Kyle Havlovitz
fd83063686
autopilot: don't follow the normal server removal rules for nonvoters
2018-08-14 14:24:51 -07:00
Kyle Havlovitz
aa19559cc7
Fix stats fetcher healthcheck RPCs not being independent
2018-08-14 14:23:52 -07:00
Pierre Souchay
a16f34058b
Display more information about check being not properly added when it fails ( #4405 )
...
* Display more information about check being not properly added when it fails
It follows an incident where we add lots of error messages:
[WARN] consul.fsm: EnsureRegistration failed: failed inserting check: Missing service registration
That seems related to Consul failing to restart on respective agents.
Having Node information as well as service information would help diagnose the issue.
* Renamed ensureCheckIfNodeMatches() as requested by @banks
2018-08-14 17:45:33 +01:00
Freddy
cbe61dfcec
Improve reliability of tests with TestAgent ( #4525 )
...
- Add WaitForTestAgent to tests flaky due to missing serfHealth registration
- Fix bug in retries calling Fatalf with *testing.T
- Convert TestLockCommand_ChildExitCode to table driven test
2018-08-14 12:08:33 -04:00
Pierre Souchay
821a91ca31
Allow to rename nodes with IDs, will fix #3974 and #4413 ( #4415 )
...
* Allow to rename nodes with IDs, will fix #3974 and #4413
This change allow to rename any well behaving recent agent with an
ID to be renamed safely, ie: without taking the name of another one
with case insensitive comparison.
Deprecated behaviour warning
----------------------------
Due to asceding compatibility, it is still possible however to
"take" the name of another name by not providing any ID.
Note that when not providing any ID, it is possible to have 2 nodes
having similar names with case differences, ie: myNode and mynode
which might lead to DB corruption on Consul server side and
lead to server not properly restarting.
See #3983 and #4399 for Context about this change.
Disabling registration of nodes without IDs as specified in #4414
should probably be the way to go eventually.
* Removed the case-insensitive search when adding a node within the else
block since it breaks the test TestAgentAntiEntropy_Services
While the else case is probably legit, it will be fixed with #4414 in
a later release.
* Added again the test in the else to avoid duplicated names, but
enforce this test only for nodes having IDs.
Thus most tests without any ID will work, and allows us fixing
* Added more tests regarding request with/without IDs.
`TestStateStore_EnsureNode` now test registration and renaming with IDs
`TestStateStore_EnsureNodeDeprecated` tests registration without IDs
and tests removing an ID from a node as well as updated a node
without its ID (deprecated behaviour kept for backwards compatibility)
* Do not allow renaming in case of conflict, including when other node has no ID
* Fixed function GetNodeID that was not working due to wrong type when searching node from its ID
Thus, all tests about renaming were not working properly.
Added the full test cas that allowed me to detect it.
* Better error messages, more tests when nodeID is not a valid UUID in GetNodeID()
* Added separate TestStateStore_GetNodeID to test GetNodeID.
More complete test coverage for GetNodeID
* Added new unit test `TestStateStore_ensureNoNodeWithSimilarNameTxn`
Also fixed comments to be clearer after remarks from @banks
* Fixed error message in unit test to match test case
* Use uuid.ParseUUID to parse Node.ID as requested by @mkeeler
2018-08-10 11:30:45 -04:00
Siva Prasad
d98d02777f
PR to fix TestAgent_IndexChurn and TestPreparedQuery_Wrapper. ( #4512 )
...
* Fixes TestAgent_IndexChurn
* Fixes TestPreparedQuery_Wrapper
* Increased sleep in agent_test for IndexChurn to 500ms
* Made the comment about joinWAN operation much less of a cliffhanger
2018-08-09 12:40:07 -04:00
Armon Dadgar
a343392f63
consul: Update buffer sizes
2018-08-08 10:26:58 -07:00
Siva Prasad
cfa436dc16
Revert "CA initialization while boostrapping and TestLeader_ChangeServerID fix." ( #4497 )
...
* Revert "BUGFIX: Unit test relying on WaitForLeader() did not work due to wrong test (#4472 )"
This reverts commit cec5d7239621e0732b3f70158addb1899442acb3.
* Revert "CA initialization while boostrapping and TestLeader_ChangeServerID fix. (#4493 )"
This reverts commit 589b589b53e56af38de25db9b56967bdf1f2c069.
2018-08-07 08:29:48 -04:00
Pierre Souchay
fd927ea110
BUGFIX: Unit test relying on WaitForLeader() did not work due to wrong test ( #4472 )
...
- Improve resilience of testrpc.WaitForLeader()
- Add additionall retry to CI
- Increase "go test" timeout to 8m
- Add wait for cluster leader to several tests in the agent package
- Add retry to some tests in the api and command packages
2018-08-06 19:46:09 -04:00
Siva Prasad
29c181f5fa
CA initialization while boostrapping and TestLeader_ChangeServerID fix. ( #4493 )
...
* connect: fix an issue with Consul CA bootstrapping being interrupted
* streamline change server id test
2018-08-06 16:15:24 -04:00
Siva Prasad
dcd7d9b015
DNS : Fixes recursors answering the DNS query to properly return the correct response. ( #4461 )
...
* Fixes the DNS recursor properly resolving the requests
* Added a test case for the recursor bug
* Refactored code && added a test case for all failing recursors
* Inner indentation moved into else if check
2018-08-02 10:12:52 -04:00
Paul Banks
496af9061e
Fixes memory leak when blocking on /event/list ( #4482 )
2018-08-02 14:54:48 +01:00
mkeeler
0b775e1645
Release v1.2.2
2018-07-30 16:01:13 +00:00
Matt Keeler
cbd0afc87c
Handle resolving proxy tokens when parsing HTTP requests ( #4453 )
...
Fixes : #4441
This fixes the issue with Connect Managed Proxies + ACLs being broken.
The underlying problem was that the token parsed for most http endpoints was sent untouched to the servers via the RPC request. These changes make it so that at the HTTP endpoint when parsing the token we additionally attempt to convert potential proxy tokens into regular tokens before sending to the RPC endpoint. Proxy tokens are only valid on the agent with the managed proxy so the resolution has to happen before it gets forwarded anywhere.
2018-07-30 09:11:51 -04:00
Matt Keeler
5c7c58ed26
Gossip tuneables ( #4444 )
...
Expose a few gossip tuneables for both lan and wan interfaces
gossip_nodes
gossip_interval
probe_timeout
probe_interval
retransmit_mult
suspicion_mult
2018-07-26 11:39:49 -04:00
Kyle Havlovitz
42ab07b398
fix inconsistency in TestConnectCAConfig_GetSet
2018-07-26 07:46:47 -07:00
Paul Banks
25628f0e69
Add config option to disable HTTP printable char path check ( #4442 )
2018-07-26 13:53:39 +01:00
Kyle Havlovitz
ecc02c6aee
Merge pull request #4400 from hashicorp/leaf-cert-ttl
...
Add configurable leaf cert TTL to Connect CA
2018-07-25 17:53:25 -07:00
Kyle Havlovitz
68d7a9fbd3
connect/ca: simplify passing of leaf cert TTL
2018-07-25 17:51:45 -07:00
Siva Prasad
a5ebab63e7
Vendoring update for go-discover. ( #4412 )
...
* New Providers added and updated vendoring for go-discover
* Vendor.json formatted using make vendorfmt
* Docs/Agent/auto-join: Added documentation for the new providers introduced in this PR
* Updated the golang.org/x/sys/unix in the vendor directory
* Agent: TestGoDiscoverRegistration updated to reflect the addition of new providers
* Deleted terraform.tfstate from vendor.
* Deleted terraform.tfstate.backup
Deleted terraform state file artifacts from unknown runs.
* Updated x/sys/windows vendor for Windows binary compilation
2018-07-25 16:21:04 -07:00
Paul Banks
217137b775
Fixes #4421 : General solution to stop blocking queries with index 0 ( #4437 )
...
* Fix theoretical cache collision bug if/when we use more cache types with same result type
* Generalized fix for blocking query handling when state store methods return zero index
* Refactor test retry to only affect CI
* Undo make file merge
* Add hint to error message returned to end-user requests if Connect is not enabled when they try to request cert
* Explicit error for Roots endpoint if connect is disabled
* Fix tests that were asserting old behaviour
2018-07-25 20:26:27 +01:00
Paul Banks
17de36c36e
Allow config-file based Service Definitions for unmanaged proxies and Connect-natice apps. ( #4443 )
2018-07-25 19:55:41 +01:00
Paul Banks
feeea60dea
Ooops that was meant to be to a branch no master... EMORECOFFEE
...
Revert "Add config option to disable HTTP printable char path check"
This reverts commit eebe45a47b4df5c0271b17f0fd1bd85db8bdefca.
2018-07-25 15:54:11 +01:00
Paul Banks
d6c16dd0ad
Add config option to disable HTTP printable char path check
2018-07-25 15:52:37 +01:00
Paul Banks
186987874c
Merge pull request #4353 from azam/add-serf-lan-wan-port-args
...
Make RPC, Serf LAN, Serf WAN port configurable from CLI
2018-07-24 12:33:10 +01:00
Kyle Havlovitz
a125735d76
connect/ca: check LeafCertTTL when rotating expired roots
2018-07-20 16:04:04 -07:00
Mitchell Hashimoto
5c42dacef4
Merge pull request #4320 from hashicorp/f-alias-check
...
Add "Alias" Check Type
2018-07-20 13:01:33 -05:00
azam
5290d69cb3
Make Serf LAN & WAN port configurable from CLI
...
Make RPC port accessible to CLI
Add tests and documentation for server-port, serf-lan-port, serf-wan-port CLI arguments
2018-07-21 02:17:21 +09:00
Mitchell Hashimoto
dedc5ad69f
agent/local: silly spacing on select statements
2018-07-19 14:21:30 -05:00
Mitchell Hashimoto
e42ca78c5d
agent/local: address remaining test feedback
2018-07-19 14:20:50 -05:00
Matt Keeler
95e8f795df
Use the agent logger instead of log module
2018-07-19 11:22:01 -04:00
Matt Keeler
a89dab55d3
Update a couple erroneous tests.
2018-07-19 09:20:51 -04:00
Mitchell Hashimoto
81f6486fb5
agent/local: don't use time.After in test since notify is instant
2018-07-18 16:16:28 -05:00
Matt Keeler
953b72318f
Persist proxies from config files
...
Also change how loadProxies works. Now it will load all persisted proxies into a map, then when loading config file proxies will look up the previous proxy token in that map.
2018-07-18 17:04:35 -04:00
Kyle Havlovitz
45ec8849f3
connect/ca: add configurable leaf cert TTL
2018-07-16 13:33:37 -07:00
Matt Keeler
9f8991e0cc
Fix issue with choosing a client addr that is 0.0.0.0 or ::
2018-07-16 16:30:15 -04:00
Mitchell Hashimoto
5159c0341c
agent/checks: prevent overflow of backoff
2018-07-12 10:21:49 -07:00
Mitchell Hashimoto
65bbc12d69
agent: use the correct ACL token for alias checks
2018-07-12 10:17:53 -07:00
Mitchell Hashimoto
5889a3b6ff
agent: address some basic feedback
2018-07-12 09:36:11 -07:00
Mitchell Hashimoto
99ead8324f
agent: alias checks have no interval
2018-07-12 09:36:11 -07:00
Mitchell Hashimoto
b12d8ae179
agent/structs: check is alias if node is empty
2018-07-12 09:36:11 -07:00
Mitchell Hashimoto
00d95f9214
agent/checks: support node-only checks
2018-07-12 09:36:11 -07:00
Mitchell Hashimoto
275d2b929a
agent/checks: set critical if RPC fails
2018-07-12 09:36:11 -07:00
Mitchell Hashimoto
175e74972d
agent/checks: use local state for local services
2018-07-12 09:36:11 -07:00
Mitchell Hashimoto
3177d1719d
agent/local: support local alias checks
2018-07-12 09:36:10 -07:00
Mitchell Hashimoto
75ea0a1ee7
agent: run alias checks
2018-07-12 09:36:10 -07:00
Mitchell Hashimoto
0c4cd2df01
agent/checks: reflect node failure as alias check failure
2018-07-12 09:36:10 -07:00
Mitchell Hashimoto
3cbdade3b8
agent/config: support configuring alias check
2018-07-12 09:36:10 -07:00
Mitchell Hashimoto
10d68ec56f
agent/checks: add Alias check type
2018-07-12 09:36:09 -07:00
mkeeler
ba67087e3c
Release v1.2.1
2018-07-12 16:33:56 +00:00
Matt Keeler
cc46d59269
Merge pull request #4379 from hashicorp/persist-intermediates
...
connect: persist intermediate CAs on leader change
2018-07-12 12:09:13 -04:00
Paul Banks
6fe7faa554
Merge pull request #4381 from hashicorp/proxy-check-default
...
Proxy check default
2018-07-12 17:08:35 +01:00
Matt Keeler
965fc9cf62
Revert "Allow changing Node names since Node now have IDs"
2018-07-12 11:19:21 -04:00
Matt Keeler
d8a4d9137b
Fixup formatting
2018-07-12 10:14:26 -04:00
Matt Keeler
d63c5807cf
Revert PR 4294 - Catalog Register: Generate UUID for services registered without one
...
UUID auto-generation here causes trouble in a few cases. The biggest being older
nodes reregistering will fail when the UUIDs are different and the names match
This reverts commit 0f700340828f464449c2e0d5a82db0bc5456d385.
This reverts commit d1a8f9cb3f6f48dd9c8d0bc858031ff6ccff51d0.
This reverts commit cf69ec42a418ab6594a6654e9545e12160f30970.
2018-07-12 10:06:50 -04:00
Matt Keeler
0a365b1a4f
Merge pull request #4374 from hashicorp/feature/proxy-env-vars
...
Setup managed proxy environment with API client env vars
2018-07-12 09:13:54 -04:00
Paul Banks
8b54b87599
Update proxy config docs and add test for ipv6
2018-07-12 13:07:48 +01:00
Paul Banks
9223102331
Default managed proxy TCP check address sanely when proxy is bound to 0.0.0.0.
...
This also provides a mechanism to configure custom address or disable the check entirely from managed proxy config.
2018-07-12 12:57:10 +01:00
Matt Keeler
eccadda019
Set api.Config’s InsecureSkipVerify to the value of !RuntimeConfig.VerifyOutgoing
2018-07-12 07:49:23 -04:00
Matt Keeler
240e2affcd
Use type switch instead of .Network for more reliably detecting UnixAddrs
2018-07-12 07:30:17 -04:00
Matt Keeler
09ff064bc7
Look specifically for tcp instead of unix
...
Add runtime -> api.Config tests
2018-07-11 17:25:36 -04:00
Matt Keeler
ebf3319211
Update proxy manager test - test passing ProxyEnv vars
2018-07-11 16:50:27 -04:00
Kyle Havlovitz
2a40f93ac8
connect: use reflect.DeepEqual instead for test
2018-07-11 13:10:58 -07:00
Matt Keeler
42729d5aff
Merge pull request #3983 from pierresouchay/node_renaming
...
Allow changing Node names since Node now have IDs
2018-07-11 16:03:02 -04:00
Kyle Havlovitz
f9a35a9338
connect: add provider state to snapshots
2018-07-11 11:34:49 -07:00
Kyle Havlovitz
9c21cc7ac9
connect: update leader initializeCA comment
2018-07-11 10:00:42 -07:00
Kyle Havlovitz
db254f0991
connect: persist intermediate CAs on leader change
2018-07-11 09:44:30 -07:00
Matt Keeler
1e5e9fd8cd
PR Updates
...
Proxy now doesn’t need to know anything about the api as we pass env vars to it instead of the api config.
2018-07-11 09:44:54 -04:00
Matt Keeler
bda7cb1448
Merge pull request #4371 from hashicorp/bugfix/gh-4358
...
Remove https://prefix from TLSConfig.Address
2018-07-11 08:50:10 -04:00
Pierre Souchay
3d0a960470
When renaming a node, ensure the name is not taken by another node.
...
Since DNS is case insensitive and DB as issues when similar names with different
cases are added, check for unicity based on case insensitivity.
Following another big incident we had in our cluster, we also validate
that adding/renaming a not does not conflicts with case insensitive
matches.
We had the following error once:
- one node called: mymachine.MYDC.mydomain was shut off
- another node (different ID) was added with name: mymachine.mydc.mydomain before
72 hours
When restarting the consul server of domain, the consul server restarted failed
to start since it detected an issue in RAFT database because
mymachine.MYDC.mydomain and mymachine.mydc.mydomain had the same names.
Checking at registration time with case insensitivity should definitly fix
those issues and avoid Consul DB corruption.
2018-07-11 14:42:54 +02:00
Matt Keeler
a124512ce3
Merge pull request #4365 from pierresouchay/fix_test_warning
...
Fixed compilation warning about wrong type
2018-07-10 16:53:29 -04:00
Matt Keeler
358e6c8f6a
Pass around an API Config object and convert to env vars for the managed proxy
2018-07-10 12:13:51 -04:00
Pierre Souchay
988acfdc67
Use %q, not %s as it used to
2018-07-10 16:52:08 +02:00
Matt Keeler
86ce52d0d3
Merge remote-tracking branch 'origin/master' into bugfix/prevent-multi-cname
2018-07-10 10:26:45 -04:00
Matt Keeler
22c5951ec4
Merge pull request #4303 from pierresouchay/non_blocking_acl
...
Only send one single ACL cache refresh across network when TTL is over
2018-07-10 08:57:33 -04:00
Matt Keeler
2762586b0e
Merge pull request #4362 from hashicorp/bugfix/gh-4354
...
Ensure TXT RRs always end up in the Additional section except for ANY or TXT queries
2018-07-10 08:50:31 -04:00
Pierre Souchay
455d8fbea6
Fixed compilation warning about wrong type
...
It fixes the following warnings:
agent/config/builder.go:1201: Errorf format %q has arg s of wrong type *string
agent/config/builder.go:1240: Errorf format %q has arg s of wrong type *string
2018-07-09 23:43:56 +02:00
Paul Banks
dae66b1afc
Merge pull request #4038 from pierresouchay/ACL_additional_info
...
Track calls blocked by ACLs using metrics
2018-07-09 20:21:21 +01:00
MagnumOpus21
9bc5fe7fe5
Tests/Proxy : Changed function name to match the system being tested.
2018-07-09 13:18:57 -04:00
MagnumOpus21
3a00c5a834
Resolved merge conflicts
2018-07-09 12:48:34 -04:00
MagnumOpus21
0b50b84429
Agent/Proxy: Formatting and test cases fix
2018-07-09 12:46:10 -04:00
Matt Keeler
115893b7d8
Remove https://prefix from TLSConfig.Address
2018-07-09 12:31:15 -04:00
Matt Keeler
a26deb44cf
Ensure TXT RRs always end up in the Additional section except for ANY or TXT queries
...
This also changes where the enforcement of the enable_additional_node_meta_txt configuration gets applied.
formatNodeRecord returns the main RRs and the meta/TXT RRs in separate slices. Its then up to the caller to add to the appropriate sections or not.
2018-07-09 12:30:11 -04:00
MagnumOpus21
f0af60612c
Proxy/Tests: Added test cases to check env variables
2018-07-09 12:28:29 -04:00
MagnumOpus21
4a8814ea01
Agent/Proxy : Properly passes env variables to child
2018-07-09 12:28:29 -04:00
Pierre Souchay
9128de5b11
Merge remote-tracking branch 'origin/master' into ACL_additional_info
2018-07-07 14:09:18 +02:00
Pierre Souchay
135ac85b21
Fixed indentation in test
2018-07-07 14:03:34 +02:00
Kyle Havlovitz
883b2a518a
Store the time CARoot is rotated out instead of when to prune
2018-07-06 16:05:25 -07:00
MagnumOpus21
e79f630adf
Agent/Proxy : Properly passes env variables to child
2018-07-05 22:04:29 -04:00
Matt Keeler
e9390fb5c7
Refactor to make this much less confusing
2018-07-03 11:04:19 -04:00
Matt Keeler
4d1bdd8fdb
Add a bunch of comments about preventing multi-cname
...
Hopefully this a bit clearer as to the reasoning
2018-07-03 10:32:52 -04:00
Matt Keeler
22cc44877d
Fix some edge cases and add some tests.
2018-07-02 16:58:52 -04:00
Matt Keeler
e3859b4f04
Only allow 1 CNAME when querying for a service.
...
This just makes sure that if multiple services are registered with unique service addresses that we don’t blast back multiple CNAMEs for the same service DNS name and keeps us within the DNS specs.
2018-07-02 16:12:06 -04:00
Kyle Havlovitz
3c520019e9
connect/ca: add logic for pruning old stale RootCA entries
2018-07-02 10:35:05 -07:00
Matt Keeler
ad40be86d5
Merge pull request #4315 from hashicorp/bugfix/fix-server-enterprise
...
Move starting enterprise functionality
2018-07-02 12:28:10 -04:00
Pierre Souchay
95a0ab9f99
Updated swith case to use same branch for async-cache and extend-cache
2018-07-02 17:39:34 +02:00
Pierre Souchay
6dfbbf1350
Updated documentation and adding more test case for async-cache
2018-07-01 23:50:30 +02:00
Pierre Souchay
382bec0897
Added async-cache with similar behaviour as extend-cache but asynchronously
2018-07-01 23:50:30 +02:00
Pierre Souchay
da9c91fd3d
Only send one single ACL cache refresh across network when TTL is over
...
It will allow the following:
* when connectivity is limited (saturated linnks between DCs), only one
single request to refresh an ACL will be sent to ACL master DC instead
of statcking ACL refresh queries
* when extend-cache is used for ACL, do not wait for result, but refresh
the ACL asynchronously, so no delay is not impacting slave DC
* When extend-cache is not used, keep the existing blocking mechanism,
but only send a single refresh request.
This will fix https://github.com/hashicorp/consul/issues/3524
2018-07-01 23:50:30 +02:00
Abhishek Chanda
37377d8779
Change bind_port to an int
2018-06-30 14:18:13 +01:00
Matt Keeler
02719c52ff
Move starting enterprise functionality
2018-06-29 17:38:29 -04:00
Mitchell Hashimoto
f213c55723
agent/config: parse upstreams with multiple service definitions
2018-06-28 15:13:33 -05:00
Mitchell Hashimoto
b6969b336b
Merge pull request #4297 from hashicorp/b-intention-500-2
...
agent: 400 error on invalid UUID format, api handles errors properly
2018-06-28 05:27:19 +02:00
Matt Keeler
66af873639
Move default uuid test into the consul package
2018-06-27 09:21:58 -04:00
Matt Keeler
dbc407cec9
go fmt changes
2018-06-27 09:07:22 -04:00
Mitchell Hashimoto
03b683f702
agent: 400 error on invalid UUID format, api handles errors properly
2018-06-27 07:40:06 +02:00
Matt Keeler
95291ec5ed
Make sure to generate UUIDs when services are registered without one
...
This makes the behavior line up with the docs and expected behavior
2018-06-26 17:04:08 -04:00
mkeeler
f8355d608a
Release v1.2.0
2018-06-25 19:45:20 +00:00
mkeeler
1da3c42867
Merge remote-tracking branch 'connect/f-connect'
2018-06-25 19:42:51 +00:00
Kyle Havlovitz
d436463d75
revert go changes to hide rotation config
2018-06-25 12:26:18 -07:00
Kyle Havlovitz
837f23441d
connect/ca: hide the RotationPeriod config field since it isn't used yet
2018-06-25 12:26:18 -07:00
Mitchell Hashimoto
54ad6fc050
agent: convert the proxy bind_port to int if it is a float
2018-06-25 12:26:18 -07:00
Matt Keeler
b3ba709b3d
Remove x509 name constraints
...
These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
2018-06-25 12:26:10 -07:00
Matt Keeler
8b27c3268a
Make sure we omit the Kind value in JSON if empty
2018-06-25 12:26:10 -07:00
Jack Pearkes
0c43a0f448
update UI to latest
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
859eaea5c4
connect/ca: pull the cluster ID from config during a rotation
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
a67bfa2c1b
connect/ca: use weak type decoding in the Vault config parsing
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
fcc5dc6110
connect/ca: leave blank root key/cert out of the default config (unnecessary)
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
f3089a6647
connect/ca: undo the interface changes and use sign-self-issued in Vault
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
f79e3e3fa5
connect/ca: add leaf verify check to cross-signing tests
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
cea94d0bcf
connect/ca: update Consul provider to use new cross-sign CSR method
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
675555c4ff
connect/ca: update Vault provider to add cross-signing methods
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
a97c44c1ba
connect/ca: add URI SAN support to the Vault provider
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
7b0845ccde
connect/ca: fix vault provider URI SANs and test
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
a98b85b25c
connect/ca: add the Vault CA provider
2018-06-25 12:25:41 -07:00
Paul Banks
6ecc0c8099
Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
2018-06-25 12:25:41 -07:00
Paul Banks
b4fbeb0453
Note leadership issues in comments
2018-06-25 12:25:41 -07:00
Paul Banks
21fb98ad5a
Fix test broken by final telemetry PR change!
2018-06-25 12:25:40 -07:00
Paul Banks
824a9b4943
Actually return Intermediate certificates bundled with a leaf!
2018-06-25 12:25:40 -07:00
Matt Keeler
cbf31a467f
Output the service Kind in the /v1/internal/ui/services endpoint
2018-06-25 12:25:40 -07:00
Paul Banks
1d6e1ace11
register TCP check for managed proxies
2018-06-25 12:25:40 -07:00
Paul Banks
d1810ba338
Make proxy only listen after initial certs are fetched
2018-06-25 12:25:40 -07:00
Paul Banks
42e28fa4d1
Limit proxy telemetry config to only be visible with authenticated with a proxy token
2018-06-25 12:25:39 -07:00
Paul Banks
ba6e909ed7
Misc test fixes
2018-06-25 12:25:39 -07:00
Paul Banks
ca68136ac7
Refactor to use embedded struct.
2018-06-25 12:25:39 -07:00
Paul Banks
6deadef6bd
Revert telemetry config changes ready for cleaner approach
2018-06-25 12:25:39 -07:00
Paul Banks
fd3681f35b
Allow user override of proxy telemetry config
2018-06-25 12:25:38 -07:00
Paul Banks
ff162ffdde
Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about
2018-06-25 12:25:38 -07:00
Paul Banks
ced9b2bee4
Expose telemetry config from RuntimeConfig to proxy config endpoint
2018-06-25 12:25:38 -07:00
Paul Banks
2df422e1e5
Disable TestAgent proxy execution properly
2018-06-25 12:25:38 -07:00
Paul Banks
81bd1b43a3
Fix hot loop in cache for RPC returning zero index.
2018-06-25 12:25:37 -07:00
Paul Banks
3d51c2aeac
Get agent cache tests passing without global hit count (which is racy).
...
Few other fixes in here just to get a clean run locally - they are all also fixed in other PRs but shouldn't conflict.
This should be robust to timing between goroutines now.
2018-06-25 12:25:37 -07:00
Mitchell Hashimoto
3efa77b912
Update UI for beta3
2018-06-25 12:25:16 -07:00
Mitchell Hashimoto
29af8fb5ab
agent/cache: always schedule the refresh
2018-06-25 12:25:14 -07:00
Mitchell Hashimoto
63047f9434
agent: clarify comment
2018-06-25 12:25:14 -07:00
Mitchell Hashimoto
1f3d2701f3
agent: add additional assertion to test
2018-06-25 12:25:13 -07:00
Paul Banks
8f26c9c3b9
More test tweaks
2018-06-25 12:25:13 -07:00
Paul Banks
d6b13463ed
Fix misc test failures (some from other PRs)
2018-06-25 12:25:13 -07:00
Paul Banks
1283373a64
Only set precedence on write path
2018-06-25 12:25:13 -07:00
Paul Banks
22b95283e9
Fix some tests failures caused by the sorting change and some cuased by previous UpdatePrecedence() change
2018-06-25 12:25:13 -07:00
Paul Banks
e2938138f6
Sort intention list by precedence
2018-06-25 12:25:13 -07:00
Mitchell Hashimoto
efa2bdb88b
agent: intention update/delete responess match ACL/KV behavior
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
93037b0607
agent/structs: JSON marshal the configuration for a managed proxy
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
8cb57b9316
agent: disallow deregistering a managed proxy directly
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
47c0e0dde6
agent: deregister service deregisters the proxy along with it
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
0d457a3e71
agent: RemoveProxy also removes the proxy service
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
8c349a2b24
Fix broken tests from PR merge related to proxy secure defaults
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
a3ef9c2308
agent/cache: always fetch with minimum index of 1 at least
2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
164da57afb
agent/proxy: remove debug println
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
f551413714
agent: disallow API registration with managed proxy if not enabled
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
a8ec3064f5
agent/config: AllowManagedAPIRegistration
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
c30affa4b6
agent/proxy: AllowRoot to disable executing managed proxies when root
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
be83efe61e
agent/proxy: set the proper arguments so we only run the helper process
2018-06-25 12:25:11 -07:00
Mitchell Hashimoto
a7690301f9
agent/config: add AllowManagedRoot
2018-06-25 12:25:11 -07:00
Kyle Havlovitz
549dc22944
connect: fix two CA tests that were broken in a previous PR ( #60 )
2018-06-25 12:25:10 -07:00
Paul Banks
3433020fa6
Fix roots race with CA setup hammering bug and defensive nil check hit during obscure upgrade scenario
2018-06-25 12:25:10 -07:00
Kyle Havlovitz
1ce8361aa2
agent: format all CA config fields
2018-06-25 12:25:09 -07:00
Kyle Havlovitz
a242e5b130
agent: update accepted CA config fields and defaults
2018-06-25 12:25:09 -07:00
Mitchell Hashimoto
7846206753
agent/proxy: fix build on Windows
2018-06-25 12:24:18 -07:00
Paul Banks
6c77f7883e
Misc comment cleanups
2018-06-25 12:24:16 -07:00
Paul Banks
d0674cdd7a
Warn about killing proxies in dev mode
2018-06-25 12:24:16 -07:00
Mitchell Hashimoto
4ebddd6adb
agent/consul: set precedence value on struct itself
2018-06-25 12:24:16 -07:00
Mitchell Hashimoto
61c7e33a22
agent/config: move ports to ports
structure, update docs
2018-06-25 12:24:15 -07:00
Paul Banks
d140612350
Fixs a few issues that stopped this working in real life but not caught by tests:
...
- Dev mode assumed no persistence of services although proxy state is persisted which caused proxies to be killed on startup as their services were no longer registered. Fixed.
- Didn't snapshot the ProxyID which meant that proxies were adopted OK from snapshot but failed to restart if they died since there was no proxyID in the ENV on restart
- Dev mode with no persistence just kills all proxies on shutdown since it can't recover them later
- Naming things
2018-06-25 12:24:14 -07:00
Paul Banks
3df45ac7f1
Don't kill proxies on agent shutdown; backport manager close fix
2018-06-25 12:24:13 -07:00
Paul Banks
877390cd28
Test for adopted process Stop race and fix
2018-06-25 12:24:13 -07:00
Mitchell Hashimoto
e016f37ae7
agent: accept connect param for execute
2018-06-25 12:24:12 -07:00
Mitchell Hashimoto
52c10d2208
agent/consul: support a Connect option on prepared query request
2018-06-25 12:24:12 -07:00
Mitchell Hashimoto
e8c899b1b8
agent/consul: prepared query supports "Connect" field
2018-06-25 12:24:11 -07:00
Mitchell Hashimoto
e3562e39cc
agent: intention create returns 500 for bad body
2018-06-25 12:24:10 -07:00
Mitchell Hashimoto
ad382d7351
agent: switch ConnectNative to an embedded struct
2018-06-25 12:24:10 -07:00
Paul Banks
1e5a2561b6
Make tests pass and clean proxy persistence. No detached child changes yet.
...
This is a good state for persistence stuff to re-start the detached child work that got mixed up last time.
2018-06-25 12:24:10 -07:00
Paul Banks
3bac52480e
Abandon daemonize for simpler solution (preserving history):
...
Reverts:
- bdb274852ae469c89092d6050697c0ff97178465
- 2c689179c4f61c11f0016214c0fc127a0b813bfe
- d62e25c4a7ab753914b6baccd66f88ffd10949a3
- c727ffbcc98e3e0bf41e1a7bdd40169bd2d22191
- 31b4d18933fd0acbe157e28d03ad59c2abf9a1fb
- 85c3f8df3eabc00f490cd392213c3b928a85aa44
2018-06-25 12:24:10 -07:00
Paul Banks
9ef748157a
WIP
2018-06-25 12:24:09 -07:00
Paul Banks
9cea27c66e
Sanity check that we are never trying to self-exec a test binary. Add daemonize bypass for TestAgent so that we don't have to jump through ridiculous self-execution hooks for every package that might possibly invoke a managed proxy
2018-06-25 12:24:09 -07:00
Mitchell Hashimoto
56f5924f3e
agent/proxy: Manager.Close also has to stop all proxy watchers
2018-06-25 12:24:09 -07:00
Paul Banks
18e64dafbc
Fix import tooling fail
2018-06-25 12:24:09 -07:00
Paul Banks
e1aca748c4
Make daemoinze an option on test binary without hacks. Misc fixes for racey or broken tests. Still failing on several though.
2018-06-25 12:24:09 -07:00
Paul Banks
c97db00903
Run daemon processes as a detached child.
...
This turns out to have a lot more subtelty than we accounted for. The test suite is especially prone to races now we can only poll the child and many extra levels of indirectoin are needed to correctly run daemon process without it becoming a Zombie.
I ran this test suite in a loop with parallel enabled to verify for races (-race doesn't find any as they are logical inter-process ones not actual data races). I made it through ~50 runs before hitting an error due to timing which is much better than before. I want to go back and see if we can do better though. Just getting this up.
2018-06-25 12:24:08 -07:00
Paul Banks
3a00574a13
Persist proxy state through agent restart
2018-06-25 12:24:08 -07:00
Mitchell Hashimoto
a3e0ac1ee3
agent/consul/state: support querying by Connect native
2018-06-25 12:24:08 -07:00
Mitchell Hashimoto
bb98686ec8
agent/cache: update comment from PR review to clarify
2018-06-25 12:24:08 -07:00
Mitchell Hashimoto
418ed161dc
agent: agent service registration supports Connect native services
2018-06-25 12:24:08 -07:00
Mitchell Hashimoto
8e02bbc897
agent/consul: support catalog registration with Connect native
2018-06-25 12:24:07 -07:00
Mitchell Hashimoto
55b3d5d6f4
agent/cache: update comments
2018-06-25 12:24:07 -07:00
Mitchell Hashimoto
ea0270e6aa
agent/cache: correct test name
2018-06-25 12:24:07 -07:00
Mitchell Hashimoto
b5201276bc
agent/cache: change behavior to return error rather than retry
...
The cache behavior should not be to mask errors and retry. Instead, it
should aim to return errors as quickly as possible. We do that here.
2018-06-25 12:24:07 -07:00
Mitchell Hashimoto
778e318a52
agent/cache: perform backoffs on error retries on blocking queries
2018-06-25 12:24:06 -07:00
Matt Keeler
95f0e8815d
Merge pull request #4234 from hashicorp/feature/default-new-ui
...
Switch over to defaulting to the new UI
2018-06-20 09:10:08 -04:00
Matt Keeler
6ccc4f39db
Merge pull request #4216 from hashicorp/rpc-limiting
...
Make RPC limits reloadable
2018-06-20 09:05:28 -04:00
Matt Keeler
426211fad6
Merge pull request #4215 from hashicorp/feature/config-node-meta-dns-txt
...
Add configuration entry to control including TXT records for node meta in DNS responses
2018-06-20 08:53:04 -04:00
Matt Keeler
bfe2fcbdf1
Update the runtime tests
2018-06-19 13:59:26 -04:00
Matt Keeler
b9d1e7042a
Make filtering out TXT RRs only apply when they would end up in Additional section
...
ANY queries are no longer affected.
2018-06-19 10:08:16 -04:00
Matt Keeler
9cb81dc47e
Switch over to defaulting to the new UI
2018-06-15 09:20:13 -04:00
Kyle Havlovitz
54bc937fed
Re-use uint8ToString
2018-06-14 09:42:23 -07:00
Kyle Havlovitz
4d46bba2c4
Support giving the duration as a string in CA config
2018-06-14 09:42:22 -07:00
Mitchell Hashimoto
771842255a
address comment feedback
2018-06-14 09:42:22 -07:00
Mitchell Hashimoto
9249662c6c
agent: leaf endpoint accepts name, not service ID
...
This change is important so that requests can made representing a
service that may not be registered with the same local agent.
2018-06-14 09:42:20 -07:00
Mitchell Hashimoto
787ce3b269
agent: address feedback
2018-06-14 09:42:20 -07:00
Mitchell Hashimoto
b5b29cd6af
agent: rename test to check
2018-06-14 09:42:18 -07:00
Mitchell Hashimoto
b961bab08c
agent: implement HTTP endpoint
2018-06-14 09:42:18 -07:00
Mitchell Hashimoto
a48ff54318
agent/consul: forward request if necessary
2018-06-14 09:42:17 -07:00
Mitchell Hashimoto
b02502be73
agent: comments to point to differing logic
2018-06-14 09:42:17 -07:00
Mitchell Hashimoto
526cfc34bd
agent/consul: implement Intention.Test endpoint
2018-06-14 09:42:17 -07:00
Paul Banks
bd5e569dc7
Make invalid clusterID be fatal
2018-06-14 09:42:17 -07:00
Paul Banks
919fd3e148
Fix logical conflicts with CA refactor
2018-06-14 09:42:17 -07:00
Paul Banks
73f2a49ef1
Fix broken api test for service Meta (logical conflict rom OSS). Add test that would make this much easier to catch in future.
2018-06-14 09:42:17 -07:00
Paul Banks
bd5eb8b749
Add default CA config back - I didn't add it and causes nil panics
2018-06-14 09:42:17 -07:00
Paul Banks
dbcf286d4c
Ooops remove the CA stuff from actual server defaults and make it test server only
2018-06-14 09:42:16 -07:00
Paul Banks
834ed1d25f
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes.
2018-06-14 09:42:16 -07:00
Paul Banks
bdd30b191b
Comment cleanup
2018-06-14 09:42:16 -07:00
Paul Banks
5abf47472d
Verify trust domain on /authorize calls
2018-06-14 09:42:16 -07:00
Paul Banks
30d90b3be4
Generate CSR using real trust-domain
2018-06-14 09:42:16 -07:00
Paul Banks
5a1408f186
Add CSR signing verification of service ACL, trust domain and datacenter.
2018-06-14 09:42:16 -07:00
Paul Banks
c808833a78
Return TrustDomain from CARoots RPC
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
d1265bc38b
Rename some of the CA structs/files
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
1660f9ebab
Add more metadata to structs.CARoot
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
baf4db1c72
Use provider state table for a global serial index
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
5998623c44
Add test for ca config http endpoint
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
c90b353eea
Move connect CA provider to separate package
2018-06-14 09:42:15 -07:00
Mitchell Hashimoto
4bb745a2d4
agent/cache: change uint8 to uint
2018-06-14 09:42:15 -07:00
Mitchell Hashimoto
6cf2e1ef1a
agent/cache: string through attempt rather than storing on the entry
2018-06-14 09:42:15 -07:00
Mitchell Hashimoto
c42510e1ec
agent/cache: implement refresh backoff
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
54a1662da8
agent/consul: change provider wait from goto to a loop
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
749f81373f
agent/consul: check nil on getCAProvider result
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
c57405b323
agent/consul: retry reading provider a few times
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
b4f990bc6c
agent: verify local proxy tokens for CA leaf + tests
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
8f7b5f93cd
agent: verify proxy token for ProxyConfig endpoint + tests
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
3a7aaa63bc
agent/proxy: pass proxy ID as an env var
2018-06-14 09:42:13 -07:00
Mitchell Hashimoto
f69c8b85ef
agent/config: add managed proxy upstreams config to skip
...
agent/config will turn [{}] into {} (single element maps into a single
map) to work around HCL issues. These are resolved in HCL2 which I'm
sure Consul will switch to eventually.
This breaks the connect proxy configuration in service definition FILES
since we call this patch function. For now, let's just special-case skip
this. In the future we maybe Consul will adopt HCL2 and fix it, or we
can do something else if we want. This works and is tested.
2018-06-14 09:42:13 -07:00
Mitchell Hashimoto
662f38c625
agent/structs: validate service definitions, port required for proxy
2018-06-14 09:42:13 -07:00
Mitchell Hashimoto
498c63a6f1
agent/config: default connect enabled in dev mode
...
This enables `consul agent -dev` to begin using Connect features with
the built-in CA. I think this is expected behavior since you can imagine
that new users would want to try.
There is no real downside since we're just using the built-in CA.
2018-06-14 09:42:13 -07:00
Paul Banks
954d286d73
Make CSR work with jank domain
2018-06-14 09:42:13 -07:00
Mitchell Hashimoto
257d31e319
agent/proxy: delete pid file on Stop
2018-06-14 09:42:13 -07:00
Mitchell Hashimoto
1dfb4762f5
agent: increase timer for blocking cache endpoints
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
a89238a9d3
agent/proxy: address PR feedback
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
7bb13246a8
agent: clarify why we Kill still
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
147b066c67
agent: restore proxy snapshot but still Kill proxies
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
1d24df3827
agent/proxy: check if process is alive in addition to Wait
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
4301f7f1f5
agent: only set the proxy manager data dir if its set
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
e3be9f7a02
agent/proxy: improve comments on snapshotting
2018-06-14 09:42:12 -07:00
Mitchell Hashimoto
eb31827fac
agent/proxy: implement periodic snapshotting in the manager
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
64fc9e0218
agent/proxy: check if process is alive
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
a3a0bc7b13
agent/proxy: implement snapshotting for daemons
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
9675ed626d
agent/proxy: manager configures the daemon pid path to write pids
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
5e0f0ba178
agent/proxy: write pid file whenever the daemon process changes
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
09093a1a1a
agent/proxy: change LogDir to DataDir to reuse for other things
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
e2133fd391
agent/proxy: make the logs test a bit more robust by waiting for file
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
d019d33bc6
agent/proxy: don't create the directory in newProxy
2018-06-14 09:42:11 -07:00
Mitchell Hashimoto
49bc7181a4
agent/proxy: send logs to the correct location for daemon proxies
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
515c47be7d
agent: add additional tests for defaulting in AddProxy
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
52665f7d23
agent: clean up defaulting of proxy configuration
...
This cleans up and unifies how proxy settings defaults are applied.
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
ed14e9edf8
agent: resolve some conflicts and fix tests
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
657c09133a
agent/local: clarify the non-risk of a full buffer
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
31b09c0674
agent/local: remove outdated comment
2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
bae428326a
agent: use os.Executable
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
6a78ecea57
agent/proxy: local state event coalescing
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
16f529a13c
agent/proxy: implement force kill of unresponsive proxy process
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
4722e3ef76
agent: fix crash that could happen if proxy was nil on load
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
10fe87bd4a
agent/proxy: pull exit status extraction to constrained file
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
669268f85c
agent: start proxy manager
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
6884654c9d
agent/proxy: detect config change to stop/start proxies
2018-06-14 09:42:09 -07:00
Mitchell Hashimoto
8ce3deac5d
agent/proxy: test removing proxies and stopping them
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
a2167a7fd1
agent/proxy: manager and basic tests, not great coverage yet coming soon
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
fae8dc8951
agent/local: add Notify mechanism for proxy changes
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
f64a002f68
agent: start/stop proxies
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
93cdd3f206
agent/proxy: clean up usage, can't be restarted
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
536f31571b
agent: change connect command paths to be slices, not strings
...
This matches other executable configuration and allows us to cleanly
separate executable from arguments without trying to emulate shell
parsing.
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
76c6849ffe
agent/local: store proxy on local state, wip, not working yet
2018-06-14 09:42:08 -07:00
Mitchell Hashimoto
659ab7ee2d
agent/proxy: exponential backoff on restarts
2018-06-14 09:42:07 -07:00
Mitchell Hashimoto
c2f50f1688
agent/proxy: Daemon works, tests cover it too
2018-06-14 09:42:07 -07:00
Mitchell Hashimoto
c47ad68f25
wip
2018-06-14 09:42:07 -07:00
Paul Banks
02ab461dae
TLS watching integrated into Service with some basic tests.
...
There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code.
2018-06-14 09:42:07 -07:00
Paul Banks
dcd277de8a
Wire up agent leaf endpoint to cache framework to support blocking.
2018-06-14 09:42:07 -07:00
Kyle Havlovitz
b28e11fdd3
Fill out connect CA rpc endpoint tests
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
0e184f3f5b
Fix config tests
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
7c0976208d
Add tests for the built in CA's state store table
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
19b9399f2f
Add more tests for built-in provider
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
a29f3c6b96
Fix some inconsistencies around the CA provider code
2018-06-14 09:42:06 -07:00
Paul Banks
153808db7c
Don't allow connect watches in agent/cli yet
2018-06-14 09:42:06 -07:00
Paul Banks
072b2a79ca
Support legacy watch.HandlerFunc type for backward compat reduces impact of change
2018-06-14 09:42:05 -07:00
Paul Banks
6f566f750e
Basic watch
support for connect proxy config and certificate endpoints.
...
- Includes some bug fixes for previous `api` work and `agent` that weren't tested
- Needed somewhat pervasive changes to support hash based blocking - some TODOs left in our watch toolchain that will explicitly fail on hash-based watches.
- Integration into `connect` is partially done here but still WIP
2018-06-14 09:42:05 -07:00
Kyle Havlovitz
2167713226
Add CA config to connect section of agent config
2018-06-14 09:42:05 -07:00
Kyle Havlovitz
02fef5f9a2
Move ConsulCAProviderConfig into structs package
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
887cc98d7e
Simplify the CAProvider.Sign method
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
44b30476cb
Simplify the CA provider interface by moving some logic out
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
aa10fb2f48
Clarify some comments and names around CA bootstrapping
2018-06-14 09:42:04 -07:00
Mitchell Hashimoto
5abd43a567
agent: resolve flaky test by checking cache hits increase, rather than
...
exact
2018-06-14 09:42:04 -07:00
Mitchell Hashimoto
73838c9afa
agent: use helper/retry instead of timing related tests
2018-06-14 09:42:04 -07:00
Mitchell Hashimoto
dcb2671d10
agent/cache: address PR feedback, lots of typos
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
07d878a157
agent/cache: address feedback, clarify comments
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
ad3928b6bd
agent/cache: don't every block on NotifyCh
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
3f80a9f330
agent/cache: unit tests for ExpiryHeap, found a bug!
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
1c31e34e5b
agent/cache: send the total entries count on eviction to go-metrics
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
ec559d77bd
agent/cache: make edge case with prev/next idx == 0 handled better
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
b319d06276
agent/cache: rework how expiry data is stored to be more efficient
2018-06-14 09:42:03 -07:00
Mitchell Hashimoto
449bbd817d
agent/cache: initial TTL work
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
3c6acbda5d
agent/cache: send the RefreshTimeout into the backend fetch
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
257fc34e51
agent/cache: on error, return from Get immediately, don't block forever
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
e9d58ca219
agent/cache: lots of comment/doc updates
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
a1f8cb9570
agent: augment /v1/connect/authorize to cache intentions
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
56774f24d0
agent/cache-types: support intention match queries
2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
109bb946e9
agent/cache: return the error as part of Get
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
6ecc2da7ff
agent/cache: integrate go-metrics so the cache is debuggable
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
3b6c46b7d7
agent/structs: DCSpecificRequest sets all the proper fields for
...
CacheInfo
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
ccd7eeef1a
agent/cache-types/ca-leaf: proper result for timeout, race on setting CA
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
4509589427
agent/cache: support timeouts for cache reads and empty fetch results
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
b0f70f17db
agent/cache-types: rename to separate root and leaf cache types
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
e3b1c400e5
agent/cache-types: got basic CA leaf caching work, major problems still
2018-06-14 09:42:01 -07:00
Mitchell Hashimoto
9e44a319d3
agent: check cache hit count to verify CA root caching, background update
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
8bb4fd95a6
agent: initialize the cache and cache the CA roots
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
286217cbd8
agent/cache: partition by DC/ACL token
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
72c82a9b29
agent/cache: Reorganize some files, RequestInfo struct, prepare for partitioning
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
ecc789ddb5
agent/cache: ConnectCA roots caching type
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
c69df79e0c
agent/cache: blank cache key means to always fetch
2018-06-14 09:42:00 -07:00
Mitchell Hashimoto
8584e9262e
agent/cache: initial kind-of working cache
2018-06-14 09:42:00 -07:00
Kyle Havlovitz
43f13d5a0b
Add cross-signing mechanism to root rotation
2018-06-14 09:42:00 -07:00
Kyle Havlovitz
bbfcb278e1
Add the root rotation mechanism to the CA config endpoint
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
a585a0ba10
Have the built in CA store its state in raft
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
80eddb0bfb
Fix the testing endpoint's root set op
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
9fefac745e
Update the CA config endpoint to enable GETs
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
fc9ef9741b
Hook the CA RPC endpoint into the provider interface
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
a40db26ffe
Add CA bootstrapping on establishing leadership
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
e26819ed9c
Add the bootstrap config for the CA
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
4d0713d5bb
Add the CA provider interface and built-in provider
2018-06-14 09:41:58 -07:00
Kyle Havlovitz
ebdda17a30
Add CA config set to fsm operations
2018-06-14 09:41:58 -07:00
Kyle Havlovitz
f7ff16669f
Add the Connect CA config to the state store
2018-06-14 09:41:58 -07:00
Paul Banks
a90f69faa4
Adds api
client code and tests for new Proxy Config endpoint, registering with proxy and seeing proxy config in /agent/services list.
2018-06-14 09:41:58 -07:00
Paul Banks
9d11cd9bf4
Fix various test failures and vet warnings.
...
Intention de-duplication in previously merged PR actualy failed some tests that were not caught be me or CI. I ran the test files for state changes but they happened not to trigger this case so I made sure they did first and then fixed. That fixed some upstream intention endpoint tests that I'd not run as part of testing the previous fix.
2018-06-14 09:41:58 -07:00
Paul Banks
8a4410b549
Refactor localBlockingQuery to use memdb.WatchSet. Much simpler and correct as a bonus!
2018-06-14 09:41:58 -07:00
Paul Banks
aed5e5b03e
Super ugly hack to get TeamCity build to work for this PR without adding a vendor that is being added elsewhere and will conflict...
2018-06-14 09:41:58 -07:00
Paul Banks
cbd8606651
Add X-Consul-ContentHash header; implement removing all proxies; add load/unload test.
2018-06-14 09:41:57 -07:00
Paul Banks
44afb5c699
Agent Connect Proxy config endpoint with hash-based blocking
2018-06-14 09:41:57 -07:00
Paul Banks
c2266b134a
HTTP agent registration allows proxy to be defined.
2018-06-14 09:41:57 -07:00
Paul Banks
78e48fd547
Added connect proxy config and local agent state setup on boot.
2018-06-14 09:41:57 -07:00
Paul Banks
280382c25f
Add tests all the way up through the endpoints to ensure duplicate src/destination is supported and so ultimately deny/allow nesting works.
...
Also adds a sanity check test for `api.Agent().ConnectAuthorize()` and a fix for a trivial bug in it.
2018-06-14 09:41:57 -07:00
Paul Banks
adc5589329
Allow duplicate source or destination, but enforce uniqueness across all four.
2018-06-14 09:41:57 -07:00
Paul Banks
51b1bc028d
Rework connect/proxy and command/connect/proxy. End to end demo working again
2018-06-14 09:41:57 -07:00
Paul Banks
2d6a2ce1e3
connect.Service based implementation after review feedback.
2018-06-14 09:41:56 -07:00
Mitchell Hashimoto
62b746c380
agent: rename authorize param ClientID to ClientCertURI
2018-06-14 09:41:56 -07:00