d279c60010
Merge pull request #11115 from hashicorp/eculver/envoy-1.19.1
...
Add support for Envoy 1.19.1
2021-10-04 23:13:26 +02:00
b9f0014d70
acl: remove updateEnterpriseSerfTags
...
The only remaining caller is a test helper, and the tests don't use the enterprise gossip
pools.
2021-10-04 17:01:51 -04:00
5ac360b22d
Merge pull request #11126 from hashicorp/dnephin/acl-legacy-remove-resolve-and-get-policy
...
acl: remove ACL.GetPolicy RPC endpoint and ACLResolver.resolveTokenLegacy
2021-10-04 16:29:51 -04:00
ed5693b537
Add metrics to count the number of service-mesh config entries
2021-10-04 14:50:17 -05:00
9c487389cf
Add metrics to count connect native service mesh instances
...
This will add the counts of the service mesh instances tagged by
whether or not it is connect native
2021-10-04 14:37:05 -05:00
8000ea45ca
Add metrics to count service mesh Kind instance counts
...
This will add the counts of service mesh instances tagged by the
different ServiceKind's.
2021-10-04 14:36:59 -05:00
b6435259c3
acl: fix test failures caused by remocving legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Remove the early WaitForLeader in dc2, because with it the test was
failing with ACL not found.
2021-10-01 18:03:10 -04:00
e74ce0fb2e
Add 1.15 versions to too old list
2021-10-01 11:28:26 -07:00
3c8ca0dbd2
agent: Reject partitions in legacy intention endpoints ( #11181 )
2021-10-01 13:18:57 -04:00
bf94949d48
Support partitions in parseIntentionStringComponent ( #11202 )
2021-10-01 12:36:12 -04:00
8bd52995d1
fix token list by auth method ( #11196 )
...
* add tests to OIDC authmethod and fix entMeta when retrieving auth-methods
* fix oss compilation error
2021-10-01 12:00:43 -04:00
4cdcaf3658
Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15
2021-09-30 11:32:28 -07:00
7b157bba4e
regenerate more envoy golden files
2021-09-30 10:57:47 -07:00
ec935a2486
acl: call stop for the upgrade goroutine when done
...
TestAgentLeaks_Server was reporting a goroutine leak without this. Not sure if it would actually
be a leak in production or if this is due to the test setup, but seems easy enough to call it
this way until we remove legacyACLTokenUpgrade.
2021-09-29 17:36:43 -04:00
0c077d0527
acl: only run startACLUpgrade once
...
Since legacy ACL tokens can no longer be created we only need to run this upgrade a single
time when leadership is estalbished.
2021-09-29 16:22:01 -04:00
f21097beda
acl: remove reading of serf acl tags
...
We no long need to read the acl serf tag, because servers are always either ACL enabled or
ACL disabled.
We continue to write the tag so that during an upgarde older servers will see the tag.
2021-09-29 15:45:11 -04:00
b866e3c4f4
acl: fix test failure
...
For some reason removing legacy ACL upgrade requires using an ACL token now
for this WaitForLeader.
2021-09-29 15:21:30 -04:00
ebb2388605
acl: remove legacy ACL upgrades from Server
...
As part of removing the legacy ACL system
2021-09-29 15:19:23 -04:00
41a97360ca
acl: fix test failures caused by remocving legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Use the root token in WaitForLeader, because without it the test was
failing with ACL not found.
2021-09-29 15:15:50 -04:00
b73b68d696
acl: remove ACL.GetPolicy endpoint and resolve legacy acls
...
And all code that was no longer used once those two were removed.
2021-09-29 14:33:19 -04:00
b8da06a34d
acl: remove ACL upgrading from Clients
...
As part of removing the legacy ACL system ACL upgrading and the flag for
legacy ACLs is removed from Clients.
This commit also removes the 'acls' serf tag from client nodes. The tag is only ever read
from server nodes.
This commit also introduces a constant for the acl serf tag, to make it easier to track where
it is used.
2021-09-29 14:02:38 -04:00
33a5448604
Merge pull request #11136 from hashicorp/dnephin/acl-resolver-fix-default-authz
...
acl: fix default Authorizer for down_policy extend-cache/async-cache
2021-09-29 13:45:12 -04:00
afb1dd5827
Merge pull request #11110 from hashicorp/dnephin/acl-legacy-remove-initialize
...
acl: remove initializeLegacyACL and the rest of the legacy FSM commands
2021-09-29 13:44:30 -04:00
a9ac148c92
Merge pull request #10999 from hashicorp/dnephin/revert-config-xds-port
...
Revert config xds_port
2021-09-29 13:39:15 -04:00
bd28d23b55
command/envoy: stop using the DebugConfig from Self endpoint
...
The DebugConfig in the self endpoint can change at any time. It's not a stable API.
This commit adds the XDSPort to a stable part of the XDS api, and changes the envoy command to read
this new field.
It includes support for the old API as well, in case a newer CLI is used with an older API, and
adds a test for both cases.
2021-09-29 13:21:28 -04:00
2995ac61f2
acl: remove the last of the legacy FSM
...
Replace it with an implementation that returns an error, and rename some symbols
to use a Deprecated suffix to make it clear.
Also remove the ACLRequest struct, which is no longer referenced.
2021-09-29 12:42:23 -04:00
a8358f7575
acl: remove bootstrap-init FSM operation
2021-09-29 12:42:23 -04:00
ea2e0ad2ec
acl: remove initializeLegacyACL from leader init
2021-09-29 12:42:23 -04:00
4e36442583
acl: remove ACLDelete FSM command, and state store function
...
These are no longer used now that ACL.Apply has been removed.
2021-09-29 12:42:23 -04:00
7e37c9a765
acl: remove legacy field to ACLBoostrap
2021-09-29 12:42:23 -04:00
402d3792b6
Revert "Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc"
...
This reverts commit 74fb650b6b966588f8faeec26935a858af2b8bb5, reversing
changes made to 58bd8173364effb98b9fd9f9b98d31dd887a9bac.
2021-09-29 12:28:41 -04:00
d4c48a3f23
Merge pull request #11101 from hashicorp/dnephin/acl-legacy-remove-rpc-2
...
acl: remove legacy ACL.Apply RPC
2021-09-29 12:23:55 -04:00
69a83aefcf
Merge pull request #11177 from hashicorp/dnephin/remove-entmeta-methods
...
structs: remove EnterpriseMeta helper methods
2021-09-29 12:08:07 -04:00
acb62aa896
Merge pull request #10986 from hashicorp/dnephin/acl-legacy-remove-rpc
...
acl: remove legacy ACL RPC - part 1
2021-09-29 12:04:09 -04:00
1bc07c5166
structs: rename the last helper method.
...
This one gets used a bunch, but we can rename it to make the behaviour more obvious.
2021-09-29 11:48:38 -04:00
93b3e110b6
structs: remove another helper
...
We already have a helper funtion.
2021-09-29 11:48:03 -04:00
17652227f6
structs: remove two methods that were only used once each.
...
These methods only called a single function. Wrappers like this end up making code harder to read
because it adds extra ways of doing things.
We already have many helper functions for constructing these types, we don't need additional methods.
2021-09-29 11:47:03 -04:00
a0e08086f7
Merge pull request #10988 from hashicorp/dnephin/acl-legacy-remove-config
...
acl: isolate deprecated config and warn when they are used
2021-09-29 11:40:14 -04:00
3f4f7d2f3f
Merge pull request #9456 from hashicorp/dnephin/config-deprecation
...
config: Use DeprecatedConfig struct for deprecated config fields
2021-09-29 11:37:40 -04:00
cb5ef13fde
Merge remote-tracking branch 'origin/eculver/remove-envoy-1.15' into eculver/remove-envoy-1.15
2021-09-28 16:06:36 -07:00
eaa9394cb2
Fix typo
...
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-09-29 01:05:45 +02:00
64f94b10ce
Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15
2021-09-28 15:59:43 -07:00
807871224a
Merge branch 'main' into eculver/envoy-1.19.1
2021-09-28 15:58:20 -07:00
3f79aaf509
Cleanup unnecessary normalizing method ( #11169 )
2021-09-28 15:31:12 -04:00
4ed9476a61
Merge pull request #11084 from krastin/krastin-autopilot-loggingtypo
...
Fix a tiny typo in logging in autopilot.go
2021-09-28 15:11:11 -04:00
e2363c13ff
Merge branch 'main' into eculver/envoy-1.19.1
2021-09-28 11:54:33 -07:00
90fe20c3a2
agent: Clean up unused built-in proxy config ( #11165 )
2021-09-28 11:29:10 -04:00
30fe14eed3
acl: fix default authorizer for down_policy
...
This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done
in https://github.com/hashicorp/consul/pull/10632 .
2021-09-23 18:12:22 -04:00
a6a7069ecf
Remove t.Parallel from TestACLResolver_DownPolicy
...
These tests run in under 10ms, t.Parallel does nothing but slow them down and
make failures harder to debug when one panics.
2021-09-23 18:12:22 -04:00
4505cb2920
Refactor table index acl phase 2 ( #11133 )
...
* extract common methods from oss and ent
* remove unreachable code
* add missing normalize for binding rules
* fix oss to use Query
2021-09-23 15:26:09 -04:00
cc46fcc53e
config: Move ACLEnableKeyListPolicy to DeprecatedConfig
2021-09-23 15:15:00 -04:00
107c24a68a
config: move acl_ttl to DeprecatedConfig
2021-09-23 15:14:59 -04:00
5eb2bebdf8
config: move acl_{default,down}_policy to DeprecatedConfig
2021-09-23 15:14:59 -04:00
408eb0e08e
config: Deprecate EnableACLReplication
...
replaced by ACL.TokenReplication
2021-09-23 15:14:59 -04:00
d54db5917f
config: move ACL master token and replication to DeprecatedConfig
2021-09-23 15:14:59 -04:00
f8412cf5fa
Merge pull request #10903 from hashicorp/feature/ingress-sds
...
Add Support to for providing TLS certificates for Ingress listeners from an SDS source
2021-09-23 16:19:05 +01:00
ebe333b947
Refactor table index ( #11131 )
...
* convert tableIndex to use the new pattern
* make `indexFromString` available for oss as well
* refactor `indexUpdateMaxTxn`
2021-09-23 11:06:23 -04:00
d57931124f
Final readability tweaks from review
2021-09-23 10:17:12 +01:00
66c625a64d
Fix subtle loop bug and add test
2021-09-23 10:13:41 +01:00
7198d0bd80
Refactor SDS validation to make it more contained and readable
2021-09-23 10:13:19 +01:00
fe4f69613c
Refactor Ingress-specific lister code to separate file
2021-09-23 10:13:19 +01:00
f4f0793a10
Minor PR typo and cleanup fixes
2021-09-23 10:13:19 +01:00
4cc1ccf892
Revert abandonned changes to proxycfg for Ent test consistency
2021-09-23 10:13:19 +01:00
d812a0edc7
Fix merge conflict in xds tests
2021-09-23 10:12:37 +01:00
a24efd20fc
Fix some more Enterprise Normalization issues affecting tests
2021-09-23 10:12:37 +01:00
15969327c0
Remove unused argument to fix lint error
2021-09-23 10:09:11 +01:00
9422e4ebc7
Handle namespaces in route names correctly; add tests for enterprise
2021-09-23 10:09:11 +01:00
9d576a08dc
Update xDS routes to support ingress services with different TLS config
2021-09-23 10:08:02 +01:00
8a4254a894
Update xDS Listeners with SDS support
2021-09-23 10:08:02 +01:00
8548e15f1b
Update proxycfg to hold more ingress config state
2021-09-23 10:08:02 +01:00
0e410a1b1f
Add ingress-gateway config for SDS
2021-09-23 10:08:02 +01:00
3e6dc2a843
acl: remove ACL.Apply
...
As part of removing the legacy ACL system.
2021-09-22 18:28:08 -04:00
2ce64e2837
acl: made acl rules in tests slightly more specific
...
When converting these tests from the legacy ACL system to the new RPC endpoints I
initially changed most things to use _prefix rules, because that was equivalent to
the old legacy rules.
This commit modifies a few of those rules to be a bit more specific by replacing the _prefix
rule with a non-prefix one where possible.
2021-09-22 18:24:56 -04:00
c87d57bfeb
partitions/authmethod-index work from enterprise ( #11056 )
...
* partitions/authmethod-index work from enterprise
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-22 13:19:20 -07:00
d222f170a7
connect: Allow upstream listener escape hatch for prepared queries ( #11109 )
2021-09-22 15:27:10 -04:00
88a899d06a
connect: remove support for Envoy 1.15
2021-09-22 11:48:50 -07:00
ba13416b57
grpc: strip local ACL tokens from RPCs during forwarding if crossing datacenters ( #11099 )
...
Fixes #11086
2021-09-22 13:14:26 -05:00
66453d2de9
config: Move two more fields to DeprecatedConfig
...
And add a test for deprecated config fields.
2021-09-22 13:23:03 -04:00
23f070e0a1
config: Introduce DeprecatedConfig
...
This struct allows us to move all the deprecated config options off of
the main config struct, and keeps all the deprecation logic in a single
place, instead of spread across 3+ places.
2021-09-22 13:22:16 -04:00
4d222cfcd0
add 1.19.x versions to test config
2021-09-22 09:30:45 -07:00
bc04a155fb
Merge pull request #11090 from hashicorp/clly/kv-usage-metrics
...
Add KVUsage to consul state usage metrics
2021-09-22 11:26:56 -05:00
bfe6b64ca7
Strip out go 1.17 bits
2021-09-22 11:04:48 -05:00
7c1ef8f515
Add a mock Agent delegate to ease/improve some types of testing
2021-09-22 10:23:01 -04:00
320b20c708
auto-updated agent/uiserver/bindata_assetfs.go from commit 9c0233cf5
2021-09-22 13:05:38 +00:00
949416c071
auto-updated agent/uiserver/bindata_assetfs.go from commit cfbd1bb84
2021-09-22 09:26:14 +00:00
b40bdc9e98
acl: remove remaining tests that use ACL.Apply
...
In preparation for removing ACL.Apply.
Tests for ACL.Apply, ACL.GetPolicy, and ACL upgrades were removed
because all 3 of those will be removed shortly.
The forth test appears to be for the ACLResolver cache, so the test was moved to the correct
test file, and the name was updated to make it obvious what is being tested.
2021-09-21 19:35:26 -04:00
69f4cc7532
regenerate envoy golden files
2021-09-21 16:21:00 -07:00
b104b7719c
add envoy 1.19.1
2021-09-21 15:39:36 -07:00
ab91d254a3
fsm: restore the legacy commands
...
and emit a helpful error message.
2021-09-21 18:35:12 -04:00
0180dd67ff
Convert tests to the new ACL system
...
In preparation for removing ACL.Apply
2021-09-21 18:35:12 -04:00
b639f47e3c
config: use the new ACL system in tests
...
In preparation for removing ACL.Apply
2021-09-21 17:57:29 -04:00
2702aecc27
catalog: use the new ACL system in tests
...
In preparation for removing ACL.Apply
2021-09-21 17:57:29 -04:00
b6218b75d9
Update 4 non-acl tests that used the legacy ACL.Apply
...
These tests don't really care about the endpoint, they just need some way to create an ACL token.
2021-09-21 17:57:29 -04:00
ad9748adc3
acl: remove two commented out tests for legacy ACL replication
...
They were commented out in 2018.
2021-09-21 17:57:29 -04:00
5a31a2e167
acl: replace legacy Get and List RPCs with an error impl
...
These endpoints are being removed as part of the legacy ACL system.
2021-09-21 17:57:29 -04:00
26f3380688
acl: remove a couple legacy ACL operation constants
...
structs.ACLForceSet was deprecated 4 years ago, it should be safe to remove now.
ACLBootstrapNow was removed in a recent commit. While it is technically possible that a cluster with mixed version
could still attempt a legacy boostrap, we documented that the legacy system was deprecated in 1.4, so no
clusters that are being upgraded should be attempting a legacy boostrap.
2021-09-21 17:57:29 -04:00
af8c10afc4
acl: Remove unused ACLPolicyIDType
2021-09-21 17:57:29 -04:00
5493ff06cc
Merge pull request #10985 from hashicorp/dnephin/acl-legacy-remove-replication
...
acl: remove legacy ACL replication
2021-09-21 17:56:54 -04:00
64852cd3e5
Apply suggestions from code review
...
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
2021-09-21 10:52:46 -05:00
2773bd94d7
xds: fix representation of incremental xDS subscriptions ( #10987 )
...
Fixes #10563
The `resourceVersion` map was doing two jobs prior to this PR. The first job was
to track what version of every resource we know envoy currently has. The
second was to track subscriptions to those resources (by way of the empty
string for a version). This mostly works out fine, but occasionally leads to
consul removing a resource and accidentally (effectively) unsubscribing at the
same time.
The fix separates these two jobs. When all of the resources for a subscription
are removed we continue to track the subscription until envoy explicitly
unsubscribes
2021-09-21 09:58:56 -05:00
973b7b5c78
Fix test
2021-09-20 13:44:43 -05:00
698fc291a9
Add KVUsage to consul state usage metrics
...
This change will add the number of entries in the consul KV store to the
already existing usage metrics.
2021-09-20 12:41:54 -05:00
55b36dd056
xds: ensure the active streams counters are 64 bit aligned on 32 bit systems ( #11085 )
2021-09-20 11:07:11 -05:00
ba13dbf24c
Update autopilot.go
...
Fixing a minuscule typo in logging
2021-09-20 14:40:58 +02:00
f1b2ef30d1
Merge pull request #11071 from hashicorp/partitions/ixn-decisions
2021-09-16 15:18:23 -06:00
661f520841
Fixup proxycfg tproxy case
2021-09-16 15:05:28 -06:00
12eec88dff
Remove ent checks from oss test
2021-09-16 14:53:28 -06:00
7fa8f19077
acl: ensure the global management policy grants all necessary partition privileges ( #11072 )
2021-09-16 15:53:10 -05:00
cf56be7d8d
Ensure partition is defaulted in authz
2021-09-16 14:39:01 -06:00
b5a8935bb8
Default the partition in ixn check
2021-09-16 14:39:01 -06:00
caafc1905e
Fixup test
2021-09-16 14:39:01 -06:00
8a9bf3748c
Account for partitions in ixn match/decision
2021-09-16 14:39:01 -06:00
a8f396c55f
Bump `go-discover` to fix broken dep tree ( #10898 )
2021-09-16 15:31:22 -04:00
5a6f9e38b1
auto-updated agent/uiserver/bindata_assetfs.go from commit 1d9d3349c
2021-09-16 17:31:08 +00:00
4e7b6888e3
acl: fix intention:*:write checks ( #11061 )
...
This is a partial revert of #10793
2021-09-16 11:08:45 -05:00
88627700d0
Merge pull request #11051 from hashicorp/partitions/fixes
2021-09-16 09:29:00 -06:00
494764ee2d
acl: small resolver changes to account for partitions ( #11052 )
...
Also refactoring the enterprise side of a test to make it easier to reason about.
2021-09-16 09:17:02 -05:00
7927a97c2f
Fixup manager tests
2021-09-15 17:24:05 -06:00
dc549eca30
Default partition in match endpoint
2021-09-15 17:23:52 -06:00
0cdcbbb4c9
Pass partition to intention match query
2021-09-15 17:23:52 -06:00
a57c52ca32
Ensure partition is used for SAN validation
2021-09-15 17:23:48 -06:00
08b222cfc3
ACL Binding Rules table partitioning ( #11044 )
...
* ACL Binding Rules table partitioning
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-15 13:26:08 -07:00
23e3f865b0
auto-updated agent/uiserver/bindata_assetfs.go from commit fc14a412f
2021-09-15 18:55:29 +00:00
abe0195257
auto-updated agent/uiserver/bindata_assetfs.go from commit b16a6fa03
2021-09-15 17:14:42 +00:00
25ea1a9276
use const instead of literals for `tableIndex` ( #11039 )
2021-09-15 10:24:04 -04:00
ffe3806aaf
Refactor `indexAuthMethod` in `tableACLBindingRules` ( #11029 )
...
* Port consul-enterprise #1123 to OSS
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* Fixup missing query field
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* change to re-trigger ci system
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-15 09:34:19 -04:00
8804577de1
Merge pull request #11024 from hashicorp/partitions/rbac
2021-09-14 11:18:19 -06:00
27f40ccf51
Update error texts ( #11022 )
...
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-09-14 11:08:06 -06:00
f209408918
Update spiffe ID patterns used for RBAC
2021-09-14 11:00:03 -06:00
0e30151eaa
Expand testing of simplifyNotSourceSlice for partitions
2021-09-14 10:55:15 -06:00
a65da57a3d
Expand testing of removeSameSourceIntentions for partitions
2021-09-14 10:55:09 -06:00
e9d78a20c7
Account for partition when matching src intentions
2021-09-14 10:55:02 -06:00
44d91ea56f
Add failures_before_warning to checks ( #10969 )
...
Signed-off-by: Jakub Sokołowski <jakub@status.im>
* agent: add failures_before_warning setting
The new setting allows users to specify the number of check failures
that have to happen before a service status us updated to be `warning`.
This allows for more visibility for detected issues without creating
alerts and pinging administrators. Unlike the previous behavior, which
caused the service status to not update until it reached the configured
`failures_before_critical` setting, now Consul updates the Web UI view
with the `warning` state and the output of the service check when
`failures_before_warning` is breached.
The default value of `FailuresBeforeWarning` is the same as the value of
`FailuresBeforeCritical`, which allows for retaining the previous default
behavior of not triggering a warning.
When `FailuresBeforeWarning` is set to a value higher than that of
`FailuresBeforeCritical it has no effect as `FailuresBeforeCritical`
takes precedence.
Resolves: https://github.com/hashicorp/consul/issues/10680
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Co-authored-by: Jakub Sokołowski <jakub@status.im>
2021-09-14 12:47:52 -04:00
4992218676
convert expiration indexed in ACLToken table to use `indexerSingle` ( #11018 )
...
* move intFromBool to be available for oss
* add expiry indexes
* remove dead code: `TokenExpirationIndex`
* fix remove indexer `TokenExpirationIndex`
* fix rebase issue
2021-09-13 14:37:16 -04:00
1f23bdf388
add locality indexer partitioning ( #11016 )
...
* convert `Roles` index to use `indexerSingle`
* split authmethod write indexer to oss and ent
* add index locality
* add locality unit tests
* move intFromBool to be available for oss
* use Bool func
* refactor `aclTokenList` to merge func
2021-09-13 11:53:00 -04:00
3638825db8
convert `indexAuthMethod` index to use `indexerSingle` ( #11014 )
...
* convert `Roles` index to use `indexerSingle`
* fix oss build
* split authmethod write indexer to oss and ent
* add auth method unit tests
2021-09-10 16:56:56 -04:00
ecbe8f0656
Include namespace and partition in error messages when validating ingress header manip
2021-09-10 21:11:00 +01:00
e6642c6dae
Refactor HTTPHeaderModifiers.MergeDefaults based on feedback
2021-09-10 21:11:00 +01:00
a1acb7ec3b
Fix enterprise test failures caused by differences in normalizing EnterpriseMeta
2021-09-10 21:11:00 +01:00
3484d77b18
Fix enterprise discovery chain tests; Fix multi-level split merging
2021-09-10 21:11:00 +01:00
e0ad412f1d
Remove unnecessary check
2021-09-10 21:09:24 +01:00
5c6d27555b
Fix discovery chain test fixtures
2021-09-10 21:09:24 +01:00
bc1c86df96
Integration tests for all new header manip features
2021-09-10 21:09:24 +01:00
1dd1683ed9
Header manip for split legs plumbing
2021-09-10 21:09:24 +01:00
f70f7b2389
Header manip for service-router plumbed through
2021-09-10 21:09:24 +01:00
fc2ed4cdf4
Ingress gateway header manip plumbing
2021-09-10 21:09:24 +01:00
2db02cdba2
Add HTTP header manip for router and splitter entries
2021-09-10 21:09:24 +01:00
7ac9b46f08
Header manip and validation added for ingress-gateway entries
2021-09-10 21:09:24 +01:00
82b30f8020
convert `Roles` index to use `indexerMulti` ( #11013 )
...
* convert `Roles` index to use `indexerMulti`
* add role test in oss
* fix oss to use the right index func
* preallocate slice
2021-09-10 16:04:33 -04:00
569e18d002
convert indexPolicies in ACLTokens table to the new index ( #11011 )
2021-09-10 14:57:37 -04:00
0d0edeec27
convert indexSecret to the new index ( #11007 )
2021-09-10 09:10:11 -04:00
f0cbe25ca6
convert indexAccessor to the new index ( #11002 )
2021-09-09 16:28:04 -04:00
24c6ce0be0
tls: consider presented intermediates during server connection tls handshake. ( #10964 )
...
* use intermediates when verifying
* extract connection state
* remove useless import
* add changelog entry
* golint
* better error
* wording
* collect errors
* use SAN.DNSName instead of CommonName
* Add test for unknown intermediate
* improve changelog entry
2021-09-09 21:48:54 +02:00
3fb797382b
Sync enterprise changes to oss ( #10994 )
...
This commit updates OSS with files for enterprise-specific admin partitions feature work
2021-09-08 11:59:30 -04:00
a7b5a5d1b4
Merge pull request #10984 from hashicorp/mesh-resource
...
acl: adding a new mesh resource
2021-09-07 15:06:20 -07:00
96d7842118
partition dicovery chains ( #10983 )
...
* partition dicovery chains
* fix default partition for OSS
2021-09-07 16:29:32 -04:00
4d5a39e622
acl: remove ACL.IsSame
...
The only caller of this method was removed in a recent commit along with replication.
2021-09-03 12:59:12 -04:00
4dd5bb8e3b
acl: remove legacy ACL replication
2021-09-03 12:42:06 -04:00
4206f585f0
acl: adding a new mesh resource
2021-09-03 09:12:03 -04:00
72391dc99c
try to infer command partition from node partition ( #10981 )
2021-09-03 08:37:23 -04:00
eb19271fd7
add partition to SNI when partition is non default ( #10917 )
2021-09-01 10:35:39 -04:00
11672defaf
connect: update envoy supported versions to latest patch release
...
(#10961 )
Relevant advisory:
https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h
2021-08-31 10:39:18 -06:00
93f94ac24f
rpc: authorize raft requests ( #10925 )
2021-08-26 15:04:32 -07:00
a758581ab6
auto-updated agent/uiserver/bindata_assetfs.go from commit eeeb91bea
2021-08-26 18:13:08 +00:00
86de20c975
ent->oss test fix ( #10926 )
2021-08-26 14:06:49 -04:00
5c67517647
auto-updated agent/uiserver/bindata_assetfs.go from commit a907e1d87
2021-08-26 18:02:18 +00:00
d9022ce788
auto-updated agent/uiserver/bindata_assetfs.go from commit a0b0ed2bc
2021-08-26 16:06:09 +00:00
efbdf7e117
api: expose upstream routing configurations in topology view ( #10811 )
...
Some users are defining routing configurations that do not have associated services. This commit surfaces these configs in the topology visualization. Also fixes a minor internal bug with non-transparent proxy upstream/downstream references.
2021-08-25 15:20:32 -04:00
6b5a58de50
acl: some acl authz refactors for nodes ( #10909 )
2021-08-25 13:43:11 -05:00
c95ec5007d
auto-updated agent/uiserver/bindata_assetfs.go from commit a777b0a9b
2021-08-25 13:46:51 +00:00
9b2dd8b155
auto-updated agent/uiserver/bindata_assetfs.go from commit 8192dde48
2021-08-25 11:39:14 +00:00
a84f5fa25d
grpc: ensure that streaming gRPC requests work over mesh gateway based wan federation ( #10838 )
...
Fixes #10796
2021-08-24 16:28:44 -05:00
6b574abc89
auto-updated agent/uiserver/bindata_assetfs.go from commit 05a28c311
2021-08-24 16:04:24 +00:00
79e181be73
Avoid passing zero value into variadic
2021-08-20 17:40:33 -06:00
ed79e38a36
Update comment for test function
2021-08-20 17:40:33 -06:00
b1050e4229
Update prepared query cluster SAN validation
...
Previously SAN validation for prepared queries was broken because we
validated against the name, namespace, and datacenter for prepared
queries.
However, prepared queries can target:
- Services with a name that isn't their own
- Services in multiple datacenters
This means that the SpiffeID to validate needs to be based on the
prepared query endpoints, and not the prepared query's upstream
definition.
This commit updates prepared query clusters to account for that.
2021-08-20 17:40:33 -06:00
1f192eb7d9
Fixup proxy config test fixtures
...
- The TestNodeService helper created services with the fixed name "web",
and now that name is overridable.
- The discovery chain snapshot didn't have prepared query endpoints so
the endpoints tests were missing data for prepared queries
2021-08-20 17:38:57 -06:00
60591d55f7
agent: add partition labels to catalog API metrics where appropriate ( #10890 )
2021-08-20 15:09:39 -05:00
b6be94e7fa
fixing various bits of enterprise meta plumbing to be more correct ( #10889 )
2021-08-20 14:34:23 -05:00
f766b6dff7
oss portion of ent #1069 ( #10883 )
2021-08-20 12:57:45 -04:00
d730298f59
state: partition the nodes.uuid and nodes.meta indexes as well ( #10882 )
2021-08-19 16:17:59 -05:00
61f1c01b83
agent: ensure that most agent behavior correctly respects partition configuration ( #10880 )
2021-08-19 15:09:42 -05:00
4a0ae4048d
Merge pull request #10849 from hashicorp/dnephin/contrib-doc-xds-auth
...
xds: document how authorization works
2021-08-18 13:25:16 -04:00
e565409c6a
state: partition the usage metrics subsystem ( #10867 )
2021-08-18 09:27:15 -05:00
9df2464c7c
xds: document how authorization works
2021-08-17 19:26:34 -04:00
1cef3c99c2
state: adjust streaming event generation to account for partitioned nodes ( #10860 )
...
Also re-enabled some tests that had to be disabled in the prior PR.
2021-08-17 16:49:26 -05:00
e50e13d2ab
state: partition nodes and coordinates in the state store ( #10859 )
...
Additionally:
- partitioned the catalog indexes appropriately for partitioning
- removed a stray reference to a non-existent index named "node.checks"
2021-08-17 13:29:39 -05:00
5a82859ee1
acl: small improvements to ACLResolver disable due to RPC error
...
Remove the error return, so that not handling is not reported as an
error by errcheck. It was returning the error passed as an arg
unmodified so there is no reason to return the same value that was
passed in.
Remove the term upstreams to remove any confusion with the term used in
service mesh.
Remove the AutoDisable field, and replace it with the TTL value, using 0
to indicate the setting is turned off.
Replace "not Before" with "After".
Add some test coverage to show the behaviour is still correct.
2021-08-17 13:34:18 -04:00
09ae0ab94a
acl: make ACLDisabledTTL a constant
...
This field was never user-configurable. We always overwrote the value with 120s from
NonUserSource. However, we also never copied the value from RuntimeConfig to consul.Config,
So the value in NonUserSource was always ignored, and we used the default value of 30s
set by consul.DefaultConfig.
All of this code is an unnecessary distraction because a user can not actually configure
this value.
This commit removes the fields and uses a constant value instad. Someone attempting to set
acl.disabled_ttl in their config will now get an error about an unknown field, but previously
the value was completely ignored, so the new behaviour seems more correct.
We have to keep this field in the AutoConfig response for backwards compatibility, but the value
will be ignored by the client, so it doesn't really matter what value we set.
2021-08-17 13:34:18 -04:00
a8bc964241
Fix test failures
...
Tests only specified one of the fields, but in production we copy the
value from a single place, so we can do the same in tests.
The AutoConfig test broke because of the problem noticed in a previous
commit. The DisabledTTL is not wired up properly so it reports 0s here.
Changed the test to use an explicit value.
2021-08-17 13:32:52 -04:00
0d69b49f41
config: remove ACLResolver settings from RuntimeConfig
2021-08-17 13:32:52 -04:00
75baa22e64
acl: remove ACLResolver config fields from consul.Config
2021-08-17 13:32:52 -04:00
454f62eacc
acl: replace ACLResolver.Config with its own struct
...
This is step toward decoupling ACLResolver from the agent/consul
package.
2021-08-17 13:32:52 -04:00
5e5ad62679
acl: remove ACLRulesTranslateLegacyToken API endpoint
2021-08-17 13:10:02 -04:00
be0358df02
acl: remove legacy bootstrap
...
Return an explicit error from the RPC, and remove the flag from the HTTP API.
2021-08-17 13:10:00 -04:00
d877673268
agent: update some tests that were using legacy ACL endpoints
...
The tests were updated to use the new ACL endpoints now that the legacy ones have been removed.
2021-08-17 13:09:30 -04:00
10791b007d
http: update legacy ACL endpoints to return an error
...
Also move a test for the ACLReplicationStatus endpoint into the correct file.
2021-08-17 13:09:29 -04:00
4f54d9708c
acl: add some notes about removing legacy ACL system
2021-08-17 13:08:29 -04:00
e4c6bee7e6
Merge pull request #10792 from hashicorp/dnephin/rename-authz-vars
...
acl: use authz consistently as the variable name for an acl.Authorizer
2021-08-17 13:07:17 -04:00
7f71a672f3
Merge pull request #10807 from hashicorp/dnephin/remove-acl-datacenter
...
config: remove ACLDatacenter
2021-08-17 13:07:09 -04:00
Evan Culver