* docs/connect add link to intentions and minor phrasing change
* docs/connect pluralize 'applications'
* Update website/source/docs/connect/connect-internals.html.md
Co-Authored-By: Paul Banks <banks@banksco.de>
* Add contributing dir with Config file checklist and modify contribution guides
* Apply suggestions from code review
Co-Authored-By: Chris Piraino <cpiraino@hashicorp.com>
Co-authored-by: Chris Piraino <piraino.chris@gmail.com>
* Renamed structs.IntentionWildcard to structs.WildcardSpecifier
* Refactor ACL Config
Get rid of remnants of enterprise only renaming.
Add a WildcardName field for specifying what string should be used to indicate a wildcard.
* Add wildcard support in the ACL package
For read operations they can call anyAllowed to determine if any read access to the given resource would be granted.
For write operations they can call allAllowed to ensure that write access is granted to everything.
* Make v1/agent/connect/authorize namespace aware
* Update intention ACL enforcement
This also changes how intention:read is granted. Before, the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However, Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Match's previous behavior.
Due to this being done in a few different places, ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself.
* Refactor Intention.Apply to make things easier to follow.
Sometimes, we have lots of errors in cross calls between DCs (several hundreds / sec)
Enrich the log in order to help diagnose the root cause of the issue.
Before we were issuing 1 watch for every service in the services listing which would have caused the agent to process many more identical events simultaneously.
* added disclaimer about network segments due to Serf limitations
using work made at https://github.com/hashicorp/consul/pull/6558 by @thepomeranian
* Lowercasing functionality name
* Update website/source/docs/enterprise/network-segments/index.html.md
Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
Co-authored-by: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
* Azure MSI documentation
Adding in note about support for Azure MSI authentication method for Cloud auto-join
* fixing text formatting
fixing text formatting
* missing word
missing word - variable
* Update website/source/docs/agent/cloud-auto-join.html.md
Language change to be specific about where the security risk mitigation is concerned
Co-Authored-By: Jack Pearkes <jackpearkes@gmail.com>
Co-authored-by: Jack Pearkes <jackpearkes@gmail.com>
The global.bootstrapACLs key in the Helm chart docs was inadvertently
moved to a top-level key in commit 12e6ef8, which is incorrect.
This commit reverts that error.
Restore a few more service-kind index updates so blocking in ServiceDump works in more cases
Namely one omission was that check updates for dumped services were not
unblocking.
Also adds a ServiceDump state store test and also fixes a watch bug with the
normal dump.
Follow-on from #6916
* Handle discard all logfiles properly
Fixes https://github.com/hashicorp/consul/issues/6892.
The [docs](https://www.consul.io/docs/agent/options.html#_log_rotate_max_files) are stating:
> -log-rotate-max-files - to specify the maximum number of older log
> file archives to keep. Defaults to 0 (no files are ever deleted). Set to
> -1 to disable rotation and discard all log files.
But the `-1` case was not implemented and led to a panic when being
used.
Co-Authored-By: Freddy <freddygv@users.noreply.github.com>
- website: embed yt videos on intro pages
- for /docs/connect
- for /intro
- css to handle iframe responding at smaller viewports
- Update consul connect video with introductory description. Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
- Update consul connect intro with introductory description. Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
• Renamed EnterpriseACLConfig to just Config
• Removed chained_authorizer_oss.go as it was empty
• Renamed acl.go to errors.go to more closely describe its contents
* Remove empty init
* Actually make the disco chain endpoint send the nspace, note:
The backend doesn't support this as yet.
* Tweak the font size of flash-messages ever so slightly
* Make sure the nspace menu is kept up to date when creating a new one
* Move comment to the correct place
* Only refresh the namespace menu if you specifically created a nspace
* Change FIXMEs to TODOs as we are happy for these to wait until later
* Add data layer for discovery chain (model/adapter/serializer/repo)
* Add routing plus template for routing tab
* Add extra deps - consul-api-double upgrade plus ngraph for graphing
* Add discovery-chain and related components and helpers:
1. discovery-chain to orchestrate/view controller
2. route-card, splitter-card, resolver card to represent the 3 different
node types.
3. route-match helper for easy formatting of route rules
4. dom-position to figure out where things are in order to draw lines
5. svg-curve, simple wrapper around svg's <path d=""> attribute format.
6. data-structs service. This isn't super required but we are using
other data-structures provided by other third party npm modules in other
yet to be merged PRs. All of these types of things will live here for
easy access/injection/changeability
7. Some additions to our css-var 'polyfill' for a couple of extra needed
rules
* Related CSS for discovery chain
1. We add a %card base component here, eventually this will go into our
base folder and %stats-card will also use it for a base component.
2. New icon for failovers
* ui: Discovery Chain Continued (#6939)
1. Add in the things we use for the animations
2. Use IntersectionObserver so we know when the tab is visible,
otherwise the dom-position helper won't work as the dom elements don't
have any display.
3. Add some base work for animations and use them a little
4. Try to detect if a resolver is a redirect. Right now this works for
datacenters and namespaces, but it can't work for services and subsets -
we are awaiting backend support for doing this properly.
5. Add a fake 'this service has no routes' route that says 'Default'
6. redirect icon
7. Add CSS.escape polyfill for Edge
Adds namespace support to the UI:
1. Namespace CRUD/management
2. Show Namespace in relevant areas (intentions, upstreams)
3. Main navigation bar improvements
4. Logic/integration to interact with a new `internal/acl/authorize` endpoint