Commit graph

15 commits

Author SHA1 Message Date
Iryna Shustava daff8f82dc docs: update ACL perms for the /connect/ca/roots endpoint (#7155) 2020-01-28 20:01:25 +01:00
Hans Hasselberg 315ba7d6ad
connect: check if intermediate cert needs to be renewed. (#6835)
Currently when using the built-in CA provider for Connect, root certificates are valid for 10 years, however secondary DCs get intermediates that are valid for only 1 year. There is no mechanism currently short of rotating the root in the primary that will cause the secondary DCs to renew their intermediates.
This PR adds a check that renews the cert if it is half way through its validity period.

In order to be able to test these changes, a new configuration option was added: IntermediateCertTTL which is set extremely low in the tests.
2020-01-17 23:27:13 +01:00
Paul Banks 1197b43c7b
Support Connect CAs that can't cross sign (#6726)
* Support Connect CAs that can't cross sign

* revert spurios mod changes from make tools

* Add log warning when forcing CA rotation

* Fixup SupportsCrossSigning to report errors and work with Plugin interface (fixes tests)

* Fix failing snake_case test

* Remove misleading comment

* Revert "Remove misleading comment"

This reverts commit bc4db9cabed8ad5d0e39b30e1fe79196d248349c.

* Remove misleading comment

* Regen proto files messed up by rebase
2019-11-11 21:36:22 +00:00
Paul Banks 5f405c3277
Fix support for RSA CA keys in Connect. (#6638)
* Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs.

* Ensure key type ad bits are populated from CA cert and clean up tests

* Add integration test and fix error when initializing secondary CA with RSA key.

* Add more tests, fix review feedback

* Update docs with key type config and output

* Apply suggestions from code review

Co-Authored-By: R.B. Boyer <rb@hashicorp.com>
2019-11-01 13:20:26 +00:00
R.B. Boyer cc889443a5
connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492)
The fields in the certs are meant to hold the original binary
representation of this data, not some ascii-encoded version.

The only time we should be colon-hex-encoding fields is for display
purposes or marshaling through non-TLS mediums (like RPC).
2019-09-23 12:52:35 -05:00
kaitlincarter-hc 4a2ad7d36a
[docs] Fixing API broken links (#5732)
* starting broken link fixes

* Updating the other links for ACLs

* Updating the rest of the links

* fixing acl required links.

* update a bunch of other links

* updated a couple more broken links based on Alvins checker

* removed the extra s
2019-04-30 12:20:51 -05:00
Paul Banks 5b0d4db6bc Support Agent Caching for Service Discovery Results (#4541)
* Add cache types for catalog/services and health/services and basic test that caching works

* Support non-blocking cache types with Cache-Control semantics.

* Update API docs to include caching info for every endpoint.

* Comment updates per PR feedback.

* Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear.

* Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
2018-10-10 16:55:34 +01:00
Jack Pearkes a1bd33da11
website: use 127.0.0.1 instead of consul.rocks (#4523)
By default, the Consul agent listens on the local interface
at port 8500 for API requests. This change makes the API examples
using `curl` copy-pasteable for this default configuration.
2018-08-28 09:07:15 -07:00
Paul Banks cb340cefea
Intention ACL API clarification (#4547) 2018-08-20 20:33:15 +01:00
jjshanks 12342e0d0e Update intentions documentation to clarify ACL behavior (#4546)
* Update intentions documentation to clarify ACL behavior

* Incorprate @banks suggestions into docs

* Fix my own typos!
2018-08-20 20:03:53 +01:00
Kyle Havlovitz ce29660245
website: update docs for leaf cert TTL option 2018-07-16 13:33:42 -07:00
Jack Pearkes d3cec142d4 website: fix an assortment of broken links 2018-06-25 12:26:24 -07:00
Kyle Havlovitz 837f23441d connect/ca: hide the RotationPeriod config field since it isn't used yet 2018-06-25 12:26:18 -07:00
Mitchell Hashimoto 2244844bee website: document the precedence table 2018-06-25 12:24:16 -07:00
Mitchell Hashimoto 8dbe0017bb Starting Docs (#46)
* website: first stab at Connect docs

* website: lots more various stuff (bad commit messages)

* website: getting started page for Connect

* website: intentions

* website: intention APIs

* website: agent API docs

* website: document agent/catalog proxy kind service values

* website: /v1/catalog/connect/:service

* website: intention CLI docs

* website: custom proxy docs

* website: remove dedicated getting started guide

* website: add docs for CA API endpoints

* website: add docs for connect ca commands

* website: add proxy CLI docs

* website: clean up proxy command, add dev docs

* website: todo pages

* website: connect security
2018-06-25 12:24:05 -07:00