diff --git a/CHANGELOG.md b/CHANGELOG.md
index e328ef533..5bcc704bb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ IMPROVEMENTS:
 * agent: Blocking queries on service-specific health and catalog endpoints now return a per-service `X-Consul-Index` improving watch performance on very busy clusters. [[GH-3890](https://github.com/hashicorp/consul/issues/3890)]. **Note this may break blocking clients that relied on undocumented implementation details** as noted in the [upgrade docs](https://github.com/hashicorp/consul/blob/master/website/source/docs/upgrading.html.md#upgrade-from-version-106-to-higher).
 * agent: All endpoints now respond to OPTIONS requests. [[GH-3885](https://github.com/hashicorp/consul/issues/3885)]
 * dns: Introduced a new config param to limit the number of A/AAAA records returned. [[GH-3940](https://github.com/hashicorp/consul/issues/3940)]
+* agent: supported TLS cipher suites updated to include newer options, [[GH-3962](https://github.com/hashicorp/consul/pull/3962)]
 BUG FIXES:
diff --git a/INTERNALS.md b/INTERNALS.md
index 8c67895a0..02eaeaa82 100644
--- a/INTERNALS.md
+++ b/INTERNALS.md
@@ -38,7 +38,7 @@ The components in this section are only used by Consul servers.
 | --------- | -------- |
 | [agent/consul](https://github.com/hashicorp/consul/tree/master/agent/consul) | This is where the Consul server object is defined, and the top-level `consul` package has all of the functionality that's used by server agents. This includes things like the internal RPC endpoints. |
 | [agent/consul/fsm](https://github.com/hashicorp/consul/tree/master/agent/consul/fsm), [agent/consul/state](https://github.com/hashicorp/consul/tree/master/agent/consul/state) | These components make up Consul's finite state machine (updated by the Raft consensus algorithm) and backed by the state store (based on immutable radix trees). All updates of Consul's consistent state is handled by the finite state machine, and all read queries to the Consul servers are serviced by the state store's data structures. |
-| [agent/consul/autopulot](https://github.com/hashicorp/consul/tree/master/agent/consul/autopilot) | This contains a package of functions that provide Consul's [Autopilot](https://www.consul.io/docs/guides/autopilot.html) features. |
+| [agent/consul/autopilot](https://github.com/hashicorp/consul/tree/master/agent/consul/autopilot) | This contains a package of functions that provide Consul's [Autopilot](https://www.consul.io/docs/guides/autopilot.html) features. |
 ### Other Components
diff --git a/acl/acl.go b/acl/acl.go
index 1b3a3ba10..73bcc4fc3 100644
--- a/acl/acl.go
+++ b/acl/acl.go
@@ -96,7 +96,7 @@ type ACL interface {
 // functions can be used.
 OperatorWrite() bool
- // PrepardQueryRead determines if a specific prepared query can be read
+ // PreparedQueryRead determines if a specific prepared query can be read
 // to show its contents (this is not used for execution).
 PreparedQueryRead(string) bool
diff --git a/acl/errors.go b/acl/errors.go
index f30004baf..e77afb45c 100644
--- a/acl/errors.go
+++ b/acl/errors.go
@@ -37,7 +37,7 @@ func IsErrNotFound(err error) bool {
 return err != nil && strings.Contains(err.Error(), errNotFound)
 }
- // IsErrRootDenied checks if the given error messge is comparable to
+ // IsErrRootDenied checks if the given error message is comparable to
 // ErrRootDenied.
 func IsErrRootDenied(err error) bool {
 return err != nil && strings.Contains(err.Error(), errRootDenied)
diff --git a/agent/ae/ae.go b/agent/ae/ae.go
index d177ee776..b150001b6 100644
--- a/agent/ae/ae.go
+++ b/agent/ae/ae.go
@@ -47,7 +47,7 @@ type SyncState interface {
 // The state is synchronized on a regular basis or on demand when either
 // the state has changed or a new Consul server has joined the cluster.
 //
- // The regular state sychronization provides a self-healing mechanism
+ // The regular state synchronization provides a self-healing mechanism
 // for the cluster which is also called anti-entropy.
 type StateSyncer struct {
 // State contains the data that needs to be synchronized.
diff --git a/agent/agent.go b/agent/agent.go
index b8cf9178a..2d9a6b6d3 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -1204,7 +1204,7 @@ func (a *Agent) ShutdownAgent() error {
 }
 // ShutdownEndpoints terminates the HTTP and DNS servers. Should be
- // preceeded by ShutdownAgent.
+ // preceded by ShutdownAgent.
 func (a *Agent) ShutdownEndpoints() {
 a.shutdownLock.Lock()
 defer a.shutdownLock.Unlock()
@@ -1400,7 +1400,7 @@ func (a *Agent) reapServicesInternal() {
 }
 // See if there's a timeout.
- // todo(fs): this looks fishy... why is there anoter data structure in the agent with its own lock?
+ // todo(fs): this looks fishy... why is there another data structure in the agent with its own lock?
 a.checkLock.Lock()
 timeout := a.checkReapAfter[checkID]
 a.checkLock.Unlock()
diff --git a/agent/agent_endpoint.go b/agent/agent_endpoint.go
index 20388a38e..86fb47ee7 100644
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@@ -506,7 +506,7 @@ func (s *HTTPServer) AgentRegisterService(resp http.ResponseWriter, req *http.Re
 }
 // Check the service address here and in the catalog RPC endpoint
- // since service registration isn't sychronous.
+ // since service registration isn't synchronous.
 if ipaddr.IsAny(args.Address) {
 resp.WriteHeader(http.StatusBadRequest)
 fmt.Fprintf(resp, "Invalid service address")
diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go
index 427154f9e..940304b54 100644
--- a/agent/agent_endpoint_test.go
+++ b/agent/agent_endpoint_test.go
@@ -1228,7 +1228,7 @@ func TestAgent_RegisterService(t *testing.T) {
 t.Fatalf("bad: %v", obj)
 }
- // Ensure the servie
+ // Ensure the service
 if _, ok := a.State.Services()["test"]; !ok {
 t.Fatalf("missing test service")
 }
diff --git a/agent/config/builder.go b/agent/config/builder.go
index bb4ceb952..efcffde89 100644
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@@ -1163,7 +1163,7 @@ func (b *Builder) expandFirstAddr(name string, s *string) net.Addr {
 return addrs[0]
 }
-// expandFirstIP exapnds the go-sockaddr template in s and returns the
+// expandFirstIP expands the go-sockaddr template in s and returns the
 // first address if it is not a unix socket address. If the template
 // expands to multiple addresses an error is set and nil is returned.
 func (b *Builder) expandFirstIP(name string, s *string) *net.IPAddr {
diff --git a/agent/config/runtime.go b/agent/config/runtime.go
index fd8e012e0..30cc1c656 100644
--- a/agent/config/runtime.go
+++ b/agent/config/runtime.go
@@ -181,7 +181,7 @@ type RuntimeConfig struct {
 // AutopilotUpgradeVersionTag is the node tag to use for version info when
 // performing upgrade migrations. If left blank, the Consul version will be used.
 //
- // (Entrprise-only)
+ // (Enterprise-only)
 //
 // hcl: autopilot { upgrade_version_tag = string }
 AutopilotUpgradeVersionTag string
@@ -322,7 +322,7 @@ type RuntimeConfig struct {
 // metric management is enabled.
 // Default: none
 //
- // hcl: telemetry { circonous_api_token = string }
+ // hcl: telemetry { circonus_api_token = string }
 TelemetryCirconusAPIToken string
 // TelemetryCirconusAPIURL is the base URL to use for contacting the Circonus API.
@@ -359,7 +359,7 @@ type RuntimeConfig struct {
 // TelemetryCirconusCheckForceMetricActivation will force enabling metrics, as they are encountered,
 // if the metric already exists and is NOT active. If check management is enabled, the default
- // behavior is to add new metrics as they are encoutered. If the metric already exists in the
+ // behavior is to add new metrics as they are encountered. If the metric already exists in the
 // check, it will *NOT* be activated. This setting overrides that behavior.
 // Default: "false"
 //
@@ -1060,7 +1060,7 @@ type RuntimeConfig struct {
 // name = string
 // tags = []string
 // address = string
- // check = { check definiton }
+ // check = { check definition }
 // checks = [ { check definition}, ... ]
 // token = string
 // enable_tag_override = (true|false)
@@ -1107,23 +1107,28 @@ type RuntimeConfig struct {
 //
 // The values should be a list of the following values:
 //
- // TLS_RSA_WITH_RC4_128_SHA
- // TLS_RSA_WITH_3DES_EDE_CBC_SHA
- // TLS_RSA_WITH_AES_128_CBC_SHA
- // TLS_RSA_WITH_AES_256_CBC_SHA
- // TLS_RSA_WITH_AES_128_GCM_SHA256
- // TLS_RSA_WITH_AES_256_GCM_SHA384
- // TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- // TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- // TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- // TLS_ECDHE_RSA_WITH_RC4_128_SHA
- // TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- // TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- // TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+ // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
 // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 // TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 // TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ // TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ // TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ // TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ // TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ // TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ // TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ // TLS_RSA_WITH_AES_128_GCM_SHA256
+ // TLS_RSA_WITH_AES_256_GCM_SHA384
+ // TLS_RSA_WITH_AES_128_CBC_SHA256
+ // TLS_RSA_WITH_AES_128_CBC_SHA
+ // TLS_RSA_WITH_AES_256_CBC_SHA
+ // TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ // TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ // TLS_RSA_WITH_RC4_128_SHA
+ // TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ // TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
 //
 // todo(fs): IMHO, we should also support the raw 0xNNNN values from
 // todo(fs): https://golang.org/pkg/crypto/tls/#pkg-constants
diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
index 4e1cd6d4a..2f58b9781 100644
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
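Review bot: The rewritten list of accepted `tls_cipher_suites` values in agent/config/runtime.go now ends with the three RC4 and two 3DES suites but gives the operator no hint that they are legacy-only: RC4 is prohibited for TLS by RFC 7465 and is excluded from Go's default suite list, and 3DES is a 64-bit block cipher generally considered weak, yet both stay selectable here and in the `cipherMap` of `ParseCiphers` in tlsutil/config.go. A one-line caveat after the list would make the trade-off explicit, e.g. `// The RC4 and 3DES suites are weak and are retained only for compatibility with legacy clients; prefer the ECDHE/AEAD suites listed first.` The same caveat belongs above the map literal in `ParseCiphers`, since that is where the names are actually accepted. The `RuntimeConfig` struct continues outside the hunk.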
@@ -2581,7 +2581,7 @@ func TestFullConfig(t *testing.T) {
 "statsd_address": "drce87cy",
 "statsite_address": "HpFwKB8R"
 },
- "tls_cipher_suites": "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+ "tls_cipher_suites": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
 "tls_min_version": "pAOWafkR",
 "tls_prefer_server_cipher_suites": true,
 "translate_wan_addrs": true,
@@ -3017,7 +3017,7 @@ func TestFullConfig(t *testing.T) {
 statsd_address = "drce87cy"
 statsite_address = "HpFwKB8R"
 }
- tls_cipher_suites = "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
+ tls_cipher_suites = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
 tls_min_version = "pAOWafkR"
 tls_prefer_server_cipher_suites = true
 translate_wan_addrs = true
@@ -3575,7 +3575,7 @@ func TestFullConfig(t *testing.T) {
 TelemetryMetricsPrefix: "ftO6DySn",
 TelemetryStatsdAddr: "drce87cy",
 TelemetryStatsiteAddr: "HpFwKB8R",
- TLSCipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA},
+ TLSCipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
 TLSMinVersion: "pAOWafkR",
 TLSPreferServerCipherSuites: true,
 TaggedAddresses: map[string]string{
@@ -3703,7 +3703,7 @@ func nonZero(name string, uniq map[interface{}]string, v interface{}) error {
 isUnique := func(v interface{}) error {
 if other := uniq[v]; other != "" {
- return fmt.Errorf("%q and %q both use vaule %q", name, other, v)
+ return fmt.Errorf("%q and %q both use value %q", name, other, v)
 }
 uniq[v] = name
 return nil
diff --git a/agent/consul/acl_replication.go b/agent/consul/acl_replication.go
index 3a1579cb0..38d5f25fc 100644
--- a/agent/consul/acl_replication.go
+++ b/agent/consul/acl_replication.go
@@ -255,7 +255,7 @@ func (s *Server) IsACLReplicationEnabled() bool {
 // updateACLReplicationStatus safely updates the ACL replication status.
 func (s *Server) updateACLReplicationStatus(status structs.ACLReplicationStatus) {
- // Fixup the times to shed some useless precision to ease formattting,
+ // Fixup the times to shed some useless precision to ease formatting,
 // and always report UTC.
 status.LastError = status.LastError.Round(time.Second).UTC()
 status.LastSuccess = status.LastSuccess.Round(time.Second).UTC()
diff --git a/agent/consul/catalog_endpoint.go b/agent/consul/catalog_endpoint.go
index 0d6fef4ee..ca92fde57 100644
--- a/agent/consul/catalog_endpoint.go
+++ b/agent/consul/catalog_endpoint.go
@@ -59,7 +59,7 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
 }
 // Check the service address here and in the agent endpoint
- // since service registration isn't sychronous.
+ // since service registration isn't synchronous.
 if ipaddr.IsAny(args.Service.Address) {
 return fmt.Errorf("Invalid service address")
 }
diff --git a/agent/consul/leader_test.go b/agent/consul/leader_test.go
index a7d2c95d1..da2092fda 100644
--- a/agent/consul/leader_test.go
+++ b/agent/consul/leader_test.go
@@ -441,7 +441,7 @@ func TestLeader_Reconcile_Races(t *testing.T) {
 })
 // Add in some metadata via the catalog (as if the agent synced it
- // there). We also set the serfHealth check to failing so the reconile
+ // there). We also set the serfHealth check to failing so the reconcile
 // will attempt to flip it back
 req := structs.RegisterRequest{
 Datacenter: s1.config.Datacenter,
diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go
index 3a02308df..3afbb6f07 100644
--- a/agent/consul/server_test.go
+++ b/agent/consul/server_test.go
@@ -629,7 +629,7 @@ func TestServer_globalRPCErrors(t *testing.T) {
 t.Fatalf("should have errored")
 }
 if !strings.Contains(err.Error(), "Bad.Method") {
- t.Fatalf("unexpcted error: %s", err)
+ t.Fatalf("unexpected error: %s", err)
 }
 }
@@ -767,10 +767,10 @@ func TestServer_RevokeLeadershipIdempotent(t *testing.T) {
 dir1, s1 := testServer(t)
 defer os.RemoveAll(dir1)
 defer s1.Shutdown()
-
+
 testrpc.WaitForLeader(t, s1.RPC, "dc1")
- err:= s1.revokeLeadership()
+ err := s1.revokeLeadership()
 if err != nil {
 t.Fatal(err)
 }
diff --git a/agent/consul/state/catalog_test.go b/agent/consul/state/catalog_test.go
index 4d4500d64..39eccc478 100644
--- a/agent/consul/state/catalog_test.go
+++ b/agent/consul/state/catalog_test.go
@@ -2210,10 +2210,10 @@ func ensureIndexForService(t *testing.T, s *Store, ws memdb.WatchSet, serviceNam
 }
 }
-// TestIndexIndependance test that changes on a given service does not impact the
+// TestIndexIndependence test that changes on a given service does not impact the
 // index of other services. It allows to have huge benefits for watches since
 // watchers are notified ONLY when there are changes in the given service
-func TestIndexIndependance(t *testing.T) {
+func TestIndexIndependence(t *testing.T) {
 s := testStateStore(t)
 // Querying with no matches gives an empty response
diff --git a/agent/consul/state/delay.go b/agent/consul/state/delay.go
index 206fe4da6..1a253b641 100644
--- a/agent/consul/state/delay.go
+++ b/agent/consul/state/delay.go
@@ -7,7 +7,7 @@ import (
 // Delay is used to mark certain locks as unacquirable. When a lock is
 // forcefully released (failing health check, destroyed session, etc.), it is
-// subject to the LockDelay impossed by the session. This prevents another
+// subject to the LockDelay imposed by the session. This prevents another
 // session from acquiring the lock for some period of time as a protection
 // against split-brains. This is inspired by the lock-delay in Chubby. Because
 // this relies on wall-time, we cannot assume all peers perceive time as flowing
diff --git a/agent/coordinate_endpoint_test.go b/agent/coordinate_endpoint_test.go
index 688d34503..b07125651 100644
--- a/agent/coordinate_endpoint_test.go
+++ b/agent/coordinate_endpoint_test.go
@@ -138,7 +138,7 @@ func TestCoordinate_Nodes(t *testing.T) {
 t.Fatalf("bad: %v", coordinates)
 }
- // Filter on a nonexistant node segment
+ // Filter on a nonexistent node segment
 req, _ = http.NewRequest("GET", "/v1/coordinate/nodes?segment=nope", nil)
 resp = httptest.NewRecorder()
 obj, err = a.srv.CoordinateNodes(resp, req)
@@ -245,7 +245,7 @@ func TestCoordinate_Node(t *testing.T) {
 t.Fatalf("bad: %v", coordinates)
 }
- // Filter on a nonexistant node segment
+ // Filter on a nonexistent node segment
 req, _ = http.NewRequest("GET", "/v1/coordinate/node/foo?segment=nope", nil)
 resp = httptest.NewRecorder()
 obj, err = a.srv.CoordinateNode(resp, req)
diff --git a/agent/dns_test.go b/agent/dns_test.go
index 0f29cda10..eeb058002 100644
--- a/agent/dns_test.go
+++ b/agent/dns_test.go
@@ -3082,7 +3082,7 @@ func TestDNS_ServiceLookup_ARecordLimits(t *testing.T) {
 name string
 aRecordLimit int
 expectedAResults int
- expectedAAAAResuls int
+ expectedAAAAResults int
 expectedSRVResults int
 numNodesTotal int
 udpSize uint16
diff --git a/agent/local/state.go b/agent/local/state.go
index b0adcd53d..af000e3db 100644
--- a/agent/local/state.go
+++ b/agent/local/state.go
@@ -746,7 +746,7 @@ func (l *State) updateSyncState() error {
 // and synchronizes the changes.
 func (l *State) SyncFull() error {
 // note that we do not acquire the lock here since the methods
- // we are calling will do that themself.
+ // we are calling will do that themselves.
 //
 // Also note that we don't hold the lock for the entire operation
 // but release it between the two calls. This is not an issue since
diff --git a/agent/router/router.go b/agent/router/router.go
index c41a6a79c..426ca1628 100644
--- a/agent/router/router.go
+++ b/agent/router/router.go
@@ -308,7 +308,7 @@ func (r *Router) FailServer(areaID types.AreaID, s *metadata.Server) error {
 // cases this may return a best-effort unhealthy server that can be used for a
 // connection attempt. If any problem occurs with the given server, the caller
 // should feed that back to the manager associated with the server, which is
-// also returned, by calling NofifyFailedServer().
+// also returned, by calling NotifyFailedServer().
 func (r *Router) FindRoute(datacenter string) (*Manager, *metadata.Server, bool) {
 return r.routeFn(datacenter)
 }
@@ -380,7 +380,7 @@ func (n *datacenterSorter) Less(i, j int) bool {
 return n.Vec[i] < n.Vec[j]
 }
-// GetDatacentersByDeistance returns a list of datacenters known to the router,
+// GetDatacentersByDistance returns a list of datacenters known to the router,
 // sorted by median RTT from this server to the servers in each datacenter. If
 // there are multiple areas that reach a given datacenter, this will use the
 // lowest RTT for the sort.
diff --git a/agent/testagent.go b/agent/testagent.go
index 2ce611fb7..581143016 100644
--- a/agent/testagent.go
+++ b/agent/testagent.go
@@ -207,7 +207,7 @@ func (a *TestAgent) Start() *TestAgent {
 resp := httptest.NewRecorder()
 _, err := a.httpServers[0].AgentSelf(resp, req)
 if err != nil || resp.Code != 200 {
- r.Fatal(a.Name, "failed OK respose", err)
+ r.Fatal(a.Name, "failed OK response", err)
 }
 }
 })
@@ -282,7 +282,7 @@ func (a *TestAgent) consulConfig() *consul.Config {
 // pickRandomPorts selects random ports from fixed size random blocks of
 // ports. This does not eliminate the chance for port conflict but
-// reduces it significanltly with little overhead. Furthermore, asking
+// reduces it significantly with little overhead. Furthermore, asking
 // the kernel for a random port by binding to port 0 prolongs the test
 // execution (in our case +20sec) while also not fully eliminating the
 // chance of port conflicts for concurrently executed test binaries.
diff --git a/agent/user_event.go b/agent/user_event.go
index 24d4bb03d..6087a93e4 100644
--- a/agent/user_event.go
+++ b/agent/user_event.go
@@ -254,7 +254,7 @@ func (a *Agent) UserEvents() []*UserEvent {
 return out
 }
-// LastUserEvent is used to return the lastest user event.
+// LastUserEvent is used to return the last user event.
 // This will return nil if there is no recent event.
 func (a *Agent) LastUserEvent() *UserEvent {
 a.eventLock.RLock()
diff --git a/api/acl.go b/api/acl.go
index 6ea0a752e..8ec9aa585 100644
--- a/api/acl.go
+++ b/api/acl.go
@@ -5,7 +5,7 @@ import (
 )
 const (
- // ACLCLientType is the client type token
+ // ACLClientType is the client type token
 ACLClientType = "client"
 // ACLManagementType is the management type token
diff --git a/api/api.go b/api/api.go
index c7a29f503..1cdc21e33 100644
--- a/api/api.go
+++ b/api/api.go
@@ -137,7 +137,7 @@ type WriteOptions struct {
 // which overrides the agent's default token.
 Token string
- // RelayFactor is used in keyring operations to cause reponses to be
+ // RelayFactor is used in keyring operations to cause responses to be
 // relayed back to the sender through N other random nodes. Must be
 // a value from 0 to 5 (inclusive).
 RelayFactor uint8
diff --git a/api/prepared_query.go b/api/prepared_query.go
index ff210de3f..9020b720e 100644
--- a/api/prepared_query.go
+++ b/api/prepared_query.go
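Review bot: The comment fix in agent/user_event.go turns `lastest` into `last`, but the intended word is almost certainly `latest`: the following context line, `This will return nil if there is no recent event.`, describes recency rather than list position. Suggest `// LastUserEvent is used to return the latest user event.` The body of LastUserEvent continues outside the hunk.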
@@ -61,7 +61,7 @@ type QueryTemplate struct {
 Regexp string
 }
-// PrepatedQueryDefinition defines a complete prepared query.
+// PreparedQueryDefinition defines a complete prepared query.
 type PreparedQueryDefinition struct {
 // ID is this UUID-based ID for the query, always generated by Consul.
 ID string
diff --git a/command/kv/put/kv_put.go b/command/kv/put/kv_put.go
index f057f0297..98be3c001 100644
--- a/command/kv/put/kv_put.go
+++ b/command/kv/put/kv_put.go
@@ -94,7 +94,7 @@ func (c *cmd) Run(args []string) int {
 }
 }
- // Session is reauired for release or acquire
+ // Session is required for release or acquire
 if (c.release || c.acquire) && c.session == "" {
 c.UI.Error("Error! Missing -session (required with -acquire and -release)")
 return 1
diff --git a/command/monitor/monitor_test.go b/command/monitor/monitor_test.go
index c1d6c8c33..5a5189a83 100644
--- a/command/monitor/monitor_test.go
+++ b/command/monitor/monitor_test.go
@@ -12,7 +12,7 @@ import (
 "github.com/mitchellh/cli"
 )
-func TestMonitorCommand_exitssOnSignalBeforeLinesArrive(t *testing.T) {
+func TestMonitorCommand_exitsOnSignalBeforeLinesArrive(t *testing.T) {
 t.Parallel()
 logWriter := logger.NewLogWriter(512)
 a := &agent.TestAgent{
diff --git a/command/snapshot/inspect/snapshot_inspect_test.go b/command/snapshot/inspect/snapshot_inspect_test.go
index 8b43beffd..7bdc059f6 100644
--- a/command/snapshot/inspect/snapshot_inspect_test.go
+++ b/command/snapshot/inspect/snapshot_inspect_test.go
@@ -12,7 +12,7 @@ import (
 "github.com/mitchellh/cli"
 )
-func TestSnapshotInpectCommand_noTabs(t *testing.T) {
+func TestSnapshotInspectCommand_noTabs(t *testing.T) {
 t.Parallel()
 if strings.ContainsRune(New(cli.NewMockUi()).Help(), '\t') {
 t.Fatal("help has tabs")
diff --git a/terraform/digitalocean/variables.tf b/terraform/digitalocean/variables.tf
index 79bf8d782..76c2563e1 100644
--- a/terraform/digitalocean/variables.tf
+++ b/terraform/digitalocean/variables.tf
@@ -21,6 +21,6 @@ variable "centos" {
 }
 variable "coreos" {
- description = "Defaut Coreos"
+ description = "Default Coreos"
 default = "coreos-899.17.0"
 }
diff --git a/testutil/server.go b/testutil/server.go
index 4993f13cb..06c0fdfd2 100644
--- a/testutil/server.go
+++ b/testutil/server.go
@@ -314,7 +314,7 @@ func (s *TestServer) waitForAPI() error {
 }
 defer resp.Body.Close()
 if err := s.requireOK(resp); err != nil {
- r.Fatal("failed OK respose", err)
+ r.Fatal("failed OK response", err)
 }
 })
 if f.failed {
diff --git a/tlsutil/config.go b/tlsutil/config.go
index a780d8c20..62ad91038 100644
--- a/tlsutil/config.go
+++ b/tlsutil/config.go
@@ -361,23 +361,28 @@ func ParseCiphers(cipherStr string) ([]uint16, error) {
 ciphers := strings.Split(cipherStr, ",")
 cipherMap := map[string]uint16{
- "TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA,
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
- "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
- "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
- "TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
- "TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
- "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- "TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ "TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+ "TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+ "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+ "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ "TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA,
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
 }
 for _, cipher := range ciphers {
 if v, ok := cipherMap[cipher]; ok {
diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go
index efb73a272..11e1a131f 100644
--- a/tlsutil/config_test.go
+++ b/tlsutil/config_test.go
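Review bot: Reordering the `cipherMap` literal strongest-first has no runtime effect, because Go map literal order is not observable; the order that reaches crypto/tls appears to come from the operator's comma-separated `cipherStr`, which the `for _, cipher := range ciphers` loop at the end of the hunk walks in input order (its body continues outside the hunk). A short comment above the literal would stop a later reader from assuming the map encodes a preference, e.g. `// Keys are listed strongest-first for readability only; the returned slice follows the order given in cipherStr.` Separately, `strings.Split` on `","` leaves surrounding whitespace in place, so a value like `"A, B"` would miss the map on the second entry; that is pre-existing, but a `strings.TrimSpace(cipher)` before the lookup would make the parser more forgiving while the map is being touched.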
@@ -513,32 +513,52 @@ func TestConfig_IncomingTLS_TLSMinVersion(t *testing.T) {
 func TestConfig_ParseCiphers(t *testing.T) {
 testOk := strings.Join([]string{
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
 "TLS_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
 "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
 }, ",")
 ciphers := []uint16{
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+ tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ tls.TLS_RSA_WITH_RC4_128_SHA,
+ tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+ tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
 }
 v, err := ParseCiphers(testOk)
 if err != nil {
diff --git a/ui/javascripts/app/models.js b/ui/javascripts/app/models.js
index 3cabf0ba8..e8521b9b3 100644
--- a/ui/javascripts/app/models.js
+++ b/ui/javascripts/app/models.js
@@ -120,7 +120,7 @@ App.Node = Ember.Object.extend({
 // A key/value object
 //
 App.Key = Ember.Object.extend(Ember.Validations.Mixin, {
- // Validates using the Ember.Valdiations library
+ // Validates using the Ember.Validations library
 validations: {
 Key: { presence: true }
 },
@@ -254,7 +254,7 @@ App.Key = Ember.Object.extend(Ember.Validations.Mixin, {
 var parts = this.get('keyParts').toArray();
 // Remove the last item, essentially going up a level
- // in hiearchy
+ // in hierarchy
 parts.pop();
 return parts.join("/") + "/";
diff --git a/ui/javascripts/app/routes.js b/ui/javascripts/app/routes.js
index 74a9ac377..72dbddca2 100644
--- a/ui/javascripts/app/routes.js
+++ b/ui/javascripts/app/routes.js
@@ -90,7 +90,7 @@ App.DcRoute = App.BaseRoute.extend({
 model: function(params) {
 var token = App.get('settings.token');
- // Return a promise hash to retreieve the
+ // Return a promise hash to retrieve the
 // dcs and nodes used in the header
 return Ember.RSVP.hash({
 dc: params.dc,
diff --git a/ui/javascripts/fixtures.js b/ui/javascripts/fixtures.js
index 04aac6cd4..3c3f1b87e 100644
--- a/ui/javascripts/fixtures.js
+++ b/ui/javascripts/fixtures.js
@@ -124,7 +124,7 @@ fixtures.services_full = {
 "Notes": "",
 "Output": "200 ok",
 "Status": "passing",
- "Name": "Foo Heathly",
+ "Name": "Foo Healthy",
 "CheckID": "fooHealth",
 "Node": "node-10-0-1-102"
 }
diff --git a/website/source/api/health.html.md b/website/source/api/health.html.md
index 6f1639bb5..58384d4e7 100644
--- a/website/source/api/health.html.md
+++ b/website/source/api/health.html.md
@@ -265,7 +265,7 @@ The table below shows this endpoint's support for
 ### Parameters
-- `state` `(string: )` - Specifies the state to query. Spported states
+- `state` `(string: )` - Specifies the state to query. Supported states
 are `any`, `passing`, `warning`, or `critical`. The `any` state is a wildcard that can be used to return all checks.
diff --git a/website/source/api/operator/area.html.md b/website/source/api/operator/area.html.md
index de9f77ec6..2678d068e 100644
--- a/website/source/api/operator/area.html.md
+++ b/website/source/api/operator/area.html.md
@@ -52,7 +52,7 @@ The table below shows this endpoint's support for
 the datacenter of the agent being queried. This is specified as a URL query parameter.
-- `PeerDatacenter` `(string: )` - Specifes the name of the Consul
+- `PeerDatacenter` `(string: )` - Specifies the name of the Consul
 datacenter that will be joined the Consul servers in the current datacenter to form the area. Only one area is allowed for each possible `PeerDatacenter`, and a datacenter cannot form an area with itself.
@@ -285,7 +285,7 @@ The table below shows this endpoint's support for
 the datacenter of the agent being queried. This is specified as a URL query parameter.
-### Sample Palyoad
+### Sample Payload
 ```json
 ["10.1.2.3", "10.1.2.4", "10.1.2.5"]
diff --git a/website/source/api/operator/autopilot.html.md b/website/source/api/operator/autopilot.html.md
index fc623ef8d..e0d64ce37 100644
--- a/website/source/api/operator/autopilot.html.md
+++ b/website/source/api/operator/autopilot.html.md
@@ -84,7 +84,7 @@ The table below shows this endpoint's support for
| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ---------------- |
-| `NO` | `none` | `opreator:write` |
+| `NO` | `none` | `operator:write` |
### Parameters
@@ -156,7 +156,7 @@ The table below shows this endpoint's support for
| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | --------------- |
-| `NO` | `none` | `opreator:read` |
+| `NO` | `none` | `operator:read` |
### Parameters
diff --git a/website/source/api/operator/raft.html.md b/website/source/api/operator/raft.html.md
index 5ac180074..eb795ef89 100644
--- a/website/source/api/operator/raft.html.md
+++ b/website/source/api/operator/raft.html.md
@@ -41,7 +41,7 @@ The table below shows this endpoint's support for
- `stale` `(bool: false)` - If the cluster does not currently have a leader an error will be returned. You can use the `?stale` query parameter to read the Raft configuration from any of the Consul servers. Not setting this will choose
- the default consistency mode which will forward the reqest to the leader for
+ the default consistency mode which will forward the request to the leader for
processing but not re-confirm the server is still the leader before returning results. See [default consistency](/api/index.html#default) for more details.
diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
index b503d1886..cad9dd253 100644
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@@ -555,7 +555,7 @@ will exit with an error at startup.
- Metadata keys must contain only alphanumeric, `-`, and `_` characters.
- Metadata keys must not begin with the `consul-` prefix; that is reserved for internal use by Consul.
- Metadata values must be between 0 and 512 (inclusive) characters in length.
- - Metadata values for keys begining with `rfc1035-` are encoded verbatim in DNS TXT requests, otherwise
+ - Metadata values for keys beginning with `rfc1035-` are encoded verbatim in DNS TXT requests, otherwise
the metadata kv-pair is encoded according [RFC1464](https://www.ietf.org/rfc/rfc1464.txt).
* `-pid-file` - This flag provides the file
@@ -1108,7 +1108,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
performance. By default, Consul will use a lower-performance timing that's suitable
- for [minimal Consul servers](/docs/guides/performance.html#minumum), currently equivalent
+ for [minimal Consul servers](/docs/guides/performance.html#minimum), currently equivalent
to setting this to a value of 5 (this default may be changed in future versions of Consul, depending if the target minimum server profile changes). Setting this to a value of 1 will configure Raft to its highest-performance mode, equivalent to the default timing of Consul
@@ -1259,7 +1259,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
The Check ID (not **check bundle**) from a previously created HTTPTRAP check. The numeric portion of the `check._cid` field in the Check API object.
* `circonus_check_force_metric_activation`
- Force activation of metrics which already exist and are not currently active. If check management is enabled, the default behavior is to add new metrics as they are encoutered. If the metric already exists in the check, it will **not** be activated. This setting overrides that behavior. By default, this is set to false.
+ Force activation of metrics which already exist and are not currently active. If check management is enabled, the default behavior is to add new metrics as they are encountered. If the metric already exists in the check, it will **not** be activated. This setting overrides that behavior. By default, this is set to false.
* `circonus_check_instance_id` Uniquely identifies the metrics coming from this *instance*. It can be used to maintain metric continuity with transient or ephemeral instances as they move around within an infrastructure. By default, this is set to hostname:application name (e.g. "host123:consul").
@@ -1341,7 +1341,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
* `tls_cipher_suites` Added in Consul 0.8.2, this specifies the list of supported ciphersuites as a comma-separated-list. The list of all
- available ciphersuites is available in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go).
+ supported ciphersuites is available in the [source code](https://github.com/hashicorp/consul/blob/master/tlsutil/config.go#L363).
* `tls_prefer_server_cipher_suites` Added in Consul 0.8.2, this will cause Consul to prefer the
diff --git a/website/source/docs/commands/operator.html.markdown.erb b/website/source/docs/commands/operator.html.markdown.erb
index e89e24e9e..4a67c7275 100644
--- a/website/source/docs/commands/operator.html.markdown.erb
+++ b/website/source/docs/commands/operator.html.markdown.erb
@@ -22,7 +22,7 @@ if required, so this can be run from any Consul node in a cluster. See the
[ACL Guide](/docs/guides/acl.html#operator) for more information. See the [Outage Recovery](/docs/guides/outage.html) guide for some examples of how
-this command is used. For an API to perform these operations programatically,
+this command is used. For an API to perform these operations programmatically,
please see the documentation for the [Operator](/api/operator.html) endpoint.
diff --git a/website/source/docs/guides/acl.html.md b/website/source/docs/guides/acl.html.md
index 082325ab9..a78f60b55 100644
--- a/website/source/docs/guides/acl.html.md
+++ b/website/source/docs/guides/acl.html.md
@@ -482,6 +482,28 @@ default. If using [`acl_token`](/docs/agent/options.html#acl_token), then it's
likely the anonymous token will have a more restrictive policy than shown in the examples here.
+#### Create Tokens for UI Use (Optional)
+
+If you utilize the Consul UI with a restrictive ACL policy, as above, the UI will
+not function fully using the anonymous ACL token. It is recommended
+that a UI-specific ACL token is used, which can be set in the UI during the
+web browser session to authenticate the interface.
+
+```text
+$ curl \
+ --request PUT \
+ --header "X-Consul-Token: b1gs33cr3t" \
+ --data \
+'{
+ "Name": "UI Token",
+ "Type": "client",
+ "Rules": "key \"\" { policy = \"write\" } node \"\" { policy = \"read\" } service \"\" { policy = \"read\" }"
+}' http://127.0.0.1:8500/v1/acl/create
+{"ID":"d0a9f330-2f9d-0a8c-d2af-1e9ceda354e6"}
+```
+
+The token can then be set on the "settings" page of the UI.
+
#### Next Steps
The examples above configure a basic ACL environment with the ability to see all nodes
diff --git a/website/source/docs/guides/bootstrapping.html.md b/website/source/docs/guides/bootstrapping.html.md
index 6f98a8ca2..7bf0bc32f 100644
--- a/website/source/docs/guides/bootstrapping.html.md
+++ b/website/source/docs/guides/bootstrapping.html.md
@@ -52,7 +52,7 @@ To trigger leader election, we must join these machines together and create a cl
Choose the method which best suits your environment and specific use case.
~> **Notice:** The hosted version of Consul Enterprise was deprecated on
- March 7th, 2017 and the Atlas `auto-join` feature is no longer available. For details, see https://atlas.hashicorp.com/help/consul/alternatives.
+ March 7th, 2017 and the Atlas `auto-join` feature is no longer available.
### Manually Creating a Cluster
diff --git a/website/source/docs/upgrade-specific.html.md b/website/source/docs/upgrade-specific.html.md
index 6f8341f8f..06f2126ab 100644
--- a/website/source/docs/upgrade-specific.html.md
+++ b/website/source/docs/upgrade-specific.html.md
@@ -30,7 +30,7 @@ Consul 1.0 has several important breaking changes that are documented here. Plea
The [`-raft-protocol`](/docs/agent/options.html#_raft_protocol) default has been changed from 2 to 3, enabling all [Autopilot](/docs/guides/autopilot.html) features by default.
-Raft protocol version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the lastest Raft protocol. See [Manual Recovery Using peers.json](/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format.
+Raft protocol version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the latest Raft protocol. See [Manual Recovery Using peers.json](/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format.
Please note that the Raft protocol is different from Consul's internal protocol as described on the [Protocol Compatibility Promise](/docs/compatibility.html) page, and as is shown in commands like `consul members` and `consul version`. To see the version of the Raft protocol in use on each server, use the `consul operator raft list-peers` command.
@@ -299,7 +299,7 @@ configuration:
Consul also 0.7 introduced support for tuning Raft performance using a new [performance configuration block](/docs/agent/options.html#performance). Also, the default Raft timing is set to a lower-performance mode suitable for
-[minimal Consul servers](/docs/guides/performance.html#minumum).
+[minimal Consul servers](/docs/guides/performance.html#minimum).
To continue to use the high-performance settings that were the default prior to Consul 0.7 (recommended for production servers), add the following configuration