Commit Graph

14794 Commits

Author SHA1 Message Date
Evan Culver 521c423075
acls: Show `AuthMethodNamespace` when reading/listing ACL token meta (#10598) 2021-07-15 10:38:52 -07:00
Daniel Nephin b4ab87111c
Merge pull request #10567 from hashicorp/dnephin/config-unexport-build
config: unexport the remaining builder methods
2021-07-15 12:05:19 -04:00
Freddy a942a2e025
Merge pull request #10621 from hashicorp/vuln/validate-sans 2021-07-15 09:43:55 -06:00
freddygv cfc31f957b Add changelog entry 2021-07-15 09:27:46 -06:00
Daniel Nephin 4c78825f0c
Merge pull request #10617 from hashicorp/dnephin/config-add-missing-docs
docs: add config options that were missing
2021-07-15 11:23:32 -04:00
Daniel Nephin f286ea0922
Fix godoc comment
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-07-15 11:22:46 -04:00
Daniel Nephin b362ce092e
Merge pull request #10618 from hashicorp/dnephin/docs-add-deprecation-version-grpc-port
docs: add deprecation version for ports.grpc settings
2021-07-15 11:14:51 -04:00
R.B. Boyer e018d8a10b
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619) 2021-07-15 10:09:00 -05:00
hc-github-team-consul-core 6bf7c98227 auto-updated agent/uiserver/bindata_assetfs.go from commit 0762da3a6 2021-07-15 11:23:49 +00:00
John Cowen ffbe54971f
ui: [BUGFIX] Ensure we use the ns query param name when requesting permissions (#10608)
Previously when namespaces were enabled, we weren't requesting permission for the actively selected namespace, and instead always checking the permissions for the default namespace.

This commit ensures we request permissions for the actively selected namespace.
2021-07-15 12:19:07 +01:00
freddygv b6b42c34dc Add TODOs about partition handling 2021-07-14 22:21:55 -06:00
freddygv 3d4fa44c22 Update golden files 2021-07-14 22:21:55 -06:00
freddygv a7de87e95b Validate SANs for passthrough clusters and failovers 2021-07-14 22:21:55 -06:00
freddygv a6f7d806f6 Update golden files to account for SAN validation 2021-07-14 22:21:55 -06:00
freddygv 3f11449363 Validate Subject Alternative Name for upstreams
These changes ensure that the identity of services dialed is
cryptographically verified.

For all upstreams we validate against SPIFFE IDs in the format used by
Consul's service mesh:

spiffe://<trust-domain>/ns/<namespace>/dc/<datacenter>/svc/<service>
2021-07-14 22:20:27 -06:00
Daniel Nephin ce6846fba4 docs: add deprecation version for ports.grpc settings 2021-07-14 17:06:13 -04:00
Daniel Nephin 7fff096d8d
Merge pull request #10568 from hashicorp/dnephin/contrib-docs-config
contrib: add first draft of agent configuration docs
2021-07-14 16:54:36 -04:00
Daniel Nephin 152585f323 docs: add config options that were missing
https://github.com/hashicorp/consul/pull/128 added pid_file
https://github.com/hashicorp/consul/pull/1331 added disable_coordinates
2021-07-14 16:51:07 -04:00
Daniel Nephin 5e011568dd contrib: add first draft of agent configuration docs 2021-07-14 16:48:15 -04:00
Kyle Havlovitz e7309bfa8f
Merge pull request #10616 from hashicorp/partitions/oss-http-params
oss: add partition query param parsing
2021-07-14 13:43:56 -07:00
Kyle Havlovitz e97bc2bda7 http: add partition query param parsing 2021-07-14 12:07:38 -07:00
hc-github-team-consul-core 8c5723ec98 auto-updated agent/uiserver/bindata_assetfs.go from commit 3e80e637b 2021-07-14 18:00:42 +00:00
John Cowen 4f6674f16f
ui: [BUGFIX] Fix KV Code Editor syntax loading (#10605)
This commit adds a bit of string wrangling to avoid the keys in our javascript source file also being transformed. Additionally, whilst looking at this we decided that Maps are a better dictionary than javascript objects, so we moved to use those here also (but this doesn't affect the issue)
2021-07-14 18:55:35 +01:00
John Cowen af0e6be943
ui: Show the correct 'ACLs Disabled' page when ACLs are disabled (#10604)
Adds 'can access ACLs' which means one of two things

1. When ACLs are disabled I can access the 'please enable ACLs' page
2. When ACLs are enabled, its the same as canRead
2021-07-14 18:52:13 +01:00
John Cowen 398db1339b
ui: [BUGFIX] Ensure in-folder KVs are created in the correct folder (#10569)
When clicking to create a KV within folder name, would would be viewing a form that was a form for creating a KV in the root, which when the user clicked to save, saved the KV in the root.

For the moment at least I've removed the code that strips double slashes, and whilst this isn't ideal, it looks like we've picked up one of those bugs that turns into a 'feature', and completely reworking KV to not rely on the double slashes is not really an option right now.
2021-07-14 18:49:01 +01:00
Melissa Kam ffb7e92aa7
Merge pull request #10614 from hashicorp/nia/docs-0.2.1
nia/docs 0.2.1
2021-07-14 12:03:13 -05:00
David Yu 7048a045e3
docs: Add link to learn guide on migrating ACL tokens (#10609)
* docs: Add link to learn guide on migrating ACL tokens
2021-07-13 14:02:51 -07:00
Daniel Nephin 57c5a40869
Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc
config: rename `ports.grpc` to `ports.xds`
2021-07-13 13:11:38 -04:00
Daniel Nephin 15300b873a fix backwards compat for envoy command
The compatv2 integration tests were failing because they use an older CLI version with a newer
HTTP API. This commit restores the GRPCPort field to the DebugConfig output to allow older
CIs to continue to fetch the port.
2021-07-13 12:31:49 -04:00
Daniel Nephin 25dc14f036 Apply suggestions from code review
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
2021-07-13 12:31:49 -04:00
Daniel Nephin a5f93e5596 command/envoy: stop using the DebugConfig from Self endpoint
The DebugConfig in the self endpoint can change at any time. It's not a stable API.

With the previous change to rename GRPCPort to XDSPort this command would have broken.
This commit adds the XDSPort to a stable part of the XDS api, and changes the envoy command to read
this new field.

It includes support for the old API as well, in case a newer CLI is used with an older API, and
adds a test for both cases.
2021-07-13 12:31:49 -04:00
Daniel Nephin ef6bc739a1 config: update config settings and flags for ports.xds 2021-07-13 12:31:48 -04:00
Dhia Ayachi 53b45a8441
check expiry date of the root/intermediate before using it to sign a leaf (#10500)
* ca: move provider creation into CAManager

This further decouples the CAManager from Server. It reduces the interface between them and
removes the need for the SetLogger method on providers.

* ca: move SignCertificate to CAManager

To reduce the scope of Server, and keep all the CA logic together

* ca: move SignCertificate to the file where it is used

* auto-config: move autoConfigBackend impl off of Server

Most of these methods are used exclusively for the AutoConfig RPC
endpoint. This PR uses a pattern that we've used in other places as an
incremental step to reducing the scope of Server.

* fix linter issues

* check error when `raftApplyMsgpack`

* ca: move SignCertificate to CAManager

To reduce the scope of Server, and keep all the CA logic together

* check expiry date of the intermediate before using it to sign a leaf

* fix typo in comment

Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>

* Fix test name

* do not check cert start date

* wrap error to mention it is the intermediate expired

* Fix failing test

* update comment

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* use shim to avoid sleep in test

* add root cert validation

* remove duplicate code

* Revert "fix linter issues"

This reverts commit 6356302b54f06c8f2dee8e59740409d49e84ef24.

* fix import issue

* gofmt leader_connect_ca

* add changelog entry

* update error message

Co-authored-by: Freddy <freddygv@users.noreply.github.com>

* fix error message in test

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-07-13 12:15:06 -04:00
R.B. Boyer ae8b526be8
connect/ca: ensure edits to the key type/bits for the connect builtin CA will regenerate the roots (#10330)
progress on #9572
2021-07-13 11:12:07 -05:00
R.B. Boyer 0537922c6c
connect/ca: require new vault mount points when updating the key type/bits for the vault connect CA provider (#10331)
progress on #9572
2021-07-13 11:11:46 -05:00
Iryna Shustava a75a860174
cli/sdk: Allow applying redirect-traffic rules in a provided Linux namespace (#10564) 2021-07-13 10:05:48 -06:00
Melissa Kam a3f94f44ce
Merge pull request #10606 from hashicorp/cts-tf-1.0
nia/docs: Terraform 1.0 compatability
2021-07-13 10:50:33 -05:00
Melissa Kam 15f90d73e0 nia/docs: Terraform 1.0 compatability 2021-07-13 10:22:05 -05:00
Daniel Nephin ef32234ae1
Merge pull request #10579 from hashicorp/dnephin/improve-config-docs-tls
docs: Improve TLS user documentation
2021-07-12 19:09:15 -04:00
Daniel Nephin 58cf5767a8
Merge pull request #10479 from hashicorp/dnephin/ca-provider-explore-2
ca: move Server.SignIntermediate to CAManager
2021-07-12 19:03:43 -04:00
Noel Quiles 284c09413e
Bump hashi-stack-menu (#10599) 2021-07-12 15:27:32 -07:00
Curt Marker 99be1dfd69
Fixed a typo that broke the example static-server deployment (#10582)
The service account was typo'd and needs to be fixed
2021-07-12 13:28:36 -07:00
Daniel Nephin a22bdb2ac9
Merge pull request #10445 from hashicorp/dnephin/ca-provider-explore
ca: isolate more of the CA logic in CAManager
2021-07-12 15:26:23 -04:00
Daniel Nephin fdb0ba8041 ca: use provider constructors to be more consistent
Adds a contructor for the one provider that did not have one.
2021-07-12 14:04:34 -04:00
Dhia Ayachi 3eac4ffda4 check error when `raftApplyMsgpack` 2021-07-12 13:42:51 -04:00
Daniel Nephin 34c8585b29 auto-config: move autoConfigBackend impl off of Server
Most of these methods are used exclusively for the AutoConfig RPC
endpoint. This PR uses a pattern that we've used in other places as an
incremental step to reducing the scope of Server.
2021-07-12 13:42:40 -04:00
Daniel Nephin 605275b4dc ca: move SignCertificate to the file where it is used 2021-07-12 13:42:39 -04:00
Daniel Nephin c2e85f25d4 ca: move SignCertificate to CAManager
To reduce the scope of Server, and keep all the CA logic together
2021-07-12 13:42:39 -04:00
Daniel Nephin 51c6fb4cb8 docs: move TLS example next to field reference 2021-07-12 13:08:02 -04:00
Daniel Nephin 2682cd95c5
Update website/content/docs/agent/options.mdx
Co-authored-by: Kent 'picat' Gruber <kent@hashicorp.com>
2021-07-12 13:03:32 -04:00