the user if client_addr is empty because client services won't be listening [[GH-11461](https://github.com/hashicorp/consul/issues/11461)]
|
||||
* connect/ca: Return an error when querying roots from uninitialized CA. [[GH-11514](https://github.com/hashicorp/consul/issues/11514)]
|
||||
* connect: **(Enterprise only)** Allow ingress gateways to target services in another partition [[GH-11566](https://github.com/hashicorp/consul/issues/11566)]
|
||||
* connect: add Namespace configuration setting for Vault CA provider [[GH-11477](https://github.com/hashicorp/consul/issues/11477)]
|
||||
* namespaces: **(Enterprise only)** policy and role defaults can reference policies in any namespace in the same partition by ID
|
||||
* partitions: Prevent writing partition-exports entries to secondary DCs. [[GH-11541](https://github.com/hashicorp/consul/issues/11541)]
|
||||
* sdk: Add support for iptable rules that allow DNS lookup redirection to Consul DNS. [[GH-11480](https://github.com/hashicorp/consul/issues/11480)]
|
||||
* segments: **(Enterprise only)** ensure that the serf_lan_allowed_cidrs applies to network segments [[GH-11495](https://github.com/hashicorp/consul/issues/11495)]
|
||||
* ui: Add upstream icons for upstreams and upstream instances [[GH-11556](https://github.com/hashicorp/consul/issues/11556)]
|
||||
* ui: Update UI browser support to 'roughly ~2 years back' [[GH-11505](https://github.com/hashicorp/consul/issues/11505)]
|
||||
* ui: When switching partitions reset the namespace back to the tokens default namespace or default [[GH-11479](https://github.com/hashicorp/consul/issues/11479)]
|
||||
* ui: added copy to clipboard button in code editor toolbars [[GH-11474](https://github.com/hashicorp/consul/issues/11474)]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* acl: **(Enterprise only)** fix namespace and namespace_prefix policy evaluation when both govern an authz request
|
||||
* api: ensure new partition fields are omit empty for compatibility with older versions of consul [[GH-11585](https://github.com/hashicorp/consul/issues/11585)]
|
||||
* connect/ca: Allow secondary initialization to resume after being deferred due to unreachable or incompatible primary DC servers. [[GH-11514](https://github.com/hashicorp/consul/issues/11514)]
|
||||
* connect: fix issue with attempting to generate an invalid upstream cluster from UpstreamConfig.Defaults. [[GH-11245](https://github.com/hashicorp/consul/issues/11245)]
|
||||
* macos: fixes building with a non-Apple LLVM (such as installed via Homebrew) [[GH-11586](https://github.com/hashicorp/consul/issues/11586)]
|
||||
* namespaces: **(Enterprise only)** ensure the namespace replicator doesn't replicate deleted namespaces
|
||||
* partitions: **(Enterprise only)** fix panic when forwarding delete operations to the leader
|
||||
* snapshot: **(Enterprise only)** fixed a bug where the snapshot agent would ignore the `license_path` setting in config files
|
||||
* snapshot: **(Enterprise only)** snapshot agent no longer attempts to refresh its license from the server when a local license is provided (i.e. via config or an environment variable)
|
||||
* state: **(Enterprise Only)** ensure partition delete triggers namespace deletes
|
||||
* ui: **(Enterprise only)** When no namespace is selected, make sure to default to the tokens default namespace when requesting permissions [[GH-11472](https://github.com/hashicorp/consul/issues/11472)]
|
||||
* ui: Ensure the UI stores the default partition for the users token [[GH-11591](https://github.com/hashicorp/consul/issues/11591)]
|
||||
* ui: Ensure we check intention permissions for specific services when deciding
|
||||
whether to show action buttons for per service intention actions [[GH-11409](https://github.com/hashicorp/consul/issues/11409)]
|
||||
* ui: Filter the global intentions list by the currently selected parition rather
|
||||
than a wildcard [[GH-11475](https://github.com/hashicorp/consul/issues/11475)]
|
||||
* ui: Revert to depending on the backend, 'post-user-action', to report
|
||||
permissions errors rather than using UI capabilities 'pre-user-action' [[GH-11520](https://github.com/hashicorp/consul/issues/11520)]
|
||||
* ui: code editor styling (layout consistency + wide screen support) [[GH-11474](https://github.com/hashicorp/consul/issues/11474)]
|
||||
* windows: fixes arm and arm64 builds [[GH-11586](https://github.com/hashicorp/consul/issues/11586)]
|
||||
* xds: fixes a bug where replacing a mesh gateway node used for WAN federation (with another that has a different IP) could leave gateways in the other DC unable to re-establish the connection [[GH-11522](https://github.com/hashicorp/consul/issues/11522)]
|
||||
|
||||
## 1.11.0-beta2 (November 02, 2021)
|
||||
## 1.11.0 (December 14, 2021)
|
||||
|
||||
BREAKING CHANGES:
|
||||
|
||||
* acl: The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that nothing is still using the legacy ACL system. See the [Migrate Legacy ACL Tokens Learn Guide](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) for more information. [[GH-11232](https://github.com/hashicorp/consul/issues/11232)]
|
||||
* cli: `consul acl set-agent-token master` has been replaced with `consul acl set-agent-token recovery` [[GH-11669](https://github.com/hashicorp/consul/issues/11669)]
|
||||
|
||||
IMPROVEMENTS:
|
||||
SECURITY:
|
||||
|
||||
* agent: for various /v1/agent endpoints parse the partition parameter on the request [[GH-11444](https://github.com/hashicorp/consul/issues/11444)]
|
||||
* agent: refactor the agent delegate interface to be partition friendly [[GH-11429](https://github.com/hashicorp/consul/issues/11429)]
|
||||
* cli: Add `-cas` and `-modify-index` flags to the `consul config delete` command to support Check-And-Set (CAS) deletion of config entries [[GH-11419](https://github.com/hashicorp/consul/issues/11419)]
|
||||
* cli: update consul members output to display partitions and sort the results usefully [[GH-11446](https://github.com/hashicorp/consul/issues/11446)]
|
||||
* config: Allow ${} style interpolation for UI Dashboard template URLs [[GH-11328](https://github.com/hashicorp/consul/issues/11328)]
|
||||
* config: Support Check-And-Set (CAS) deletion of config entries [[GH-11419](https://github.com/hashicorp/consul/issues/11419)]
|
||||
* connect: **(Enterprise only)** add support for dialing upstreams in remote partitions through mesh gateways. [[GH-11431](https://github.com/hashicorp/consul/issues/11431)]
|
||||
* connect: **(Enterprise only)** updates ServiceRead and NodeRead to account for the partition-exports config entry. [[GH-11433](https://github.com/hashicorp/consul/issues/11433)]
|
||||
* connect: ingress gateways may now enable built-in TLS for a subset of listeners. [[GH-11163](https://github.com/hashicorp/consul/issues/11163)]
|
||||
* connect: service-resolver subset filters are validated for valid go-bexpr syntax on write [[GH-11293](https://github.com/hashicorp/consul/issues/11293)]
|
||||
* connect: update supported envoy versions to 1.20.0, 1.19.1, 1.18.4, 1.17.4 [[GH-11277](https://github.com/hashicorp/consul/issues/11277)]
|
||||
|
||||
DEPRECATIONS:
|
||||
|
||||
* tls: With the upgrade to Go 1.17, the ordering of `tls_cipher_suites` will no longer be honored, and `tls_prefer_server_cipher_suites` is now ignored. [[GH-11364](https://github.com/hashicorp/consul/issues/11364)]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* api: fixed backwards compatibility issue with AgentService SocketPath field. [[GH-11318](https://github.com/hashicorp/consul/issues/11318)]
|
||||
* dns: Fixed an issue where on DNS requests made with .alt_domain response was returned as .domain [[GH-11348](https://github.com/hashicorp/consul/issues/11348)]
|
||||
* raft: do not trigger an election if not part of the servers list. [[GH-11375](https://github.com/hashicorp/consul/issues/11375)]
|
||||
* rpc: only attempt to authorize the DNSName in the client cert when verify_incoming_rpc=true [[GH-11255](https://github.com/hashicorp/consul/issues/11255)]
|
||||
* telemetry: fixes a bug with Prometheus consul_autopilot_failure_tolerance metric where 0 is reported instead of NaN on follower servers. [[GH-11399](https://github.com/hashicorp/consul/issues/11399)]
|
||||
* ui: Ensure dc selector correctly shows the currently selected dc [[GH-11380](https://github.com/hashicorp/consul/issues/11380)]
|
||||
* ui: Ensure we filter tokens by policy when showing which tokens use a certain
|
||||
policy whilst editing a policy [[GH-11311](https://github.com/hashicorp/consul/issues/11311)]
|
||||
|
||||
## 1.11.0-beta1 (October 15, 2021)
|
||||
* namespaces: **(Enterprise only)** Creating or editing namespaces that include default ACL policies or ACL roles now requires `acl:write` permission in the default namespace. This change fixes CVE-2021-41805.
|
||||
* rpc: authorize raft requests [CVE-2021-37219](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37219) [[GH-10925](https://github.com/hashicorp/consul/issues/10925)]
|
||||
|
||||
FEATURES:
|
||||
|
||||
* partitions: allow for partition queries to be forwarded [[GH-11099](https://github.com/hashicorp/consul/issues/11099)]
|
||||
* sso/oidc: **(Enterprise only)** Add support for providing acr_values in OIDC auth flow [[GH-11026](https://github.com/hashicorp/consul/issues/11026)]
|
||||
* ui: Added initial support for admin partition CRUD [[GH-11188](https://github.com/hashicorp/consul/issues/11188)]
|
||||
* Admin Partitions (Consul Enterprise only) This version adds admin partitions, a new entity defining administrative and networking boundaries within a Consul deployment. For more information refer to the [Admin Partition](https://www.consul.io/docs/enterprise/admin-partitions) documentation.
|
||||
* ca: Add a configurable TTL for Connect CA root certificates. The configuration is supported by the Vault and Consul providers. [[GH-11428](https://github.com/hashicorp/consul/issues/11428)]
|
||||
* ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate. [[GH-11449](https://github.com/hashicorp/consul/issues/11449)]
|
||||
* health-checks: add support for h2c in http2 ping health checks [[GH-10690](https://github.com/hashicorp/consul/issues/10690)]
|
||||
* ui: Add UI support to use Vault as an external source for a service [[GH-10769](https://github.com/hashicorp/consul/issues/10769)]
|
||||
* ui: Adding support of Consul API Gateway as an external source. [[GH-11371](https://github.com/hashicorp/consul/issues/11371)]
|
||||
* ui: Adds a copy button to each composite row in tokens list page, if Secret ID returns an actual ID [[GH-10735](https://github.com/hashicorp/consul/issues/10735)]
|
||||
* ui: Adds visible Consul version information [[GH-11803](https://github.com/hashicorp/consul/issues/11803)]
|
||||
* ui: Topology - New views for scenarios where no dependencies exist or ACLs are disabled [[GH-11280](https://github.com/hashicorp/consul/issues/11280)]
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* api: add partition field to acl structs [[GH-11080](https://github.com/hashicorp/consul/issues/11080)]
|
||||
* audit-logging: **(Enterprise Only)** Audit logs will now include select HTTP headers in each logs payload. Those headers are: `Forwarded`, `Via`, `X-Forwarded-For`, `X-Forwarded-Host` and `X-Forwarded-Proto`. [[GH-11107](https://github.com/hashicorp/consul/issues/11107)]
|
||||
* acl: replication routine to report the last error message. [[GH-10612](https://github.com/hashicorp/consul/issues/10612)]
|
||||
* agent: add variation of force-leave that exclusively works on the WAN [[GH-11722](https://github.com/hashicorp/consul/issues/11722)]
|
||||
* api: Enable setting query options on agent health and maintenance endpoints. [[GH-10691](https://github.com/hashicorp/consul/issues/10691)]
|
||||
* checks: add failures_before_warning setting for interval checks. [[GH-10969](https://github.com/hashicorp/consul/issues/10969)]
|
||||
* ci: Upgrade to use Go 1.17.5 [[GH-11799](https://github.com/hashicorp/consul/issues/11799)]
|
||||
* cli: Add `-cas` and `-modify-index` flags to the `consul config delete` command to support Check-And-Set (CAS) deletion of config entries [[GH-11419](https://github.com/hashicorp/consul/issues/11419)]
|
||||
* config: **(Enterprise Only)** Allow specifying permission mode for audit logs. [[GH-10732](https://github.com/hashicorp/consul/issues/10732)]
|
||||
* config: Support Check-And-Set (CAS) deletion of config entries [[GH-11419](https://github.com/hashicorp/consul/issues/11419)]
|
||||
* config: add `dns_config.recursor_strategy` flag to control the order which DNS recursors are queried [[GH-10611](https://github.com/hashicorp/consul/issues/10611)]
|
||||
* config: warn the user if client_addr is empty because client services won't be listening [[GH-11461](https://github.com/hashicorp/consul/issues/11461)]
|
||||
* connect/ca: cease including the common name field in generated x509 non-CA certificates [[GH-10424](https://github.com/hashicorp/consul/issues/10424)]
|
||||
* connect: Add low-level feature to allow an Ingress to retrieve TLS certificates from SDS. [[GH-10903](https://github.com/hashicorp/consul/issues/10903)]
|
||||
* connect: Consul will now generate a unique virtual IP for each connect-enabled service (this will also differ across namespace/partition in Enterprise). [[GH-11724](https://github.com/hashicorp/consul/issues/11724)]
|
||||
* connect: Support Vault auth methods for the Connect CA Vault provider. Currently, we support any non-deprecated auth methods
|
||||
the latest version of Vault supports (v1.8.5), which include AppRole, AliCloud, AWS, Azure, Cloud Foundry, GitHub, Google Cloud,
|
||||
JWT/OIDC, Kerberos, Kubernetes, LDAP, Oracle Cloud Infrastructure, Okta, Radius, TLS Certificates, and Username & Password. [[GH-11573](https://github.com/hashicorp/consul/issues/11573)]
|
||||
* connect: Support manipulating HTTP headers in the mesh. [[GH-10613](https://github.com/hashicorp/consul/issues/10613)]
|
||||
* connect: add Namespace configuration setting for Vault CA provider [[GH-11477](https://github.com/hashicorp/consul/issues/11477)]
|
||||
* connect: ingress gateways may now enable built-in TLS for a subset of listeners. [[GH-11163](https://github.com/hashicorp/consul/issues/11163)]
|
||||
* connect: service-resolver subset filters are validated for valid go-bexpr syntax on write [[GH-11293](https://github.com/hashicorp/consul/issues/11293)]
|
||||
* connect: update supported envoy versions to 1.19.1, 1.18.4, 1.17.4, 1.16.5 [[GH-11115](https://github.com/hashicorp/consul/issues/11115)]
|
||||
* state: reads of partitions now accept an optional memdb.WatchSet
|
||||
* telemetry: Add new metrics for the count of KV entries in the Consul store. [[GH-11090](https://github.com/hashicorp/consul/issues/11090)]
|
||||
* telemetry: Add new metrics for the count of connect service instances and configuration entries. [[GH-11222](https://github.com/hashicorp/consul/issues/11222)]
|
||||
* ui: Add initial support for partitions to intentions [[GH-11129](https://github.com/hashicorp/consul/issues/11129)]
|
||||
* connect: update supported envoy versions to 1.20.0, 1.19.1, 1.18.4, 1.17.4 [[GH-11277](https://github.com/hashicorp/consul/issues/11277)]
|
||||
* debug: Add a new /v1/agent/metrics/stream API endpoint for streaming of metrics [[GH-10399](https://github.com/hashicorp/consul/issues/10399)]
|
||||
* debug: rename cluster capture target to members, to be more consistent with the terms used by the API. [[GH-10804](https://github.com/hashicorp/consul/issues/10804)]
|
||||
* dns: Added a `virtual` endpoint for querying the assigned virtual IP for a service. [[GH-11725](https://github.com/hashicorp/consul/issues/11725)]
|
||||
* http: when a URL path is not found, include a message with the 404 status code to help the user understand why (e.g., HTTP API endpoint path not prefixed with /v1/) [[GH-11818](https://github.com/hashicorp/consul/issues/11818)]
|
||||
* raft: Added a configuration to disable boltdb freelist syncing [[GH-11720](https://github.com/hashicorp/consul/issues/11720)]
|
||||
* raft: Emit boltdb related performance metrics [[GH-11720](https://github.com/hashicorp/consul/issues/11720)]
|
||||
* raft: Use bbolt instead of the legacy boltdb implementation [[GH-11720](https://github.com/hashicorp/consul/issues/11720)]
|
||||
* sdk: Add support for iptable rules that allow DNS lookup redirection to Consul DNS. [[GH-11480](https://github.com/hashicorp/consul/issues/11480)]
|
||||
* segments: **(Enterprise only)** ensure that the serf_lan_allowed_cidrs applies to network segments [[GH-11495](https://github.com/hashicorp/consul/issues/11495)]
|
||||
* telemetry: add a new `agent.tls.cert.expiry` metric for tracking when the Agent TLS certificate expires. [[GH-10768](https://github.com/hashicorp/consul/issues/10768)]
|
||||
* telemetry: add a new `mesh.active-root-ca.expiry` metric for tracking when the root certificate expires. [[GH-9924](https://github.com/hashicorp/consul/issues/9924)]
|
||||
* types: add TLSVersion and TLSCipherSuite [[GH-11645](https://github.com/hashicorp/consul/issues/11645)]
|
||||
* ui: Add upstream icons for upstreams and upstream instances [[GH-11556](https://github.com/hashicorp/consul/issues/11556)]
|
||||
* ui: Add uri guard to prevent future URL encoding issues [[GH-11117](https://github.com/hashicorp/consul/issues/11117)]
|
||||
* ui: Move the majority of our SASS variables to use native CSS custom
|
||||
properties [[GH-11200](https://github.com/hashicorp/consul/issues/11200)]
|
||||
* ui: Removed informational panel from the namespace selector menu when editing
|
||||
namespaces [[GH-11130](https://github.com/hashicorp/consul/issues/11130)]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* acl: **(Enterprise only)** Fix bug in 'consul members' filtering with partitions. [[GH-11263](https://github.com/hashicorp/consul/issues/11263)]
|
||||
* acl: **(Enterprise only)** ensure that auth methods with namespace rules work with partitions [[GH-11323](https://github.com/hashicorp/consul/issues/11323)]
|
||||
* acl: fixes the fallback behaviour of down_policy with setting extend-cache/async-cache when the token is not cached. [[GH-11136](https://github.com/hashicorp/consul/issues/11136)]
|
||||
* connect: Fix upstream listener escape hatch for prepared queries [[GH-11109](https://github.com/hashicorp/consul/issues/11109)]
|
||||
* grpc: strip local ACL tokens from RPCs during forwarding if crossing datacenters [[GH-11099](https://github.com/hashicorp/consul/issues/11099)]
|
||||
* server: **(Enterprise only)** Ensure that servers leave network segments when leaving other gossip pools
|
||||
* telemetry: Consul Clients no longer emit Autopilot metrics. [[GH-11241](https://github.com/hashicorp/consul/issues/11241)]
|
||||
* telemetry: fixes a bug with Prometheus consul_autopilot_healthy metric where 0 is reported instead of NaN on servers. [[GH-11231](https://github.com/hashicorp/consul/issues/11231)]
|
||||
* ui: **(Enterprise Only)** Fix saving intentions with namespaced source/destination [[GH-11095](https://github.com/hashicorp/consul/issues/11095)]
|
||||
* ui: Don't show a CRD warning for read-only intentions [[GH-11149](https://github.com/hashicorp/consul/issues/11149)]
|
||||
* ui: Ensure all types of data get reconciled with the backend data [[GH-11237](https://github.com/hashicorp/consul/issues/11237)]
|
||||
* ui: Fixed styling of Role remove dialog on the Token edit page [[GH-11298](https://github.com/hashicorp/consul/issues/11298)]
|
||||
* ui: Gracefully recover from non-existant DC errors [[GH-11077](https://github.com/hashicorp/consul/issues/11077)]
|
||||
* ui: Ignore reported permissions for KV area meaning the KV is always enabled
|
||||
for both read/write access if the HTTP API allows. [[GH-10916](https://github.com/hashicorp/consul/issues/10916)]
|
||||
* ui: Topology - Fix up Default Allow and Permissive Intentions notices [[GH-11216](https://github.com/hashicorp/consul/issues/11216)]
|
||||
* ui: hide create button for policies/roles/namespace if users token has no write permissions to those areas [[GH-10914](https://github.com/hashicorp/consul/issues/10914)]
|
||||
* xds: ensure the active streams counters are 64 bit aligned on 32 bit systems [[GH-11085](https://github.com/hashicorp/consul/issues/11085)]
|
||||
* xds: fixed a bug where Envoy sidecars could enter a state where they failed to receive xds updates from Consul [[GH-10987](https://github.com/hashicorp/consul/issues/10987)]
|
||||
* Fixing SOA record to return proper domain when alt domain in use. [[GH-10431]](https://github.com/hashicorp/consul/pull/10431)
|
||||
|
||||
## 1.11.0-alpha (September 16, 2021)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* rpc: authorize raft requests [CVE-2021-37219](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37219) [[GH-10925](https://github.com/hashicorp/consul/issues/10925)]
|
||||
|
||||
FEATURES:
|
||||
|
||||
* config: add agent config flag for enterprise clients to indicate they wish to join a particular partition [[GH-10572](https://github.com/hashicorp/consul/issues/10572)]
|
||||
* connect: include optional partition prefixes in SPIFFE identifiers [[GH-10507](https://github.com/hashicorp/consul/issues/10507)]
|
||||
* partitions: **(Enterprise only)** Adds admin partitions, a new feature to enhance Consul's multitenancy capabilites.
|
||||
* ui: Add UI support to use Vault as an external source for a service [[GH-10769](https://github.com/hashicorp/consul/issues/10769)]
|
||||
* ui: Adds a copy button to each composite row in tokens list page, if Secret ID returns an actual ID [[GH-10735](https://github.com/hashicorp/consul/issues/10735)]
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* acl: replication routine to report the last error message. [[GH-10612](https://github.com/hashicorp/consul/issues/10612)]
|
||||
* api: Enable setting query options on agent health and maintenance endpoints. [[GH-10691](https://github.com/hashicorp/consul/issues/10691)]
|
||||
* checks: add failures_before_warning setting for interval checks. [[GH-10969](https://github.com/hashicorp/consul/issues/10969)]
|
||||
* config: **(Enterprise Only)** Allow specifying permission mode for audit logs. [[GH-10732](https://github.com/hashicorp/consul/issues/10732)]
|
||||
* config: add `dns_config.recursor_strategy` flag to control the order which DNS recursors are queried [[GH-10611](https://github.com/hashicorp/consul/issues/10611)]
|
||||
* connect/ca: cease including the common name field in generated x509 non-CA certificates [[GH-10424](https://github.com/hashicorp/consul/issues/10424)]
|
||||
* connect: Support manipulating HTTP headers in the mesh. [[GH-10613](https://github.com/hashicorp/consul/issues/10613)]
|
||||
* connect: update supported envoy versions to 1.18.4, 1.17.4, 1.16.5 [[GH-10961](https://github.com/hashicorp/consul/issues/10961)]
|
||||
* debug: Add a new /v1/agent/metrics/stream API endpoint for streaming of metrics [[GH-10399](https://github.com/hashicorp/consul/issues/10399)]
|
||||
* debug: rename cluster capture target to members, to be more consistent with the terms used by the API. [[GH-10804](https://github.com/hashicorp/consul/issues/10804)]
|
||||
* structs: prohibit config entries from referencing more than one partition at a time [[GH-10478](https://github.com/hashicorp/consul/issues/10478)]
|
||||
* telemetry: add a new `agent.tls.cert.expiry` metric for tracking when the Agent TLS certificate expires. [[GH-10768](https://github.com/hashicorp/consul/issues/10768)]
|
||||
* telemetry: add a new `mesh.active-root-ca.expiry` metric for tracking when the root certificate expires. [[GH-9924](https://github.com/hashicorp/consul/issues/9924)]
|
||||
* ui: Update UI browser support to 'roughly ~2 years back' [[GH-11505](https://github.com/hashicorp/consul/issues/11505)]
|
||||
* ui: Update global notification styling [[GH-11577](https://github.com/hashicorp/consul/issues/11577)]
|
||||
* ui: added copy to clipboard button in code editor toolbars [[GH-11474](https://github.com/hashicorp/consul/issues/11474)]
|
||||
|
||||
DEPRECATIONS:
|
||||
|
||||
* config: the `ports.grpc` and `addresses.grpc` configuration settings have been renamed to `ports.xds` and `addresses.xds` to better match their function. [[GH-10588](https://github.com/hashicorp/consul/issues/10588)]
|
||||
* api: `/v1/agent/token/agent_master` is deprecated and will be removed in a future major release - use `/v1/agent/token/agent_recovery` instead [[GH-11669](https://github.com/hashicorp/consul/issues/11669)]
|
||||
* config: `acl.tokens.master` has been renamed to `acl.tokens.initial_management`, and `acl.tokens.agent_master` has been renamed to `acl.tokens.agent_recovery` - the old field names are now deprecated and will be removed in a future major release [[GH-11665](https://github.com/hashicorp/consul/issues/11665)]
|
||||
* tls: With the upgrade to Go 1.17, the ordering of `tls_cipher_suites` will no longer be honored, and `tls_prefer_server_cipher_suites` is now ignored. [[GH-11364](https://github.com/hashicorp/consul/issues/11364)]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* acl: **(Enterprise only)** fix namespace and namespace_prefix policy evaluation when both govern an authz request
|
||||
* api: Fix default values used for optional fields in autopilot configuration update (POST to `/v1/operator/autopilot/configuration`) [[GH-10558](https://github.com/hashicorp/consul/issues/10558)] [[GH-10559](https://github.com/hashicorp/consul/issues/10559)]
|
||||
* api: Revert early out errors from license APIs to allow v1.10+ clients to
|
||||
manage licenses on older servers [[GH-10952](https://github.com/hashicorp/consul/issues/10952)]
|
||||
* api: ensure new partition fields are omit empty for compatibility with older versions of consul [[GH-11585](https://github.com/hashicorp/consul/issues/11585)]
|
||||
* areas: **(Enterprise Only)** Fixes a bug when using Yamux pool ( for servers version 1.7.3 and later), the entire pool was locked while connecting to a remote location, which could potentially take a long time.
|
||||
* areas: **(Enterprise only)** make the gRPC server tracker network area aware [[GH-11748](https://github.com/hashicorp/consul/issues/11748)]
|
||||
* ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [[GH-11693](https://github.com/hashicorp/consul/issues/11693)]
|
||||
* ca: fixes a bug that caused the SigningKeyID to be wrong in the primary DC, when the Vault provider is used, after a CA config creates a new root. [[GH-11672](https://github.com/hashicorp/consul/issues/11672)]
|
||||
* ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [[GH-11671](https://github.com/hashicorp/consul/issues/11671)]
|
||||
* check root and intermediate CA expiry before using it to sign a leaf certificate. [[GH-10500](https://github.com/hashicorp/consul/issues/10500)]
|
||||
* connect/ca: ensure edits to the key type/bits for the connect builtin CA will regenerate the roots [[GH-10330](https://github.com/hashicorp/consul/issues/10330)]
|
||||
* connect/ca: require new vault mount points when updating the key type/bits for the vault connect CA provider [[GH-10331](https://github.com/hashicorp/consul/issues/10331)]
|
||||
* connect: fix race causing xDS generation to lock up when discovery chains are tracked for services that are no longer upstreams. [[GH-11826](https://github.com/hashicorp/consul/issues/11826)]
|
||||
* dns: Fixed an issue where on DNS requests made with .alt_domain response was returned as .domain [[GH-11348](https://github.com/hashicorp/consul/issues/11348)]
|
||||
* dns: return an empty answer when asked for an addr dns with type other then A and AAAA. [[GH-10401](https://github.com/hashicorp/consul/issues/10401)]
|
||||
* tls: consider presented intermediates during server connection tls handshake. [[GH-10964](https://github.com/hashicorp/consul/issues/10964)]
|
||||
* use the MaxQueryTime instead of RPCHoldTimeout for blocking RPC queries
|
||||
* macos: fixes building with a non-Apple LLVM (such as installed via Homebrew) [[GH-11586](https://github.com/hashicorp/consul/issues/11586)]
|
||||
* namespaces: **(Enterprise only)** ensure the namespace replicator doesn't replicate deleted namespaces
|
||||
* proxycfg: ensure all of the watches are canceled if they are cancelable [[GH-11824](https://github.com/hashicorp/consul/issues/11824)]
|
||||
* snapshot: **(Enterprise only)** fixed a bug where the snapshot agent would ignore the `license_path` setting in config files
|
||||
* ui: Ensure all types of data get reconciled with the backend data [[GH-11237](https://github.com/hashicorp/consul/issues/11237)]
|
||||
* ui: Ensure dc selector correctly shows the currently selected dc [[GH-11380](https://github.com/hashicorp/consul/issues/11380)]
|
||||
* ui: Ensure we check intention permissions for specific services when deciding
|
||||
whether to show action buttons for per service intention actions [[GH-11409](https://github.com/hashicorp/consul/issues/11409)]
|
||||
* ui: Ensure we filter tokens by policy when showing which tokens use a certain
|
||||
policy whilst editing a policy [[GH-11311](https://github.com/hashicorp/consul/issues/11311)]
|
||||
* ui: Ensure we show a readonly designed page for readonly intentions [[GH-11767](https://github.com/hashicorp/consul/issues/11767)]
|
||||
* ui: Filter the global intentions list by the currently selected parition rather
|
||||
than a wildcard [[GH-11475](https://github.com/hashicorp/consul/issues/11475)]
|
||||
* ui: Fix inline-code brand styling [[GH-11578](https://github.com/hashicorp/consul/issues/11578)]
|
||||
* ui: Fix visual issue with slight table header overflow [[GH-11670](https://github.com/hashicorp/consul/issues/11670)]
|
||||
* ui: Fixes an issue where under some circumstances after logging we present the
|
||||
data loaded previous to you logging in. [[GH-11681](https://github.com/hashicorp/consul/issues/11681)]
|
||||
* ui: Gracefully recover from non-existant DC errors [[GH-11077](https://github.com/hashicorp/consul/issues/11077)]
|
||||
* ui: Include `Service.Namespace` into available variables for `dashboard_url_templates` [[GH-11640](https://github.com/hashicorp/consul/issues/11640)]
|
||||
* ui: Revert to depending on the backend, 'post-user-action', to report
|
||||
permissions errors rather than using UI capabilities 'pre-user-action' [[GH-11520](https://github.com/hashicorp/consul/issues/11520)]
|
||||
* ui: Topology - Fix up Default Allow and Permissive Intentions notices [[GH-11216](https://github.com/hashicorp/consul/issues/11216)]
|
||||
* ui: code editor styling (layout consistency + wide screen support) [[GH-11474](https://github.com/hashicorp/consul/issues/11474)]
|
||||
* use the MaxQueryTime instead of RPCHoldTimeout for blocking RPC queries
|
||||
[[GH-8978](https://github.com/hashicorp/consul/pull/8978)]. [[GH-10299](https://github.com/hashicorp/consul/issues/10299)]
|
||||
* windows: fixes arm and arm64 builds [[GH-11586](https://github.com/hashicorp/consul/issues/11586)]
|
||||
|
||||
NOTES:
|
||||
|
||||
* Renamed the `agent_master` field to `agent_recovery` in the `acl-tokens.json` file in which tokens are persisted on-disk (when `acl.enable_token_persistence` is enabled) [[GH-11744](https://github.com/hashicorp/consul/issues/11744)]
|
||||
|
||||
## 1.10.7 (January 12, 2022)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* namespaces: **(Enterprise only)** Creating or editing namespaces that include default ACL policies or ACL roles now requires `acl:write` permission in the default namespace. This change fixes CVE-2021-41805.
|
||||
|
||||
FEATURES:
|
||||
|
||||
* ui: Adds visible Consul version information [[GH-11803](https://github.com/hashicorp/consul/issues/11803)]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* Mutate `NodeService` struct properly to avoid a data race. [[GH-11940](https://github.com/hashicorp/consul/issues/11940)]
|
||||
* Upgrade to raft `1.3.3` which fixes a bug where a read replica node can trigger a raft election and become a leader. [[GH-11958](https://github.com/hashicorp/consul/issues/11958)]
|
||||
* ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [[GH-11693](https://github.com/hashicorp/consul/issues/11693)]
|
||||
* ca: fixes a bug that caused the SigningKeyID to be wrong in the primary DC, when the Vault provider is used, after a CA config creates a new root. [[GH-11672](https://github.com/hashicorp/consul/issues/11672)]
|
||||
* ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [[GH-11671](https://github.com/hashicorp/consul/issues/11671)]
|
||||
* cli: Display assigned node identities in output of `consul acl token list`. [[GH-11926](https://github.com/hashicorp/consul/issues/11926)]
|
||||
* cli: when creating a private key, save the file with mode 0600 so that only the user has read permission. [[GH-11781](https://github.com/hashicorp/consul/issues/11781)]
|
||||
* snapshot: **(Enterprise only)** fixed a bug where the snapshot agent would ignore the `license_path` setting in config files
|
||||
* structs: **(Enterprise only)** Remove partition field parsing from 1.10 to prevent further 1.11 upgrade compatibility issues.
|
||||
* ui: Differentiate between Service Meta and Node Meta when choosing search fields
|
||||
in Service Instance listings [[GH-11774](https://github.com/hashicorp/consul/issues/11774)]
|
||||
* ui: Ensure we show a readonly designed page for readonly intentions [[GH-11767](https://github.com/hashicorp/consul/issues/11767)]
|
||||
* ui: Fix an issue where attempting to delete a policy from the policy detail page when
|
||||
attached to a token would result in the delete button disappearing and no
|
||||
deletion being attempted [[GH-11868](https://github.com/hashicorp/consul/issues/11868)]
|
||||
* ui: Fix visual issue with slight table header overflow [[GH-11670](https://github.com/hashicorp/consul/issues/11670)]
|
||||
* ui: Fixes an issue where once a 403 page is displayed in some circumstances its
|
||||
diffcult to click back to where you where before receiving a 403 [[GH-11891](https://github.com/hashicorp/consul/issues/11891)]
|
||||
* ui: Fixes an issue where under some circumstances after logging we present the
|
||||
data loaded previous to you logging in. [[GH-11681](https://github.com/hashicorp/consul/issues/11681)]
|
||||
* ui: Include `Service.Namespace` into available variables for `dashboard_url_templates` [[GH-11640](https://github.com/hashicorp/consul/issues/11640)]
|
||||
* ui: Revert to depending on the backend, 'post-user-action', to report
|
||||
permissions errors rather than using UI capabilities 'pre-user-action' [[GH-11520](https://github.com/hashicorp/consul/issues/11520)]
|
||||
* ui: Temporarily remove KV pre-flight check for KV list permissions [[GH-11968](https://github.com/hashicorp/consul/issues/11968)]
|
||||
* windows: Fixes a bug with empty log files when Consul is run as a Windows Service [[GH-11960](https://github.com/hashicorp/consul/issues/11960)]
|
||||
* xds: fix a deadlock when the snapshot channel already have a snapshot to be consumed. [[GH-11924](https://github.com/hashicorp/consul/issues/11924)]
|
||||
|
||||
## 1.10.6 (December 15, 2021)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* ci: Upgrade golang.org/x/net to address [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) [[GH-11856](https://github.com/hashicorp/consul/issues/11856)]
|
||||
|
||||
## 1.10.5 (December 13, 2021)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* ci: Upgrade to Go 1.16.12 to address [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) [[GH-11808](https://github.com/hashicorp/consul/issues/11808)]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* agent: **(Enterprise only)** fix bug where 1.10.x agents would deregister serf checks from 1.11.x servers [[GH-11700](https://github.com/hashicorp/consul/issues/11700)]
|
||||
|
||||
## 1.10.4 (November 11, 2021)
|
||||
|
||||
|
@ -511,6 +499,41 @@ NOTES:
|
|||
|
||||
* legal: **(Enterprise only)** Enterprise binary downloads will now include a copy of the EULA and Terms of Evaluation in the zip archive
|
||||
|
||||
## 1.9.14 (January 12, 2022)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* namespaces: **(Enterprise only)** Creating or editing namespaces that include default ACL policies or ACL roles now requires `acl:write` permission in the default namespace. This change fixes CVE-2021-41805.
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* ca: fixes a bug that caused non blocking leaf cert queries to return the same cached response regardless of ca rotation or leaf cert expiry [[GH-11693](https://github.com/hashicorp/consul/issues/11693)]
|
||||
* ca: fixes a bug that caused the intermediate cert used to sign leaf certs to be missing from the /connect/ca/roots API response when the Vault provider was used. [[GH-11671](https://github.com/hashicorp/consul/issues/11671)]
|
||||
* cli: Display assigned node identities in output of `consul acl token list`. [[GH-11926](https://github.com/hashicorp/consul/issues/11926)]
|
||||
* cli: when creating a private key, save the file with mode 0600 so that only the user has read permission. [[GH-11781](https://github.com/hashicorp/consul/issues/11781)]
|
||||
* snapshot: **(Enterprise only)** fixed a bug where the snapshot agent would ignore the `license_path` setting in config files
|
||||
* ui: Differentiate between Service Meta and Node Meta when choosing search fields
|
||||
in Service Instance listings [[GH-11774](https://github.com/hashicorp/consul/issues/11774)]
|
||||
* ui: Fixes an issue where under some circumstances after logging we present the
|
||||
data loaded previous to you logging in. [[GH-11681](https://github.com/hashicorp/consul/issues/11681)]
|
||||
* ui: Fixes an issue where under some circumstances the namespace selector could
|
||||
become 'stuck' on the default namespace [[GH-11830](https://github.com/hashicorp/consul/issues/11830)]
|
||||
* ui: Include `Service.Namespace` into available variables for `dashboard_url_templates` [[GH-11640](https://github.com/hashicorp/consul/issues/11640)]
|
||||
* ui: Prevent disconnection notice appearing with auth change on certain pages [[GH-11905](https://github.com/hashicorp/consul/issues/11905)]
|
||||
* xds: fix a deadlock when the snapshot channel already have a snapshot to be consumed. [[GH-11924](https://github.com/hashicorp/consul/issues/11924)]
|
||||
|
||||
## 1.9.13 (December 15, 2021)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* ci: Upgrade golang.org/x/net to address [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) [[GH-11858](https://github.com/hashicorp/consul/issues/11858)]
|
||||
|
||||
## 1.9.12 (December 13, 2021)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* ci: Upgrade to Go 1.16.12 to address [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) [[GH-11807](https://github.com/hashicorp/consul/issues/11807)]
|
||||
|
||||
## 1.9.11 (November 11, 2021)
|
||||
|
||||
SECURITY:
|
||||
|
@ -891,6 +914,26 @@ BUG FIXES:
|
|||
* telemetry: fixed a bug that caused logs to be flooded with `[WARN] agent.router: Non-server in server-only area` [[GH-8685](https://github.com/hashicorp/consul/issues/8685)]
|
||||
* ui: show correct datacenter for gateways [[GH-8704](https://github.com/hashicorp/consul/issues/8704)]
|
||||
|
||||
## 1.8.19 (December 15, 2021)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* ci: Upgrade golang.org/x/net to address [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) [[GH-11857](https://github.com/hashicorp/consul/issues/11857)]
|
||||
|
||||
## 1.8.18 (December 13, 2021)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* ci: Upgrade to Go 1.16.12 to address [CVE-2021-44716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716) [[GH-11806](https://github.com/hashicorp/consul/issues/11806)]
|
||||
* namespaces: **(Enterprise only)** Creating or editing namespaces that include default ACL policies or ACL roles now requires `acl:write` permission in the default namespace. This change fixes CVE-2021-41805.
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* snapshot: **(Enterprise only)** fixed a bug where the snapshot agent would ignore the `license_path` setting in config files
|
||||
* ui: Fixes an issue where under some circumstances after logging we present the
|
||||
data loaded previous to you logging in. [[GH-11681](https://github.com/hashicorp/consul/issues/11681)]
|
||||
* ui: Include `Service.Namespace` into available variables for `dashboard_url_templates` [[GH-11640](https://github.com/hashicorp/consul/issues/11640)]
|
||||
|
||||
## 1.8.17 (November 11, 2021)
|
||||
|
||||
SECURITY:
|
||||
|
|
|
@ -1516,30 +1516,28 @@ func TestMergePolicies(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
req := require.New(t)
|
||||
|
||||
for _, tcase := range tests {
|
||||
t.Run(tcase.name, func(t *testing.T) {
|
||||
act := MergePolicies(tcase.input)
|
||||
exp := tcase.expected
|
||||
req.Equal(exp.ACL, act.ACL)
|
||||
req.Equal(exp.Keyring, act.Keyring)
|
||||
req.Equal(exp.Operator, act.Operator)
|
||||
req.Equal(exp.Mesh, act.Mesh)
|
||||
req.ElementsMatch(exp.Agents, act.Agents)
|
||||
req.ElementsMatch(exp.AgentPrefixes, act.AgentPrefixes)
|
||||
req.ElementsMatch(exp.Events, act.Events)
|
||||
req.ElementsMatch(exp.EventPrefixes, act.EventPrefixes)
|
||||
req.ElementsMatch(exp.Keys, act.Keys)
|
||||
req.ElementsMatch(exp.KeyPrefixes, act.KeyPrefixes)
|
||||
req.ElementsMatch(exp.Nodes, act.Nodes)
|
||||
req.ElementsMatch(exp.NodePrefixes, act.NodePrefixes)
|
||||
req.ElementsMatch(exp.PreparedQueries, act.PreparedQueries)
|
||||
req.ElementsMatch(exp.PreparedQueryPrefixes, act.PreparedQueryPrefixes)
|
||||
req.ElementsMatch(exp.Services, act.Services)
|
||||
req.ElementsMatch(exp.ServicePrefixes, act.ServicePrefixes)
|
||||
req.ElementsMatch(exp.Sessions, act.Sessions)
|
||||
req.ElementsMatch(exp.SessionPrefixes, act.SessionPrefixes)
|
||||
require.Equal(t, exp.ACL, act.ACL)
|
||||
require.Equal(t, exp.Keyring, act.Keyring)
|
||||
require.Equal(t, exp.Operator, act.Operator)
|
||||
require.Equal(t, exp.Mesh, act.Mesh)
|
||||
require.ElementsMatch(t, exp.Agents, act.Agents)
|
||||
require.ElementsMatch(t, exp.AgentPrefixes, act.AgentPrefixes)
|
||||
require.ElementsMatch(t, exp.Events, act.Events)
|
||||
require.ElementsMatch(t, exp.EventPrefixes, act.EventPrefixes)
|
||||
require.ElementsMatch(t, exp.Keys, act.Keys)
|
||||
require.ElementsMatch(t, exp.KeyPrefixes, act.KeyPrefixes)
|
||||
require.ElementsMatch(t, exp.Nodes, act.Nodes)
|
||||
require.ElementsMatch(t, exp.NodePrefixes, act.NodePrefixes)
|
||||
require.ElementsMatch(t, exp.PreparedQueries, act.PreparedQueries)
|
||||
require.ElementsMatch(t, exp.PreparedQueryPrefixes, act.PreparedQueryPrefixes)
|
||||
require.ElementsMatch(t, exp.Services, act.Services)
|
||||
require.ElementsMatch(t, exp.ServicePrefixes, act.ServicePrefixes)
|
||||
require.ElementsMatch(t, exp.Sessions, act.Sessions)
|
||||
require.ElementsMatch(t, exp.SessionPrefixes, act.SessionPrefixes)
|
||||
})
|
||||
}
|
||||
|
||||
|
|
21
agent/acl.go
21
agent/acl.go
|
@ -15,7 +15,7 @@ import (
|
|||
// critical purposes, such as logging. Therefore we interpret all errors as empty-string
|
||||
// so we can safely log it without handling non-critical errors at the usage site.
|
||||
func (a *Agent) aclAccessorID(secretID string) string {
|
||||
ident, err := a.delegate.ResolveTokenToIdentity(secretID)
|
||||
ident, err := a.delegate.ResolveTokenAndDefaultMeta(secretID, nil, nil)
|
||||
if acl.IsErrNotFound(err) {
|
||||
return ""
|
||||
}
|
||||
|
@ -23,10 +23,7 @@ func (a *Agent) aclAccessorID(secretID string) string {
|
|||
a.logger.Debug("non-critical error resolving acl token accessor for logging", "error", err)
|
||||
return ""
|
||||
}
|
||||
if ident == nil {
|
||||
return ""
|
||||
}
|
||||
return ident.ID()
|
||||
return ident.AccessorID()
|
||||
}
|
||||
|
||||
// vetServiceRegister makes sure the service registration action is allowed by
|
||||
|
@ -84,7 +81,13 @@ func (a *Agent) vetServiceUpdateWithAuthorizer(authz acl.Authorizer, serviceID s
|
|||
structs.ServiceIDString(existing.Service, &existing.EnterpriseMeta))
|
||||
}
|
||||
} else {
|
||||
return NotFoundError{Reason: fmt.Sprintf("Unknown service %q", serviceID)}
|
||||
// Take care if modifying this error message.
|
||||
// agent/local/state.go's deleteService assumes the Catalog.Deregister RPC call
|
||||
// will include "Unknown service"in the error if deregistration fails due to a
|
||||
// service with that ID not existing.
|
||||
return NotFoundError{Reason: fmt.Sprintf(
|
||||
"Unknown service ID %q. Ensure that the service ID is passed, not the service name.",
|
||||
serviceID)}
|
||||
}
|
||||
|
||||
return nil
|
||||
|
@ -143,7 +146,9 @@ func (a *Agent) vetCheckUpdateWithAuthorizer(authz acl.Authorizer, checkID struc
|
|||
}
|
||||
}
|
||||
} else {
|
||||
return fmt.Errorf("Unknown check %q", checkID.String())
|
||||
return NotFoundError{Reason: fmt.Sprintf(
|
||||
"Unknown check ID %q. Ensure that the check ID is passed, not the check name.",
|
||||
checkID.String())}
|
||||
}
|
||||
|
||||
return nil
|
||||
|
@ -166,7 +171,7 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
|||
if authz.NodeRead(node, &authzContext) == acl.Allow {
|
||||
continue
|
||||
}
|
||||
accessorID := a.aclAccessorID(token)
|
||||
accessorID := authz.AccessorID()
|
||||
a.logger.Debug("dropping node from result due to ACLs", "node", node, "accessorID", accessorID)
|
||||
m = append(m[:i], m[i+1:]...)
|
||||
i--
|
||||
|
|
|
@ -16,23 +16,22 @@ type aclBootstrapResponse struct {
|
|||
structs.ACLToken
|
||||
}
|
||||
|
||||
var aclDisabled = UnauthorizedError{Reason: "ACL support disabled"}
|
||||
|
||||
// checkACLDisabled will return a standard response if ACLs are disabled. This
|
||||
// returns true if they are disabled and we should not continue.
|
||||
func (s *HTTPHandlers) checkACLDisabled(resp http.ResponseWriter, _req *http.Request) bool {
|
||||
func (s *HTTPHandlers) checkACLDisabled() bool {
|
||||
if s.agent.config.ACLsEnabled {
|
||||
return false
|
||||
}
|
||||
|
||||
resp.WriteHeader(http.StatusUnauthorized)
|
||||
fmt.Fprint(resp, "ACL support disabled")
|
||||
return true
|
||||
}
|
||||
|
||||
// ACLBootstrap is used to perform a one-time ACL bootstrap operation on
|
||||
// a cluster to get the first management token.
|
||||
func (s *HTTPHandlers) ACLBootstrap(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
args := structs.DCSpecificRequest{
|
||||
|
@ -42,9 +41,7 @@ func (s *HTTPHandlers) ACLBootstrap(resp http.ResponseWriter, req *http.Request)
|
|||
err := s.agent.RPC("ACL.BootstrapTokens", &args, &out)
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), structs.ACLBootstrapNotAllowedErr.Error()) {
|
||||
resp.WriteHeader(http.StatusForbidden)
|
||||
fmt.Fprint(resp, acl.PermissionDeniedError{Cause: err.Error()}.Error())
|
||||
return nil, nil
|
||||
return nil, acl.PermissionDeniedError{Cause: err.Error()}
|
||||
} else {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -53,8 +50,8 @@ func (s *HTTPHandlers) ACLBootstrap(resp http.ResponseWriter, req *http.Request)
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLReplicationStatus(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
// Note that we do not forward to the ACL DC here. This is a query for
|
||||
|
@ -74,8 +71,8 @@ func (s *HTTPHandlers) ACLReplicationStatus(resp http.ResponseWriter, req *http.
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLPolicyList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
var args structs.ACLPolicyListRequest
|
||||
|
@ -105,8 +102,8 @@ func (s *HTTPHandlers) ACLPolicyList(resp http.ResponseWriter, req *http.Request
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLPolicyCRUD(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
var fn func(resp http.ResponseWriter, req *http.Request, policyID string) (interface{}, error)
|
||||
|
@ -125,7 +122,10 @@ func (s *HTTPHandlers) ACLPolicyCRUD(resp http.ResponseWriter, req *http.Request
|
|||
return nil, MethodNotAllowedError{req.Method, []string{"GET", "PUT", "DELETE"}}
|
||||
}
|
||||
|
||||
policyID := strings.TrimPrefix(req.URL.Path, "/v1/acl/policy/")
|
||||
policyID, err := getPathSuffixUnescaped(req.URL.Path, "/v1/acl/policy/")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if policyID == "" && req.Method != "PUT" {
|
||||
return nil, BadRequestError{Reason: "Missing policy ID"}
|
||||
}
|
||||
|
@ -166,11 +166,14 @@ func (s *HTTPHandlers) ACLPolicyRead(resp http.ResponseWriter, req *http.Request
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLPolicyReadByName(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
policyName := strings.TrimPrefix(req.URL.Path, "/v1/acl/policy/name/")
|
||||
policyName, err := getPathSuffixUnescaped(req.URL.Path, "/v1/acl/policy/name/")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if policyName == "" {
|
||||
return nil, BadRequestError{Reason: "Missing policy Name"}
|
||||
}
|
||||
|
@ -183,8 +186,8 @@ func (s *HTTPHandlers) ACLPolicyReadByID(resp http.ResponseWriter, req *http.Req
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLPolicyCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
return s.aclPolicyWriteInternal(resp, req, "", true)
|
||||
|
@ -248,8 +251,8 @@ func (s *HTTPHandlers) ACLPolicyDelete(resp http.ResponseWriter, req *http.Reque
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLTokenList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
args := &structs.ACLTokenListRequest{
|
||||
|
@ -285,8 +288,8 @@ func (s *HTTPHandlers) ACLTokenList(resp http.ResponseWriter, req *http.Request)
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLTokenCRUD(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
var fn func(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error)
|
||||
|
@ -305,7 +308,10 @@ func (s *HTTPHandlers) ACLTokenCRUD(resp http.ResponseWriter, req *http.Request)
|
|||
return nil, MethodNotAllowedError{req.Method, []string{"GET", "PUT", "DELETE"}}
|
||||
}
|
||||
|
||||
tokenID := strings.TrimPrefix(req.URL.Path, "/v1/acl/token/")
|
||||
tokenID, err := getPathSuffixUnescaped(req.URL.Path, "/v1/acl/token/")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if strings.HasSuffix(tokenID, "/clone") && req.Method == "PUT" {
|
||||
tokenID = tokenID[:len(tokenID)-6]
|
||||
fn = s.ACLTokenClone
|
||||
|
@ -318,8 +324,8 @@ func (s *HTTPHandlers) ACLTokenCRUD(resp http.ResponseWriter, req *http.Request)
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLTokenSelf(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
args := structs.ACLTokenGetRequest{
|
||||
|
@ -351,8 +357,8 @@ func (s *HTTPHandlers) ACLTokenSelf(resp http.ResponseWriter, req *http.Request)
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLTokenCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
return s.aclTokenSetInternal(req, "", true)
|
||||
|
@ -442,8 +448,8 @@ func (s *HTTPHandlers) ACLTokenDelete(resp http.ResponseWriter, req *http.Reques
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLTokenClone(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
args := structs.ACLTokenSetRequest{
|
||||
|
@ -471,8 +477,8 @@ func (s *HTTPHandlers) ACLTokenClone(resp http.ResponseWriter, req *http.Request
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLRoleList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
var args structs.ACLRoleListRequest
|
||||
|
@ -504,8 +510,8 @@ func (s *HTTPHandlers) ACLRoleList(resp http.ResponseWriter, req *http.Request)
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLRoleCRUD(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
var fn func(resp http.ResponseWriter, req *http.Request, roleID string) (interface{}, error)
|
||||
|
@ -524,7 +530,10 @@ func (s *HTTPHandlers) ACLRoleCRUD(resp http.ResponseWriter, req *http.Request)
|
|||
return nil, MethodNotAllowedError{req.Method, []string{"GET", "PUT", "DELETE"}}
|
||||
}
|
||||
|
||||
roleID := strings.TrimPrefix(req.URL.Path, "/v1/acl/role/")
|
||||
roleID, err := getPathSuffixUnescaped(req.URL.Path, "/v1/acl/role/")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if roleID == "" && req.Method != "PUT" {
|
||||
return nil, BadRequestError{Reason: "Missing role ID"}
|
||||
}
|
||||
|
@ -533,11 +542,14 @@ func (s *HTTPHandlers) ACLRoleCRUD(resp http.ResponseWriter, req *http.Request)
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLRoleReadByName(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
roleName := strings.TrimPrefix(req.URL.Path, "/v1/acl/role/name/")
|
||||
roleName, err := getPathSuffixUnescaped(req.URL.Path, "/v1/acl/role/name/")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if roleName == "" {
|
||||
return nil, BadRequestError{Reason: "Missing role Name"}
|
||||
}
|
||||
|
@ -581,8 +593,8 @@ func (s *HTTPHandlers) ACLRoleRead(resp http.ResponseWriter, req *http.Request,
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLRoleCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
return s.ACLRoleWrite(resp, req, "")
|
||||
|
@ -634,8 +646,8 @@ func (s *HTTPHandlers) ACLRoleDelete(resp http.ResponseWriter, req *http.Request
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLBindingRuleList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
var args structs.ACLBindingRuleListRequest
|
||||
|
@ -668,8 +680,8 @@ func (s *HTTPHandlers) ACLBindingRuleList(resp http.ResponseWriter, req *http.Re
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLBindingRuleCRUD(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
var fn func(resp http.ResponseWriter, req *http.Request, bindingRuleID string) (interface{}, error)
|
||||
|
@ -688,7 +700,10 @@ func (s *HTTPHandlers) ACLBindingRuleCRUD(resp http.ResponseWriter, req *http.Re
|
|||
return nil, MethodNotAllowedError{req.Method, []string{"GET", "PUT", "DELETE"}}
|
||||
}
|
||||
|
||||
bindingRuleID := strings.TrimPrefix(req.URL.Path, "/v1/acl/binding-rule/")
|
||||
bindingRuleID, err := getPathSuffixUnescaped(req.URL.Path, "/v1/acl/binding-rule/")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if bindingRuleID == "" && req.Method != "PUT" {
|
||||
return nil, BadRequestError{Reason: "Missing binding rule ID"}
|
||||
}
|
||||
|
@ -728,8 +743,8 @@ func (s *HTTPHandlers) ACLBindingRuleRead(resp http.ResponseWriter, req *http.Re
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLBindingRuleCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
return s.ACLBindingRuleWrite(resp, req, "")
|
||||
|
@ -781,8 +796,8 @@ func (s *HTTPHandlers) ACLBindingRuleDelete(resp http.ResponseWriter, req *http.
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLAuthMethodList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
var args structs.ACLAuthMethodListRequest
|
||||
|
@ -812,8 +827,8 @@ func (s *HTTPHandlers) ACLAuthMethodList(resp http.ResponseWriter, req *http.Req
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLAuthMethodCRUD(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
var fn func(resp http.ResponseWriter, req *http.Request, methodName string) (interface{}, error)
|
||||
|
@ -832,7 +847,10 @@ func (s *HTTPHandlers) ACLAuthMethodCRUD(resp http.ResponseWriter, req *http.Req
|
|||
return nil, MethodNotAllowedError{req.Method, []string{"GET", "PUT", "DELETE"}}
|
||||
}
|
||||
|
||||
methodName := strings.TrimPrefix(req.URL.Path, "/v1/acl/auth-method/")
|
||||
methodName, err := getPathSuffixUnescaped(req.URL.Path, "/v1/acl/auth-method/")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if methodName == "" && req.Method != "PUT" {
|
||||
return nil, BadRequestError{Reason: "Missing auth method name"}
|
||||
}
|
||||
|
@ -872,8 +890,8 @@ func (s *HTTPHandlers) ACLAuthMethodRead(resp http.ResponseWriter, req *http.Req
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLAuthMethodCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
return s.ACLAuthMethodWrite(resp, req, "")
|
||||
|
@ -928,8 +946,8 @@ func (s *HTTPHandlers) ACLAuthMethodDelete(resp http.ResponseWriter, req *http.R
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLLogin(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
args := &structs.ACLLoginRequest{
|
||||
|
@ -954,8 +972,8 @@ func (s *HTTPHandlers) ACLLogin(resp http.ResponseWriter, req *http.Request) (in
|
|||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLLogout(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
args := structs.ACLLogoutRequest{
|
||||
|
@ -1014,8 +1032,8 @@ func (s *HTTPHandlers) ACLAuthorize(resp http.ResponseWriter, req *http.Request)
|
|||
// policy.
|
||||
const maxRequests = 64
|
||||
|
||||
if s.checkACLDisabled(resp, req) {
|
||||
return nil, nil
|
||||
if s.checkACLDisabled() {
|
||||
return nil, aclDisabled
|
||||
}
|
||||
|
||||
request := structs.RemoteACLAuthorizationRequest{
|
||||
|
|
|
@ -70,10 +70,8 @@ func TestACL_Disabled_Response(t *testing.T) {
|
|||
req, _ := http.NewRequest("PUT", "/should/not/care", nil)
|
||||
resp := httptest.NewRecorder()
|
||||
obj, err := tt.fn(resp, req)
|
||||
require.NoError(t, err)
|
||||
require.Nil(t, obj)
|
||||
require.Equal(t, http.StatusUnauthorized, resp.Code)
|
||||
require.Contains(t, resp.Body.String(), "ACL support disabled")
|
||||
require.ErrorIs(t, err, UnauthorizedError{Reason: "ACL support disabled"})
|
||||
})
|
||||
}
|
||||
}
|
||||
|
@ -119,9 +117,6 @@ func TestACL_Bootstrap(t *testing.T) {
|
|||
if tt.token && err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
if got, want := resp.Code, tt.code; got != want {
|
||||
t.Fatalf("got %d want %d", got, want)
|
||||
}
|
||||
if tt.token {
|
||||
wrap, ok := out.(*aclBootstrapResponse)
|
||||
if !ok {
|
||||
|
@ -854,10 +849,10 @@ func TestACL_HTTP(t *testing.T) {
|
|||
tokens, ok := raw.(structs.ACLTokenListStubs)
|
||||
require.True(t, ok)
|
||||
|
||||
// 3 tokens created but 1 was deleted + master token + anon token
|
||||
// 3 tokens created but 1 was deleted + initial management token + anon token
|
||||
require.Len(t, tokens, 4)
|
||||
|
||||
// this loop doesn't verify anything about the master token
|
||||
// this loop doesn't verify anything about the initial management token
|
||||
for tokenID, expected := range tokenMap {
|
||||
found := false
|
||||
for _, actual := range tokens {
|
||||
|
@ -1885,7 +1880,7 @@ func TestACL_Authorize(t *testing.T) {
|
|||
var localToken structs.ACLToken
|
||||
require.NoError(t, a2.RPC("ACL.TokenSet", &localTokenReq, &localToken))
|
||||
|
||||
t.Run("master-token", func(t *testing.T) {
|
||||
t.Run("initial-management-token", func(t *testing.T) {
|
||||
request := []structs.ACLAuthorizationRequest{
|
||||
{
|
||||
Resource: "acl",
|
||||
|
@ -2021,7 +2016,7 @@ func TestACL_Authorize(t *testing.T) {
|
|||
resp := responses[idx]
|
||||
|
||||
require.Equal(t, req, resp.ACLAuthorizationRequest)
|
||||
require.True(t, resp.Allow, "should have allowed all access for master token")
|
||||
require.True(t, resp.Allow, "should have allowed all access for initial management token")
|
||||
}
|
||||
})
|
||||
}
|
||||
|
@ -2282,7 +2277,7 @@ func TestACL_Authorize(t *testing.T) {
|
|||
type rpcFn func(string, interface{}, interface{}) error
|
||||
|
||||
func upsertTestCustomizedAuthMethod(
|
||||
rpc rpcFn, masterToken string, datacenter string,
|
||||
rpc rpcFn, initialManagementToken string, datacenter string,
|
||||
modify func(method *structs.ACLAuthMethod),
|
||||
) (*structs.ACLAuthMethod, error) {
|
||||
name, err := uuid.GenerateUUID()
|
||||
|
@ -2296,7 +2291,7 @@ func upsertTestCustomizedAuthMethod(
|
|||
Name: "test-method-" + name,
|
||||
Type: "testing",
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{Token: masterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: initialManagementToken},
|
||||
}
|
||||
|
||||
if modify != nil {
|
||||
|
@ -2313,11 +2308,11 @@ func upsertTestCustomizedAuthMethod(
|
|||
return &out, nil
|
||||
}
|
||||
|
||||
func upsertTestCustomizedBindingRule(rpc rpcFn, masterToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) {
|
||||
func upsertTestCustomizedBindingRule(rpc rpcFn, initialManagementToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) {
|
||||
req := structs.ACLBindingRuleSetRequest{
|
||||
Datacenter: datacenter,
|
||||
BindingRule: structs.ACLBindingRule{},
|
||||
WriteRequest: structs.WriteRequest{Token: masterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: initialManagementToken},
|
||||
}
|
||||
|
||||
if modify != nil {
|
||||
|
|
|
@ -39,6 +39,12 @@ type TestACLAgent struct {
|
|||
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzResolver, resolveIdent identResolver) *TestACLAgent {
|
||||
t.Helper()
|
||||
|
||||
if resolveIdent == nil {
|
||||
resolveIdent = func(s string) (structs.ACLIdentity, error) {
|
||||
return nil, nil
|
||||
}
|
||||
}
|
||||
|
||||
a := &TestACLAgent{resolveAuthzFn: resolveAuthz, resolveIdentFn: resolveIdent}
|
||||
|
||||
dataDir := testutil.TempDir(t, "acl-agent")
|
||||
|
@ -86,26 +92,15 @@ func (a *TestACLAgent) ResolveToken(secretID string) (acl.Authorizer, error) {
|
|||
return authz, err
|
||||
}
|
||||
|
||||
func (a *TestACLAgent) ResolveTokenToIdentityAndAuthorizer(secretID string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
if a.resolveAuthzFn == nil {
|
||||
return nil, nil, fmt.Errorf("ResolveTokenToIdentityAndAuthorizer call is unexpected - no authz resolver callback set")
|
||||
}
|
||||
|
||||
return a.resolveAuthzFn(secretID)
|
||||
}
|
||||
|
||||
func (a *TestACLAgent) ResolveTokenToIdentity(secretID string) (structs.ACLIdentity, error) {
|
||||
if a.resolveIdentFn == nil {
|
||||
return nil, fmt.Errorf("ResolveTokenToIdentity call is unexpected - no ident resolver callback set")
|
||||
}
|
||||
|
||||
return a.resolveIdentFn(secretID)
|
||||
}
|
||||
|
||||
func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
||||
identity, authz, err := a.ResolveTokenToIdentityAndAuthorizer(secretID)
|
||||
func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (consul.ACLResolveResult, error) {
|
||||
authz, err := a.ResolveToken(secretID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return consul.ACLResolveResult{}, err
|
||||
}
|
||||
|
||||
identity, err := a.resolveIdentFn(secretID)
|
||||
if err != nil {
|
||||
return consul.ACLResolveResult{}, err
|
||||
}
|
||||
|
||||
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
|
||||
|
@ -119,7 +114,7 @@ func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *stru
|
|||
// Use the meta to fill in the ACL authorization context
|
||||
entMeta.FillAuthzContext(authzContext)
|
||||
|
||||
return authz, err
|
||||
return consul.ACLResolveResult{Authorizer: authz, ACLIdentity: identity}, err
|
||||
}
|
||||
|
||||
// All of these are stubs to satisfy the interface
|
||||
|
@ -523,22 +518,3 @@ func TestACL_filterChecksWithAuthorizer(t *testing.T) {
|
|||
_, ok = checks["my-other"]
|
||||
require.False(t, ok)
|
||||
}
|
||||
|
||||
// TODO: remove?
|
||||
func TestACL_ResolveIdentity(t *testing.T) {
|
||||
t.Parallel()
|
||||
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), nil, catalogIdent)
|
||||
|
||||
// this test is meant to ensure we are calling the correct function
|
||||
// which is ResolveTokenToIdentity on the Agent delegate. Our
|
||||
// nil authz resolver will cause it to emit an error if used
|
||||
ident, err := a.delegate.ResolveTokenToIdentity(nodeROSecret)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, ident)
|
||||
|
||||
// just double checkingto ensure if we had used the wrong function
|
||||
// that an error would be produced
|
||||
_, err = a.delegate.ResolveTokenAndDefaultMeta(nodeROSecret, nil, nil)
|
||||
require.Error(t, err)
|
||||
|
||||
}
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue