From 4e0d2291913d312e607626673c32157b55ee19c1 Mon Sep 17 00:00:00 2001 From: Sergei Ryabkov Date: Fri, 2 Mar 2018 18:22:19 -0500 Subject: [PATCH 01/12] Highlighting the dead link I am proposing to remove a dead link (https://atlas.hashicorp.com/help/consul/alternatives). If the page has moved and the new location is known, it would be of course better to update the link. --- website/source/docs/guides/bootstrapping.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/guides/bootstrapping.html.md b/website/source/docs/guides/bootstrapping.html.md index 6f98a8ca2..7bf0bc32f 100644 --- a/website/source/docs/guides/bootstrapping.html.md +++ b/website/source/docs/guides/bootstrapping.html.md @@ -52,7 +52,7 @@ To trigger leader election, we must join these machines together and create a cl Choose the method which best suits your environment and specific use case. ~> **Notice:** The hosted version of Consul Enterprise was deprecated on - March 7th, 2017 and the Atlas `auto-join` feature is no longer available. For details, see https://atlas.hashicorp.com/help/consul/alternatives. + March 7th, 2017 and the Atlas `auto-join` feature is no longer available. ### Manually Creating a Cluster From 089ceff264aa8be9801f9deafffba300e0da71cd Mon Sep 17 00:00:00 2001 
From: Devin Canterberry Date: Tue, 13 Mar 2018 09:25:03 -0700 Subject: [PATCH 02/12] =?UTF-8?q?=F0=9F=93=9D=20Clarify=20the=20list=20of?= =?UTF-8?q?=20supported=20TLS=20cipher=20suites?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, the documentation linked to Golang's source code, which can drift from the list of cipher suites supported by Consul. Consul has a hard-coded mapping of string values to Golang cipher suites, so this is a more direct source of truth to help users understand which string values are accepted in the `tls_cipher_suites` configuration value. --- website/source/docs/agent/options.html.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index b503d1886..931b0a805 100644 --- a/website/source/docs/agent/options.html.md +++ b/website/source/docs/agent/options.html.md @@ -1341,7 +1341,8 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass * `tls_cipher_suites` Added in Consul 0.8.2, this specifies the list of supported ciphersuites as a comma-separated-list. The list of all - available ciphersuites is available in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). + supported ciphersuites is available in the [`tlsutil.ParseCiphers` source as the keys of the `cipherMap` + map](https://github.com/hashicorp/consul/blob/6378d607fd887327cfd1aadccf1ccb683da745b6/tlsutil/config.go#L363). * `tls_prefer_server_cipher_suites` Added in Consul 0.8.2, this will cause Consul to prefer the From 9a911bba0c91568044d77f01ad2381b034f26842 Mon Sep 17 00:00:00 2001 From: Jack Pearkes Date: Wed, 14 Mar 2018 16:46:04 -0700 Subject: [PATCH 03/12] website: add section on securing the UI with ACLs Figured it would be worth documenting due to #3931. --- website/source/docs/guides/acl.html.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) 
diff --git a/website/source/docs/guides/acl.html.md b/website/source/docs/guides/acl.html.md index 082325ab9..0318888bd 100644 --- a/website/source/docs/guides/acl.html.md +++ b/website/source/docs/guides/acl.html.md @@ -482,6 +482,26 @@ default. If using [`acl_token`](/docs/agent/options.html#acl_token), then it's likely the anonymous token will have a more restrictive policy than shown in the examples here. +#### Create Tokens for UI Use (Optional) + +If you utilize the Consul UI with a restrictive ACL policy, as above, the UI will +not function fully using the anonymous ACL token. It is recommended +that a UI-specific ACL token is used, which can be set in the UI during the +web browser session to authenticate the interface. + +```text +$ curl \ + --request PUT \ + --header "X-Consul-Token: b1gs33cr3t" \ + --data \ +'{ + "Name": "UI Token", + "Type": "client", + "Rules": "key \"\" { policy = \"write\" } node \"\" { policy = \"read\" } service \"\" { policy = \"read\" }" +}' http://127.0.0.1:8500/v1/acl/create +{"ID":"d0a9f330-2f9d-0a8c-d2af-1e9ceda354e6"} +``` + #### Next Steps The examples above configure a basic ACL environment with the ability to see all nodes From da7f8ab59d9a135353f07c0ba26dae3ded715e43 Mon Sep 17 00:00:00 2001 From: Jack Pearkes Date: Wed, 14 Mar 2018 16:50:04 -0700 Subject: [PATCH 04/12] website: clarify where ACL token is set in the UI --- website/source/docs/guides/acl.html.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/source/docs/guides/acl.html.md b/website/source/docs/guides/acl.html.md index 0318888bd..a78f60b55 100644 --- a/website/source/docs/guides/acl.html.md +++ b/website/source/docs/guides/acl.html.md @@ -502,6 +502,8 @@ $ curl \ {"ID":"d0a9f330-2f9d-0a8c-d2af-1e9ceda354e6"} ``` +The token can then be set on the "settings" page of the UI. + #### Next Steps The examples above configure a basic ACL environment with the ability to see all nodes 
From ece32fce537a76bf2f21af1609240de22c5120bd Mon Sep 17 00:00:00 2001 From: Devin Canterberry Date: Tue, 13 Mar 2018 09:50:41 -0700 Subject: [PATCH 05/12] =?UTF-8?q?=F0=9F=94=92=20Update=20supported=20TLS?= =?UTF-8?q?=20cipher=20suites?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/) --- agent/config/runtime.go | 31 ++++++++++++--------- agent/config/runtime_test.go | 2 +- tlsutil/config.go | 31 ++++++++++++--------- tlsutil/config_test.go | 52 +++++++++++++++++++++++++----------- 4 files changed, 73 insertions(+), 43 deletions(-) diff --git a/agent/config/runtime.go b/agent/config/runtime.go index fd8e012e0..d7bafe57e 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go 
@@ -1107,23 +1107,28 @@ type RuntimeConfig struct { // // The values should be a list of the following values: // - // TLS_RSA_WITH_RC4_128_SHA - // TLS_RSA_WITH_3DES_EDE_CBC_SHA - // TLS_RSA_WITH_AES_128_CBC_SHA - // TLS_RSA_WITH_AES_256_CBC_SHA - // TLS_RSA_WITH_AES_128_GCM_SHA256 - // TLS_RSA_WITH_AES_256_GCM_SHA384 - // TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - // TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - // TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - // TLS_ECDHE_RSA_WITH_RC4_128_SHA - // TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - // TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - // TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 // TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 // TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + // TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + // TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + // TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + // TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + // TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + // TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + // TLS_RSA_WITH_AES_128_GCM_SHA256 + // TLS_RSA_WITH_AES_256_GCM_SHA384 + // TLS_RSA_WITH_AES_128_CBC_SHA256 + // TLS_RSA_WITH_AES_128_CBC_SHA + // TLS_RSA_WITH_AES_256_CBC_SHA + // TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + // TLS_RSA_WITH_3DES_EDE_CBC_SHA + // TLS_RSA_WITH_RC4_128_SHA + // TLS_ECDHE_RSA_WITH_RC4_128_SHA + // TLS_ECDHE_ECDSA_WITH_RC4_128_SHA // // todo(fs): IMHO, we should also support the raw 0xNNNN values from // todo(fs): https://golang.org/pkg/crypto/tls/#pkg-constants diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 4e1cd6d4a..9c5ac4033 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go 
@@ -2581,7 +2581,7 @@ func TestFullConfig(t *testing.T) { "statsd_address": "drce87cy", "statsite_address": "HpFwKB8R" }, - "tls_cipher_suites": "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA", + "tls_cipher_suites": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "tls_min_version": "pAOWafkR", "tls_prefer_server_cipher_suites": true, "translate_wan_addrs": true, diff --git a/tlsutil/config.go b/tlsutil/config.go index a780d8c20..73b8fa362 100644 --- a/tlsutil/config.go +++ b/tlsutil/config.go 
@@ -361,23 +361,28 @@ func ParseCiphers(cipherStr string) ([]uint16, error) { ciphers := strings.Split(cipherStr, ",") cipherMap := map[string]uint16{ - "TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA, - "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, - "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA, - "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, - "TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256, - "TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384, - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - "TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + 
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + "TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + "TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + "TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256, + "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA, + "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, + "TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA, + "TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA } for _, cipher := range ciphers { if v, ok := cipherMap[cipher]; ok { diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go index efb73a272..ab4a85046 100644 --- a/tlsutil/config_test.go +++ b/tlsutil/config_test.go 
@@ -513,32 +513,52 @@ func TestConfig_IncomingTLS_TLSMinVersion(t *testing.T) { func TestConfig_ParseCiphers(t *testing.T) { testOk := strings.Join([]string{ - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_RSA_WITH_RC4_128_SHA", + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" }, ",") ciphers := []uint16{ - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_RSA_WITH_AES_128_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + 
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_128_GCM_SHA256, - tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_RSA_WITH_AES_128_CBC_SHA256, + tls.TLS_RSA_WITH_AES_128_CBC_SHA, + tls.TLS_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, + tls.TLS_RSA_WITH_RC4_128_SHA, + tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, + tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA } v, err := ParseCiphers(testOk) if err != nil { From 881d20c6064930c1932a03c6c1a4a0f3d588c7c4 Mon Sep 17 00:00:00 2001 From: Devin Canterberry Date: Tue, 13 Mar 2018 10:30:18 -0700 Subject: [PATCH 06/12] =?UTF-8?q?=F0=9F=90=9B=20Formatting=20changes=20onl?= =?UTF-8?q?y;=20add=20missing=20trailing=20commas?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- agent/consul/server_test.go | 4 ++-- tlsutil/config.go | 2 +- tlsutil/config_test.go | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go index 3a02308df..d681d85cf 100644 --- a/agent/consul/server_test.go +++ b/agent/consul/server_test.go @@ -767,10 +767,10 @@ func TestServer_RevokeLeadershipIdempotent(t *testing.T) { dir1, s1 := testServer(t) defer os.RemoveAll(dir1) defer s1.Shutdown() - + testrpc.WaitForLeader(t, s1.RPC, "dc1") - err:= s1.revokeLeadership() + err := s1.revokeLeadership() if err != nil { t.Fatal(err) } diff --git a/tlsutil/config.go b/tlsutil/config.go index 73b8fa362..62ad91038 100644 --- a/tlsutil/config.go +++ b/tlsutil/config.go 
@@ -382,7 +382,7 @@ func ParseCiphers(cipherStr string) ([]uint16, error) { "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, } for _, cipher := range ciphers { if v, ok := cipherMap[cipher]; ok { diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go index ab4a85046..11e1a131f 100644 --- a/tlsutil/config_test.go +++ b/tlsutil/config_test.go @@ -534,7 +534,7 @@ func TestConfig_ParseCiphers(t *testing.T) { "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", }, ",") ciphers := []uint16{ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, @@ -558,7 +558,7 @@ func TestConfig_ParseCiphers(t *testing.T) { tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, - tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, } v, err := ParseCiphers(testOk) if err != nil { From 2001b9f35f9a2cfd5581c80f9b62deaed3528e9f Mon Sep 17 00:00:00 2001 From: Devin Canterberry Date: Thu, 15 Mar 2018 09:37:32 -0700 Subject: [PATCH 07/12] =?UTF-8?q?=E2=9C=85=20Match=20expectation=20of=20TL?= =?UTF-8?q?SCipherSuites=20to=20values=20of=20tls=5Fcipher=5Fsuites?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- agent/config/runtime_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 9c5ac4033..a3b2e4451 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go 
@@ -3017,7 +3017,7 @@ func TestFullConfig(t *testing.T) { statsd_address = "drce87cy" statsite_address = "HpFwKB8R" } - tls_cipher_suites = "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA" + tls_cipher_suites = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" tls_min_version = "pAOWafkR" tls_prefer_server_cipher_suites = true translate_wan_addrs = true @@ -3575,7 +3575,7 @@ func TestFullConfig(t *testing.T) { TelemetryMetricsPrefix: "ftO6DySn", TelemetryStatsdAddr: "drce87cy", TelemetryStatsiteAddr: "HpFwKB8R", - TLSCipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}, + TLSCipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}, TLSMinVersion: "pAOWafkR", TLSPreferServerCipherSuites: true, TaggedAddresses: map[string]string{ From bd11f567c4670795550b01805c8de73a955bb233 Mon Sep 17 00:00:00 2001 From: Devin Canterberry Date: Thu, 15 Mar 2018 10:25:27 -0700 Subject: [PATCH 08/12] =?UTF-8?q?=F0=9F=93=9D=20Prefer=20brevity=20at=20th?= =?UTF-8?q?e=20cost=20of=20some=20ambiguity?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- website/source/docs/agent/options.html.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index 931b0a805..d8241ea8d 100644 --- a/website/source/docs/agent/options.html.md +++ b/website/source/docs/agent/options.html.md 
@@ -1341,8 +1341,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass * `tls_cipher_suites` Added in Consul 0.8.2, this specifies the list of supported ciphersuites as a comma-separated-list. The list of all - supported ciphersuites is available in the [`tlsutil.ParseCiphers` source as the keys of the `cipherMap` - map](https://github.com/hashicorp/consul/blob/6378d607fd887327cfd1aadccf1ccb683da745b6/tlsutil/config.go#L363). + supported ciphersuites is available in the [source code](https://github.com/hashicorp/consul/blob/6378d607fd887327cfd1aadccf1ccb683da745b6/tlsutil/config.go#L363). * `tls_prefer_server_cipher_suites` Added in Consul 0.8.2, this will cause Consul to prefer the From 8a5df6ecc3da1f272ae7c46dfd5d5c30e83b685e Mon Sep 17 00:00:00 2001 From: Devin Canterberry Date: Thu, 15 Mar 2018 10:30:38 -0700 Subject: [PATCH 09/12] =?UTF-8?q?=F0=9F=8E=A8=20Formatting=20changes=20onl?= =?UTF-8?q?y;=20convert=20leading=20space=20to=20tabs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- agent/config/runtime_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index a3b2e4451..dc48be8f9 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -3017,7 +3017,7 @@ func TestFullConfig(t *testing.T) { statsd_address = "drce87cy" statsite_address = "HpFwKB8R" } - tls_cipher_suites = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + tls_cipher_suites = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" tls_min_version = "pAOWafkR" tls_prefer_server_cipher_suites = true translate_wan_addrs = true From b86de4c2e3ff5dfc1e98b826851314e95386419f Mon Sep 17 00:00:00 2001 
From: Paul Banks Date: Mon, 19 Mar 2018 16:50:52 +0000 Subject: [PATCH 10/12] Use master --- website/source/docs/agent/options.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index d8241ea8d..16150ae5e 100644 --- a/website/source/docs/agent/options.html.md +++ b/website/source/docs/agent/options.html.md @@ -1341,7 +1341,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass * `tls_cipher_suites` Added in Consul 0.8.2, this specifies the list of supported ciphersuites as a comma-separated-list. The list of all - supported ciphersuites is available in the [source code](https://github.com/hashicorp/consul/blob/6378d607fd887327cfd1aadccf1ccb683da745b6/tlsutil/config.go#L363). + supported ciphersuites is available in the [source code](https://github.com/hashicorp/consul/blob/master/tlsutil/config.go#L363). * `tls_prefer_server_cipher_suites` Added in Consul 0.8.2, this will cause Consul to prefer the From 1dd8c378b91f25fa5a8baa4811d58ad364912083 Mon Sep 17 00:00:00 2001 
From: Josh Soref Date: Mon, 19 Mar 2018 12:56:00 -0400 Subject: [PATCH 11/12] Spelling (#3958) * spelling: another * spelling: autopilot * spelling: beginning * spelling: circonus * spelling: default * spelling: definition * spelling: distance * spelling: encountered * spelling: enterprise * spelling: expands * spelling: exits * spelling: formatting * spelling: health * spelling: hierarchy * spelling: imposed * spelling: independence * spelling: inspect * spelling: last * spelling: latest * spelling: client * spelling: message * spelling: minimum * spelling: notify * spelling: nonexistent * spelling: operator * spelling: payload * spelling: preceded * spelling: prepared * spelling: programmatically * spelling: required * spelling: reconcile * spelling: responses * spelling: request * spelling: response * spelling: results * spelling: retrieve * spelling: service * spelling: significantly * spelling: specifies * spelling: supported * spelling: synchronization * spelling: synchronous * spelling: themselves * spelling: unexpected * spelling: validations * spelling: value --- INTERNALS.md | 2 +- acl/acl.go | 2 +- acl/errors.go | 2 +- agent/ae/ae.go | 2 +- agent/agent.go | 4 ++-- agent/agent_endpoint.go | 2 +- agent/agent_endpoint_test.go | 2 +- agent/config/builder.go | 2 +- agent/config/runtime.go | 8 ++++---- agent/config/runtime_test.go | 2 +- agent/consul/acl_replication.go | 2 +- agent/consul/catalog_endpoint.go | 2 +- agent/consul/leader_test.go | 2 +- agent/consul/server_test.go | 2 +- agent/consul/state/catalog_test.go | 4 ++-- agent/consul/state/delay.go | 2 +- agent/coordinate_endpoint_test.go | 4 ++-- agent/dns_test.go | 2 +- agent/local/state.go | 2 +- agent/router/router.go | 4 ++-- agent/testagent.go | 4 ++-- agent/user_event.go | 2 +- api/acl.go | 2 +- api/api.go | 2 +- api/prepared_query.go | 2 +- command/kv/put/kv_put.go | 2 +- command/monitor/monitor_test.go | 2 +- command/snapshot/inspect/snapshot_inspect_test.go | 2 +- 
terraform/digitalocean/variables.tf | 2 +- testutil/server.go | 2 +- ui/javascripts/app/models.js | 4 ++-- ui/javascripts/app/routes.js | 2 +- ui/javascripts/fixtures.js | 2 +- website/source/api/health.html.md | 2 +- website/source/api/operator/area.html.md | 4 ++-- website/source/api/operator/autopilot.html.md | 4 ++-- website/source/api/operator/raft.html.md | 2 +- website/source/docs/agent/options.html.md | 6 +++--- website/source/docs/commands/operator.html.markdown.erb | 2 +- website/source/docs/upgrade-specific.html.md | 4 ++-- 40 files changed, 54 insertions(+), 54 deletions(-) diff --git a/INTERNALS.md b/INTERNALS.md index 8c67895a0..02eaeaa82 100644 --- a/INTERNALS.md +++ b/INTERNALS.md 
@@ -38,7 +38,7 @@ The components in this section are only used by Consul servers. | --------- | -------- | | [agent/consul](https://github.com/hashicorp/consul/tree/master/agent/consul) | This is where the Consul server object is defined, and the top-level `consul` package has all of the functionality that's used by server agents. This includes things like the internal RPC endpoints. | | [agent/consul/fsm](https://github.com/hashicorp/consul/tree/master/agent/consul/fsm), [agent/consul/state](https://github.com/hashicorp/consul/tree/master/agent/consul/state) | These components make up Consul's finite state machine (updated by the Raft consensus algorithm) and backed by the state store (based on immutable radix trees). All updates of Consul's consistent state is handled by the finite state machine, and all read queries to the Consul servers are serviced by the state store's data structures. | -| [agent/consul/autopulot](https://github.com/hashicorp/consul/tree/master/agent/consul/autopilot) | This contains a package of functions that provide Consul's [Autopilot](https://www.consul.io/docs/guides/autopilot.html) features. | +| [agent/consul/autopilot](https://github.com/hashicorp/consul/tree/master/agent/consul/autopilot) | This contains a package of functions that provide Consul's [Autopilot](https://www.consul.io/docs/guides/autopilot.html) features. | ### Other Components diff --git a/acl/acl.go b/acl/acl.go index 1b3a3ba10..73bcc4fc3 100644 --- a/acl/acl.go +++ b/acl/acl.go @@ -96,7 +96,7 @@ type ACL interface { // functions can be used. OperatorWrite() bool - // PrepardQueryRead determines if a specific prepared query can be read + // PreparedQueryRead determines if a specific prepared query can be read // to show its contents (this is not used for execution). PreparedQueryRead(string) bool diff --git a/acl/errors.go b/acl/errors.go index f30004baf..e77afb45c 100644 --- a/acl/errors.go +++ b/acl/errors.go 
@@ -37,7 +37,7 @@ func IsErrNotFound(err error) bool { return err != nil && strings.Contains(err.Error(), errNotFound) } -// IsErrRootDenied checks if the given error messge is comparable to +// IsErrRootDenied checks if the given error message is comparable to // ErrRootDenied. func IsErrRootDenied(err error) bool { return err != nil && strings.Contains(err.Error(), errRootDenied) diff --git a/agent/ae/ae.go b/agent/ae/ae.go index d177ee776..b150001b6 100644 --- a/agent/ae/ae.go +++ b/agent/ae/ae.go @@ -47,7 +47,7 @@ type SyncState interface { // The state is synchronized on a regular basis or on demand when either // the state has changed or a new Consul server has joined the cluster. // -// The regular state sychronization provides a self-healing mechanism +// The regular state synchronization provides a self-healing mechanism // for the cluster which is also called anti-entropy. type StateSyncer struct { // State contains the data that needs to be synchronized. diff --git a/agent/agent.go b/agent/agent.go index b8cf9178a..2d9a6b6d3 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -1204,7 +1204,7 @@ func (a *Agent) ShutdownAgent() error { } // ShutdownEndpoints terminates the HTTP and DNS servers. Should be -// preceeded by ShutdownAgent. +// preceded by ShutdownAgent. func (a *Agent) ShutdownEndpoints() { a.shutdownLock.Lock() defer a.shutdownLock.Unlock() @@ -1400,7 +1400,7 @@ func (a *Agent) reapServicesInternal() { } // See if there's a timeout. - // todo(fs): this looks fishy... why is there anoter data structure in the agent with its own lock? + // todo(fs): this looks fishy... why is there another data structure in the agent with its own lock? a.checkLock.Lock() timeout := a.checkReapAfter[checkID] a.checkLock.Unlock() diff --git a/agent/agent_endpoint.go b/agent/agent_endpoint.go index 20388a38e..86fb47ee7 100644 --- a/agent/agent_endpoint.go +++ b/agent/agent_endpoint.go 
@@ -506,7 +506,7 @@ func (s *HTTPServer) AgentRegisterService(resp http.ResponseWriter, req *http.Re } // Check the service address here and in the catalog RPC endpoint - // since service registration isn't sychronous. + // since service registration isn't synchronous. if ipaddr.IsAny(args.Address) { resp.WriteHeader(http.StatusBadRequest) fmt.Fprintf(resp, "Invalid service address") diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go index 427154f9e..940304b54 100644 --- a/agent/agent_endpoint_test.go +++ b/agent/agent_endpoint_test.go @@ -1228,7 +1228,7 @@ func TestAgent_RegisterService(t *testing.T) { t.Fatalf("bad: %v", obj) } - // Ensure the servie + // Ensure the service if _, ok := a.State.Services()["test"]; !ok { t.Fatalf("missing test service") } diff --git a/agent/config/builder.go b/agent/config/builder.go index bb4ceb952..efcffde89 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -1163,7 +1163,7 @@ func (b *Builder) expandFirstAddr(name string, s *string) net.Addr { return addrs[0] } -// expandFirstIP exapnds the go-sockaddr template in s and returns the +// expandFirstIP expands the go-sockaddr template in s and returns the // first address if it is not a unix socket address. If the template // expands to multiple addresses an error is set and nil is returned. func (b *Builder) expandFirstIP(name string, s *string) *net.IPAddr { diff --git a/agent/config/runtime.go b/agent/config/runtime.go index d7bafe57e..30cc1c656 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -181,7 +181,7 @@ type RuntimeConfig struct { // AutopilotUpgradeVersionTag is the node tag to use for version info when // performing upgrade migrations. If left blank, the Consul version will be used. // - // (Entrprise-only) + // (Enterprise-only) // // hcl: autopilot { upgrade_version_tag = string } AutopilotUpgradeVersionTag string 
@@ -322,7 +322,7 @@ type RuntimeConfig struct { // metric management is enabled. // Default: none // - // hcl: telemetry { circonous_api_token = string } + // hcl: telemetry { circonus_api_token = string } TelemetryCirconusAPIToken string // TelemetryCirconusAPIURL is the base URL to use for contacting the Circonus API. @@ -359,7 +359,7 @@ type RuntimeConfig struct { // TelemetryCirconusCheckForceMetricActivation will force enabling metrics, as they are encountered, // if the metric already exists and is NOT active. If check management is enabled, the default - // behavior is to add new metrics as they are encoutered. If the metric already exists in the + // behavior is to add new metrics as they are encountered. If the metric already exists in the // check, it will *NOT* be activated. This setting overrides that behavior. // Default: "false" // @@ -1060,7 +1060,7 @@ type RuntimeConfig struct { // name = string // tags = []string // address = string - // check = { check definiton } + // check = { check definition } // checks = [ { check definition}, ... ] // token = string // enable_tag_override = (true|false) diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index dc48be8f9..2f58b9781 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -3703,7 +3703,7 @@ func nonZero(name string, uniq map[interface{}]string, v interface{}) error { isUnique := func(v interface{}) error { if other := uniq[v]; other != "" { - return fmt.Errorf("%q and %q both use vaule %q", name, other, v) + return fmt.Errorf("%q and %q both use value %q", name, other, v) } uniq[v] = name return nil diff --git a/agent/consul/acl_replication.go b/agent/consul/acl_replication.go index 3a1579cb0..38d5f25fc 100644 --- a/agent/consul/acl_replication.go +++ b/agent/consul/acl_replication.go 
@@ -255,7 +255,7 @@ func (s *Server) IsACLReplicationEnabled() bool { // updateACLReplicationStatus safely updates the ACL replication status. func (s *Server) updateACLReplicationStatus(status structs.ACLReplicationStatus) { - // Fixup the times to shed some useless precision to ease formattting, + // Fixup the times to shed some useless precision to ease formatting, // and always report UTC. status.LastError = status.LastError.Round(time.Second).UTC() status.LastSuccess = status.LastSuccess.Round(time.Second).UTC() diff --git a/agent/consul/catalog_endpoint.go b/agent/consul/catalog_endpoint.go index 0d6fef4ee..ca92fde57 100644 --- a/agent/consul/catalog_endpoint.go +++ b/agent/consul/catalog_endpoint.go @@ -59,7 +59,7 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error } // Check the service address here and in the agent endpoint - // since service registration isn't sychronous. + // since service registration isn't synchronous. if ipaddr.IsAny(args.Service.Address) { return fmt.Errorf("Invalid service address") } diff --git a/agent/consul/leader_test.go b/agent/consul/leader_test.go index a7d2c95d1..da2092fda 100644 --- a/agent/consul/leader_test.go +++ b/agent/consul/leader_test.go @@ -441,7 +441,7 @@ func TestLeader_Reconcile_Races(t *testing.T) { }) // Add in some metadata via the catalog (as if the agent synced it - // there). We also set the serfHealth check to failing so the reconile + // there). We also set the serfHealth check to failing so the reconcile // will attempt to flip it back req := structs.RegisterRequest{ Datacenter: s1.config.Datacenter, diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go index d681d85cf..3afbb6f07 100644 --- a/agent/consul/server_test.go +++ b/agent/consul/server_test.go 
@@ -629,7 +629,7 @@ func TestServer_globalRPCErrors(t *testing.T) { t.Fatalf("should have errored") } if !strings.Contains(err.Error(), "Bad.Method") { - t.Fatalf("unexpcted error: %s", err) + t.Fatalf("unexpected error: %s", err) } } diff --git a/agent/consul/state/catalog_test.go b/agent/consul/state/catalog_test.go index b22b82fed..39cd81d60 100644 --- a/agent/consul/state/catalog_test.go +++ b/agent/consul/state/catalog_test.go @@ -2199,10 +2199,10 @@ func ensureIndexForService(t *testing.T, s *Store, ws memdb.WatchSet, serviceNam } } -// TestIndexIndependance test that changes on a given service does not impact the +// TestIndexIndependence test that changes on a given service does not impact the // index of other services. It allows to have huge benefits for watches since // watchers are notified ONLY when there are changes in the given service -func TestIndexIndependance(t *testing.T) { +func TestIndexIndependence(t *testing.T) { s := testStateStore(t) // Querying with no matches gives an empty response diff --git a/agent/consul/state/delay.go b/agent/consul/state/delay.go index 206fe4da6..1a253b641 100644 --- a/agent/consul/state/delay.go +++ b/agent/consul/state/delay.go @@ -7,7 +7,7 @@ import ( // Delay is used to mark certain locks as unacquirable. When a lock is // forcefully released (failing health check, destroyed session, etc.), it is -// subject to the LockDelay impossed by the session. This prevents another +// subject to the LockDelay imposed by the session. This prevents another // session from acquiring the lock for some period of time as a protection // against split-brains. This is inspired by the lock-delay in Chubby. Because // this relies on wall-time, we cannot assume all peers perceive time as flowing diff --git a/agent/coordinate_endpoint_test.go b/agent/coordinate_endpoint_test.go index 688d34503..b07125651 100644 --- a/agent/coordinate_endpoint_test.go +++ b/agent/coordinate_endpoint_test.go 
@@ -138,7 +138,7 @@ func TestCoordinate_Nodes(t *testing.T) { t.Fatalf("bad: %v", coordinates) } - // Filter on a nonexistant node segment + // Filter on a nonexistent node segment req, _ = http.NewRequest("GET", "/v1/coordinate/nodes?segment=nope", nil) resp = httptest.NewRecorder() obj, err = a.srv.CoordinateNodes(resp, req) @@ -245,7 +245,7 @@ func TestCoordinate_Node(t *testing.T) { t.Fatalf("bad: %v", coordinates) } - // Filter on a nonexistant node segment + // Filter on a nonexistent node segment req, _ = http.NewRequest("GET", "/v1/coordinate/node/foo?segment=nope", nil) resp = httptest.NewRecorder() obj, err = a.srv.CoordinateNode(resp, req) diff --git a/agent/dns_test.go b/agent/dns_test.go index 0f29cda10..eeb058002 100644 --- a/agent/dns_test.go +++ b/agent/dns_test.go @@ -3082,7 +3082,7 @@ func TestDNS_ServiceLookup_ARecordLimits(t *testing.T) { name string aRecordLimit int expectedAResults int - expectedAAAAResuls int + expectedAAAAResults int expectedSRVResults int numNodesTotal int udpSize uint16 diff --git a/agent/local/state.go b/agent/local/state.go index b0adcd53d..af000e3db 100644 --- a/agent/local/state.go +++ b/agent/local/state.go @@ -746,7 +746,7 @@ func (l *State) updateSyncState() error { // and synchronizes the changes. func (l *State) SyncFull() error { // note that we do not acquire the lock here since the methods - // we are calling will do that themself. + // we are calling will do that themselves. // // Also note that we don't hold the lock for the entire operation // but release it between the two calls. This is not an issue since diff --git a/agent/router/router.go b/agent/router/router.go index c41a6a79c..426ca1628 100644 --- a/agent/router/router.go +++ b/agent/router/router.go 
@@ -308,7 +308,7 @@ func (r *Router) FailServer(areaID types.AreaID, s *metadata.Server) error { // cases this may return a best-effort unhealthy server that can be used for a // connection attempt. If any problem occurs with the given server, the caller // should feed that back to the manager associated with the server, which is -// also returned, by calling NofifyFailedServer(). +// also returned, by calling NotifyFailedServer(). func (r *Router) FindRoute(datacenter string) (*Manager, *metadata.Server, bool) { return r.routeFn(datacenter) } @@ -380,7 +380,7 @@ func (n *datacenterSorter) Less(i, j int) bool { return n.Vec[i] < n.Vec[j] } -// GetDatacentersByDeistance returns a list of datacenters known to the router, +// GetDatacentersByDistance returns a list of datacenters known to the router, // sorted by median RTT from this server to the servers in each datacenter. If // there are multiple areas that reach a given datacenter, this will use the // lowest RTT for the sort. diff --git a/agent/testagent.go b/agent/testagent.go index 2ce611fb7..581143016 100644 --- a/agent/testagent.go +++ b/agent/testagent.go @@ -207,7 +207,7 @@ func (a *TestAgent) Start() *TestAgent { resp := httptest.NewRecorder() _, err := a.httpServers[0].AgentSelf(resp, req) if err != nil || resp.Code != 200 { - r.Fatal(a.Name, "failed OK respose", err) + r.Fatal(a.Name, "failed OK response", err) } } }) @@ -282,7 +282,7 @@ func (a *TestAgent) consulConfig() *consul.Config { // pickRandomPorts selects random ports from fixed size random blocks of // ports. This does not eliminate the chance for port conflict but -// reduces it significanltly with little overhead. Furthermore, asking +// reduces it significantly with little overhead. Furthermore, asking // the kernel for a random port by binding to port 0 prolongs the test // execution (in our case +20sec) while also not fully eliminating the // chance of port conflicts for concurrently executed test binaries. 
diff --git a/agent/user_event.go b/agent/user_event.go index 24d4bb03d..6087a93e4 100644 --- a/agent/user_event.go +++ b/agent/user_event.go @@ -254,7 +254,7 @@ func (a *Agent) UserEvents() []*UserEvent { return out } -// LastUserEvent is used to return the lastest user event. +// LastUserEvent is used to return the last user event. // This will return nil if there is no recent event. func (a *Agent) LastUserEvent() *UserEvent { a.eventLock.RLock() diff --git a/api/acl.go b/api/acl.go index 6ea0a752e..8ec9aa585 100644 --- a/api/acl.go +++ b/api/acl.go @@ -5,7 +5,7 @@ import ( ) const ( - // ACLCLientType is the client type token + // ACLClientType is the client type token ACLClientType = "client" // ACLManagementType is the management type token diff --git a/api/api.go b/api/api.go index c7a29f503..1cdc21e33 100644 --- a/api/api.go +++ b/api/api.go @@ -137,7 +137,7 @@ type WriteOptions struct { // which overrides the agent's default token. Token string - // RelayFactor is used in keyring operations to cause reponses to be + // RelayFactor is used in keyring operations to cause responses to be // relayed back to the sender through N other random nodes. Must be // a value from 0 to 5 (inclusive). RelayFactor uint8 diff --git a/api/prepared_query.go b/api/prepared_query.go index ff210de3f..9020b720e 100644 --- a/api/prepared_query.go +++ b/api/prepared_query.go @@ -61,7 +61,7 @@ type QueryTemplate struct { Regexp string } -// PrepatedQueryDefinition defines a complete prepared query. +// PreparedQueryDefinition defines a complete prepared query. type PreparedQueryDefinition struct { // ID is this UUID-based ID for the query, always generated by Consul. ID string diff --git a/command/kv/put/kv_put.go b/command/kv/put/kv_put.go index f057f0297..98be3c001 100644 --- a/command/kv/put/kv_put.go +++ b/command/kv/put/kv_put.go 
@@ -94,7 +94,7 @@ func (c *cmd) Run(args []string) int { } } - // Session is reauired for release or acquire + // Session is required for release or acquire if (c.release || c.acquire) && c.session == "" { c.UI.Error("Error! Missing -session (required with -acquire and -release)") return 1 diff --git a/command/monitor/monitor_test.go b/command/monitor/monitor_test.go index c1d6c8c33..5a5189a83 100644 --- a/command/monitor/monitor_test.go +++ b/command/monitor/monitor_test.go @@ -12,7 +12,7 @@ import ( "github.com/mitchellh/cli" ) -func TestMonitorCommand_exitssOnSignalBeforeLinesArrive(t *testing.T) { +func TestMonitorCommand_exitsOnSignalBeforeLinesArrive(t *testing.T) { t.Parallel() logWriter := logger.NewLogWriter(512) a := &agent.TestAgent{ diff --git a/command/snapshot/inspect/snapshot_inspect_test.go b/command/snapshot/inspect/snapshot_inspect_test.go index 8b43beffd..7bdc059f6 100644 --- a/command/snapshot/inspect/snapshot_inspect_test.go +++ b/command/snapshot/inspect/snapshot_inspect_test.go @@ -12,7 +12,7 @@ import ( "github.com/mitchellh/cli" ) -func TestSnapshotInpectCommand_noTabs(t *testing.T) { +func TestSnapshotInspectCommand_noTabs(t *testing.T) { t.Parallel() if strings.ContainsRune(New(cli.NewMockUi()).Help(), '\t') { t.Fatal("help has tabs") diff --git a/terraform/digitalocean/variables.tf b/terraform/digitalocean/variables.tf index 79bf8d782..76c2563e1 100644 --- a/terraform/digitalocean/variables.tf +++ b/terraform/digitalocean/variables.tf @@ -21,6 +21,6 @@ variable "centos" { } variable "coreos" { - description = "Defaut Coreos" + description = "Default Coreos" default = "coreos-899.17.0" } diff --git a/testutil/server.go b/testutil/server.go index 4993f13cb..06c0fdfd2 100644 --- a/testutil/server.go +++ b/testutil/server.go 
@@ -314,7 +314,7 @@ func (s *TestServer) waitForAPI() error { } defer resp.Body.Close() if err := s.requireOK(resp); err != nil { - r.Fatal("failed OK respose", err) + r.Fatal("failed OK response", err) } }) if f.failed { diff --git a/ui/javascripts/app/models.js b/ui/javascripts/app/models.js index 3cabf0ba8..e8521b9b3 100644 --- a/ui/javascripts/app/models.js +++ b/ui/javascripts/app/models.js @@ -120,7 +120,7 @@ App.Node = Ember.Object.extend({ // A key/value object // App.Key = Ember.Object.extend(Ember.Validations.Mixin, { - // Validates using the Ember.Valdiations library + // Validates using the Ember.Validations library validations: { Key: { presence: true } }, @@ -254,7 +254,7 @@ App.Key = Ember.Object.extend(Ember.Validations.Mixin, { var parts = this.get('keyParts').toArray(); // Remove the last item, essentially going up a level - // in hiearchy + // in hierarchy parts.pop(); return parts.join("/") + "/"; diff --git a/ui/javascripts/app/routes.js b/ui/javascripts/app/routes.js index 74a9ac377..72dbddca2 100644 --- a/ui/javascripts/app/routes.js +++ b/ui/javascripts/app/routes.js @@ -90,7 +90,7 @@ App.DcRoute = App.BaseRoute.extend({ model: function(params) { var token = App.get('settings.token'); - // Return a promise hash to retreieve the + // Return a promise hash to retrieve the // dcs and nodes used in the header return Ember.RSVP.hash({ dc: params.dc, diff --git a/ui/javascripts/fixtures.js b/ui/javascripts/fixtures.js index 04aac6cd4..3c3f1b87e 100644 --- a/ui/javascripts/fixtures.js +++ b/ui/javascripts/fixtures.js @@ -124,7 +124,7 @@ fixtures.services_full = { "Notes": "", "Output": "200 ok", "Status": "passing", - "Name": "Foo Heathly", + "Name": "Foo Healthy", "CheckID": "fooHealth", "Node": "node-10-0-1-102" } diff --git a/website/source/api/health.html.md b/website/source/api/health.html.md index 6f1639bb5..58384d4e7 100644 --- a/website/source/api/health.html.md +++ b/website/source/api/health.html.md 
@@ -265,7 +265,7 @@ The table below shows this endpoint's support for ### Parameters -- `state` `(string: )` - Specifies the state to query. Spported states +- `state` `(string: )` - Specifies the state to query. Supported states are `any`, `passing`, `warning`, or `critical`. The `any` state is a wildcard that can be used to return all checks. diff --git a/website/source/api/operator/area.html.md b/website/source/api/operator/area.html.md index de9f77ec6..2678d068e 100644 --- a/website/source/api/operator/area.html.md +++ b/website/source/api/operator/area.html.md @@ -52,7 +52,7 @@ The table below shows this endpoint's support for the datacenter of the agent being queried. This is specified as a URL query parameter. -- `PeerDatacenter` `(string: )` - Specifes the name of the Consul +- `PeerDatacenter` `(string: )` - Specifies the name of the Consul datacenter that will be joined the Consul servers in the current datacenter to form the area. Only one area is allowed for each possible `PeerDatacenter`, and a datacenter cannot form an area with itself. @@ -285,7 +285,7 @@ The table below shows this endpoint's support for the datacenter of the agent being queried. This is specified as a URL query parameter. -### Sample Palyoad +### Sample Payload ```json ["10.1.2.3", "10.1.2.4", "10.1.2.5"] diff --git a/website/source/api/operator/autopilot.html.md b/website/source/api/operator/autopilot.html.md index fc623ef8d..e0d64ce37 100644 --- a/website/source/api/operator/autopilot.html.md +++ b/website/source/api/operator/autopilot.html.md @@ -84,7 +84,7 @@ The table below shows this endpoint's support for | Blocking Queries | Consistency Modes | ACL Required | | ---------------- | ----------------- | ---------------- | -| `NO` | `none` | `opreator:write` | +| `NO` | `none` | `operator:write` | ### Parameters 
@@ -156,7 +156,7 @@ The table below shows this endpoint's support for | Blocking Queries | Consistency Modes | ACL Required | | ---------------- | ----------------- | --------------- | -| `NO` | `none` | `opreator:read` | +| `NO` | `none` | `operator:read` | ### Parameters diff --git a/website/source/api/operator/raft.html.md b/website/source/api/operator/raft.html.md index 5ac180074..eb795ef89 100644 --- a/website/source/api/operator/raft.html.md +++ b/website/source/api/operator/raft.html.md @@ -41,7 +41,7 @@ The table below shows this endpoint's support for - `stale` `(bool: false)` - If the cluster does not currently have a leader an error will be returned. You can use the `?stale` query parameter to read the Raft configuration from any of the Consul servers. Not setting this will choose - the default consistency mode which will forward the reqest to the leader for + the default consistency mode which will forward the request to the leader for processing but not re-confirm the server is still the leader before returning results. See [default consistency](/api/index.html#default) for more details. diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index 16150ae5e..cad9dd253 100644 --- a/website/source/docs/agent/options.html.md +++ b/website/source/docs/agent/options.html.md 
@@ -555,7 +555,7 @@ will exit with an error at startup. - Metadata keys must contain only alphanumeric, `-`, and `_` characters. - Metadata keys must not begin with the `consul-` prefix; that is reserved for internal use by Consul. - Metadata values must be between 0 and 512 (inclusive) characters in length. - - Metadata values for keys begining with `rfc1035-` are encoded verbatim in DNS TXT requests, otherwise + - Metadata values for keys beginning with `rfc1035-` are encoded verbatim in DNS TXT requests, otherwise the metadata kv-pair is encoded according [RFC1464](https://www.ietf.org/rfc/rfc1464.txt). * `-pid-file` - This flag provides the file @@ -1108,7 +1108,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass performance. By default, Consul will use a lower-performance timing that's suitable - for [minimal Consul servers](/docs/guides/performance.html#minumum), currently equivalent + for [minimal Consul servers](/docs/guides/performance.html#minimum), currently equivalent to setting this to a value of 5 (this default may be changed in future versions of Consul, depending if the target minimum server profile changes). Setting this to a value of 1 will configure Raft to its highest-performance mode, equivalent to the default timing of Consul 
@@ -1259,7 +1259,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass The Check ID (not **check bundle**) from a previously created HTTPTRAP check. The numeric portion of the `check._cid` field in the Check API object. * `circonus_check_force_metric_activation` - Force activation of metrics which already exist and are not currently active. If check management is enabled, the default behavior is to add new metrics as they are encoutered. If the metric already exists in the check, it will **not** be activated. This setting overrides that behavior. By default, this is set to false. + Force activation of metrics which already exist and are not currently active. If check management is enabled, the default behavior is to add new metrics as they are encountered. If the metric already exists in the check, it will **not** be activated. This setting overrides that behavior. By default, this is set to false. * `circonus_check_instance_id` Uniquely identifies the metrics coming from this *instance*. It can be used to maintain metric continuity with transient or ephemeral instances as they move around within an infrastructure. By default, this is set to hostname:application name (e.g. "host123:consul"). diff --git a/website/source/docs/commands/operator.html.markdown.erb b/website/source/docs/commands/operator.html.markdown.erb index e89e24e9e..4a67c7275 100644 --- a/website/source/docs/commands/operator.html.markdown.erb +++ b/website/source/docs/commands/operator.html.markdown.erb 
@@ -22,7 +22,7 @@ if required, so this can be run from any Consul node in a cluster. See the [ACL Guide](/docs/guides/acl.html#operator) for more information. See the [Outage Recovery](/docs/guides/outage.html) guide for some examples of how -this command is used. For an API to perform these operations programatically, +this command is used. For an API to perform these operations programmatically, please see the documentation for the [Operator](/api/operator.html) endpoint. diff --git a/website/source/docs/upgrade-specific.html.md b/website/source/docs/upgrade-specific.html.md index 6f8341f8f..06f2126ab 100644 --- a/website/source/docs/upgrade-specific.html.md +++ b/website/source/docs/upgrade-specific.html.md 
@@ -30,7 +30,7 @@ Consul 1.0 has several important breaking changes that are documented here. Plea The [`-raft-protocol`](/docs/agent/options.html#_raft_protocol) default has been changed from 2 to 3, enabling all [Autopilot](/docs/guides/autopilot.html) features by default. -Raft protocol version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the lastest Raft protocol. See [Manual Recovery Using peers.json](/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format. +Raft protocol version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the latest Raft protocol. See [Manual Recovery Using peers.json](/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format. Please note that the Raft protocol is different from Consul's internal protocol as described on the [Protocol Compatibility Promise](/docs/compatibility.html) page, and as is shown in commands like `consul members` and `consul version`. To see the version of the Raft protocol in use on each server, use the `consul operator raft list-peers` command. 
@@ -299,7 +299,7 @@ configuration: Consul also 0.7 introduced support for tuning Raft performance using a new [performance configuration block](/docs/agent/options.html#performance). Also, the default Raft timing is set to a lower-performance mode suitable for -[minimal Consul servers](/docs/guides/performance.html#minumum). +[minimal Consul servers](/docs/guides/performance.html#minimum). To continue to use the high-performance settings that were the default prior to Consul 0.7 (recommended for production servers), add the following configuration From d659e034fe2433335a69ac83435648cca293ef39 Mon Sep 17 00:00:00 2001 From: Paul Banks Date: Mon, 19 Mar 2018 21:51:14 +0000 Subject: [PATCH 12/12] Note TLS cipher suite support changes --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e328ef533..5bcc704bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ IMPROVEMENTS: * agent: Blocking queries on service-specific health and catalog endpoints now return a per-service `X-Consul-Index` improving watch performance on very busy clusters. [[GH-3890](https://github.com/hashicorp/consul/issues/3890)]. **Note this may break blocking clients that relied on undocumented implementation details** as noted in the [upgrade docs](https://github.com/hashicorp/consul/blob/master/website/source/docs/upgrading.html.md#upgrade-from-version-106-to-higher). * agent: All endpoints now respond to OPTIONS requests. [[GH-3885](https://github.com/hashicorp/consul/issues/3885)] * dns: Introduced a new config param to limit the number of A/AAAA records returned. [[GH-3940](https://github.com/hashicorp/consul/issues/3940)] +* agent: supported TLS cipher suites updated to include newer options, [[GH-3962](https://github.com/hashicorp/consul/pull/3962)] BUG FIXES:
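Review bot: In agent/consul/state/catalog_test.go, renaming `TestIndexIndependance` to `TestIndexIndependence` changes a test identifier, not just a comment, so any CI job or script that selects the test by name with `go test -run` has to be updated alongside it. The same applies to `TestMonitorCommand_exitsOnSignalBeforeLinesArrive` and `TestSnapshotInspectCommand_noTabs`. Since the doc comment is being touched anyway, its grammar could be fixed too: "test that changes on a given service does not impact" and "It allows to have huge benefits" both still read awkwardly.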
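Review bot: In agent/dns_test.go the field `expectedAAAAResuls` becomes `expectedAAAAResults`, but the only hunk for that file is the struct declaration at line 3082. Any keyed literal or assertion in `TestDNS_ServiceLookup_ARecordLimits` that still names the old field will stop the package from compiling, so please confirm the test builds or add the hunks that rename the uses.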
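Review bot: In agent/user_event.go the typo "lastest" is corrected to "last", while the same typo in website/source/docs/upgrade-specific.html.md is corrected to "latest". The next comment line says the function returns nil "if there is no recent event", so "latest" (or "most recent") looks like the intended word here as well; suggest `// LastUserEvent is used to return the latest user event.` for consistency.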
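Review bot: In ui/javascripts/fixtures.js the change from "Foo Heathly" to "Foo Healthy" edits a fixture value, not a comment, so it can change what a UI test or template sees. Worth a quick search for the old check name in the UI tests before merging, and worth calling out in the commit message that this patch is not comment-only.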
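Review bot: In website/source/docs/agent/options.html.md (and again in docs/upgrade-specific.html.md) the link target changes from `/docs/guides/performance.html#minumum` to `#minimum`, but the diff goes from docs/commands/operator.html.markdown.erb straight to docs/upgrade-specific.html.md with no hunk for the performance guide. If the anchor in that guide is still spelled `minumum`, both links now point at a fragment that does not exist; please either rename the anchor in the same commit or confirm it is already `minimum`.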
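Review bot: In the CHANGELOG.md hunk of PATCH 12/12, the new entry ends its sentence with a comma before the reference ("newer options, [[GH-3962]") and starts lowercase, unlike the neighbouring entries ("All endpoints now respond...", "Introduced a new config param..."). More importantly for operators who pin `tls_cipher_suites`, "newer options" does not say which suites were added; suggest naming them or linking to the `tls_cipher_suites` entry in the agent options docs so the accepted values can be checked without reading the PR.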