ebdda17a30
Add CA config set to fsm operations
2018-06-14 09:41:58 -07:00
f7ff16669f
Add the Connect CA config to the state store
2018-06-14 09:41:58 -07:00
a90f69faa4
Adds `api` client code and tests for new Proxy Config endpoint, registering with proxy and seeing proxy config in /agent/services list.
2018-06-14 09:41:58 -07:00
9d11cd9bf4
Fix various test failures and vet warnings.
...
Intention de-duplication in previously merged PR actualy failed some tests that were not caught be me or CI. I ran the test files for state changes but they happened not to trigger this case so I made sure they did first and then fixed. That fixed some upstream intention endpoint tests that I'd not run as part of testing the previous fix.
2018-06-14 09:41:58 -07:00
8a4410b549
Refactor localBlockingQuery to use memdb.WatchSet. Much simpler and correct as a bonus!
2018-06-14 09:41:58 -07:00
aed5e5b03e
Super ugly hack to get TeamCity build to work for this PR without adding a vendor that is being added elsewhere and will conflict...
2018-06-14 09:41:58 -07:00
cbd8606651
Add X-Consul-ContentHash header; implement removing all proxies; add load/unload test.
2018-06-14 09:41:57 -07:00
44afb5c699
Agent Connect Proxy config endpoint with hash-based blocking
2018-06-14 09:41:57 -07:00
c2266b134a
HTTP agent registration allows proxy to be defined.
2018-06-14 09:41:57 -07:00
78e48fd547
Added connect proxy config and local agent state setup on boot.
2018-06-14 09:41:57 -07:00
280382c25f
Add tests all the way up through the endpoints to ensure duplicate src/destination is supported and so ultimately deny/allow nesting works.
...
Also adds a sanity check test for `api.Agent().ConnectAuthorize()` and a fix for a trivial bug in it.
2018-06-14 09:41:57 -07:00
adc5589329
Allow duplicate source or destination, but enforce uniqueness across all four.
2018-06-14 09:41:57 -07:00
51b1bc028d
Rework connect/proxy and command/connect/proxy. End to end demo working again
2018-06-14 09:41:57 -07:00
2d6a2ce1e3
connect.Service based implementation after review feedback.
2018-06-14 09:41:56 -07:00
62b746c380
agent: rename authorize param ClientID to ClientCertURI
2018-06-14 09:41:56 -07:00
94e7a0a3c1
agent: add TODO for verification
2018-06-14 09:41:55 -07:00
f983978fb8
acl: IntentionDefault => IntentionDefaultAllow
2018-06-14 09:41:55 -07:00
b3584b6355
agent: ACL checks for authorize, default behavior
2018-06-14 09:41:55 -07:00
3e0e0a94a7
agent/structs: String format for Intention, used for logging
2018-06-14 09:41:55 -07:00
3f80808379
agent: bolster commenting for clearer understandability
2018-06-14 09:41:55 -07:00
c6269cda37
agent: default deny on connect authorize endpoint
2018-06-14 09:41:54 -07:00
5364a8cd90
agent: /v1/agent/connect/authorize is functional, with tests
2018-06-14 09:41:54 -07:00
7af99667b6
agent/connect: Authorize for CertURI
2018-06-14 09:41:54 -07:00
68fa4a83b1
agent: get rid of method checks since they're done in the http layer
2018-06-14 09:41:54 -07:00
894ee3c5b0
Add Connect agent, catalog and health endpoints to api Client
2018-06-14 09:41:54 -07:00
1985655dff
agent/consul/state: ensure exactly one active CA exists when setting
2018-06-14 09:41:54 -07:00
9d93c52098
agent/connect: support any values in the URL
2018-06-14 09:41:54 -07:00
8934f00d03
agent/connect: support SpiffeIDSigning
2018-06-14 09:41:53 -07:00
da1bc48372
agent/connect: rename SpiffeID to CertURI
2018-06-14 09:41:53 -07:00
b0315811b9
agent/connect: use proper keyusage fields for CA and leaf
2018-06-14 09:41:53 -07:00
434d8750ae
agent/connect: address PR feedback for the CA.go file
2018-06-14 09:41:53 -07:00
e0562f1c21
agent: implement an always-200 authorize endpoint
2018-06-14 09:41:53 -07:00
2026cf3753
agent/consul: encode issued cert serial number as hex encoded
2018-06-14 09:41:53 -07:00
deb55c436d
agent/structs: hide some fields from JSON
2018-06-14 09:41:52 -07:00
746f80639a
agent: /v1/connect/ca/configuration PUT for setting configuration
2018-06-14 09:41:52 -07:00
2dfca5dbc2
agent/consul/fsm,state: snapshot/restore for CA roots
2018-06-14 09:41:52 -07:00
17d6b437d2
agent/consul/fsm,state: tests for CA root related changes
2018-06-14 09:41:52 -07:00
a8510f8224
agent/consul: set more fields on the issued cert
2018-06-14 09:41:52 -07:00
58b6f476e8
agent: /v1/connect/ca/leaf/:service_id
2018-06-14 09:41:52 -07:00
748a0bb824
agent: CA root HTTP endpoints
2018-06-14 09:41:51 -07:00
80a058a573
agent/consul: CAS operations for setting the CA root
2018-06-14 09:41:51 -07:00
712888258b
agent/consul: tests for CA endpoints
2018-06-14 09:41:51 -07:00
1928c07d0c
agent/consul: key the public key of the CSR, verify in test
2018-06-14 09:41:51 -07:00
9a8653f45e
agent/consul: test for ConnectCA.Sign
2018-06-14 09:41:51 -07:00
a360c5cca4
agent/consul: basic sign endpoint not tested yet
2018-06-14 09:41:51 -07:00
6550ff9492
agent/connect: package for agent-related Connect, parse SPIFFE IDs
2018-06-14 09:41:50 -07:00
f433f61fdf
agent/structs: json omit QueryMeta
2018-06-14 09:41:50 -07:00
9ad2a12441
agent: /v1/connect/ca/roots
2018-06-14 09:41:50 -07:00
24830f4cfa
agent/consul: RPC endpoints to list roots
2018-06-14 09:41:50 -07:00
cfb62677c0
agent/consul/state: CARoot structs and initial state store
2018-06-14 09:41:49 -07:00
7e8d606717
agent: address PR feedback
2018-06-14 09:41:49 -07:00
767d2eaef6
agent: commenting some tests
2018-06-14 09:41:49 -07:00
f9a55aa7e0
agent: clarified a number of comments per PR feedback
2018-06-14 09:41:49 -07:00
62cbb892e3
agent/consul: Health.ServiceNodes ACL check for Connect
2018-06-14 09:41:49 -07:00
641c982480
agent/consul: Catalog endpoint ACL requirements for Connect proxies
2018-06-14 09:41:49 -07:00
4cc4de1ff6
agent: remove ConnectProxyServiceName
2018-06-14 09:41:49 -07:00
566c98b2fc
agent/consul: require name for proxies
2018-06-14 09:41:48 -07:00
4207bb42c0
agent: validate service entry on register
2018-06-14 09:41:48 -07:00
b5fd3017bb
agent/structs: tests for PartialClone and IsSame for proxy fields
2018-06-14 09:41:48 -07:00
c43ccd024a
agent/local: anti-entropy for connect proxy services
2018-06-14 09:41:48 -07:00
daaa6e2403
agent: clean up connect/non-connect duplication by using shared methods
2018-06-14 09:41:48 -07:00
3d82d261bd
agent: /v1/health/connect/:service
2018-06-14 09:41:48 -07:00
119ffe3ed9
agent/consul: implement Health.ServiceNodes for Connect, DNS works
2018-06-14 09:41:47 -07:00
a5fe6204d5
agent: working DNS for Connect queries, I think, but have to
...
implement Health endpoints to be sure
2018-06-14 09:41:47 -07:00
fa4f0d353b
agent: /v1/catalog/connect/:service
2018-06-14 09:41:47 -07:00
253256352c
agent/consul: Catalog.ServiceNodes supports Connect filtering
2018-06-14 09:41:47 -07:00
06957f6d7f
agent/consul/state: ConnectServiceNodes
2018-06-14 09:41:47 -07:00
200100d3f4
agent/consul: enforce ACL on ProxyDestination
2018-06-14 09:41:47 -07:00
8a72826483
agent/consul: proxy registration and tests
2018-06-14 09:41:46 -07:00
6cd9e0e37c
agent: /v1/agent/services test with connect proxies (works w/ no change)
2018-06-14 09:41:46 -07:00
8777ff139c
agent: test /v1/catalog/node/:node to list connect proxies
2018-06-14 09:41:46 -07:00
761b561946
agent: /v1/catalog/service/:service works with proxies
2018-06-14 09:41:46 -07:00
58bff8dd05
agent/consul/state: convert proxy test to testify/assert
2018-06-14 09:41:46 -07:00
09568ce7b5
agent/consul/state: service registration with proxy works
2018-06-14 09:41:46 -07:00
23ee0888ec
agent/consul: convert intention ACLs to testify/assert
2018-06-14 09:41:46 -07:00
6a8bba7d48
agent/consul,structs: add tests for ACL filter and prefix for intentions
2018-06-14 09:41:45 -07:00
3e10a1ae7a
agent/consul: Intention.Match ACLs
2018-06-14 09:41:45 -07:00
db44a98a2d
agent/consul: Intention.Get ACLs
2018-06-14 09:41:45 -07:00
fd840da97a
agent/consul: Intention.Apply ACL on rename
2018-06-14 09:41:45 -07:00
14ca93e09c
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-06-14 09:41:45 -07:00
c54be9bc09
agent/consul: Basic ACL on Intention.Apply
2018-06-14 09:41:44 -07:00
1d0b4ceedb
agent: convert all intention tests to testify/assert
2018-06-14 09:41:44 -07:00
f07340e94f
agent/consul/fsm,state: snapshot/restore for intentions
2018-06-14 09:41:44 -07:00
6f33b2d070
agent: use UTC time for intention times, move empty list check to
...
agent/consul
2018-06-14 09:41:43 -07:00
67b017c95c
agent/consul/fsm: switch tests to use structs.TestIntention
2018-06-14 09:41:43 -07:00
3a00564411
agent/consul/state: need to set Meta for intentions for tests
2018-06-14 09:41:43 -07:00
027dad8672
agent/consul/state: remove TODO
2018-06-14 09:41:43 -07:00
37f66e47ed
agent: use testing intention to get valid intentions
2018-06-14 09:41:43 -07:00
04bd4af99c
agent/consul: set default intention SourceType, validate it
2018-06-14 09:41:43 -07:00
8e2462e301
agent/structs: Intention validation
2018-06-14 09:41:42 -07:00
d34ee200de
agent/consul: support intention description, meta is non-nil
2018-06-14 09:41:42 -07:00
e81d1c88b7
agent/consul/fsm: add tests for intention requests
2018-06-14 09:41:42 -07:00
2b047fb09b
agent,agent/consul: set default namespaces
2018-06-14 09:41:42 -07:00
e630d65d9d
agent/consul: set CreatedAt, UpdatedAt on intentions
2018-06-14 09:41:42 -07:00
237da67da5
agent: GET /v1/connect/intentions/match
2018-06-14 09:41:42 -07:00
e9d208bcb6
agent/consul: RPC endpoint for Intention.Match
2018-06-14 09:41:42 -07:00
987b7ce0a2
agent/consul/state: IntentionMatch for performing match resolution
2018-06-14 09:41:41 -07:00
231f7328bd
agent/structs: IntentionPrecedenceSorter for sorting based on precedence
2018-06-14 09:41:41 -07:00
a91fadb971
agent: PUT /v1/connect/intentions/:id
2018-06-14 09:41:41 -07:00
cae7bca448
agent: DELETE /v1/connect/intentions/:id
2018-06-14 09:41:41 -07:00
Kyle Havlovitz