Commit Graph

16056 Commits

Author SHA1 Message Date
freddygv 16d3efc4b5 Check ingress upstreams when gating chain watches 2021-12-13 18:56:28 -07:00
freddygv f4ddb5432c Use ptr receiver in all Upstream methods 2021-12-13 18:56:14 -07:00
freddygv d647141a7d Avoid storing chain without an upstream 2021-12-13 18:56:14 -07:00
freddygv 9e0958f1d2 Clean up chains separately from their watches 2021-12-13 18:56:14 -07:00
freddygv b704d4e2dd Validate chains are associated with upstreams
Previously we could get into a state where discovery chain entries were
not cleaned up after the associated watch was cancelled. These changes
add handling for that case where stray chain references are encountered.
2021-12-13 18:56:13 -07:00
freddygv ea26a7b7cf Store intention upstreams in snapshot 2021-12-13 18:56:13 -07:00
R.B. Boyer 72a81cfc4a
proxycfg: ensure all of the watches are canceled if they are cancelable (#11824) 2021-12-13 15:56:17 -06:00
Jared Kirschner 7b78ded3c7
Merge pull request #11818 from hashicorp/improve-url-not-found-response
http: improve 404 Not Found response message
2021-12-13 16:08:50 -05:00
R.B. Boyer 3dccd14d31
proxycfg: use external addresses in tproxy when crossing partition boundaries (#11823) 2021-12-13 14:34:49 -06:00
Jared Kirschner 757236007a http: improve 404 Not Found response message
When a URL path is not found, return a non-empty message with the 404 status
code to help the user understand what went wrong. If the URL path was not
prefixed with '/v1/', suggest that may be the cause of the problem (which is a
common mistake).
2021-12-13 11:03:25 -08:00
Freddy f7eeffb98d
Use anonymousToken when querying by secret ID (#11813)
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Dan Upton <daniel@floppy.co>

This query has been incorrectly querying by accessor ID since New ACLs
were added. However, the legacy token compat allowed this to continue to
work, since it made a fallback query for the anonymousToken ID.

PR #11184 removed this legacy token query, which means that the query by
accessor ID is now the only check for the anonymous token's existence.

This PR updates the GetBySecret call to use the secret ID of the token.
2021-12-13 10:56:09 -07:00
R.B. Boyer a0156785dd
various partition related todos (#11822) 2021-12-13 11:43:33 -06:00
John Cowen 45d97f080f
ui: Add version information back into the footer (#11803) 2021-12-13 15:54:58 +00:00
John Cowen b8888fc0f2
ui: Disable setting wildcard partitions for intentions (#11804) 2021-12-13 15:42:10 +00:00
John Cowen ca04a62702
ui: Change the URL prefix of partitions from `-` to `_` (#11801) 2021-12-13 15:39:56 +00:00
John Cowen 56525615ec
ui: Fix a problem showing the default part in a non-primary (#11800)
When switching to a non-primary datacenter we should only show the word 'default' in place of the partition menu, this fixes up a bug preventing that from happening due to erroneous if/let nesting
2021-12-13 15:08:24 +00:00
John Cowen 75343efcc9
ui: Prefer shorter partition word in certain places vs Admin Partition (#11772) 2021-12-13 15:04:35 +00:00
John Cowen 470fce1e07
ui: Ensure we show a special readonly page for intentions (#11767) 2021-12-13 15:02:36 +00:00
John Cowen 4734d0989c
ui: reuse BucketList for intention view pages (#11765) 2021-12-13 15:00:51 +00:00
Kyle Havlovitz b9e1dcde1c
Merge pull request #11812 from hashicorp/metrics-ui-acls
oss: use wildcard partition in metrics proxy ui endpoint
2021-12-10 16:24:47 -08:00
Kyle Havlovitz 9187070a93
Merge pull request #11798 from hashicorp/vip-goroutine-check
leader: move the virtual IP version check into a goroutine
2021-12-10 15:59:35 -08:00
Kyle Havlovitz ad9c104816 acl: use wildcard partition in metrics proxy ui endpoint 2021-12-10 15:58:17 -08:00
Kyle Havlovitz dc84a8bae3
Merge pull request #11809 from hashicorp/vip-counter-fix
state: fix freed VIP table id index
2021-12-10 15:06:27 -08:00
Kyle Havlovitz 45402dad63 state: fix freed VIP table id index 2021-12-10 14:41:45 -08:00
Kyle Havlovitz ccc119c549 Exit before starting the vip check routine if possible 2021-12-10 14:30:50 -08:00
Chris S. Kim db6c2663be
Update CI and release go versions to 1.17.5 (#11799) 2021-12-10 14:04:56 -05:00
Evan Culver db7c814722
connect: update SNI label extraction to support new taxonomy for partitions (#11786) 2021-12-10 10:26:22 -08:00
John Cowen c6c1b9f13a
ui: Change partitions to expect `[]` from the API (#11791) 2021-12-10 14:41:08 +00:00
Freddy 374be91fa6
Update stray ref to old admin-partition cmd (#11797) 2021-12-09 19:10:01 -07:00
Kyle Havlovitz 2a52630067 leader: move the virtual IP version check into a goroutine 2021-12-09 17:00:33 -08:00
FFMMM 336a234927
[sync ent] increase segment max limit to 4*64, make configurable (#1424) (#11795)
* commit b6eb27563e747a78b7647d2b5da405e46364cc46
Author: FFMMM <FFMMM@users.noreply.github.com>
Date:   Thu Dec 9 13:53:44 2021 -0800

    increase segment max limit to 4*64, make configurable (#1424)

    Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

* fix: rename ent changelog file

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-12-09 15:36:11 -08:00
R.B. Boyer 357eea6155
update changelog for ent feature (#11794) 2021-12-09 16:44:14 -06:00
Matt Keeler 431de5e3dd
Various Boltdb/Raft Documentation Updates (#11793)
* Documenting the new raft_boltdb configuration options
* Add documentation around new boltdb metrics.
* Correct documentation for the consul.raft.fsm.apply metric
2021-12-09 16:18:59 -05:00
haxandmat bb992667de
Improved performance of the version.GetHumanVersion function by 50% on memory allocation. (#11507)
Co-authored-by: Evan Culver <eculver@hashicorp.com>
2021-12-09 13:14:06 -08:00
Chris S. Kim ead530bc48
Add partitions to prettyformatters (#11789) 2021-12-09 15:58:45 -05:00
Daniel Nephin ded49b3ab0
Merge pull request #11780 from hashicorp/dnephin/ca-test-vault-in-secondary
ca: improve test coverage for RenewIntermediate
2021-12-09 12:29:43 -05:00
Brandon Romano 0d2b0d2ddf
Update alert banner (#11790) 2021-12-09 12:09:47 -05:00
R.B. Boyer 5f6bf4e756
agent: ensure service maintenance checks for matching partitions ahead of other errors (#11788)
This matches behavior in most other agent api endpoints.
2021-12-09 10:05:02 -06:00
John Cowen 4ddc2b4481
ui: Amends to Routing visualization for partitions (#11747)
* Update disco fixtures now we have partitions

* Add virtual-admin-6 fixture with partition 'redirects' and failovers

* Properly cope with extra partition segment for splitters and resolvers

* Make 'redirects' and failovers look/act consistently

* Fixup some unit tests
2021-12-09 10:47:58 +00:00
John Cowen 27c85bcea0
ui: Fixup notifications for tokens using and topology intention saving (#11763) 2021-12-09 09:45:24 +00:00
John Cowen a104b0e9da
ui: Make 'dangerous' buttons have white text even in dark theme (#11756) 2021-12-09 09:37:28 +00:00
Ashwin Venkatesh 4e7c982fc3
update docs (#11784) 2021-12-08 21:21:46 -05:00
Daniel Nephin e6615bdaa7 fix misleading errors on vault shutdown 2021-12-08 18:42:52 -05:00
Daniel Nephin 15c4de0c15 ca: prune some unnecessary lookups in the tests 2021-12-08 18:42:52 -05:00
Daniel Nephin bf798094d5 ca: remove duplicate WaitFor function 2021-12-08 18:42:52 -05:00
Daniel Nephin 984986f007 ca: fix flakes in RenewIntermediate tests
I suspect one problem was that we set structs.IntermediateCertRenewInterval to 1ms, which meant
that in some cases the intermediate could renew before we stored the original value.

Another problem was that the 'wait for intermediate' loop was calling the provider.ActiveIntermediate,
but the comparison needs to use the RPC endpoint to accurately represent a user request. So
changing the 'wait for' to use the state store ensures we don't race.

Also moves the patching into a separate function.

Removes the addition of ca.CertificateTimeDriftBuffer as part of calculating halfTime. This was added
in a previous commit to attempt to fix the flake, but it did not appear to fix the problem. Adding the
time here was making the tests fail when using the shared patch
function. It's not clear to me why, but there's no reason we should be
including this time in the halfTime calculation.
2021-12-08 18:42:52 -05:00
Daniel Nephin bc7ec4455f ca: improve RenewIntermediate tests
Use the new verifyLearfCert to show the cert verifies with intermediates
from both sources. This required using the RPC interface so that the
leaf pem was constructed correctly.

Add IndexedCARoots.Active since that is a common operation we see in a
few places.
2021-12-08 18:42:52 -05:00
Daniel Nephin 0784073d5e ca: add a test for Vault in secondary DC 2021-12-08 18:42:51 -05:00
Daniel Nephin 373f445db5 ca: Add CARoots.Active method
Which will be used in the next commit.
2021-12-08 18:41:51 -05:00
R.B. Boyer 2f345cca33
acl: ensure that the agent recovery token is properly partitioned (#11782) 2021-12-08 17:11:55 -06:00